Zarafa and Single Sign-On

Hello dear Univention forum,

We have the following setup:
2x Windows Server 2008 R2 (both domain controllers)
1x Windows Server 2003 (Exchange, to be replaced; currently still a domain controller as well)
1x Univention (3.2-4, now updated to 4.0) master with Zarafa (version: 7.1.11.46050)

We would like to replace the Exchange server with UCS running Zarafa. The two Windows Server 2008 machines should continue to act as domain controllers. The functional level of the Windows domain is still 2003, because we will only shut down the old server once Zarafa works to our full satisfaction.

We joined the Univention server to the Windows domain using "net ads join". So far it looks good:

[code]root@mail01:/etc# wbinfo -t
checking the trust secret for domain TAIPAN via RPC calls succeeded[/code]

A wbinfo -u also lists all users of the domain.

I went through the SSO configuration following the Zarafa documentation: http://doc.zarafa.com/7.1/Administrator_Manual/ko-KR/html/_single_sign_on_with_zcp.html

The zarafa-linux user was created and DES was enabled for this user.

To create the keytab we ran the following command:

[code]ktpass.exe -princ zarafa/mail01.taipan.at@TAIPAN.AT -mapuser TAIPAN\zarafa-linux -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass <password> -out c:\keytab.zarafa[/code]

The keytab is now located under /etc/zarafa/

The krb5.conf looks like this:

[code][libdefaults]
    default_realm = TAIPAN.AT
    # DES enctypes are deprecated (RFC 6649); a keytab created with
    # "ktpass -crypto RC4-HMAC-NT" contains only an arcfour-hmac-md5 key
    default_tgs_enctypes = des-cbc-md5 arcfour-hmac-md5
    default_tkt_enctypes = des-cbc-md5 arcfour-hmac-md5
    permitted_enctypes = des-cbc-md5 arcfour-hmac-md5
    # keytab written by ktpass above, copied to this path
    default_keytab_name = /etc/zarafa/keytab.zarafa

[domain_realm]
    .taipan.at = TAIPAN.AT
    taipan.at = TAIPAN.AT

[realms]
    TAIPAN.AT = {
        kdc = dc01.taipan.at
        admin_server = dc01.taipan.at
        password_server = dc01.taipan.at
        default_domain = TAIPAN.AT
    }[/code]

Then I set sso to yes in server.cfg and verified server_hostname, which is given in FQDN format.

Here is the server.cfg once more:

[code]##############################################################
# SERVER SETTINGS

# IP Address to bind to (0.0.0.0 for ANY)
# Set to 127.0.0.1 if connections should only come from localhost
# and through the webserver proxy
server_bind = 0.0.0.0

# Accept normal TCP connections (not recommended to disable)
server_tcp_enabled = yes

# Port to bind to
server_tcp_port = 236

# Accept unix pipe connections (not recommended to disable)
server_pipe_enabled = yes

# Unix socket location
server_pipe_name = /var/run/zarafa

# Priority unix socket location
server_pipe_priority = /var/run/zarafa-prio

# Name for identifying the server in a multi-server environment
server_name = Zarafa

# Override the hostname of this server, used by Kerberos SSO if enabled
server_hostname = mail01.taipan.at

# Database engine (mysql)
database_engine = mysql

# Allow connections from normal users through the unix socket
allow_local_users = yes

# local admin users who can connect to any store (use this for the zarafa-dagent)
# field is SPACE separated
# eg: local_admin_users = root vmail
local_admin_users = root

# The user has full rights on a folder by default, uncomment the following line to disable this.
# owner_auto_full_access = false
owner_auto_full_access = true

# e-mail address of the Zarafa System user
system_email_address = postmaster@localhost

# drop privileges and run the process as this user
run_as_user =

# drop privileges and run the process as this group
run_as_group =

# create a pid file for stopping the service via the init.d scripts
pid_file = /var/run/zarafa-server.pid

# run server in this path (when not using the -F switch)
running_path = /

# create memory coredumps upon crash in the running_path directory
coredump_enabled = yes

# session timeout for clients. Values lower than 300 will be upped to 300
# automatically. If the server hears nothing from a client in session_timeout
# seconds, then the session is killed.
session_timeout = 300

# Socket to connect to license server
license_socket = /var/run/zarafa-licensed

# Time (in seconds) to wait for a connection to the license server before
# terminating the request.
license_timeout = 10

##############################################################
# LOG SETTINGS

# Logging method (syslog, file), syslog facility is 'mail'
log_method = file

# Logfile (for log_method = file, '-' for stderr)
log_file = /var/log/zarafa/server.log

# Loglevel (0=no logging, 5=full logging)
log_level = 6

# Log timestamp - prefix each log line with timestamp in 'file' logging mode
log_timestamp = 1

##############################################################
# AUDIT LOG SETTINGS

# Audit logging is by default not enabled
audit_log_enabled = no

# Audit logging method (syslog, file), syslog facility is 'authpriv'
audit_log_method = syslog

# Audit logfile (for log_method = file, '-' for stderr)
audit_log_file = /var/log/zarafa/audit.log

# Audit loglevel (0=no logging, 1=full logging)
audit_log_level = 1

# Audit log timestamp - prefix each log line with timestamp in 'file' logging mode
audit_log_timestamp = 1

##############################################################
# MYSQL SETTINGS (for database_engine = mysql)

# MySQL hostname to connect to for database access
# Warning: the value "mysql_host" has been set via UCR variable "zarafa/cfg/server/mysql_host"
mysql_host = localhost

# MySQL port to connect with (usually 3306)
# Warning: the value "mysql_port" has been set via UCR variable "zarafa/cfg/server/mysql_port"
mysql_port = 3306

# The user under which we connect with MySQL
# Warning: the value "mysql_user" has been set via UCR variable "zarafa/cfg/server/mysql_user"
mysql_user = zarafaDbUser

# The password for the user (leave empty for no password)
# Warning: the value "mysql_password" has been set via UCR variable "zarafa/cfg/server/mysql_password"
mysql_password = highly secure password

# Override the default MySQL socket to access mysql locally
# Works only if the mysql_host value is empty or 'localhost'
mysql_socket =

# Database to connect to
# Warning: the value "mysql_database" has been set via UCR variable "zarafa/cfg/server/mysql_database"
mysql_database = zarafa

# Where to place attachments. Value can be 'database' or 'files'
attachment_storage = files

# When attachment_storage is 'files', use this path to store the files
attachment_path = /var/lib/zarafa/attachments

# Compression level for attachments when attachment_storage is 'files'.
# Set compression level for attachments disabled=0, max=9
attachment_compression = 6

##############################################################
# SSL SETTINGS

# enable SSL support in server
# Warning: the value "server_ssl_enabled" has been set via UCR variable "zarafa/cfg/server/server_ssl_enabled"
server_ssl_enabled = yes

# Listen for SSL connections on this port
server_ssl_port = 237

# Required Server certificate, contains the certificate and the private key parts
# Warning: the value "server_ssl_key_file" has been set via UCR variable "zarafa/cfg/server/server_ssl_key_file"
server_ssl_key_file = /etc/ssl/taipan.at/mail.taipan.at.pem

# Password of Server certificate
server_ssl_key_pass =

# Required Certificate Authority of server
# Warning: the value "server_ssl_ca_file" has been set via UCR variable "zarafa/cfg/server/server_ssl_ca_file"
server_ssl_ca_file = /etc/ssl/taipan.at/mail.taipan.at.pem

# Path with CA certificates, e.g. /etc/ssl/certs
server_ssl_ca_path =

# Accept SSLv2 only connections. Normally v3 connections are used.
server_ssl_enable_v2 = no

# Path of SSL Public keys of clients
sslkeys_path = /etc/zarafa/sslkeys

##############################################################
# THREAD SETTINGS

# Number of server threads
# default: 8
threads = 8

# Watchdog frequency. The number of watchdog checks per second.
# default: 1
watchdog_frequency = 1

# Watchdog max age. The maximum age in ms of a task before a
# new thread is started.
# default: 500
watchdog_max_age = 500

# Maximum SOAP keep_alive value
# default: 100
server_max_keep_alive_requests = 100

# SOAP recv timeout value (time between requests)
# default: 5
server_recv_timeout = 5

# SOAP read timeout value (time during requests)
# default: 60
server_read_timeout = 60

# SOAP send timeout value
# default: 60
server_send_timeout = 60

##############################################################
# OTHER SETTINGS

# Softdelete clean cycle (in days) 0=never running
softdelete_lifetime = 45

# Sync lifetime, removes all changes remembered for a client after x days of inactivity
sync_lifetime = 90

# Set to 'yes' if all changes (for synchronization) to messages should be logged to the database
sync_log_all_changes = yes

# Set to 'yes' if you have Kerberos or NTLM correctly configured for single sign-on
enable_sso = yes

# Set to 'yes' if you want to show the GAB to your users
enable_gab = yes

# Authentication can be through plugin (default, recommended), pam or kerberos
auth_method = plugin

# If auth_method is set to pam, you should provide the pam service name
pam_service = passwd

##############################################################
# CACHE SETTINGS

# To see the live cache usage, use 'zarafa-stats --system'.

# Size in bytes of the 'cell' cache (should be set as high as you can afford to set it)
cache_cell_size = 256M

# Size in bytes of the 'object' cache
cache_object_size = 5M

# Size in bytes of the 'indexed object' cache
cache_indexedobject_size = 16M

# Size in bytes of the userquota details
cache_quota_size = 1M

# Lifetime for userquota details
cache_quota_lifetime = 1

# Size in bytes of the acl cache
cache_acl_size = 1M

# Size in bytes of the store id/guid cache
cache_store_size = 1M

# Size in bytes of the 'user id' cache (this is allocated twice)
cache_user_size = 1M

# Size in bytes of the 'user details' cache
cache_userdetails_size = 26214400

# Lifetime for user details
# Warning: the value "cache_userdetails_lifetime" has been set via UCR variable "zarafa/cfg/server/cache_userdetails_lifetime"
cache_userdetails_lifetime = 5

# Size in bytes of the server details (multiserver setups only)
cache_server_size = 1M

# Lifetime for server details (multiserver setups only)
cache_server_lifetime = 30

##############################################################
# QUOTA SETTINGS

# The default Warning Quota Level. Set to 0 to disable this level.
# The user will receive an email when this level is reached. Value is in Mb. Default value is 0.
quota_warn = 9216

# The default Soft Quota Level. Set to 0 to disable this level.
# The user will still receive mail, but sending new mail is prohibited, until objects are removed from the store.
# VALUE is in Mb. Default value is 0.
quota_soft = 9800

# The default Hard Quota Level. Set to 0 to disable this level.
# The user can not receive and send mail, until objects are removed from the store.
# Value is in Mb. Default value is 0.
quota_hard = 10240

# The default Warning Quota Level for multitenant public stores. Set to 0 to disable this level.
# The tenant administrator will receive an email when this level is reached. Value is in Mb. Default value is 0.
companyquota_warn = 0

##############################################################
# USER PLUGIN SETTINGS

# Name of the plugin that handles users
# Required, default = db
# Values: ldap, unix, db, ldapms (available in enterprise license)
# Warning: the value "user_plugin" has been set via UCR variable "zarafa/cfg/server/user_plugin"
user_plugin = ldap

# configuration file of the user plugin, examples can be found in /usr/share/doc/zarafa/example-config
user_plugin_config = /etc/zarafa/ldap.cfg

# location of the zarafa plugins
# if you have a 64bit distribution, this probably should be changed to /usr/lib64/zarafa
plugin_path = /usr/lib/zarafa

# scripts which create stores for users from an external source
# used for ldap and unix plugins only
createuser_script = /etc/zarafa/userscripts/createuser
deleteuser_script = /etc/zarafa/userscripts/deleteuser
creategroup_script = /etc/zarafa/userscripts/creategroup
deletegroup_script = /etc/zarafa/userscripts/deletegroup
createcompany_script = /etc/zarafa/userscripts/createcompany
deletecompany_script = /etc/zarafa/userscripts/deletecompany

# Set this option to 'yes' to skip the creation and deletion of new users
# The action will be logged, so you can see if your changes to the plugin
# configuration are correct.
# Warning: the value "user_safe_mode" has been set via UCR variable "zarafa/cfg/server/user_safe_mode"
user_safe_mode = yes

##############################################################
# MISC SETTINGS

# Thread size in KB, default is 512
# WARNING: Do not set too small, your server WILL crash
thread_stacksize = 512

# Enable multi-tenancy environment
# When set to true it is possible to create tenants within the
# zarafa instance and assign all users and groups to particular
# tenants.
# When set to false, the normal single-tenancy environment is created.
enable_hosted_zarafa = false

# Enable multi-server environment
# When set to true it is possible to place users and tenants on
# specific servers.
# When set to false, the normal single-server environment is created.
enable_distributed_zarafa = false

# Display format of store name
# Allowed variables:
#  %u Username
#  %f Fullname
#  %c Tenantname
# default: %f
storename_format = %f

# Loginname format (for Multi-tenancy installations)
# When the user does not login through a system-wide unique
# username (like the email address) a unique name is created
# by combining the username and the tenantname.
# With this configuration option you can set how the
# loginname should be built up.
# Note: Do not use the = character in the format.
# Allowed variables:
#  %u Username
#  %c Tenantname
# default: %u
loginname_format = %u

# Set to yes for Windows clients to be able to download the latest
# Zarafa Outlook client from the Zarafa server
client_update_enabled = false

# Place the correct Zarafa Outlook Client in this directory for
# Windows clients to download through the Zarafa server
client_update_path = /var/lib/zarafa/client

# Receive update information from the client (0 = disabled, 1 = only on error, 2 = log always)
client_update_log_level = 1

# Log location for the client auto update files
client_update_log_path = /var/log/zarafa/autoupdate

# Everyone is a special internal group, which contains every user and group
# You may want to disable this group from the Global Addressbook by setting
# this option to 'yes'. Administrators will still be able to see the group.
hide_everyone = yes

# System is a special internal user, which has super-admin privileges
# You may want to disable this user from the Global Addressbook by setting
# this option to 'yes'. Administrators will still be able to see the user.
hide_system = yes

# Use Indexing service for faster searching.
# Enabling this option requires the zarafa-search service to
# be running.
# Warning: the value "search_enabled" has been set via UCR variable "zarafa/cfg/server/search_enabled"
search_enabled = yes

# Path to the zarafa-search service, this option is only required
# if the server is going to make use of the indexing service.
search_socket = file:///var/run/zarafa-search

# Time (in seconds) to wait for a connection to the zarafa-search service
# before terminating the indexed search request.
search_timeout = 10

# Allow enhanced ICS operations to speedup synchronization with cached profiles.
# default: yes
enable_enhanced_ics = yes

# SQL Procedures allow for some optimized queries when streaming with enhanced ICS.
# This is default disabled because you must set 'thread_stack = 256k' in your
# MySQL server config under the [mysqld] tag and restart your MySQL server.
enable_sql_procedures = no

# Synchronize GAB users on every open of the GAB (otherwise, only on
# zarafa-admin --sync)
# Warning: the value "sync_gab_realtime" has been set via UCR variable "zarafa/cfg/server/sync_gab_realtime"
sync_gab_realtime = no

# Disable features for users. Default all features are disabled. This
# list is space separated. Currently valid values: imap
disabled_features = imap pop3

# Maximum number of deferred records in total
max_deferred_records = 0

# Maximum number of deferred records per folder
max_deferred_records_folder = 20

# Restrict the permissions that admins receive to folder permissions only. Please
# read the server.cfg manpage before enabling this option so you really understand
# the implications
restrict_admin_permissions = no

# The maximum level of attachment recursion; Defines the number of
# attachment-in-attachment in-attachment levels are allowed when saving and
# replicating objects in the database. If you really want a higher level of
# recursion than about 20, you probably have to increase MySQL's stack_size
# to allow replication to work properly.
embedded_attachment_limit = 20

# Header to detect whether a connection has been received through a proxy. The
# value of the header is not inspected. If the header exists then the connection
# is taken to be received via a proxy. An empty value disables proxy detection
# and the value of '*' is used to indicate that all connections are proxied
proxy_header =[/code]

Of course we restarted the Zarafa server.

However, we get the error message "User or password incorrect" when we set up the Zarafa profile on the client. We only enter the server and the user name; the password is left empty.

Since single sign-on with Kerberos does not work, we configured NTLM, which works without problems on a Win7 client (but not with Windows 8.1).

Today I performed the update to UCS 4.0. It went through without problems.
Unfortunately it did not change the situation.

The Win7 client authenticates with NTLM and single sign-on works there. However, we would like to implement it with Kerberos, since there are also Win 8.1 clients on the network and it is generally the preferred choice.

The zarafa-server.log contains the following:

[code]Thu Jan 22 16:46:21 2015: New ntlm_auth started on pid 3942
Thu Jan 22 16:46:21 2015: Found username (TAIPAN\rdstest1)
Thu Jan 22 16:46:21 2015: Single sign on: User Authenticated: rdstest1[/code]

NTLM works, but Kerberos does not:

[code]Fri Jan 23 16:42:36 2015: Accepted incoming SSL connection from 192.168.249.101
Fri Jan 23 16:42:36 2015: Kerberos principal: zarafa@mail01.taipan.at
Fri Jan 23 16:42:36 2015: Unable to accept security context: An unsupported mechanism was requested
Fri Jan 23 16:42:36 2015: Unable to accept security context: Unknown error
Fri Jan 23 16:42:36 2015: End of session (logoff) 2329838768477727946
Fri Jan 23 16:42:36 2015: No certificate in SSL connection.
Fri Jan 23 16:42:36 2015: Authentication by plugin failed for user ThomasB: Trying to authenticate failed: Disallowing NULL password for user CN=Thomas Blühmann,OU=Zentrale,OU=Standarduser,OU=Benutzer,DC=taipan,DC=at; username = ThomasB
Fri Jan 23 16:42:36 2015: Failed to authenticate user ThomasB from 192.168.249.101 using program OUTLOOK.EXE[/code]

Do you have any idea what I did wrong and how I can solve the problem?

If more information is needed, I will gladly provide it.

Kind regards, Basti
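Editor's note on the log above. "An unsupported mechanism was requested" is the text MIT Kerberos prints for the GSS-API status GSS_S_BAD_MECH: the acceptor (here zarafa-server, holding a Kerberos-only credential for zarafa@mail01.taipan.at) received an initial token whose mechanism OID it does not support. The first thing to establish is therefore which mechanism the Outlook client actually put on the wire, Kerberos, SPNEGO or NTLMSSP. The script below is an added example (not Zarafa or Univention code) that decodes the header of a GSS-API InitialContextToken (RFC 2743 section 3.1), lists the mechTypes of a SPNEGO NegTokenInit, and recognises a raw NTLMSSP message. The three sample tokens are constructed here for illustration; the Kerberos sample carries a dummy body in place of a real AP-REQ, since only the header is inspected.

```python
"""Identify the mechanism of a GSS-API / SPNEGO / NTLMSSP authentication token.

Added example, not part of Zarafa or UCS. GSS_S_BAD_MECH ("An unsupported
mechanism was requested") is returned by an acceptor when the mechanism OID in
the client's initial token is not one it supports; decoding the header shows
what the client really sent. Sample tokens below are constructed, not captured.
"""
import base64

MECH_OIDS = {
    "1.2.840.113554.1.2.2": "Kerberos V5",
    "1.2.840.48018.1.2.2": "Kerberos V5 (Microsoft legacy OID)",
    "1.3.6.1.5.5.2": "SPNEGO",
    "1.3.6.1.4.1.311.2.2.10": "NTLMSSP",
}


def _der_length(buf, pos):
    """Decode a DER length at buf[pos]; return (length, position after it)."""
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos
    n = first & 0x7F
    return int.from_bytes(buf[pos:pos + n], "big"), pos + n


def _decode_oid(raw):
    """Decode DER OID contents (tag and length already stripped) to dotted form."""
    arcs = [raw[0] // 40, raw[0] % 40]
    value = 0
    for b in raw[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def _spnego_mech_types(inner):
    """Walk NegTokenInit [0] -> SEQUENCE -> mechTypes [0] -> SEQUENCE OF OID."""
    pos = 0
    for tag in (0xA0, 0x30, 0xA0, 0x30):
        if inner[pos] != tag:
            raise ValueError("not a NegTokenInit at offset %d" % pos)
        length, pos = _der_length(inner, pos + 1)
    end = pos + length
    oids = []
    while pos < end:
        if inner[pos] != 0x06:
            raise ValueError("expected OID inside mechTypes")
        length, pos = _der_length(inner, pos + 1)
        oids.append(_decode_oid(inner[pos:pos + length]))
        pos += length
    return oids


def identify_gss_token(token: bytes) -> dict:
    """Return the mechanism a client token requests, plus SPNEGO/NTLM details."""
    # Raw NTLMSSP message without GSS framing (what an ntlm_auth based SSO path sees).
    if token.startswith(b"NTLMSSP\x00"):
        return {"mechanism": "NTLMSSP (raw)",
                "ntlm_message_type": int.from_bytes(token[8:12], "little")}
    # RFC 2743 3.1: [APPLICATION 0] { OID thisMech, innerContextToken }
    if not token or token[0] != 0x60:
        raise ValueError("not a GSS-API InitialContextToken")
    _, pos = _der_length(token, 1)
    if token[pos] != 0x06:
        raise ValueError("missing mechanism OID")
    length, pos = _der_length(token, pos + 1)
    oid = _decode_oid(token[pos:pos + length])
    pos += length
    result = {"mechanism": MECH_OIDS.get(oid, "unknown"), "oid": oid}
    if oid == "1.3.6.1.5.5.2":
        result["spnego_mech_types"] = _spnego_mech_types(token[pos:])
    return result


# --- DER encoder helpers, used only to build the constructed samples below ---
def _der(tag, body):
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + body


def _encode_oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for a in arcs[2:]:
        chunk = [a & 0x7F]
        a >>= 7
        while a:
            chunk.append(0x80 | (a & 0x7F))
            a >>= 7
        out.extend(reversed(chunk))
    return _der(0x06, bytes(out))


# Constructed: Kerberos token, TOK_ID 01 00 (AP-REQ) followed by a dummy body.
SAMPLE_KRB5 = _der(0x60, _encode_oid("1.2.840.113554.1.2.2") + b"\x01\x00" + b"\x6e\x00")
# Constructed: raw NTLMSSP Type 1 (NEGOTIATE) with zeroed flags and payload.
SAMPLE_NTLM = b"NTLMSSP\x00" + (1).to_bytes(4, "little") + bytes(24)
# Constructed: SPNEGO NegTokenInit offering only NTLMSSP, unusable by a Kerberos-only acceptor.
SAMPLE_SPNEGO = _der(0x60, _encode_oid("1.3.6.1.5.5.2") + _der(0xA0, _der(0x30, _der(0xA0, _der(
    0x30, _encode_oid("1.3.6.1.4.1.311.2.2.10"))))))

if __name__ == "__main__":
    for name, tok in (("krb5", SAMPLE_KRB5), ("ntlm", SAMPLE_NTLM), ("spnego", SAMPLE_SPNEGO)):
        print(name, base64.b64encode(tok).decode(), identify_gss_token(tok))
```

To use it on a real failure, pull the client's first authentication token out of a packet capture of the Zarafa connection (with SSL, capture before or after the TLS endpoint), base64-decode it and pass the bytes to identify_gss_token(). A Kerberos OID points at the server side (keytab, enctypes, principal); SPNEGO offering only NTLMSSP or a raw NTLMSSP message means the client never obtained a service ticket and fell back, so the SPN registration and the client's ticket cache are the place to look.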

This looks very much like a manual setup to me. For cases like this there is actually the AD Connector in the App Center. Just a suggestion.

Hello SirTux,

yes, we tried that route as well, but it failed on the first attempt.
The computer was not joined correctly; unfortunately the computer was not created in the Windows domain.

Thanks anyway for the quick reply.

Kind regards, Basti

Hello,

I would indeed also suggest that you look at the AD member mode scenario, which was designed for exactly this use case:
9.3.2. UCS as a member of an Active Directory domain
For working with principals by hand, Working with kerberos principals and keytabs may alternatively help.

Kind regards,
Tim Petersen
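Editor's note. The principals-and-keytabs article referenced above is about the pieces that have to agree before Kerberos SSO can work: the SPN host in the keytab versus server_hostname, the realm versus default_realm, and the key type written by ktpass versus the enctypes krb5.conf permits. The script below is an added example (not Zarafa or Univention code) that runs those checks over the ktpass command line and krb5.conf posted in this thread and reports ERROR/WARN findings, including the weak-enctype caveat a practitioner would want: DES is deprecated by RFC 6649 and RC4 by RFC 8429. It assumes the service principal has the form zarafa/<server_hostname>@<REALM>, which is the acceptor name the thread's log prints as zarafa@mail01.taipan.at, and uses MIT krb5 enctype spellings; the mapping from ktpass -crypto values to those names is the standard one.

```python
"""Consistency check for a Kerberos SSO acceptor's keytab, krb5.conf and hostname.

Added example, not Zarafa or UCS code. Reads the ktpass command line, the
krb5.conf [libdefaults] section and server_hostname and reports findings.
Assumption: the SPN is zarafa/<server_hostname>@<REALM>.
"""
import re

# ktpass -crypto values and the MIT krb5 enctype names they produce.
KTPASS_CRYPTO_TO_KRB5 = {
    "DES-CBC-CRC": ["des-cbc-crc"],
    "DES-CBC-MD5": ["des-cbc-md5"],
    "RC4-HMAC-NT": ["arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"],
    "AES128-SHA1": ["aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"],
    "AES256-SHA1": ["aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"],
}
# Deprecated: DES by RFC 6649, RC4 by RFC 8429.
WEAK_ENCTYPES = {"des-cbc-crc", "des-cbc-md5", "arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"}


def parse_ktpass(cmdline: str) -> dict:
    """Map ktpass options (-princ, -crypto, ...) to their values; lower-cases option names."""
    args = cmdline.split()
    opts, i = {}, 1
    while i < len(args):
        if args[i][0] in "-/" and i + 1 < len(args):
            opts[args[i][1:].lower()] = args[i + 1]
            i += 2
        else:
            i += 1
    return opts


def parse_krb5_conf(text: str) -> dict:
    """Minimal krb5.conf reader: {section: {key: value}} for top-level keys; realm blocks are skipped."""
    conf, section, depth = {}, None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            conf.setdefault(section, {})
        elif line.endswith("{"):
            depth += 1
        elif line == "}":
            depth -= 1
        elif depth == 0 and section and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            conf[section][key] = value
    return conf


def check_sso_setup(ktpass_cmdline: str, krb5_conf: str, server_hostname: str) -> list:
    """Return a list of 'ERROR: ...' and 'WARN: ...' strings; empty means nothing to report."""
    findings = []
    opts = parse_ktpass(ktpass_cmdline)
    libdefaults = parse_krb5_conf(krb5_conf).get("libdefaults", {})

    m = re.fullmatch(r"([^/@]+)/([^@]+)@(.+)", opts.get("princ", ""))
    if not m:
        return ["ERROR: -princ must have the form service/host@REALM"]
    service, host, realm = m.groups()
    if service != "zarafa":
        findings.append(f"ERROR: service part is '{service}', expected 'zarafa'")
    if host.lower() != server_hostname.lower():
        findings.append(f"ERROR: SPN host '{host}' does not match server_hostname '{server_hostname}'")
    if realm != realm.upper():
        findings.append(f"WARN: realm '{realm}' is not upper case; AD realms are the upper-case DNS name")
    if realm != libdefaults.get("default_realm"):
        findings.append(f"ERROR: SPN realm '{realm}' != default_realm '{libdefaults.get('default_realm')}'")
    if not libdefaults.get("default_keytab_name"):
        findings.append("WARN: default_keytab_name not set; the library falls back to /etc/krb5.keytab")

    crypto = opts.get("crypto", "").upper()
    keytab_types = KTPASS_CRYPTO_TO_KRB5.get(crypto)
    if keytab_types is None:
        findings.append(f"ERROR: unknown ktpass -crypto value '{crypto}'")
        return findings
    if set(keytab_types) & WEAK_ENCTYPES:
        findings.append(f"WARN: keytab enctype {crypto} is deprecated; prefer AES256-SHA1")
    for key in ("permitted_enctypes", "default_tgs_enctypes", "default_tkt_enctypes"):
        listed = libdefaults.get(key, "").lower().split()
        if listed and not any(t in listed for t in keytab_types):
            findings.append(f"ERROR: the {crypto} key written by ktpass is not listed in {key}")
        for enctype in listed:
            if enctype in WEAK_ENCTYPES and enctype not in keytab_types:
                findings.append(f"WARN: {key} lists weak enctype {enctype} although the keytab holds no such key")
    return findings


# Inputs copied from the thread above.
KTPASS_CMD = (r"ktpass.exe -princ zarafa/mail01.taipan.at@TAIPAN.AT -mapuser TAIPAN\zarafa-linux "
              r"-crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass <password> -out c:\keytab.zarafa")
KRB5_CONF = """[libdefaults]
default_realm = TAIPAN.AT
default_tgs_enctypes = des-cbc-md5 arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 arcfour-hmac-md5
default_keytab_name = /etc/zarafa/keytab.zarafa

[realms]
TAIPAN.AT = {
kdc = dc01.taipan.at
}
"""

if __name__ == "__main__":
    for line in check_sso_setup(KTPASS_CMD, KRB5_CONF, "mail01.taipan.at"):
        print(line)
```

Run against the thread's own values it reports no ERROR (the SPN host, realm and RC4 key all line up), but it warns that RC4 is deprecated and that the three DES entries in krb5.conf enable a cipher the keytab has no key for; changing server_hostname to any other name immediately produces an SPN-mismatch ERROR, which is the class of mistake the linked article is about.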

Hello,

we have put the topic on hold for now, since SSO with NTLM works. It is only one Win 8.1 computer with one user that causes problems. On the same computer with a different user it also works with NTLM.

When we have more time we will set up a Windows AD environment internally and try to reproduce the problem.

If I find out anything useful I will of course share the information.

Kind regards, Basti
