Hello, dear Univention forum.
We have the following setup:
2x Windows Server 2008 R2 (both domain controllers)
1x Windows Server 2003 (the Exchange server that is to be replaced; currently still a domain controller as well)
1x Univention (3.2-4, now updated to 4.0) master with Zarafa (version: 7.1.11.46050)
We would like to replace the Exchange server with UCS and Zarafa. The two Windows Server 2008 machines are to remain domain controllers. The functional level of the Windows domain is still 2003, because we will only switch off the old server once Zarafa works to our full satisfaction.
We joined the Univention server to the Windows domain using "net ads join". So far it looks fine.
root@mail01:/etc# wbinfo -t
checking the trust secret for domain TAIPAN via RPC calls succeeded
A wbinfo -u also returns all users of the domain.
I went through the SSO configuration according to the Zarafa documentation: http://doc.zarafa.com/7.1/Administrator_Manual/ko-KR/html/_single_sign_on_with_zcp.html
The zarafa-linux user was created and DES was enabled for that user.
To create the keytab we ran the following command:
ktpass.exe -princ zarafa/mail01.taipan.at@TAIPAN.AT -mapuser TAIPAN\zarafa-linux -crypto RC4-HMAC-NT -ptype KRB5_NT_PRINCIPAL -pass <password> -out c:\keytab.zarafa
The keytab is now located under /etc/zarafa/
The krb5.conf looks as follows:
[code][libdefaults]
default_realm = TAIPAN.AT
default_tgs_enctypes = des-cbc-md5 arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 arcfour-hmac-md5
default_keytab_name = /etc/zarafa/keytab.zarafa
[domain_realm]
.taipan.at = TAIPAN.AT
taipan.at = TAIPAN.AT
[realms]
TAIPAN.AT = {
kdc = dc01.taipan.at
admin_server = dc01.taipan.at
password_server = dc01.taipan.at
default_domain = TAIPAN.AT
}[/code]
Then I set sso to yes in server.cfg and checked server_hostname. It is given in FQDN format.
Here is the server.cfg again:
[code]##############################################################
# SERVER SETTINGS
# IP Address to bind to (0.0.0.0 for ANY)
# Set to 127.0.0.1 if connections should only come from localhost
# and through the webserver proxy
server_bind = 0.0.0.0
# Accept normal TCP connections (not recommended to disable)
server_tcp_enabled = yes
# Port to bind to
server_tcp_port = 236
# Accept unix pipe connections (not recommended to disable)
server_pipe_enabled = yes
# Unix socket location
server_pipe_name = /var/run/zarafa
# Priority unix socket location
server_pipe_priority = /var/run/zarafa-prio
# Name for identifying the server in a multi-server environment
server_name = Zarafa
# Override the hostname of this server, used by Kerberos SSO if enabled
server_hostname = mail01.taipan.at
# Database engine (mysql)
database_engine = mysql
# Allow connections from normal users through the unix socket
allow_local_users = yes
# local admin users who can connect to any store (use this for the zarafa-dagent)
# field is SPACE separated
# eg: local_admin_users = root vmail
local_admin_users = root
# The user has full rights on a folder by default, uncomment the following line to disable this.
# owner_auto_full_access = false
owner_auto_full_access = true
# e-mail address of the Zarafa System user
system_email_address = postmaster@localhost
# drop privileges and run the process as this user
run_as_user =
# drop privileges and run the process as this group
run_as_group =
# create a pid file for stopping the service via the init.d scripts
pid_file = /var/run/zarafa-server.pid
# run server in this path (when not using the -F switch)
running_path = /
# create memory coredumps upon crash in the running_path directory
coredump_enabled = yes
# session timeout for clients. Values lower than 300 will be upped to 300
# automatically. If the server hears nothing from a client in session_timeout
# seconds, then the session is killed.
session_timeout = 300
# Socket to connect to license server
license_socket = /var/run/zarafa-licensed
# Time (in seconds) to wait for a connection to the license server before
# terminating the request.
license_timeout = 10

