[SOGo] Re: [Samba] Custom SAMBA4/OpenChage ZEG applicance
Finally got DNS partially working, the following tests were successful:

host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A sogo.example.com.

Still can not join any windows clients (XP or 7) to the EXAMPLE.COM domain. Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then --dns-backend=SAMBA_INTERNAL but both return update failed: REFUSED

So DNS now seems to be having permission problems? Attached are outputs from samba_dnsupdate --verbose --all-names and the subsequent tail /var/log/syslog. Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell jb.fr...@gmail.com wrote:

Thought for sure this was a real bug, but you are correct Mr. Bartlett, that's just how the SMB protocol works. I verified this with another wireshark capture from the same XP machine and a working SAMBA4 appliance from Sernet. This second capture also reveals that bind9 is still having issues on the SOGo appliance. The host machine registers itself into the DNS zone, but will not add client machines when they try to join the domain. How do I use the internal DNS service with SAMBA4?

On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:

On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:

Ran wireshark on the XP client while joining the domain and saw SAM LOGON request from client and SAM Active Directory Response - user unknown. I noticed on the request and the response packets the user name field in the packet is blank (yes, I am typing the user name and password into the prompt from the XP machine!). Any ideas on what causes this?

While an odd feature of the protocol, this is actually a normal successful response to the expected packet. (Essentially, this is a historical oddity from a time when asking if a server knew about a user over an un-authenticated UDP packet wasn't considered a security/confidentiality issue).
--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy

root@sogo:~# samba_dnsupdate --verbose --all-names
IPs: ['fe80::a00:27ff:fef2:b592%eth0', '172.16.1.7']
Calling nsupdate for A example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
sogo.example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for A gc._msdcs.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
gc._msdcs.example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for CNAME a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com sogo.example.com
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
a6b5369c-1f1d-457e-813a-dcef9ec89f8b._msdcs.example.com. 900 IN CNAME sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._tcp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._tcp.example.com. 900 IN SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kpasswd._udp.example.com sogo.example.com 464
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kpasswd._udp.example.com. 900 IN SRV 0 100 464 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE SECTION:
_kerberos._tcp.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _kerberos._tcp.dc._msdcs.example.com sogo.example.com 88
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; UPDATE
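The samba_dnsupdate output above is repetitive enough that a small parser helps show at a glance which records were rejected and with which rcode. The following Python is an added example, not code from the thread or from Samba; it assumes the block layout shown in that output and treats a record block without an "update failed" line as a success.

```python
"""Triage `samba_dnsupdate --verbose --all-names` output (added example, not from the thread).
Each record yields a "Calling nsupdate for <TYPE> <NAME> <RDATA>" block; a rejected update adds
"update failed: <RCODE>". A block without that line is assumed here to have succeeded."""
import re
from collections import defaultdict

CALL_RE = re.compile(r"^Calling nsupdate for (\S+) (\S+) (.+)$")
FAIL_RE = re.compile(r"^update failed: (\S+)$")

# Constructed sample in the format shown above (not the thread's real output).
SAMPLE = """\
IPs: ['172.16.1.7']
Calling nsupdate for A sogo.example.com 172.16.1.7
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; UPDATE SECTION:
sogo.example.com. 900 IN A 172.16.1.7

update failed: REFUSED
Failed nsupdate: 2
Calling nsupdate for SRV _ldap._tcp.example.com sogo.example.com 389
_ldap._tcp.example.com. 900 IN SRV 0 100 389 sogo.example.com.

Calling nsupdate for SRV _kerberos._udp.example.com sogo.example.com 88
_kerberos._udp.example.com. 900 IN SRV 0 100 88 sogo.example.com.

update failed: NOTAUTH
Failed nsupdate: 2
"""


def parse_dnsupdate(text):
    """One dict per attempted record: type, name, rdata, rcode (None when no failure line)."""
    records, current = [], None
    for line in (l.strip() for l in text.splitlines()):
        call = CALL_RE.match(line)
        if call:
            current = {"type": call[1], "name": call[2], "rdata": call[3], "rcode": None}
            records.append(current)
        elif (fail := FAIL_RE.match(line)) and current is not None:
            current["rcode"] = fail[1]
    return records


def summarize(records):
    """Group 'TYPE name' strings by rcode; records with no failure line land under 'OK'."""
    by_rcode = defaultdict(list)
    for rec in records:
        by_rcode[rec["rcode"] or "OK"].append(f"{rec['type']} {rec['name']}")
    return dict(by_rcode)
```

When every record lands under REFUSED, as in the thread, the server's update policy is rejecting the client rather than any single record being wrong, so the next thing to check is the GSS-TSIG path (the tkey-gssapi-keytab setting and the readability of dns.keytab by named) rather than the zone data.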
[SOGo] Re: [Samba] Custom SAMBA4/OpenChage ZEG applicance
Or could be reverse lookup is not working...

root@sogo:~# nslookup sogo
Server: 172.16.1.7
Address: 172.16.1.7#53

Name: sogo.example.com
Address: 172.16.1.7

root@sogo:~# nslookup 172.16.1.7
Server: 172.16.1.7
Address: 172.16.1.7#53

** server can't find 7.1.16.172.in-addr.arpa: SERVFAIL

On Sat, Oct 6, 2012 at 10:22 PM, John Russell jb.fr...@gmail.com wrote:

Finally got DNS partially working, the following tests were successful:

host -t SRV _ldap._tcp.example.com.
host -t SRV _kerberos._udp.example.com.
host -t A sogo.example.com.

Still can not join any windows clients (XP or 7) to the EXAMPLE.COM domain. Tried provisioning SAMBA with both --dns-backend=BIND9_DLZ and then --dns-backend=SAMBA_INTERNAL but both return update failed: REFUSED

So DNS now seems to be having permission problems? Attached are outputs from samba_dnsupdate --verbose --all-names and the subsequent tail /var/log/syslog. Any ideas?

On Fri, Sep 21, 2012 at 4:30 AM, John Russell jb.fr...@gmail.com wrote:

Thought for sure this was a real bug, but you are correct Mr. Bartlett, that's just how the SMB protocol works. I verified this with another wireshark capture from the same XP machine and a working SAMBA4 appliance from Sernet. This second capture also reveals that bind9 is still having issues on the SOGo appliance. The host machine registers itself into the DNS zone, but will not add client machines when they try to join the domain. How do I use the internal DNS service with SAMBA4?

On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:

On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:

Ran wireshark on the XP client while joining the domain and saw SAM LOGON request from client and SAM Active Directory Response - user unknown. I noticed on the request and the response packets the user name field in the packet is blank (yes, I am typing the user name and password into the prompt from the XP machine!). Any ideas on what causes this?

While an odd feature of the protocol, this is actually a normal successful response to the expected packet. (Essentially, this is a historical oddity from a time when asking if a server knew about a user over an un-authenticated UDP packet wasn't considered a security/confidentiality issue).

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy

--
users@sogo.nu
https://inverse.ca/sogo/lists
Re: [SOGo] Sogo Domain for Microsoft Setup
Just curious, what linux distro/version are you using?

On Thu, Sep 27, 2012 at 10:59 AM, Devinder Singh devinder.si...@qlc.in wrote:

Hi All,

I have been able to configure the entire SOGo setup for Microsoft Native Compatibility. I am stuck at the last step: *Enter the DNS name or the IP address of your SOGo server in the Microsoft Exchange Server field*

On my system right now, with any can run the SOGo due to the conf configuration as below.

ProxyPass /SOGo http://127.0.0.1:2/SOGo retry=0

by giving my IP no. as 192.168.1.185 does not work. Any idea what value can I add in that field?

Additionally, what does autodiscover.example.com do? How would I configure it? Already ocsmanager.conf has the ProxyPass for the /autodiscovery.

Kindly guide.

--
Thanks Regards,
Devinder Singh Birdi

--
It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy
[SOGo] Re: [Samba] Custom SAMBA4/OpenChage ZEG applicance
Thought for sure this was a real bug, but you are correct Mr. Bartlett, that's just how the SMB protocol works. I verified this with another wireshark capture from the same XP machine and a working SAMBA4 appliance from Sernet. This second capture also reveals that bind9 is still having issues on the SOGo appliance. The host machine registers itself into the DNS zone, but will not add client machines when they try to join the domain. How do I use the internal DNS service with SAMBA4?

On Fri, Sep 21, 2012 at 2:24 AM, Andrew Bartlett abart...@samba.org wrote:

On Sat, 2012-09-15 at 11:02 -0400, John Russell wrote:

Ran wireshark on the XP client while joining the domain and saw SAM LOGON request from client and SAM Active Directory Response - user unknown. I noticed on the request and the response packets the user name field in the packet is blank (yes, I am typing the user name and password into the prompt from the XP machine!). Any ideas on what causes this?

While an odd feature of the protocol, this is actually a normal successful response to the expected packet. (Essentially, this is a historical oddity from a time when asking if a server knew about a user over an un-authenticated UDP packet wasn't considered a security/confidentiality issue).

--
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org

--
It's better to be boldly decisive and risk being wrong than to agonize at length and be right too late. Marilyn Moats Kennedy
[SOGo] Re: Custom SAMBA4/OpenChage ZEG applicance
Was able to fix one problem with kinit not working. Added the following lines to /etc/krb5.conf:

[realms]
EXAMPLE.COM = {
kdc = sogo
admin_server = sogo
default_domain = EXAMPLE.COM
}

[domain_realm]
.example.com = EXAMPLE.COM
example.com = EXAMPLE.COM

This gave me the following output when running kinit s...@example.com

Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:59784 for krbtgt/example@example.com
Kerberos: Client sent patypes: REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
Kerberos: Looking for ENC-TS pa-data -- s...@example.com
Kerberos: Need to use PA-ENC-TIMESTAMP/PA-PK-AS-REQ
Kerberos: AS-REQ s...@example.com from ipv4:172.16.1.20:50248 for krbtgt/example@example.com
Kerberos: Client sent patypes: ENC-TS, REQ-ENC-PA-REP
Kerberos: Looking for PK-INIT(ietf) pa-data -- s...@example.com
Kerberos: Looking for PK-INIT(win2k) pa-data -- s...@example.com
Kerberos: Looking for ENC-TS pa-data -- s...@example.com
Kerberos: ENC-TS Pre-authentication succeeded -- s...@example.com using arcfour-hmac-md5
Kerberos: ENC-TS pre-authentication succeeded -- s...@example.com
Kerberos: AS-REQ authtime: 2012-09-15T01:02:47 starttime: unset endtime: 2012-09-15T11:02:47 renew till: 2012-09-16T01:02:43
Kerberos: Client supported enctypes: aes256-cts-hmac-sha1-96, aes128-cts-hmac-sha1-96, des3-cbc-sha1, arcfour-hmac-md5, using arcfour-hmac-md5/arcfour-hmac-md5
Kerberos: Requested flags: renewable-ok

samba_dnsupdate still fails as mentioned before and I still can not join an XP client to the domain.

On Fri, Sep 14, 2012 at 3:54 PM, John Russell jb.fr...@gmail.com wrote:

Changing direction yet again. I decided to do some testing with the latest *SOGo ZEG v2.0.0 rc5 appliance.* Since this is supposed to be a turnkey package with SAMBA4, OpenChange and SOGo all somewhat working together I figured I'd give it a shot.
Started up the appliance and tried to join an XP client to the EXAMPLE domain... FAILED: The error was: DNS name does not exist. (error code 0x232B RCODE_NAME_ERROR)

Tried to join an XP client to the OPENCHANGE domain... FAILED: The error was: Network path was not found.

The DNS lookup partially worked but tail /var/log/samba/log.samba showed:

RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC for requested realm)

Basically samba_dnsupdate fails with the following output.

Traceback (most recent call last):
  File "/usr/sbin/samba_dnsupdate", line 485, in <module>
    get_credentials(lp)
  File "/usr/sbin/samba_dnsupdate", line 120, in get_credentials
    creds.get_named_ccache(lp, ccachename)
RuntimeError: kinit for SOGO$@EXAMPLE.COM failed (Cannot contact any KDC for requested realm)

This is the same problem found here http://thread.gmane.org/gmane.comp.groupware.sogo.user/11358

At this point I know I have a KRB/KDC related issue and possibly DNS is not running properly. kinit isn't installed and Bind9 isn't configured with '--with-dlopen=yes'.
Here is the output of /usr/sbin/named -V:

BIND 9.8.1-P1 built with '--prefix=/usr' '--mandir=/usr/share/man' '--infodir=/usr/share/info' '--sysconfdir=/etc/bind' '--localstatedir=/var' '--enable-threads' '--enable-largefile' '--with-libtool' '--enable-shared' '--enable-static' '--with-openssl=/usr' '--with-gssapi=/usr' '--with-gnu-ld' '--with-geoip=/usr' '--enable-ipv6' 'CFLAGS=-fno-strict-aliasing -DDIG_SIGCHASE -O2' 'LDFLAGS=-Wl,-Bsymbolic-functions -Wl,-z,relro' 'CPPFLAGS=-D_FORTIFY_SOURCE=2'
using OpenSSL version: OpenSSL 1.0.1 14 Mar 2012
using libxml2 version: 2.7.8

From here:

I installed krb5-user dpkg-dev libkrb5-dev libssl-dev libgeoip-dev
Recompiled bind9 with the '--with-dlopen=yes' option
Re-provisioned samba4 with domain EXAMPLE and realm EXAMPLE.COM
Added tkey-gssapi-keytab "/var/lib/samba/private/dns.keytab"; to /etc/bind/named.conf.options
Copied /var/lib/samba/private/krb5.conf to /etc/krb5.conf
Modified /etc/hosts so that sogo.example.com sogo uses interface IP instead of loopback.
Restarted bind and samba

And still get the same error. Any ideas? Just trying to add a windows client to the domain at this point.

Thanks

On Tue, Apr 17, 2012 at 1:20 PM, John Russell jb.fr...@gmail.com wrote:

Question following HowTo build your own OpenChange/SOGo appliance:

I have been building my own SAMBA4/OpenChange appliance *MOSTLY* following the instructions at http://tracker.openchange.org/projects/openchange/wiki/HowTo_build_your_own_OpenChangeSOGo_appliance .

I am using Ubuntu-Server 12.04 LTS (Precise Pangolin) precise-server-amd64.iso
OpenChange from svn co -r 3923 https://svn.openchange.org/openchange/branches/sogo
SAMBA4 - Samba-4.0.0Alpha18

At the step titled Configure DNS service

# cd /etc/bind
# mkdir samba
# cp /usr/local/samba/private/named.* samba/
# cp –rfi /usr/local