On 09/25/2015 08:38 PM, Ludovic Marcotte wrote:
On 25/09/2015 15:40, Steve Ankeny wrote:
(1) What are the differences between Ubuntu Samba 4.1.6 and Inverse
Samba 4.1.18 in terms of libraries? Could there be some library or
package from 4.1.6 which if removed would cause 4.1.18 to work properly?
It seems to me this might be the source of my problems, as I
originally installed 4.1.6
If you use our repository for Samba packages, all should be
up-to-date. Here is the bash Samba/OpenChancge function used in the
script to prepare the ZEG:
function setupSambaOpenChange {
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak || true
apt-get -y install samba openchangeserver sogo-openchange \
openchangeproxy python-ocsmanager
openchange-ocsmanager openchange-rpcproxy python-sievelib python-spyne
python-rpclib python-mysqldb
ln -s /etc/apache2/conf.d/ocsmanager.conf
/etc/apache2/conf-available/ocsmanager.conf
ln -s /etc/apache2/conf.d/rpcproxy.conf
/etc/apache2/conf-available/rpcproxy.conf
cat >/etc/apache2/conf.d/rpcproxy.conf <<EOF
KeepAliveTimeout 120
WSGILazyInitialization On
WSGIPythonPath /usr/lib/openchange/web/rpcproxy
<Directory /usr/lib/openchange/web/rpcproxy/>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>
SetEnv RPCPROXY_LOGLEVEL INFO
SetEnv NTLMAUTHHANDLER_WORKDIR /var/cache/ntlmauthhandler
SetEnv SAMBA_HOST 127.0.0.1
WSGIPassAuthorization On
WSGIProcessGroup %{GLOBAL}
</Directory>
WSGIScriptAlias /rpc/rpcproxy.dll
/usr/lib/openchange/web/rpcproxy/rpcproxy.wsgi
WSGIScriptAlias /rpcwithcert/rpcproxy.dll
/usr/lib/openchange/web/rpcproxy/rpcproxy.wsgi
EOF
My 'rpcproxy.conf' was not EXACTLY the same as here, but I've changed it.
It was missing the 'IfVersion' lines and specifically, 'Order,
deny,allow' 'Allow from all'
THAT may or may not make a difference but I've modified mine to match
your script.
# ocsmanager
cat >/etc/ocsmanager/ocsmanager.ini <<EOF
[DEFAULT]
debug = true
email_to = y...@yourdomain.com
smtp_server = localhost
error_email_from = paste@localhost
[main]
auth = ldap
mapistore_root = /var/lib/samba/private
mapistore_data = /var/lib/samba/private/mapistore
debug = yes
[auth:file]
[auth:ldap]
host = ldap://127.0.0.1
port = 389
bind_dn = cn=administrator,cn=Users,dc=example,dc=com
bind_pw = %1OpenChange
basedn = cn=Users,dc=example,dc=com
[auth:single]
username = openchange
password = {SSHA}I6Hy5Wv0wuxyXvMBFWFQDVVN12_CLaX9
How important is THIS password with THIS hash?
The same hash is used in the Configuration guide for 'openchange$123'
Should it not be the hash generated in MySQL for "my" password? (if I've
changed it)
[server:main]
use = egg:Paste#http
host = 127.0.0.1
port = 5000
protocol_version = HTTP/1.1
[app:main]
use = egg:ocsmanager
full_stack = true
static_files = true
cache_dir = %(here)s/data
beaker.session.key = ocsmanager
beaker.session.secret = SDyKK3dKyDgW0mlpqttTMGU1f
app_instance_uuid = {ee533ebc-f266-49d1-ae10-d017ee6aa98c}
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler
SAMBA_HOST = 127.0.0.1
[rpcproxy:ldap]
host = localhost
port = 389
basedn = CN=Users,DC=example,DC=com
set debug = true
[autodiscover]
[autodiscover:rpcproxy]
enabled = true
[outofoffice]
[outofoffice:file]
sieve_script_path = /var/vmail/\$domain/\$user/sieve-script
My line reads 'sieve_script_path = /var/vmail/$domain/$user/sieve-script'
The example in the Configuration guide does not include the back slashes.
