On Mon, 2010-01-25 at 18:45 +0500, Waseem Azhar wrote:
> Hi Julien,
>
> I need to know have you decided any timeline for adding support for
> "delegated credentials" in mapiproxy? Specially for exchange 2007 ? I
> realized that there are major differences in NT4 and 2003/2007
> compatible domains. Do you think it is even possible with exchange
> 2007 server.
>
> It would be great if you could give some idea.
>
> 1 - Is it doable with exchange 2007 ?

It is.

> 2 - Have you decided any timelines yet ?

I can't give you any time line since there is a research effort involved
here and I am not very familiar with KDC. That is not formally only a
development issue where the only task remaining is "code to write".

> For exchange server 2003, we were able to find a workaround. Importing
> hashes from exchange server 2003 using 'net samdump'. And
> populating credentials structure with password hash at login time.
> This workaround was ok for exchange server 2003 (mixed mode)
> but exchange server 2007 does not respond to 'net samdump' command.
> Probably because I think 'net samdump' only works with NT4 compatible
> Domains.

Could you describe the methodology (with detailed command) so we can add
this to the official documentation? And possibly mapiproxy patches
required to make this NTLM hack work?

I'm sure there may be several other mapiproxy users out there
interested in having similar work-around for their 2k3 environments.

> At this point it is really important to know. At which point, support
> for 'delegated credentials' is going to be added.

Let me be clear. Delegated credentials matters to me since that's the
only remaining feature preventing mapiproxy from entering large
company's network environment smoothly.

In the meantime, if you are ready to spend some time on this, I suggest
we create a development page on the website detailing the different
steps needed to set up the basic environment required for delegated
credentials to work, document the issues with pcap's reference captures
files, then look for work-around/solutions.

When real issues are formally identified, the "when" can be scheduled
properly.

> And have you planned to implement for both Exchange 2003 and 2007
> servers ?

The methodology planned to be used is common both to 2003, 2007 and 2010
environments. It relies on windows KDC and delegated authentication for
Exchange pipes to work. In such case mapiproxy is authorized to
authenticate users on Exchange pipes.

> Thanks.
> -WAzhar
>
> On Sun, Jan 3, 2010 at 2:48 AM, Julien Kerihuel <[email protected]> wrote:
>     Hi Azhar,
>
>     I need to get back to the code and find/read my personal notes. I
>     used to have delegated credentials working under specific
>     environment/configuration - which I honestly don't remember
>     except that:
>
>     - you need to use fully qualified domain names instead of IP
>       address for the binding string
>     - samba4 needs to be provisioned with a server role set to
>       'member server'
>     - the remote exchange server needs to have mapiproxy defined for
>       NSPI, EMSMDB and RFR pipes using a command line option ... I
>       don't remember anymore.
>
>     Anyway, I'll put delegated credentials in the openchange 0.10
>     roadmap.
>
>     I can't yet say when it will be released - we still have to
>     define the features we want + the codename - but I'll let you
>     know when it is available in trunk or when I start working on
>     this task - through trac/reviewboard.
>
>     My first 2010 task is to implement Exchange 2003 0xA and 0xB
>     calls within openchange stack to get rid of some exchange 2007
>     limitations + mapiproxy downgrade module.
>
>     Some kind of adaptive dual MAPI stack using either 0x0/0x2 or
>     0xA/0xB calls.
>
>     Cheers,
>     Julien.
>
>     On Tue, 2009-12-29 at 10:19 +0500, Waseem Azhar wrote:
>     > Hi,
>     >
>     > That's right. I am using mapiproxy. Probably should wait for
>     > Julien to come back.
>     >
>     > Thanks,
>     > Azhar
>     >
>     > On Tue, Dec 29, 2009 at 4:26 AM, Brad Hards <[email protected]> wrote:
>     >     On Monday 28 December 2009 23:26:34 Waseem Azhar wrote:
>     >     > We have been trying to figure out where things go wrong
>     >     > while trying to log in using delegated auth option.
>     >
>     >     I guess you're trying to use mapiproxy here? If so, Julien
>     >     is best placed to answer your questions. However he is
>     >     unlikely to see your questions for about a week.
>
>     --
>     Julien Kerihuel
>     [email protected]
>     OpenChange Project Manager
>
>     GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79
>
> _______________________________________________
> devel mailing list
> [email protected]
> http://mailman.openchange.org/listinfo/devel

-- 
Julien Kerihuel
[email protected]
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A B609 7EF6 FE11 A35F 1F79
