Hi all,

I'm sorry for my late response...
First of all, thank you for your advice!!!

I joined my Samba4 Server as a Member to my Windows 2012 AD.
(https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member)
This worked without any problems.

This is my smb.conf, hope this will help :-)

#
# Sample configuration file for the Samba suite for Debian GNU/Linux.
#
#
# This is the main Samba configuration file. You should read the
# smb.conf(5) manual page in order to understand the options listed
# here. Samba has a huge number of configurable options most of which
# are not shown in this example
#
# Some options that are often worth tuning have been included as
# commented-out examples in this file.
#  - When such options are commented with ";", the proposed setting
#    differs from the default Samba behaviour
#  - When commented with "#", the proposed setting is the default
#    behaviour of Samba but the option is considered important
#    enough to be mentioned here
#
# NOTE: Whenever you modify this file you should run the command
# "testparm" to check that you have not made any basic syntactic
# errors.

#======================= Global Settings =======================

[global]

       netbios name = SOGo
       security = ADS
       workgroup = 3PC
       realm = 3PC.LOCAL

       log file = /var/log/samba/%m.log
       log level = 1

       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind refresh tickets = yes

       winbind trusted domains only = no
       winbind use default domain = yes
       winbind enum users  = yes
       winbind enum groups = yes

       # idmap config used for your domain.
       # Choose one of the following backends fitting to your
       # requirements and add the corresponding configuration.
       #  - idmap config ad
       #  - idmap config rid
       #  - idmap config autorid

       ###  Configuration required by OpenChange server ###
        dsdb:schema update allowed = true
        dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
        dcerpc_mapiproxy:server = true
        dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
       ### Configuration required by OpenChange server ###

       mapistore:namedproperties = mysql
       namedproperties:mysql_user = openchange
       namedproperties:mysql_pass = *****
       namedproperties:mysql_host = localhost
       namedproperties:mysql_db = openchange
       mapistore:indexing_backend = mysql://openchange:*****@localhost/openchange
       mapiproxy:openchangedb = mysql://openchange:*****@localhost/openchange

## Browsing/Identification ###

# Change this to the workgroup/NT-domain name your Samba server will part of
#   workgroup = WORKGROUP

# Windows Internet Name Serving Support Section:
# WINS Support - Tells the NMBD component of Samba to enable its WINS Server
#   wins support = no

# WINS Server - Tells the NMBD components of Samba to be a WINS Client
# Note: Samba can be either a WINS Server, or a WINS Client, but NOT both
;   wins server = w.x.y.z

# This will prevent nmbd from searching for NetBIOS names through DNS.
   dns proxy = no

#### Networking ####

# The specific set of interfaces / networks to bind to
# This can be either the interface name or an IP address/netmask;
# interface names are normally preferred
;   interfaces = 127.0.0.0/8 eth0

# Only bind to the named interfaces and/or networks; you must use the
# 'interfaces' option above to use this.
# It is recommended that you enable this feature if your Samba machine is
# not protected by a firewall or is a firewall itself.  However, this
# option cannot handle dynamic or non-broadcast interfaces correctly.
;   bind interfaces only = yes



#### Debugging/Accounting ####

# This tells Samba to use a separate log file for each machine
# that connects
#   log file = /var/log/samba/log.%m

# Cap the size of the individual log files (in KiB).
   max log size = 1000

# If you want Samba to only log through syslog then set the following
# parameter to 'yes'.
#   syslog only = no

# We want Samba to log a minimum amount of information to syslog. Everything
# should go to /var/log/samba/log.{smbd,nmbd} instead. If you want to log
# through syslog you should set the following parameter to something higher.
   syslog = 0

# Do something sensible when Samba crashes: mail the admin a backtrace
   panic action = /usr/share/samba/panic-action %d


####### Authentication #######

# Server role. Defines in which mode Samba will operate. Possible
# values are "standalone server", "member server", "classic primary
# domain controller", "classic backup domain controller", "active
# directory domain controller".
#
# Most people will want "standalone server" or "member server".
# Running as "active directory domain controller" will require first
# running "samba-tool domain provision" to wipe databases and create a
# new domain.
   server role = standalone server
# If you are using encrypted passwords, Samba will need to know what
# password database type you are using.
   passdb backend = tdbsam

   obey pam restrictions = yes

# This boolean parameter controls whether Samba attempts to sync the Unix
# password with the SMB password when the encrypted SMB password in the
# passdb is changed.
   unix password sync = yes

# For Unix password sync to work on a Debian GNU/Linux system, the following
# parameters must be set (thanks to Ian Kahan <[email protected]> for
# sending the correct chat script for the passwd program in Debian Sarge).
   passwd program = /usr/bin/passwd %u
   passwd chat = *Enter\snew\s*\spassword:* %n\n *Retype\snew\s*\spassword:* %n\n *password\supdated\ssuccessfully* .

# This boolean controls whether PAM will be used for password changes
# when requested by an SMB client instead of the program listed in
# 'passwd program'. The default is 'no'.
   pam password change = yes

# This option controls how unsuccessful authentication attempts are mapped
# to anonymous connections
   map to guest = bad user

########## Domains ###########

#
# The following settings only take effect if 'server role = primary
# classic domain controller', 'server role = backup domain controller'
# or 'domain logons' is set
#

# It specifies the location of the user's
# profile directory from the client point of view) The following
# required a [profiles] share to be setup on the samba server (see
# below)
;   logon path = \\%N\profiles\%U
# Another common choice is storing the profile in the user's home directory
# (this is Samba's default)
#   logon path = \\%N\%U\profile

# The following setting only takes effect if 'domain logons' is set
# It specifies the location of a user's home directory (from the client
# point of view)
;   logon drive = H:
#   logon home = \\%N\%U

# The following setting only takes effect if 'domain logons' is set
# It specifies the script to run during logon. The script must be stored
# in the [netlogon] share
# NOTE: Must be stored in 'DOS' file format convention
;   logon script = logon.cmd

# This allows Unix users to be created on the domain controller via the SAMR
# RPC pipe.  The example command creates a user account with a disabled Unix
# password; please adapt to your needs
; add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u

# This allows machine accounts to be created on the domain controller via the
# SAMR RPC pipe.
# The following assumes a "machines" group exists on the system
; add machine script  = /usr/sbin/useradd -g machines -c "%u machine account" -d /var/lib/samba -s /bin/false %u

# This allows Unix groups to be created on the domain controller via the SAMR
# RPC pipe.
; add group script = /usr/sbin/addgroup --force-badname %g

############ Misc ############

# Using the following line enables you to customise your configuration
# on a per machine basis. The %m gets replaced with the netbios name
# of the machine that is connecting
;   include = /home/samba/etc/smb.conf.%m

# Some defaults for winbind (make sure you're not using the ranges
# for something else.)
;   idmap uid = 10000-20000
;   idmap gid = 10000-20000
;   template shell = /bin/bash

# Setup usershare options to enable non-root users to share folders
# with the net usershare command.

# Maximum number of usershare. 0 (default) means that usershare is disabled.
;   usershare max shares = 100

# Allow users who've been granted usershare privileges to create
# public shares, not just authenticated ones
   usershare allow guests = yes

#======================= Share Definitions =======================

[homes]
   comment = Home Directories
   browseable = no

# By default, the home directories are exported read-only. Change the
# next parameter to 'no' if you want to be able to write to them.
   read only = yes

# File creation mask is set to 0700 for security reasons. If you want to
# create files with group=rw permissions, set next parameter to 0775.
   create mask = 0700

# Directory creation mask is set to 0700 for security reasons. If you want to
# create dirs. with group=rw permissions, set next parameter to 0775.
   directory mask = 0700

# By default, \\server\username shares can be connected to by anyone
# with access to the samba server.
# The following parameter makes sure that only "username" can connect
# to \\server\username
# This might need tweaking when using external authentication schemes
   valid users = %S

# Un-comment the following and create the netlogon directory for Domain Logons
# (you need to configure Samba to act as a domain controller too.)
;[netlogon]
;   comment = Network Logon Service
;   path = /home/samba/netlogon
;   guest ok = yes
;   read only = yes

# Un-comment the following and create the profiles directory to store
# users profiles (see the "logon path" option above)
# (you need to configure Samba to act as a domain controller too.)
# The path below should be writable by all users so that their
# profile directory may be created the first time they log on
;[profiles]
;   comment = Users profiles
;   path = /home/samba/profiles
;   guest ok = no
;   browseable = no
;   create mask = 0600
;   directory mask = 0700

[printers]
   comment = All Printers
   browseable = no
   path = /var/spool/samba
   printable = yes
   guest ok = no
   read only = yes
   create mask = 0700

# Windows clients look for this share name as a source of downloadable
# printer drivers
[print$]
   comment = Printer Drivers
   path = /var/lib/samba/printers
   browseable = yes
   read only = yes
   guest ok = no
# Uncomment to allow remote administration of Windows print drivers.
# You may need to replace 'lpadmin' with the name of the group your
# admin users are members of.
# Please note that you also need to set appropriate Unix permissions
# to the drivers directory for these users to have write rights in it
;   write list = root, @lpadmin



On 16.02.2016 at 17:30, Steve Ankeny wrote:
> On 02/16/2016 08:57 AM, Maxime RUBINO wrote:
>> Hi all,
>>
>> You can find all warnings and best practices to join an existing AD to
>> a Samba AD, but, Samba4 doesn't support joining a 2012 AD as a Domain
>> Controller, so... too bad for you if you have a 2012 AD.
>>
>> https://wiki.samba.org/index.php/Joining_a_Windows_Server_2012_/_2012_R2_DC_to_a_Samba_AD
>>
>>
> I don't believe the original poster was doing that.
> 
> He was trying to join an existing Windows AD as a Member Server. The
> question is "How did he do that?"
> 
> And, in order to discover his problem, he might need to look at his
> smb.conf (as Rowland suggests)
> 
> (I may be wrong, so we'll have to see what he says)
> 
>> On 16/02/2016 14:12, Rowland Penny wrote:
>>> On 16/02/16 12:26, Steve Ankeny wrote:
>>>> On 02/16/2016 02:43 AM, Dennis Moebus wrote:
>>>>> Hey Steve,
>>>>>
>>>>> I joined my Samba/OpenChange/Sogo Server to my existing Windows Active
>>>>> Directory as a member. I followed the official Native Microsoft Outlook
>>>>> Configuration Guide from sogo.nu
>>>>> (http://sogo.nu/files/docs/SOGo%20Native%20Microsoft%20Outlook%20Configuration.pdf).
>>>>>
>>>>> Installing the software and entering my credentials is done and
>>>>> double-checked.
>>>>> But every time I enter the command:
>>>>>
>>>>> "openchange_newuser --create dmoebus",
>>>>>
>>>>> I get the following error:
>>>>>
>>>>> Traceback (most recent call last):
>>>>>    File "/usr/sbin/openchange_newuser", line 70, in <module>
>>>>>      lp, creds, opts.firstorg, opts.firstou)
>>>>>    File "/usr/lib/python2.7/dist-packages/openchange/provision.py",
>>>>> line
>>>>> 167, in guess_names_from_smbconf
>>>>>      raise Exception("Cannot find first exchange organization in %s",
>>>>> exchangedn)
>>>>> Exception: ('Cannot find first exchange organization in %s',
>>>>> 'CN=Microsoft Exchange,CN=Services,CN=Configuration,CN=SOGO')
>>>>>
>>>>> What is wrong? Google has no answers for me...
>>>>>
>>>>> Thank you!
>>>>> Dennis
>>>>
>>>> (I am no expert)
>>>>
>>>> It cannot find the "first exchange organization" because it's not
>>>> querying your existing Microsoft AD
>>>>
>>>> IF you followed the Inverse, "Native Microsoft Outlook Configuration
>>>> Guide," you installed the Samba & OpenChange packages from Inverse
>>>> (so, you have the correct packages), but how did you provision Samba?
>>>
>>> At the moment you can only provision as a DC.
>>>
>>>>
>>>> The Guide tells you to provision as an AD controller. However,
>>>> that's not going to "fit" your existing AD
>>>>
>>>> At this point, I'd check the configuration options in the Samba Wiki
>>>> on "joining" as a Member --
>>>>
>>>> https://wiki.samba.org/index.php/Setup_Samba_as_an_AD_Domain_Member
>>>>
>>>> Compare the configuration and setups between the Inverse Guide and
>>>> the Samba link, and see what you find.  You're looking for
>>>> differences.  One of the main issues is DNS: "Which AD DC does your
>>>> smb.conf point to?"
>>>>
>>>> There are people more expert in both Samba & OpenChange on this
>>>> list, so maybe someone will see the flaw.
>>>
>>> The flaw is probably that he has created a new domain and is now
>>> trying to join it to another domain, I don't think this is going to
>>> work, it may help to say one way or the other, if the OP was to post
>>> the smb.conf from the Sogo machine.
>>>
>>>>
>>>> The "first exchange organization" is contained in the database
>>>> controlling the AD (usually an LDB in Samba), but you're connected
>>>> to the Microsoft AD, so it has to look there, and it's not looking
>>>> at the right domain controller.
>>>>
>>>> The question would be, "How did you join your existing Microsoft AD?"
>>>>
>>>>
>>>
>>> Very good question.
>>>
>>> Rowland
>>>
>>
> 
> 

-- 
Dennis Möbus
[email protected]

-----------------------------------------------
3pc GmbH
Neue Kommunikation

Prinzessinnenstraße 1
10969 Berlin
Tel.: +49-(0)30-28 51 98-00
Fax: +49-(0)30-28 51 98-28
http://3pc.de
[email protected]

-----------------------------------------------
3pc GmbH
Neue Kommunikation
South Office

Andreas-Hofer-Straße 11
73730 Esslingen
Tel.: +49 (0)711-16 12 15 31
[email protected]

-----------------------------------------------
Managing Director
Armin Berger

Amtsgericht Berlin Charlottenburg
HRB 794 28
VAT ID: DE217652890

-----------------------------------------------
facebook.com/3pc.de
plus.3pc.de
twitter.com/3pc
flickr.com/photos/3pc
-- 
[email protected]
https://inverse.ca/sogo/lists
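Added example for the smb.conf review Rowland asked for; this is not code from the thread, nor from the Samba or OpenChange projects. The posted file sets `security = ADS` near the top of [global], while the Debian boilerplate further down sets `server role = standalone server`; it has no `idmap config ... : backend` lines although its own comment says to pick one; it carries MySQL credentials in clear; and it keeps the OpenChange `dsdb:`/`dcerpc endpoint servers` lines that belong to a Samba AD DC. The script below is a small smb.conf reader plus a linter that flags exactly those four things. Both configs in it are constructed: the first is a trimmed copy of the posted [global] with the secret masked as in the post, the second is a hypothetical corrected member-server [global] modelled on the Samba wiki page linked above (the idmap ranges are illustrative). Which of `security` and `server role` Samba finally applies is deliberately left to `testparm -v`, as the finding text says.

```python
"""Lint the [global] section of an smb.conf for the things a domain-member
join usually trips over.  Added example, not code from the original thread
or from the Samba/OpenChange projects.  Both sample configs are constructed."""
import re
from typing import Dict, List

# Constructed sample: only the lines that matter, in the order they appear in
# the posted file (the Debian boilerplate further down re-sets 'server role'
# after 'security = ADS' has already been set at the top).
POSTED_GLOBAL = """
[global]
       netbios name = SOGo
       security = ADS
       workgroup = 3PC
       realm = 3PC.LOCAL
       dedicated keytab file = /etc/krb5.keytab
       kerberos method = secrets and keytab
       winbind use default domain = yes
        dsdb:schema update allowed = true
        dcerpc endpoint servers = epmapper, mapiproxy, dnsserver
       namedproperties:mysql_pass = *****
       mapistore:indexing_backend = mysql://openchange:*****@localhost/openchange
   server role = standalone server
   passdb backend = tdbsam
   map to guest = bad user

[homes]
   valid users = %S
"""

# Hypothetical corrected member-server [global]; idmap ranges are illustrative.
CORRECTED_GLOBAL = """
[global]
   netbios name = SOGo
   security = ADS
   server role = member server
   workgroup = 3PC
   realm = 3PC.LOCAL
   dedicated keytab file = /etc/krb5.keytab
   kerberos method = secrets and keytab
   idmap config * : backend = tdb
   idmap config * : range = 3000-7999
   idmap config 3PC : backend = rid
   idmap config 3PC : range = 10000-999999
"""


def parse_smb_conf(text: str) -> Dict[str, Dict[str, str]]:
    """Minimal smb.conf reader: {section: {normalised key: value}}.
    Keys are lower-cased with whitespace collapsed so 'Server Role' and
    'server role' are the same key; within a section the last assignment
    wins, which is how Samba reads the file too."""
    sections: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":            # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:     # junk outside a section
            continue
        key, _, value = line.partition("=")
        sections[current][" ".join(key.lower().split())] = value.strip()
    return sections


MEMBER_SECURITY = {"ads", "domain"}
DC_ONLY = ("dsdb:schema update allowed", "dcerpc endpoint servers")
IDMAP_BACKEND = re.compile(r"idmap config (\S+)\s*:\s*backend$")
DSN_WITH_SECRET = re.compile(r"^\w+://[^/:@\s]+:[^@\s]+@", re.I)


def lint_global(g: Dict[str, str]) -> List[str]:
    """Return one human-readable finding per problem spotted in [global]."""
    findings: List[str] = []
    security = g.get("security", "").lower()
    role = g.get("server role", "").lower()
    wants_member = security in MEMBER_SECURITY

    # 1. 'security' and 'server role' describe the same thing and must agree.
    if wants_member and role and role != "member server":
        findings.append(f"security = {security} but server role = {role}: "
                        "run 'testparm -v | grep \"Server role\"' to see which one Samba applies")

    # 2. A domain member needs an idmap backend for '*' and for its own domain.
    if wants_member:
        backends = {m.group(1) for k in g for m in [IDMAP_BACKEND.match(k)] if m}
        missing = [d for d in ("*", g.get("workgroup", "").lower()) if d and d not in backends]
        if missing:
            findings.append("no idmap backend for " + ", ".join(missing) +
                            ": winbind cannot map domain SIDs to uids/gids")

    # 3. Anything that can read smb.conf can read a credential stored in it.
    for key, value in g.items():
        if (key.endswith(("pass", "password")) and value) or DSN_WITH_SECRET.match(value):
            findings.append(f"{key} stores a credential in smb.conf: check the file mode")

    # 4. These are read by the Samba AD DC process that OpenChange's mapiproxy
    #    plugs into, not by smbd/winbindd on a member server.
    present = [p for p in DC_ONLY if p in g]
    if wants_member and present:
        findings.append("AD DC only settings on a domain member: " + ", ".join(present))
    return findings


def lint_smb_conf(text: str) -> List[str]:
    return lint_global(parse_smb_conf(text).get("global", {}))


if __name__ == "__main__":
    for name, conf in (("posted", POSTED_GLOBAL), ("corrected", CORRECTED_GLOBAL)):
        print(f"{name}: {lint_smb_conf(conf) or ['clean']}")
```

Run it against the real file with `lint_smb_conf(open('/etc/samba/smb.conf').read())`; the parser ignores comments and the Debian boilerplate, so the whole file can be fed in unchanged. The linter only reports the conflict between `security` and `server role`, it does not decide it, because `testparm -v` is the authority on what Samba actually loads.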