How important are the back slashes? I will modify mine and test it.
sieve_script_path_mkdir = false
[outofoffice:managesieve]
secret = secret
[loggers]
keys = root
[handlers]
keys = console
[formatters]
keys = generic
[logger_root]
level = INFO
handlers = console
[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic
[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s]
%(message)s
EOF
# enable modules
a2enconf rpcproxy
a2enconf ocsmanager
# it gets better, provision will fail if smb.conf exists
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak || true
rm -rf /var/lib/samba/private/* || true
samba-tool domain provision --realm=$DOMAINNAME.$TLD \
--domain=$DOMAINNAMEUPPER \
--adminpass='%1OpenChange' \
--server-role='domain controller'
samba-tool user setexpiry administrator --noexpiry
cat >/etc/samba/smb.conf <<EOF
# Global parameters
[global]
server role = active directory domain controller
workgroup = $DOMAINNAMEUPPER
realm = $DOMAINNAME.$TLD
netbios name = sogo
passdb backend = samba4
dns forwarder = 8.8.4.4
### Configuration required by OpenChange server ###
dsdb:schema update allowed = true
dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
Again, the Configuration guide lists ONLY 'dcerpc endpoint servers =
+epmapper, +mapiproxy'
I have been using 'dcerpc endpoint servers = +mapiproxy'
How important are these DCERPC calls when Samba AD includes 'epmapper' &
'dnsserver' natively?
adam@sogo:~$ samba-tool testparm -v | grep 'dcerpc endpoint servers'
dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr,
netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser,
eventlog6, backupkey, dnsserver
adam@sogo:~$
It is my understanding that invoking 'epmapper' & 'dnsserver' through
DCERPC calls disables --
wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup,
unixinfo, browser, eventlog6, backupkey
Are we sure we want to "turn off" those endpoint servers?
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp,
exchange_ds_rfr
mapistore:namedproperties = mysql
namedproperties:mysql_user = openchange-user
namedproperties:mysql_pass = openchange123
namedproperties:mysql_host = localhost
namedproperties:mysql_db = openchange
HERE the OpenChange password is 'openchange123' See the discussion
above on password & hash.
mapistore:indexing_backend =
mysql://openchange-user:openchange123@localhost/openchange
mapiproxy:openchangedb =
mysql://openchange-user:openchange123@localhost/openchange
### Configuration required by OpenChange server ###
[netlogon]
path = /var/lib/samba/sysvol/$DOMAINNAME.$TLD/scripts
read only = No
[sysvol]
path = /var/lib/samba/sysvol
read only = No
EOF
# sogo config link since samba is started as root
rm -rf /root/GNUstep || true
ln -s ~sogo/GNUstep /root/
I find no link of '~sogo/GNUstep' in '/root' although 'root' has access
to the directory.
# OpenChange MySQL indexing db
mysql -uroot <<EOF
CREATE USER "openchange-user"@"localhost" IDENTIFIED BY "openchange123";
GRANT ALL PRIVILEGES ON openchange.* TO "openchange-user"@"localhost"
WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF
/usr/sbin/openchange_provision --standalone
/usr/sbin/openchange_provision --openchangedb --openchangedb-uri
'mysql://openchange-user:openchange123@localhost/openchange'
echo "manual" >> /etc/init/nmbd.conf
echo "manual" >> /etc/init/smbd.conf
service slapd stop
update-rc.d slapd disable
sed -i s/'start on (local-filesystems and net-device-up)'/'start on
(started mysql)'/ /etc/init/samba-ad-dc.conf
start samba-ad-dc
a2enmod proxy proxy_http
/etc/init.d/apache2 restart
echo "supersede domain-name-servers 127.0.0.1;"
>>/etc/dhcp/dhclient.conf
}
(2) Could there be an issue with 'NTLMAuthHandler.py' such as was
experienced in Bug 0002732?
http://www.sogo.nu/bugs/view.php?id=2732
No, that was a packaging issue only affecting RHEL-based distributions.
Thanks,
--
users@sogo.nu
https://inverse.ca/sogo/lists