My first server. Problems and advice needed


markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

My first server. Problems and advice needed

Postby markrich » Tue Jun 09, 2009 9:55 am

All!

I have installed Scalix SBE to my new server but unfamiliarity with the system is causing me some grief on installation/configuration.

I have an existing server running openLDAP with all our present users and distribution lists contained within.

I have tried to follow the procedure to synchronise the users over using omldapsync. This has populated my directory on Scalix with some accounts but none can be edited and there seems no way to instruct Scalix to utilise our existing Kerberos server for the password on each user. Therefore I cannot edit any of the accounts and no one can log in.

I had assumed that omldapsync would act as a conduit between the two servers allowing edits in one to mirror automatically to the other and vice versa.

Can anyone help me resolve this problem and explain in simple steps for me how to allow the users to log in with their existing Kerberos details, which may be slightly different, i.e. John Smith may have john.smith@mirifice.com as his email but logs onto the network as "johns".

All help appreciated. I seem to be flitting between admin guide/configuration guide/installation guide etc. without really understanding how to resolve the problem.

Thanks!

Marky

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Tue Jun 09, 2009 10:19 am

Follow the instructions in the Scalix Setup and Configuration Guide, on the Scalix website. That explains it step-by-step, though it uses AD as an example. But it does work for any Kerberos system. The part that's not in that document is simple: edit the various files in /var/opt/scalix/??/s/sys/pam.d - especially ual.remote, omslapdeng and smtpd.auth.

Your users' AUTH ID MUST be of the form username@REALM where username is the Kerberos principal name and REALM is the Kerberos realm in UPPER CASE. This is case sensitive.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Tue Jun 09, 2009 11:28 am

I have followed the advice as best as I can but the product still does not allow me to log in to webmail with any of the kerberos accounts. Tried many variations on the user.

Also still cannot make the accounts which have appeared in the Directory of Scalix editable.

Still no further forward apart from having edited a few suggested config files.

Also can no longer log into webmail with the sxadmin account. :-(

LeslieW
Scalix
Posts: 239
Joined: Thu Jun 19, 2008 10:03 am

Re: My first server. Problems and advice needed

Postby LeslieW » Tue Jun 09, 2009 2:39 pm

If you import the data from LDAP, then LDAP "owns" the data. The Scalix Admin Console (SAC) will display it but you won't be allowed to edit it from SAC. To edit, you need to go to LDAP, because LDAP owns the data.

Did you change your pam.d files to allow for Kerberos authentication?

Try this:


# kinit authid@DOMAIN.COM
(Enter the password when prompted)

# klist


You should see something like the following:


Ticket cache: FILE:/tmp/krb5cc_0
Default principal: authid@DOMAIN.COM

Valid starting    Expires           Service principal
08/01/08 08:14:54 08/01/08 18:15:00 krbtgt/DOMAIN.COM@DOMAIN.COM    renew until 03/13/09 16:17:42


If that works, you know your Scalix server is properly configured to access Kerberos and get a ticket-granting-ticket. More info is in the Wiki at http://www.scalix.com/wiki/index.php?ti ... le_Sign-On. It's geared for configuring Single-Sign-On but the underlying Kerberos authentication principles still apply. That Wiki article also talks about the pam.d files you need to edit.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Wed Jun 10, 2009 2:58 am

I amended the Kerberos details on the server using Webmin and the commands you gave me work fine.

I was able to reproduce what you describe.

I am still unable, however, to log into any Scalix user which is now in my list save those I created myself. My previous problem with sxadmin seems to have gone away so I can log in with locally created users but not users sucked in from LDAP, which suggests to me they are not imported correctly and leads on to the second issue.

If, as you say, the information cannot be edited in Scalix, but only in LDAP, for those users, why is Scalix limiting each user only to one email address? Some people have aliases which are not showing.

I thought this would be a two-way sync so changes made in Scalix reflect in LDAP and vice versa. I cannot, therefore, move people into distribution groups on the mail server but must continue to create them in LDAP. Is this really correct? How therefore can I make some accounts Standard and some Premium? This doesn't make any sense to me.

The Setup and Configuration Guide speaks a great deal about Active Directory. I am now in a job which uses Linux, Kerberos and LDAP to manage the systems and although I know my way around AD very easily, the new environment is a learning curve. I therefore don't understand how some of those instructions translate. Is there a simple walkthrough someplace to resolve my issues?

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Fri Jun 12, 2009 3:53 am

Okay, getting the hang of this and understanding the psyche of the manual writers; however, problems still remain.

As I understand it I have to edit the LDAP entry for each user in openLDAP and add the extra Scalix lines. I have done this manually for my own user and used omldapsync -i 13mirifice.com to import the data to the system. This seemed to work and I appeared as a proper user. However, if I amend my user in openLDAP to add an email address, for example, I am unable to get Scalix to update me. I suspect I am misunderstanding something. Checking through omldapsync.log I see the following error below my name:

<scalix-caa:fault-details xmlns:scalix-caa="http://www.scalix.com/caa">
<message>omaddu : [OM 8265] Authentication ID mark.rich already used. :snotra.mirifice.com</message>
<errorcode>OM 8265</errorcode>
</scalix-caa:fault-details>

On a related note, we do not authenticate our users against LDAP here, we do that via Kerberos for SSO but I am unable to do that with my account. Perhaps (and I do not know for sure) this could be caused by the fact that my Kerberos login name is 'marky' but my LDAP name is 'mark.rich'. Would this cause a problem or am I heading in the wrong direction? Either example does not allow me to log into webmail.

Second: If I can resolve the LDAP sync issues and I desire to change a user from Premium to Standard or vice versa, how would this affect the mailbox for the user on the system? Would the user simply lose his or her extra settings (or indeed gain them for the other way around) and the mailbox/user carry on?

Marky
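As an added example (not from the thread or from Scalix), a small consistency check for the two failure modes raised above: auth IDs whose principal part is the LDAP uid rather than the Kerberos login name or whose realm is not upper case, and two directory entries mapping to the same auth ID, which omaddu rejects with OM 8265. The realm, the 'authid' attribute name and every record below are constructed assumptions.

```python
"""Check that the Authentication IDs omldapsync hands to Scalix line up with
the Kerberos principals users actually log in with (the 'mark.rich' vs
'marky' problem). Added example, not part of the thread; attribute names,
the realm and every record below are constructed assumptions."""
import re

REALM = "MIRIFICE.COM"   # assumed Kerberos realm for the thread's domain

# Constructed LDAP export. 'authid' stands in for whatever attribute the
# omldapsync mapping feeds into the Scalix Authentication ID.
LDAP_USERS = [
    {"uid": "mark.rich",  "authid": "mark.rich@MIRIFICE.COM"},  # KDC knows 'marky'
    {"uid": "john.smith", "authid": "johns@mirifice.com"},      # realm not upper case
    {"uid": "jane.doe",   "authid": "janed@MIRIFICE.COM"},      # correct
    {"uid": "m.rich",     "authid": "mark.rich@MIRIFICE.COM"},  # duplicate -> OM 8265
]
KDC_PRINCIPALS = {"marky", "johns", "janed"}   # constructed KDC principal list

# principal@REALM with the realm in upper case, as Valerion describes.
AUTHID_RE = re.compile(r"^([^@\s]+)@([A-Z0-9.-]+)$")

def check_authids(users, principals, realm=REALM):
    """Return {uid: [problems]} for users whose auth ID will not authenticate
    against the KDC or will be rejected by omaddu; {} means all consistent."""
    problems, seen = {}, {}
    for u in users:
        issues, authid = [], u["authid"]
        m = AUTHID_RE.match(authid)
        if not m:
            issues.append("not of the form principal@REALM with the realm in upper case")
        else:
            name, rlm = m.groups()
            if rlm != realm:
                issues.append(f"realm {rlm!r} is not the KDC realm {realm!r}")
            if name not in principals:
                issues.append(f"no KDC principal {name!r}: login name differs from LDAP uid?")
        if authid in seen:   # omaddu refuses a second user with the same auth ID
            issues.append(f"auth ID already used by {seen[authid]!r} (OM 8265)")
        seen.setdefault(authid, u["uid"])
        if issues:
            problems[u["uid"]] = issues
    return problems
```

Run it against a real export of the directory before omldapsync does, so the OM 8265 collision shows up in the report rather than in omldapsync.log.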

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Integrate with existing Kerberos server

Postby markrich » Mon Jun 15, 2009 7:09 am

Step by step we get there. The LDAP issues seem to be resolved and I understand that much better now.

However now I have a more complicated problem I think. Kerberos.

We have an existing Kerberos server providing Single Sign-On functionality for users. It sits on an existing Debian installation on another machine.

Looking at the instructions from the Configuration Guide I am led to believe I must create a new Kerberos server on the Scalix machine. Can I not use the existing Kerberos server somehow to control login, now that I have the user accounts on the Scalix server which are being synchronised with our LDAP system every hour via a cron job?

All help appreciated.

Marky

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Mon Jun 15, 2009 10:27 am

You should be able to use another kerberos server. Just to make sure I'm on the same page, the kinit user@REALM.COM was successful?
If so, does any scalix client work? You mentioned webmail fails, but how about ual(outlook premium), or pop3?
Have you modified all of the appropriate PAM configuration files?

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Mon Jun 15, 2009 10:41 am

I have edited them the way I understand they should be but perhaps I could be wrong.

I cannot attach to the server from Apple Mail with IMAP or POP and cannot access webmail with Firefox. No log in account works. Even sxadmin now has ceased to work for me again unless I remove the Kerberos settings from the pam files.

I cannot see how I am supposed to point Scalix to another Kerberos server. Am I supposed to edit another config file? It's not clear in the instruction guides.

Yes, the kinit stuff was successful. I used Webmail to configure the server to point to our existing Kerberos system at the start of my server setup. All is well there.

Marky

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Mon Jun 15, 2009 10:53 am

I'm not sure I understand how you used webmail to configure kerberos... but moving past that, if kinit works that means kerberos is working fine. All that's necessary is to tell scalix to use it. Please post the relevant pam files.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Mon Jun 15, 2009 11:30 am

Spelling error. I meant to write 'Webmin' not 'Webmail'. One letter makes a word of difference :-)

The kerberos server is at kerberos.mirifice.com. The LDAP server is at directory.mirifice.com and the mail server is at scalix.mirifice.com.

Not sure how these files point there. Any help appreciated. I thought I was doing well with the multiple cups of black coffee and manual pages until now.

omslapdeng


# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
# auth     required om_auth nullok

#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
auth   sufficient om_auth nullok
auth   sufficient om_krb5 use_first_pass
auth   required pam_deny

# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth   required om_krb5 user_unknown=ignore
# auth   optional om_auth nullok use_first_pass

# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth   sufficient om_auth nullok
# auth   sufficient om_ldap use_first_pass
# auth   required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass


# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
# auth   required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass


account  required om_auth


pop3


# auth     required om_auth
account  required om_auth
password required om_auth
auth sufficient om_krb use_first_pass
auth required pam_deny


smtpd.auth


auth     required om_auth
account  required om_auth


ual.remote


# Standard Scalix Authentication
#
# Comment this out if you want to use one of the alternative authentication
# schemes below.
# auth     required om_auth nullok

#
# Kerberos authentication 1
#
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#
# auth   sufficient om_auth nullok
auth   sufficient om_krb5 use_first_pass
auth   required pam_deny

# Kerberos authentication 2
#
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#
# auth   required om_krb5 user_unknown=ignore
# auth   optional om_auth nullok use_first_pass

# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
#
# LDAP authentication 1
# auth   sufficient om_auth nullok
# auth   sufficient om_ldap use_first_pass
# auth   required pam_deny
#
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass


# Combined authentication
#
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#
# auth   required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass


account  required om_auth
password required om_auth nullok

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Mon Jun 15, 2009 11:37 am

Let's start with an easy one... pop3. Here's my file:


auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok


This translates to:
Authenticate against kerberos first, then the local scalix db as a backup.

After installing this file do a quick pop3 test. Again, the user's authID should exactly (case-sensitive) match the kerberos user, with the realm in all caps. The same (exact) user that works with kinit would be a good test candidate.
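As an added example (not from the thread or from Scalix), a lint for the PAM service files posted above that flags the pitfalls discussed in them: a module name that does not exist (the posted pop3 file loads om_krb rather than om_krb5), an auth stack with no om_auth rule, which is why local accounts such as sxadmin stop working, a 'sufficient' chain with no closing pam_deny, and om_krb5 set 'required' without user_unknown=ignore. The module list comes from the stock file comments; the sample files are constructed copies of the ones posted.

```python
"""Lint a Scalix PAM service file (pop3, ual.remote, ...) for the pitfalls
raised in this thread. Added example, not Scalix code; the module list and
sample files come from the posts above, the checks are my own."""
KNOWN_MODULES = {"om_auth", "om_krb5", "om_ldap", "pam_deny", "om_debug"}

def parse_pam(text):
    """Return (type, control, module, args) for each non-comment rule."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blanks
        if line:
            p = line.split()
            rules.append((p[0], p[1] if len(p) > 1 else "",
                          p[2] if len(p) > 2 else "", p[3:]))
    return rules

def lint_pam(text):
    """Return a list of findings; [] means the auth stack is sane."""
    findings = []
    rules = parse_pam(text)
    for _, _, mod, _ in rules:
        if mod not in KNOWN_MODULES:
            findings.append(f"unknown module {mod!r}: cannot be loaded, so this rule fails")
    auth = [(ctl, mod, args) for typ, ctl, mod, args in rules if typ == "auth"]
    mods = [mod for _, mod, _ in auth]
    # Without om_auth, local Scalix accounts (sxadmin) cannot authenticate.
    if "om_auth" not in mods:
        findings.append("no om_auth rule: local Scalix accounts (e.g. sxadmin) cannot log in")
    # Scheme 1 in the stock file: a 'sufficient' chain ends in 'required pam_deny'.
    if auth and auth[-1][0] == "sufficient":
        findings.append("auth stack ends on 'sufficient' with no closing 'required pam_deny'")
    # Scheme 2: 'required om_krb5' needs user_unknown=ignore or users unknown
    # to the KDC can never fall through to om_auth.
    for ctl, mod, args in auth:
        if mod == "om_krb5" and ctl == "required" and "user_unknown=ignore" not in args:
            findings.append("om_krb5 is 'required' without user_unknown=ignore")
    # Scheme 1 ordering: the stock comments warn that trying the KDC before
    # the local DB risks the KDC locking principals known to both.
    suff = [mod for ctl, mod, _ in auth if ctl == "sufficient"]
    if {"om_krb5", "om_auth"} <= set(suff) and suff.index("om_krb5") < suff.index("om_auth"):
        findings.append("om_krb5 tried before om_auth: KDC lockout risk for users in both")
    return findings

# Constructed copies of the pop3 files posted in this thread.
POSTED_POP3 = ("# auth     required om_auth\naccount  required om_auth\n"
               "password required om_auth\nauth sufficient om_krb use_first_pass\n"
               "auth required pam_deny\n")
JANGI_POP3 = ("auth required om_krb5 user_unknown=ignore\n"
              "auth optional om_auth nullok use_first_pass\n"
              "account required om_auth\npassword required om_auth nullok\n")
```

On the posted pop3 file the lint reports both the om_krb typo and the missing om_auth rule; jangi's version comes back clean.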

jangi
Posts: 193
Joined: Fri May 16, 2008 2:12 am

Re: My first server. Problems and advice needed

Postby jangi » Mon Jun 15, 2009 11:41 am

Ignore my translates to section... though the file should still work.

markrich
Posts: 105
Joined: Wed May 13, 2009 10:54 am
Location: Bath

Re: My first server. Problems and advice needed

Postby markrich » Mon Jun 15, 2009 11:59 am

I'm afraid the POP connection still does not work for me. I cannot get the client to log on with a Kerberos user. I tried my own account and the client timed out trying to connect. I tried sxadmin and after a long wait it connected and moved forward to the next setup panel. 'sxadmin' is a local user so the system has clearly timed out and fallen back onto the local accounts as suggested in the config.

I am struggling to understand the reason why now. I expect it's only a config to change, but cannot discover where.

Thanks again for all your help so far. More appreciated. :-)

Marky

Valerion
Scalix Star
Posts: 2730
Joined: Thu Feb 26, 2004 7:40 am
Location: Johannesburg, South Africa

Re: My first server. Problems and advice needed

Postby Valerion » Mon Jun 15, 2009 12:17 pm

Try using sxpamauth -vvv. Create a pamcheck file, and put

auth required om_debug verbosity=3 file=stderr

in the beginning. Have a look at the man pages for sxpamauth and om_debug. That will tell you what Kerberos is doing with the auth tokens.

