Difference between revisions of "HowTos/Samba4"
Revision as of 11:36, 3 November 2014
Test Scalix server:
IP - 192.168.56.105
Hostname - mail.scalix.test
Samba4 server:
IP - 192.168.56.100
Hostname - DC.test.local
Domain - TEST.SCALIX.LOCAL
Samba test user name: testsx
Samba test group name: scalixtestGR
Before you start: this page describes the test configuration; for other setups you need to change some settings (replace the DN DC=TEST,DC=SCALIX,DC=LOCAL with your own DN, etc.).
1. Extend the Samba schema:
NOTE: Extending the Samba schema is a dangerous operation, so it is recommended to create a backup of the schema (sam.ldb) before you start working on it!!!
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Att_extensions.ldif --option="dsdb:schema update allowed"=true
<file: Att_extensions.ldif>
# Scalix attribute definitions for the Samba4 (AD) schema.
# Note: oMSyntax was not present in the original entries, and isSingleValued
# was missing on scalixHideUserEntry and scalixMailboxClass. AD requires both
# next to attributeSyntax, so the standard oMSyntax values are added here
# (1 = Boolean, 2 = Integer, 64 = Unicode string) and the two missing
# isSingleValued values are assumed (FALSE / TRUE) to match their siblings.
dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
cn: scalixScalixObject
name: scalixScalixObject
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.12
cn: scalixAdministrator
name: scalixAdministrator
lDAPDisplayName: scalixAdministrator
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixMailboxAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.13
cn: scalixMailboxAdministrator
name: scalixMailboxAdministrator
lDAPDisplayName: scalixMailboxAdministrator
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixLimitMailboxSize,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.16
cn: scalixLimitMailboxSize
name: scalixLimitMailboxSize
lDAPDisplayName: scalixLimitMailboxSize
attributeSyntax: 2.5.5.9
oMSyntax: 2
isSingleValued: FALSE

dn: CN=scalixLimitOutboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.17
cn: scalixLimitOutboundMail
name: scalixLimitOutboundMail
lDAPDisplayName: scalixLimitOutboundMail
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixLimitInboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.18
cn: scalixLimitInboundMail
name: scalixLimitInboundMail
lDAPDisplayName: scalixLimitInboundMail
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixLimitNotifyUser,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.19
cn: scalixLimitNotifyUser
name: scalixLimitNotifyUser
lDAPDisplayName: scalixLimitNotifyUser
attributeSyntax: 2.5.5.8
oMSyntax: 1
isSingleValued: FALSE

dn: CN=scalixHideUserEntry,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.20
cn: scalixHideUserEntry
name: scalixHideUserEntry
lDAPDisplayName: scalixHideUserEntry
attributeSyntax: 2.5.5.8
oMSyntax: 1
# isSingleValued was missing in the original entry; FALSE assumed (as for the other booleans)
isSingleValued: FALSE

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
cn: scalixMailnode
name: scalixMailnode
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=scalixServerLanguage,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.14
cn: scalixServerLanguage
name: scalixServerLanguage
lDAPDisplayName: scalixServerLanguage
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: TRUE

dn: CN=scalixEmailAddress,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.15
cn: scalixEmailAddress
name: scalixEmailAddress
lDAPDisplayName: scalixEmailAddress
attributeSyntax: 2.5.5.12
oMSyntax: 64
isSingleValued: FALSE

dn: CN=scalixMailboxClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.21
cn: scalixMailboxClass
name: scalixMailboxClass
lDAPDisplayName: scalixMailboxClass
attributeSyntax: 2.5.5.12
oMSyntax: 64
# isSingleValued was missing in the original entry; TRUE assumed (a mailbox has one class)
isSingleValued: TRUE
</file>
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Class_extensions.ldif --option="dsdb:schema update allowed"=true
<file: Class_extensions.ldif>
# Auxiliary classes carrying the Scalix attributes.
# Note: changetype: add and subClassOf: top were not in the original entries;
# AD requires subClassOf on every classSchema object, so it is added here.
dn: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.10
cn: scalixUserClass
name: scalixUserClass
lDAPDisplayName: scalixUserClass
description: Supplemental class containing the Scalix User-related attributes
subClassOf: top
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: scalixAdministrator
mayContain: scalixMailboxAdministrator
mayContain: scalixServerLanguage
mayContain: scalixEmailAddress
mayContain: scalixLimitMailboxSize
mayContain: scalixLimitOutboundMail
mayContain: scalixLimitInboundMail
mayContain: scalixLimitNotifyUser
mayContain: scalixHideUserEntry
mayContain: scalixMailboxClass
defaultObjectCategory: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL

dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
cn: scalixGroupClass
name: scalixGroupClass
lDAPDisplayName: scalixGroupClass
description: Supplemental class containing the Scalix Group-related attributes
subClassOf: top
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
mayContain: scalixHideUserEntry
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
</file>
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Users_extensions.ldif --option="dsdb:schema update allowed"=true
<file: Users_extensions.ldif>
dn: CN=User,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixUserClass
-
</file>
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Groups_extensions.ldif --option="dsdb:schema update allowed"=true
<file: Groups_extensions.ldif>
dn: CN=Group,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixGroupClass
-
</file>
2. Extend existing Samba4 users.
For every user you wish to add to Scalix, run:
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_user.ldif --option="dsdb:schema update allowed"=true
replacing "CN=testsx" in the file with "CN=<other user name>".
<file: Mod_user.ldif>
dn: CN=testsx,CN=Users,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
replace: scalixMailboxClass
scalixMailboxClass: FULL
-
replace: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
replace: scalixEmailAddress
scalixEmailAddress: testsx@test.scalix.local
-
replace: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
replace: scalixAdministrator
scalixAdministrator: FALSE
-
</file>
3. Extend existing Samba4 groups.
/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_groups.ldif --option="dsdb:schema update allowed"=true
<file: Mod_groups.ldif>
dn: CN=scalixtestGR,CN=Users,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
</file>
4. Add a new user to Samba4.
Create the new Samba user:
/Path/to/samba/bin/samba-tool user add testsx
and modify it as in chapter 2. (I was working from the command prompt, so I used this way. There are simpler ways to create users, but I described the heaviest variant.)
5. Create a new group on Samba4.
/Path/to/samba/bin/samba-tool group add scalixtestGR
and modify it as in chapter 3.
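Chapters 2 to 5 apply the same set of replace operations to every user or group by hand-editing CN=testsx; the following added example (my own code, not part of this page, Scalix or Samba) generates those Mod_user.ldif / Mod_groups.ldif records for any account, with the "-" separators a proper LDIF modify record needs and base64 encoding for values that are not safe 7-bit text. The base DN, mailnode and mail domain are parameters whose defaults are the test values from this page.

```python
"""Generate the Mod_user.ldif / Mod_groups.ldif records from chapters 2 and 3
for arbitrary accounts."""
import base64

BASE_DN = "DC=TEST,DC=SCALIX,DC=LOCAL"   # test DN from this page; replace with yours

def ldif_value(value):
    """Return ': value' or, when the value is not safe LDIF text (non-ASCII,
    leading space/colon/'<', trailing space), ':: <base64>'."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")) and not value.endswith(" "))
    if safe:
        return ": " + value
    return ":: " + base64.b64encode(value.encode("utf-8")).decode("ascii")

def modify_record(dn, changes):
    """One 'changetype: modify' record; every change is a 'replace' so the
    file can be re-applied safely. changes: ordered (attribute, value) pairs."""
    lines = ["dn" + ldif_value(dn), "changetype: modify"]
    for attr, value in changes:
        lines += ["replace: " + attr, attr + ldif_value(value), "-"]
    return "\n".join(lines) + "\n"

def mod_user_ldif(cn, mail_domain="test.scalix.local", mailnode="sxmail",
                  base_dn=BASE_DN):
    """The attribute set the page applies to testsx, for the user named cn.
    cn must already be DN-escaped (e.g. a comma inside the name as '\\,')."""
    return modify_record(f"CN={cn},CN=Users,{base_dn}", [
        ("scalixScalixObject", "TRUE"),
        ("scalixMailnode", mailnode),
        ("scalixMailboxClass", "FULL"),
        ("scalixServerLanguage", "ENGLISH"),
        ("scalixEmailAddress", f"{cn}@{mail_domain}"),
        ("scalixLimitOutboundMail", "FALSE"),
        ("scalixAdministrator", "FALSE"),
    ])

def mod_group_ldif(cn, mailnode="sxmail", base_dn=BASE_DN):
    """The two attributes chapter 3 sets on the group scalixtestGR."""
    return modify_record(f"CN={cn},CN=Users,{base_dn}", [
        ("scalixScalixObject", "TRUE"), ("scalixMailnode", mailnode)])
```

Write the returned text to a file and feed it to the ldbmodify command from chapter 2 or 3.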
6. Add a service principal (keytab).
Create a user named "scalix-ual":
/Path/to/samba/bin/samba-tool user add scalix-ual
Create the service principal:
/Path/to/samba/bin/samba-tool spn add scalix-ual/scalix.test.local scalix-ual
Create the keytab file:
/Path/to/samba/bin/samba-tool domain exportkeytab ./test.keytab --principal=scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
7. Kerberos config on the Scalix system.
Copy test.keytab to the Scalix server (it contains the service account's keys, so copy it over a secure channel).
Run: ommergekeys ./test.keytab
Run: omkrbconf -r TEST.SCALIX.LOCAL -s 192.168.56.100 -d TEST.SCALIX.LOCAL
8. Test Kerberos.
Check that the merged keytab holds the principal (one line per encryption type):
[root@scalix scalix-tomcat]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
Then request a ticket for the service account:
kinit scalix-ual@TEST.SCALIX.LOCAL
If there are no errors, everything is OK.
9. Scalix Samba4 sync.
Create a Samba SA (Synchronization Agreement) as described in chapter 7, Scalix AD sync.
Then go to /var/opt/scalix/??/s/ldapsync/[Agreement_name] and in sync.cfg change these lines:
sn|S|*1,40|*
==>
name|S|*|*
...
givenName|G|*,1,16!ISPRESENT=surname|*
==>
name|G|*,1,16!ISPRESENT=surname|*
and run: omldapsync -u [Agreement_name]
10. Tests.
In /var/opt/scalix/??/s/sys/pam.d modify the authentication files:
<file: omslapdeng>
# Standard Scalix Authentication
# Comment this out if you want to use one of the alternative authentication
# schemes below.
auth required om_auth nullok
# Kerberos authentication 1
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#auth sufficient om_auth nullok
#auth sufficient om_krb5 use_first_pass
#auth required pam_deny
# Kerberos authentication 2
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#auth required om_krb5 user_unknown=ignore
#auth optional om_auth nullok use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes
# above. See om_ldap(8) for more information.
# LDAP authentication 1
#auth sufficient om_auth nullok
#auth sufficient om_ldap use_first_pass
#auth required pam_deny
# LDAP authentication 2
#auth required om_ldap user_unknown=ignore
#auth optional om_auth nullok use_first_pass
# Combined authentication
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#auth required om_krb5 user_unknown=ignore
#auth required om_ldap user_unknown=ignore
#auth optional om_auth nullok use_first_pass
#account required om_auth
#password required om_auth nullok
#auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok
</file>
<file: pop3>
auth sufficient om_krb5 use_first_pass
auth required pam_deny
account required om_auth
password required om_auth
</file>
<file: smtpd.auth>
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
</file>
<file: ual.local>
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nopreauth nullok
</file>
<file: ual.remote>
# Standard Scalix Authentication
# Comment this out if you want to use one of the alternative authentication
# schemes below.
#auth required om_auth nullok
# Kerberos authentication 1
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
#auth sufficient om_auth nullok
#auth sufficient om_krb5 use_first_pass
#auth required pam_deny
# Kerberos authentication 2
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
#auth required om_krb5 user_unknown=ignore
#auth optional om_auth nullok use_first_pass
# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes
# above. See om_ldap(8) for more information.
# LDAP authentication 1
#auth sufficient om_auth nullok
#auth sufficient om_ldap use_first_pass
#auth required pam_deny
# LDAP authentication 2
#auth required om_ldap user_unknown=ignore
#auth optional om_auth nullok use_first_pass
# Combined authentication
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
#auth required om_krb5 user_unknown=ignore
#auth required om_ldap user_unknown=ignore
#auth optional om_auth nullok use_first_pass
#account required om_auth
#password required om_auth nullok
auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok
</file>
Restart the Scalix services and try to log in via Outlook, SWA, or POP3/IMAP.
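The control-flag semantics that the comments in the PAM files above rely on (sufficient short-circuits the stack, required forces a failure but keeps evaluating, user_unknown=ignore lets om_krb5 step aside) decide which backend sees a login attempt, which is exactly the KDC lockout concern the comments raise. The following is an added example, not part of the original page or of Scalix, that models those rules in plain Python over constructed accounts and reports which modules each Kerberos scheme consults. It is a simplified model: nullok and use_first_pass are treated as no-ops, and om_auth / om_krb5 are dictionary-backed stand-ins.

```python
"""Simplified model of the PAM 'auth' stacks used in the Scalix files above."""
SUCCESS, FAIL, IGNORE = "success", "fail", "ignore"

# Constructed test accounts (not from the page): who each backend knows.
KDC_PRINCIPALS = {"testsx": "krb-pw", "kerbonly": "krb-pw"}          # Samba4 KDC
SCALIX_PASSWORDS = {"testsx": "local-pw", "localonly": "local-pw"}   # om_auth

def _backend(table, user, password, opts):
    """Stand-in for om_auth / om_krb5: IGNORE unknown users only when the
    module was given user_unknown=ignore, otherwise fail them."""
    if user not in table:
        return IGNORE if opts.get("user_unknown") == "ignore" else FAIL
    return SUCCESS if table[user] == password else FAIL

def om_auth(user, password, opts):
    return _backend(SCALIX_PASSWORDS, user, password, opts)

def om_krb5(user, password, opts):
    return _backend(KDC_PRINCIPALS, user, password, opts)

def pam_deny(user, password, opts):
    return FAIL

def run_stack(stack, user, password):
    """Evaluate one 'auth' stack in file order.
    Returns (final result, names of the modules that were consulted)."""
    consulted, required_failed, any_success = [], False, False
    for control, module, opts in stack:
        rc = module(user, password, opts)
        consulted.append(module.__name__)
        if rc == IGNORE:                     # user_unknown=ignore: module steps aside
            continue
        if control == "sufficient":
            if rc == SUCCESS and not required_failed:
                return SUCCESS, consulted    # short-circuit: later modules never run
        elif control == "required" and rc == FAIL:
            required_failed = True           # answer is already FAIL, but keep going
        elif rc == SUCCESS:                  # required or optional success
            any_success = True
    if required_failed or not any_success:
        return FAIL, consulted
    return SUCCESS, consulted

# The two Kerberos schemes from the omslapdeng / ual.remote comments
# (nullok and use_first_pass are treated as no-ops in this model).
KRB_SCHEME_1 = [("sufficient", om_auth, {}), ("sufficient", om_krb5, {}),
                ("required", pam_deny, {})]
KRB_SCHEME_2 = [("required", om_krb5, {"user_unknown": "ignore"}),
                ("optional", om_auth, {})]
```

In scheme 1 a valid Scalix password never reaches the KDC, while in scheme 2 every attempt by a user the KDC knows is judged by the KDC first, so the local password no longer works for such users.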