Difference between revisions of "HowTos/Samba4"

From Scalix Wiki

Revision as of 11:36, 3 November 2014

Test Scalix server:

IP - 192.168.56.105
Hostname - mail.scalix.test

Samba4 server:

IP - 192.168.56.100
Hostname - DC.test.local
Domain - TEST.SCALIX.LOCAL

Samba test user name: testsx

Samba test group name: scalixtestGR

Before you start: this page describes the test configuration above; for any other deployment you need to adjust some settings (replace the DN DC=TEST,DC=SCALIX,DC=LOCAL with your own DN, etc.).

1. Extend the Samba schema:

NOTE: Extending the Samba schema is a risky process that cannot easily be undone, so back up the schema before you start working with it!

/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Att_extensions.ldif --option="dsdb:schema update allowed"=true

<file: Att_extensions.ldif>

dn: CN=scalixScalixObject,CN=Schema,CN=Configuration,DC=TEST,DC=SCALIX,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.10
cn: scalixScalixObject
name: scalixScalixObject
lDAPDisplayName: scalixScalixObject
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.12
cn: scalixAdministrator
name: scalixAdministrator
lDAPDisplayName: scalixAdministrator
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixMailboxAdministrator,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.13
cn: scalixMailboxAdministrator
name: scalixMailboxAdministrator
lDAPDisplayName: scalixMailboxAdministrator
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitMailboxSize,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.16
cn: scalixLimitMailboxSize
name: scalixLimitMailboxSize
lDAPDisplayName: scalixLimitMailboxSize
attributeSyntax: 2.5.5.9
isSingleValued: FALSE

dn: CN=scalixLimitOutboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.17
cn: scalixLimitOutboundMail
name: scalixLimitOutboundMail
lDAPDisplayName: scalixLimitOutboundMail
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitInboundMail,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.18
cn: scalixLimitInboundMail
name: scalixLimitInboundMail
lDAPDisplayName: scalixLimitInboundMail
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixLimitNotifyUser,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.19
cn: scalixLimitNotifyUser
name: scalixLimitNotifyUser
lDAPDisplayName: scalixLimitNotifyUser
attributeSyntax: 2.5.5.8
isSingleValued: FALSE

dn: CN=scalixHideUserEntry,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.20
cn: scalixHideUserEntry
name: scalixHideUserEntry
lDAPDisplayName: scalixHideUserEntry
attributeSyntax: 2.5.5.8

dn: CN=scalixMailnode,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.11
cn: scalixMailnode
name: scalixMailnode
lDAPDisplayName: scalixMailnode
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=scalixServerLanguage,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.14
cn: scalixServerLanguage
name: scalixServerLanguage
lDAPDisplayName: scalixServerLanguage
attributeSyntax: 2.5.5.12
isSingleValued: TRUE

dn: CN=scalixEmailAddress,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.15
cn: scalixEmailAddress
name: scalixEmailAddress
lDAPDisplayName: scalixEmailAddress
attributeSyntax: 2.5.5.12
isSingleValued: FALSE

dn: CN=scalixMailboxClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.19049.1.1.21
cn: scalixMailboxClass
name: scalixMailboxClass
lDAPDisplayName: scalixMailboxClass
attributeSyntax: 2.5.5.12

</file>

/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Class_extensions.ldif --option="dsdb:schema update allowed"=true

<file: Class_extensions.ldif>

dn: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.10
cn: scalixUserClass
name: scalixUserClass
lDAPDisplayName: scalixUserClass
description: Supplemental class containing the Scalix User-related attributes
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: scalixAdministrator
mayContain: scalixMailboxAdministrator
mayContain: scalixServerLanguage
mayContain: scalixEmailAddress
mayContain: scalixLimitMailboxSize
mayContain: scalixLimitOutboundMail
mayContain: scalixLimitInboundMail
mayContain: scalixLimitNotifyUser
mayContain: scalixHideUserEntry
mayContain: scalixMailboxClass
defaultObjectCategory: CN=scalixUserClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL

dn: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: add
objectClass: top
objectClass: classSchema
governsID: 1.3.6.1.4.1.19049.1.2.11
cn: scalixGroupClass
name: scalixGroupClass
lDAPDisplayName: scalixGroupClass
description: Supplemental class containing the Scalix Group-related attributes
objectClassCategory: 3
mayContain: scalixScalixObject
mayContain: scalixMailnode
mayContain: displayName
mayContain: scalixEmailAddress
mayContain: scalixHideUserEntry
defaultObjectCategory: CN=scalixGroupClass,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL

</file>

/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Users_extensions.ldif --option="dsdb:schema update allowed"=true

<file: Users_extensions.ldif>

dn: CN=User,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixUserClass

</file>

/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Groups_extensions.ldif --option="dsdb:schema update allowed"=true

<file: Groups_extensions.ldif>

dn: CN=Group,CN=Schema,CN=Configuration,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: scalixGroupClass

</file>


2. Extend existing Samba4 users.

For every user you want to add to Scalix, run: /Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_user.ldif --option="dsdb:schema update allowed"=true

Replace "CN=testsx" with "CN=<other user name>" in the file below.

<file: Mod_user.ldif>

dn: CN=testsx,CN=Users,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-
replace: scalixMailboxClass
scalixMailboxClass: FULL
-
replace: scalixServerLanguage
scalixServerLanguage: ENGLISH
-
replace: scalixEmailAddress
scalixEmailAddress: testsx@test.scalix.local
-
replace: scalixLimitOutboundMail
scalixLimitOutboundMail: FALSE
-
replace: scalixAdministrator
scalixAdministrator: FALSE
-

</file>
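Step 2 has to be repeated for every user, and the values must fit the syntax declared in Att_extensions.ldif (2.5.5.8 Boolean, 2.5.5.9 Integer, 2.5.5.12 string, isSingleValued). The generator below is an added example, not code from the Scalix wiki or the Scalix project: it emits the Mod_user.ldif record for a list of users and rejects values ldbmodify would otherwise accept only to fail later. Helper names are hypothetical; it assumes scalixHideUserEntry and scalixMailboxClass are multi-valued, since the page omits isSingleValued for them.

```python
# Added example, not from the Scalix page: build the step-2 Mod_user.ldif record
# for many users and check each value against the attributeSyntax/isSingleValued
# declared in Att_extensions.ldif before ldbmodify sees it. Names are hypothetical.
BOOLEAN, INTEGER, STRING = "2.5.5.8", "2.5.5.9", "2.5.5.12"   # syntax OIDs from the page

# lDAPDisplayName -> (attributeSyntax, isSingleValued); the page omits
# isSingleValued for scalixHideUserEntry and scalixMailboxClass (assumed FALSE).
SCHEMA = {
    **{a: (BOOLEAN, False) for a in (
        "scalixScalixObject", "scalixAdministrator", "scalixMailboxAdministrator",
        "scalixLimitOutboundMail", "scalixLimitInboundMail",
        "scalixLimitNotifyUser", "scalixHideUserEntry")},
    "scalixLimitMailboxSize": (INTEGER, False),
    "scalixMailnode": (STRING, True),
    "scalixServerLanguage": (STRING, True),
    "scalixEmailAddress": (STRING, False),
    "scalixMailboxClass": (STRING, False),
}

def check_value(attr, values):
    """Raise ValueError when values violate the declared syntax or cardinality."""
    syntax, single = SCHEMA[attr]          # KeyError: attribute is not in the schema
    if single and len(values) != 1:
        raise ValueError(f"{attr} is single-valued, got {values}")
    for v in values:
        if syntax == BOOLEAN and v not in ("TRUE", "FALSE"):
            raise ValueError(f"{attr}: expected TRUE/FALSE, got {v!r}")
        if syntax == INTEGER and not v.lstrip("-").isdigit():
            raise ValueError(f"{attr}: expected an integer, got {v!r}")

def user_ldif(cn, base_dn, attrs):
    """One 'changetype: modify' record with RFC 2849 '-' separators."""
    lines = [f"dn: CN={cn},CN=Users,{base_dn}", "changetype: modify"]
    for attr, values in attrs.items():
        check_value(attr, values)
        lines.append(f"replace: {attr}")
        lines.extend(f"{attr}: {v}" for v in values)
        lines.append("-")
    return "\n".join(lines) + "\n"

def scalix_user_attrs(cn, mail_domain, mailnode="sxmail"):
    """The attribute set step 2 assigns to testsx, parameterised by user name."""
    return {"scalixScalixObject": ["TRUE"], "scalixMailnode": [mailnode],
            "scalixMailboxClass": ["FULL"], "scalixServerLanguage": ["ENGLISH"],
            "scalixEmailAddress": [f"{cn}@{mail_domain}"],
            "scalixLimitOutboundMail": ["FALSE"], "scalixAdministrator": ["FALSE"]}

def batch_ldif(users, base_dn, mail_domain):   # records separated by a blank line
    return "\n".join(user_ldif(u, base_dn, scalix_user_attrs(u, mail_domain))
                     for u in users)
```

Write the output of batch_ldif() to Mod_user.ldif and feed it to the ldbmodify command from step 2; a ValueError means the input would have produced a schema violation.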


3. Extend existing Samba4 groups.

/Path/To/samba/bin/ldbmodify --url=/Path/To/samba/private/sam.ldb ./Mod_groups.ldif --option="dsdb:schema update allowed"=true

<file: Mod_groups.ldif>

dn: CN=scalixtestGR,CN=Users,DC=TEST,DC=scalix,DC=LOCAL
changetype: modify
replace: scalixScalixObject
scalixScalixObject: TRUE
-
replace: scalixMailnode
scalixMailnode: sxmail
-

</file>

4. Add a new user to Samba4.

Create a new Samba user: /Path/to/samba/bin/samba-tool user add testsx

and modify it as in step 2. (I was working from the command prompt, so I used this approach. There are simpler ways to create users, but I described the most heavyweight variant.)


5. Create a new group on Samba4.

/Path/to/samba/bin/samba-tool group add scalixtestGR

and modify it as in step 3.


6. Add a service principal (keytab).

Create a user named "scalix-ual": /Path/to/samba/bin/samba-tool user add scalix-ual

Create the service principal: /Path/to/samba/bin/samba-tool spn add scalix-ual/scalix.test.local scalix-ual

Create the keytab file: /Path/to/samba/bin/samba-tool domain exportkeytab ./test.keytab --principal=scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL

7. Kerberos config on Scalix system.

Copy test.keytab to the Scalix server.

run: ommergekeys ./test.keytab

run: omkrbconf -r TEST.SCALIX.LOCAL -s 192.168.56.100 -d TEST.SCALIX.LOCAL

8. Test Kerberos.

[root@scalix scalix-tomcat]# klist -k
Keytab name: FILE:/etc/krb5.keytab
KVNO Principal
---- --------------------------------------------------------------------------
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL
   1 scalix-ual/scalix.test.local@TEST.SCALIX.LOCAL

kinit scalix-ual@TEST.SCALIX.LOCAL

If there are no errors, everything is working.

9. Scalix Samba4 sync.

Create a Samba SA (Synchronization Agreement) as in chapter 7 of Scalix AD sync.

Then go to /var/opt/scalix/??/s/ldapsync/[Agreement_name] and in sync.cfg change these lines:

sn|S|*1,40|*

==>

name|S|*|*

...

givenName|G|*,1,16!ISPRESENT=surname|*

==>

name|G|*,1,16!ISPRESENT=surname|*

and run omldapsync -u [Agreement_name]

10. Tests.

In /var/opt/scalix/??/s/sys/pam.d modify the authentication files:

<file: omslapdeng>

# Standard Scalix Authentication
# Comment this out if you want to use one of the alternative authentication
# schemes below.
auth required om_auth nullok

# Kerberos authentication 1
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
# auth sufficient om_auth nullok
# auth sufficient om_krb5 use_first_pass
# auth required pam_deny

# Kerberos authentication 2
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
# auth required om_krb5 user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
# LDAP authentication 1
# auth sufficient om_auth nullok
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# Combined authentication
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
# auth required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# account required om_auth
# password required om_auth nullok

# auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok

</file>

<file: pop3>

auth sufficient om_krb5 use_first_pass
auth required pam_deny
account required om_auth
password required om_auth

</file>

<file: smtpd.auth>

auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth

</file>

<file: ual.local>

auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nopreauth nullok

</file>

<file: ual.remote>

# Standard Scalix Authentication
# Comment this out if you want to use one of the alternative authentication
# schemes below.
# auth required om_auth nullok

# Kerberos authentication 1
# With this scheme we attempt local authentication first and, if that
# fails, we try kerberos authentication. Note that if we do it the other
# way around we run the risk of the KDC locking a principal account for
# users that are known to both Kerberos and Scalix. See om_krb5(8) for more
# information.
# auth sufficient om_auth nullok
# auth sufficient om_krb5 use_first_pass
# auth required pam_deny

# Kerberos authentication 2
# With this scheme, users that are known to the kerberos KDC, must
# authenticate using kerberos. Users not known to the kerberos KDC can log
# in using their Scalix password. See om_krb5(8) for more information.
# auth required om_krb5 user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# LDAP Authentication.
# There are two possible schemes corresponding to the two Kerberos schemes.
# above See om_ldap(8) for more information.
# LDAP authentication 1
# auth sufficient om_auth nullok
# auth sufficient om_ldap use_first_pass
# auth required pam_deny
# LDAP authentication 2
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# Combined authentication
# It is possible to combine Kerberos authentication 1 and LDAP
# authentication 1, although there is no good way to escape false negative
# authentication attempts with one or the other scheme. If users are known
# to either Kerberos or LDAP then we can extend scheme 2 for combined
# authentication:
# auth required om_krb5 user_unknown=ignore
# auth required om_ldap user_unknown=ignore
# auth optional om_auth nullok use_first_pass

# account required om_auth
# password required om_auth nullok

auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass
account required om_auth
password required om_auth nullok

</file>

Restart the Scalix services and try to log in via Outlook, SWA, or POP3/IMAP.
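The pam.d comments above explain why "Kerberos authentication 1" tries the local Scalix password before the KDC and why "Kerberos authentication 2" forces Kerberos for every principal the KDC knows. The evaluator below is an added example, not part of the Scalix page or product: it walks the auth lines of those two stacks with Linux-PAM required/sufficient/optional semantics and records every password attempt that reaches the KDC, which is exactly the lockout exposure the comment warns about. The accounts and the module behaviour (om_auth, om_krb5 with user_unknown=ignore, pam_deny) are constructed approximations for this example.

```python
# Added example, not from the Scalix page: evaluates the "auth" lines of the
# pam.d stacks from step 10 with Linux-PAM required/sufficient/optional
# semantics and counts the password attempts that reach the KDC, which is the
# lockout risk the file's "Kerberos authentication 1" comment warns about.
# Module behaviour and the accounts below are constructed for this example.
import re

ACCOUNTS = {  # Scalix-local password, Kerberos (AD) password or None
    "testsx": {"local": "sx-pass", "krb": "ad-pass"},   # known to both
    "legacy": {"local": "old-pass", "krb": None},       # Scalix only
}

def run_module(module, args, user, password, kdc_log):
    """Return 'ok', 'fail' or 'ignore' for one module invocation."""
    acct = ACCOUNTS.get(user, {})
    if module == "pam_deny":
        return "fail"
    if module == "om_auth":                       # Scalix local password check
        return "ok" if acct.get("local") == password else "fail"
    if module == "om_krb5":                       # every call here hits the KDC
        if acct.get("krb") is None:               # principal unknown to the KDC
            return "ignore" if "user_unknown=ignore" in args else "fail"
        kdc_log.append((user, acct["krb"] == password))
        return "ok" if acct["krb"] == password else "fail"
    raise ValueError(f"unknown module {module}")

def pam_auth(stack, user, password):
    """Walk the auth lines of a pam.d file; returns (granted, kdc_attempts)."""
    kdc_log, failed, succeeded = [], False, False
    for line in stack.splitlines():
        line = line.split("#", 1)[0].strip()       # '#' comments are inert
        m = re.match(r"auth\s+(\w+)\s+(\S+)\s*(.*)", line)
        if not m:
            continue                               # account/password lines etc.
        control, module, args = m.groups()
        res = run_module(module, args, user, password, kdc_log)
        if res == "ok":
            succeeded = True
            if control == "sufficient" and not failed:
                return True, kdc_log               # short-circuit: later lines never run
        elif res == "fail" and control == "required":
            failed = True
    return succeeded and not failed, kdc_log

# The two schemes from the page's pam.d comments (active lines only).
KERBEROS_1 = """auth sufficient om_auth nullok
auth sufficient om_krb5 use_first_pass
auth required pam_deny"""
KERBEROS_2 = """auth required om_krb5 user_unknown=ignore
auth optional om_auth nullok use_first_pass"""
```

Running pam_auth(KERBEROS_1, "testsx", "sx-pass") grants access without touching the KDC, while the same credentials under KERBEROS_2 are refused and leave one failed attempt in the KDC log, which is what accumulates toward a lockout for users known to both systems.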