[SOGo] Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-10-06 Thread John Russell
Finally got DNS partially working, the following tests were successful:
host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A sogo.example.com.

Still cannot join any Windows clients (XP or 7) to the EXAMPLE.COM domain.
Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then
--dns-backend=SAMBA_INTERNAL but both return update failed: REFUSED

So DNS now seems to be having permission problems?

Attached are outputs from samba_dnsupdate --verbose --all-names and the
subsequent tail /var/log/syslog. Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell jb.fr...@gmail.com wrote:

 Thought for sure this was a real bug, but you are correct Mr. Bartlett,
 that's just how the SMB protocol works. I verified this with another
 Wireshark capture from the same XP machine and a working SAMBA4 appliance
 from Sernet. This second capture also reveals that bind9 is still having
 issues on the SOGo appliance. The host machine registers itself into the
 DNS zone, but will not add client machines when they try to join the
 domain. How do I use the internal DNS service with SAMBA4?


 On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:

 On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
  Ran Wireshark on the XP client while joining the domain and saw SAM LOGON
  request from client and SAM Active Directory Response - user unknown.
 
  I noticed on the request and the response packets the user name field in
  the packet is blank (yes, I am typing the user name and password into the
  prompt from the XP machine!).
 
  Any ideas on what causes this?

 While an odd feature of the protocol, this is actually a normal
 successful response to the expected packet.  (Essentially, this is a
 historical oddity from a time when asking if a server knew about a user
 over an un-authenticated UDP packet wasn't considered a
 security/confidentiality issue).

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org





 --
 It's better to be boldly decisive and risk being wrong than to agonize at
 length and be right too late.
 Marilyn Moats Kennedy




-- 
It's better to be boldly decisive and risk being wrong than to agonize at
length and be right too late.
Marilyn Moats Kennedy
root@sogo:~# samba_dnsupdate --verbose --all-names
IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
Calling nsupdate for A example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com.            900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sogo.example.com.       900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com.  900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900  IN  SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900  IN  SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN  SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE

[SOGo] Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-10-06 Thread John Russell
Or could be reverse lookup is not working...

root@sogo:~# nslookup sogo
Server: 172.16.1.7
Address:172.16.1.7#53

Name:   sogo.example.com
Address: 172.16.1.7

root@sogo:~# nslookup 172.16.1.7
Server: 172.16.1.7
Address:172.16.1.7#53

** server can't find 7.1.16.172.in-addr.arpa: SERVFAIL


On Sat, Oct 6, 2012 at 10:22 PM, John Russell jb.fr...@gmail.com wrote:

 Finally got DNS partially working, the following tests were successful:
 host -t SRV _ldap._tcp.example.com.
 host -t SRV _kerberos._udp.example.com.
 host -t A sogo.example.com.

 Still cannot join any Windows clients (XP or 7) to the EXAMPLE.COM domain.
 Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then
 --dns-backend=SAMBA_INTERNAL but both return update failed: REFUSED

 So DNS now seems to be having permission problems?

 Attached are outputs from samba_dnsupdate --verbose --all-names and the
 subsequent tail /var/log/syslog. Any ideas?


 On Fri, Sep 21, 2012 at 4:30 AM, John Russell jb.fr...@gmail.com wrote:

 Thought for sure this was a real bug, but you are correct Mr. Bartlett,
 that's just how the SMB protocol works. I verified this with another
 Wireshark capture from the same XP machine and a working SAMBA4 appliance
 from Sernet. This second capture also reveals that bind9 is still having
 issues on the SOGo appliance. The host machine registers itself into the
 DNS zone, but will not add client machines when they try to join the
 domain. How do I use the internal DNS service with SAMBA4?


 On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:

 On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
  Ran Wireshark on the XP client while joining the domain and saw SAM LOGON
  request from client and SAM Active Directory Response - user unknown.
 
  I noticed on the request and the response packets the user name field in
  the packet is blank (yes, I am typing the user name and password into the
  prompt from the XP machine!).
 
  Any ideas on what causes this?

 While an odd feature of the protocol, this is actually a normal
 successful response to the expected packet.  (Essentially, this is a
 historical oddity from a time when asking if a server knew about a user
 over an un-authenticated UDP packet wasn't considered a
 security/confidentiality issue).

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org









-- 
users@sogo.nu
https://inverse.ca/sogo/lists
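Two checks for the problems in the last two messages (the samba_dnsupdate output full of REFUSED answers, and the reverse lookup that returns SERVFAIL), as an added example in Python that is not part of the thread and not Samba's own code. It parses the verbose samba_dnsupdate output into one row per attempted record, filters the printed address list down to addresses worth registering, and derives the in-addr.arpa name that the failing reverse lookup of 172.16.1.7 has to resolve. The sample text is constructed in the shape of the quoted output; treating a block with no "update failed:" line as a success is this example's assumption.

```python
"""Triage helpers for samba_dnsupdate --verbose output and reverse lookups.

Added example, not part of the thread and not Samba code. Function names
are this example's own.
"""
import ast
import ipaddress
import re

# Constructed excerpt modelled on the quoted output: a refused A record,
# an SRV record with no failure line, and a refused CNAME.
SAMPLE_OUTPUT = """\
IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id:  0
;; UPDATE SECTION:
sogo.example.com.   900 IN  A   172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
Outgoing update query:
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN  SRV 0 100 88 sogo.example.com.

Calling nsupdate for CNAME a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
update failed: REFUSED
Failed nsupdate: 2
"""

CALLING = re.compile(r"^Calling nsupdate for (\S+) (\S+)")
FAILED = re.compile(r"^update failed: (\S+)")


def parse_dnsupdate_log(text):
    """Return [(rtype, name, rcode)], one per 'Calling nsupdate' block.

    Assumption: a block with no 'update failed:' line counts as "OK".
    """
    attempts = []
    for line in text.splitlines():
        m = CALLING.match(line)
        if m:
            attempts.append([m.group(1), m.group(2), "OK"])
            continue
        m = FAILED.match(line)
        if m and attempts:
            attempts[-1][2] = m.group(1)  # rcode the server answered, e.g. REFUSED
    return [tuple(a) for a in attempts]


def by_rcode(attempts):
    """Group 'TYPE name' strings by the rcode the server answered with."""
    groups = {}
    for rtype, name, rcode in attempts:
        groups.setdefault(rcode, []).append(f"{rtype} {name}")
    return groups


def registrable_ips(ips_line):
    """Drop link-local and loopback addresses from the printed 'IPs:' list.

    A link-local AAAA record is useless to clients on other links; the
    '%eth0' scope suffix is stripped before parsing.
    """
    addrs = ast.literal_eval(ips_line.split("IPs:", 1)[1].strip())
    keep = []
    for a in addrs:
        ip = ipaddress.ip_address(a.split("%", 1)[0])
        if not (ip.is_link_local or ip.is_loopback):
            keep.append(str(ip))
    return keep


def reverse_name(addr):
    """Name a PTR query for this address asks for (what nslookup printed)."""
    return ipaddress.ip_address(addr.split("%", 1)[0]).reverse_pointer


if __name__ == "__main__":
    attempts = parse_dnsupdate_log(SAMPLE_OUTPUT)
    for rcode, names in by_rcode(attempts).items():
        print(rcode, names)
    print(registrable_ips(SAMPLE_OUTPUT.splitlines()[0]))
    print(reverse_name("172.16.1.7"))
```

Run against the real `samba_dnsupdate --verbose --all-names` output, the REFUSED group shows at a glance whether every record is being refused (which points at the server's update policy or the credentials nsupdate presents) or only some of them. The reverse name tells you which in-addr.arpa zone the DNS server must be authoritative for before the `nslookup 172.16.1.7` check can succeed.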

Re: [SOGo] Sogo Domain for Microsoft Setup

2012-09-27 Thread John Russell
Just curious, what linux distro/version are you using?

On Thu, Sep 27, 2012 at 10:59 AM, Devinder Singh devinder.si...@qlc.in wrote:

 Hi All,

 I have been able to configure the entire SOGo setup for Microsoft Native
 Compatibility.

 I am stuck at the last step: Enter the DNS name or the IP address of
 your SOGo server in the Microsoft Exchange Server field.

 On my system right now, with any can run the SOGo due to the conf
 configuration as below.

 ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

 by giving my IP no. as 192.168.1.185 does not work.

 Any idea what value can I add in that field ?

 Additionally, what does autodiscover.example.com do? How would I
 configure it? Already ocsmanager.conf has the ProxyPass for the
 /autodiscovery.

 Kindly guide.

 --
 Thanks & Regards,
 Devinder Singh Birdi





[SOGo] Re: [Samba] Custom SAMBA4/OpenChange ZEG appliance

2012-09-21 Thread John Russell
Thought for sure this was a real bug, but you are correct Mr. Bartlett,
that's just how the SMB protocol works. I verified this with another
Wireshark capture from the same XP machine and a working SAMBA4 appliance
from Sernet. This second capture also reveals that bind9 is still having
issues on the SOGo appliance. The host machine registers itself into the
DNS zone, but will not add client machines when they try to join the
domain. How do I use the internal DNS service with SAMBA4?

On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:

 On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:
  Ran wireshark on the XP client while joining the domain and saw SAM LOGON
  request from client and SAM Active Directory Response - user unknown.
 
  I noticed on the request and the response packets the user name field in
  the packet is blank (yes, I am typing the user name and password into the
  prompt from the XP machine!).
 
  Any ideas on what causes this?

 While an odd feature of the protocol, this is actually a normal
 successful response to the expected packet.  (Essentially, this is a
 historical oddity from a time when asking if a server knew about a user
 over an un-authenticated UDP packet wasn't considered a
 security/confidentiality issue).

 --
 Andrew Bartlett
 http://samba.org/~abartlet/
 Authentication Developer, Samba Team   http://samba.org






[SOGo] Re: Custom SAMBA4/OpenChange ZEG appliance

2012-09-14 Thread John Russell
Was able to fix one problem with kinit not working. Added the following
lines to /etc/krb5.conf:
[realms]
EXAMPLE.COM = {
kdc = sogo
admin_server = sogo
default_domain = EXAMPLE.COM
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM
This gave me the following output when running kinit s...@example.com
Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:59784 for krbtgt/example@example.com
Kerberos: Client sent patypes: REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
Kerberos: Looking for ENC-TS pa-data -- s...@example.com
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:50248 for krbtgt/example@example.com
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
Kerberos: Looking for ENC-TS pa-data -- s...@example.com
Kerberos: ENC-TS Pre-authentication succeeded -- s...@example.com using arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- s...@example.com
Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime: 2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

samba_dnsupdate still fails as mentioned before and I still cannot join an
XP client to the domain.


On Fri, Sep 14, 2012 at 3:54 PM, John Russell jb.fr...@gmail.com wrote:

 Changing direction yet again. I decided to do some testing with the latest SOGo
 ZEG v2.0.0 rc5 appliance.

 Since this is supposed to be a turnkey package with SAMBA4, OpenChange and
 SOGo all somewhat working together I figured I'd give it a shot.

 Started up the appliance and tried to join an XP client to the EXAMPLE
 domain... FAILED: The error was: DNS name does not exist. (error code
 0x232B RCODE_NAME_ERROR)
 Tried to join an XP client to the OPENCHANGE domain... FAILED: The error
 was: Network path was not found. The DNS lookup partially worked but tail
 /var/log/samba/log.samba showed:
 RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
 for requested realm)
 Basically samba_dnsupdate fails with the following output.
 Traceback (most recent call last):
   File "/usr/sbin/samba_dnsupdate", line 485, in <module>
     get_credentials(lp)
   File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
     creds.get_named_ccache(lp, ccachename)
 RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC
 for requested realm)

 This is the same problem found here
 http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358

 At this point I know I have a KRB/KDC related issue and possibly DNS is
 not running properly. kinit isn't installed and Bind9 isn't configured
 with '--with-dlopen=yes'.
 Here is the output of
 /usr/sbin/named -V:
 BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man'
 '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var'
 '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared'
 '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr'
 '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6'
 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2'
 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro'
 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
 using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
 using libxml2 version: 2.7.8

 From here:
 I installed krb5-user dpkg-dev libkrb5-dev libssl-dev libgeoip-dev
 Recompiled bind9 with the '--with-dlopen=yes' option
 Re-provisioned samba4 with domain EXAMPLE and realm EXAMPLE.COM
 Added tkey-gssapi-keytab /var/lib/samba/private/dns.keytab; to
 /etc/bind/named.conf.options
 Copied /var/lib/samba/private/krb5.conf to /etc/krb5.conf
 Modified /etc/hosts so that sogo.example.com sogo uses the interface
 IP instead of loopback.
 Restarted bind and samba

 And still get the same error. Any ideas? Just trying to add a windows
 client to the domain at this point. Thanks



 On Tue, Apr 17, 2012 at 1:20 PM, John Russell jb.fr...@gmail.com wrote:

 Question following HowTo build your own OpenChange/SOGo appliance:
 I have been building my own SAMBA4/OpenChange appliance MOSTLY following
 the instructions at
 http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance

 I am using Ubuntu-Server 12.04 LTS (Precise Pangolin)
 precise-server-amd64.iso
 OpenChange from svn co -r 3923
 https://svn.openchange.org/openchange/branches/sogo
 SAMBA4 - Samba-4.0.0Alpha18

 At the step titled Configure DNS service
 # cd /etc/bind
 # mkdir samba
 # cp /usr/local/samba/private/named.* samba/
 # cp –rfi /usr/local
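A worked example for the krb5.conf fix and the KDC log in the 2012-09-14 message above, added here in Python; it is not code from the thread, from Samba, or from MIT/Heimdal Kerberos. It renders the [realms]/[domain_realm] stanzas John added, applies the domain_realm lookup rule a Kerberos client uses to map a hostname to a realm (exact host entry first, then parent domains with a leading dot, most specific first), and reads the enctypes out of KDC log lines shaped like the ones quoted. Function names are this example's own, the KDC log text is constructed, and returning None where a real client would fall back to DNS or a default realm is a simplification.

```python
"""krb5.conf realm mapping and KDC-log enctype check (added example)."""
import re

# RC4 and (3)DES enctypes; RFC 6649 and RFC 8429 deprecate them.
WEAK_ENCTYPES = {"arcfour-hmac-md5", "des3-cbc-sha1", "des-cbc-crc", "des-cbc-md5"}


def render_krb5_conf(realm, kdc, admin_server, domain):
    """Render the two stanzas the message above added to /etc/krb5.conf."""
    return "\n".join([
        "[realms]",
        f"{realm} = {{",
        f"\tkdc = {kdc}",
        f"\tadmin_server = {admin_server}",
        f"\tdefault_domain = {domain}",
        "}",
        "",
        "[domain_realm]",
        f".{domain} = {realm}",   # leading dot: every host below the domain
        f"{domain} = {realm}",    # no dot: only the bare domain name itself
        "",
    ])


def parse_domain_realm(conf):
    """Collect 'name = REALM' pairs from the [domain_realm] section only."""
    mapping, in_section = {}, False
    for raw in conf.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = (line == "[domain_realm]")
            continue
        if in_section and "=" in line:
            name, realm = (s.strip() for s in line.split("=", 1))
            mapping[name.lower()] = realm
    return mapping


def realm_for_host(host, mapping):
    """Exact entry wins; else the longest '.parent' entry; else None.

    None is where a real client would fall back to DNS or a default realm
    (simplification made by this example).
    """
    host = host.lower().rstrip(".")
    if host in mapping:
        return mapping[host]
    labels = host.split(".")
    for i in range(1, len(labels)):
        parent = "." + ".".join(labels[i:])
        if parent in mapping:
            return mapping[parent]
    return None


# Constructed KDC log lines modelled on the AS exchange quoted above;
# the principal name is a placeholder.
SAMPLE_KDC_LOG = """\
Kerberos: AS-REQ user@EXAMPLE.COM from ipv4:172.16.1.20:50248 for krbtgt/EXAMPLE.COM@EXAMPLE.COM
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: ENC-TS Pre-authentication succeeded -- user@EXAMPLE.COM using arcfour-hmac-md5
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
"""

OFFERED = re.compile(r"Client supported enctypes: (.*?), using ([\w-]+)")


def offered_vs_used(kdc_log):
    """(enctypes the client offered, enctype the KDC actually used)."""
    m = OFFERED.search(kdc_log)
    if not m:
        return [], None
    return [e.strip() for e in m.group(1).split(",")], m.group(2)


def weak_enctype_in_use(kdc_log):
    """True when the KDC settled on a deprecated enctype although a stronger one was offered."""
    offered, used = offered_vs_used(kdc_log)
    return used in WEAK_ENCTYPES and any(e not in WEAK_ENCTYPES for e in offered)


if __name__ == "__main__":
    conf = render_krb5_conf("EXAMPLE.COM", "sogo", "sogo", "example.com")
    print(conf)
    print(realm_for_host("sogo.example.com", parse_domain_realm(conf)))
    print(offered_vs_used(SAMPLE_KDC_LOG), weak_enctype_in_use(SAMPLE_KDC_LOG))
```

The domain_realm rule is why both the `.example.com` and the bare `example.com` entries are needed: the dotted one covers `sogo.example.com`, the undotted one only the domain name itself. The enctype check reflects what the quoted log already shows, the client offering AES but the KDC answering with arcfour-hmac-md5; a KDC can only use enctypes for which the principal has a key, so that outcome is worth flagging in log review rather than treating as a successful kinit and moving on.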