##############################################################
# LOG SETTINGS
# Logging method (syslog, file), syslog facility is 'mail'
log_method = file
# Logfile (for log_method = file, '-' for stderr)
log_file = /var/log/zarafa/server.log
# Loglevel (0=no logging, 5=full logging)
log_level = 6
# Log timestamp - prefix each log line with timestamp in 'file' logging mode
log_timestamp = 1

##############################################################
# AUDIT LOG SETTINGS
# Audit logging is by default not enabled
audit_log_enabled = no
# Audit logging method (syslog, file), syslog facility is 'authpriv'
audit_log_method = syslog
# Audit logfile (for log_method = file, '-' for stderr)
audit_log_file = /var/log/zarafa/audit.log
# Audit loglevel (0=no logging, 1=full logging)
audit_log_level = 1
# Audit log timestamp - prefix each log line with timestamp in 'file' logging mode
audit_log_timestamp = 1

##############################################################
# MYSQL SETTINGS (for database_engine = mysql)
# MySQL hostname to connect to for database access
# Warning: the value "mysql_host" has been set via UCR variable "zarafa/cfg/server/mysql_host"
mysql_host = localhost
# MySQL port to connect with (usually 3306)
# Warning: the value "mysql_port" has been set via UCR variable "zarafa/cfg/server/mysql_port"
mysql_port = 3306
# The user under which we connect with MySQL
# Warning: the value "mysql_user" has been set via UCR variable "zarafa/cfg/server/mysql_user"
mysql_user = zarafaDbUser
# The password for the user (leave empty for no password)
# Warning: the value "mysql_password" has been set via UCR variable "zarafa/cfg/server/mysql_password"
mysql_password = hochsicheres Kennwort
# Override the default MySQL socket to access mysql locally
# Works only if the mysql_host value is empty or 'localhost'
mysql_socket =
# Database to connect to
# Warning: the value "mysql_database" has been set via UCR variable "zarafa/cfg/server/mysql_database"
mysql_database = zarafa
# Where to place attachments. Value can be 'database' or 'files'
attachment_storage = files
# When attachment_storage is 'files', use this path to store the files
attachment_path = /var/lib/zarafa/attachments
# Compression level for attachments when attachment_storage is 'files'.
# Set compression level for attachments disabled=0, max=9
attachment_compression = 6

##############################################################
# SSL SETTINGS
# enable SSL support in server
# Warning: the value "server_ssl_enabled" has been set via UCR variable "zarafa/cfg/server/server_ssl_enabled"
server_ssl_enabled = yes
# Listen for SSL connections on this port
server_ssl_port = 237
# Required Server certificate, contains the certificate and the private key parts
# Warning: the value "server_ssl_key_file" has been set via UCR variable "zarafa/cfg/server/server_ssl_key_file"
server_ssl_key_file = /etc/ssl/taipan.at/mail.taipan.at.pem
# Password of Server certificate
server_ssl_key_pass =
# Required Certificate Authority of server
# Warning: the value "server_ssl_ca_file" has been set via UCR variable "zarafa/cfg/server/server_ssl_ca_file"
server_ssl_ca_file = /etc/ssl/taipan.at/mail.taipan.at.pem
# Path with CA certificates, e.g. /etc/ssl/certs
server_ssl_ca_path =
# Accept SSLv2 only connections. Normally v3 connections are used.
server_ssl_enable_v2 = no
# Path of SSL Public keys of clients
sslkeys_path = /etc/zarafa/sslkeys

##############################################################
# THREAD SETTINGS
# Number of server threads
# default: 8
threads = 8
# Watchdog frequency. The number of watchdog checks per second.
# default: 1
watchdog_frequency = 1
# Watchdog max age. The maximum age in ms of a task before a
# new thread is started.
# default: 500
watchdog_max_age = 500
# Maximum SOAP keep_alive value
# default: 100
server_max_keep_alive_requests = 100
# SOAP recv timeout value (time between requests)
# default: 5
server_recv_timeout = 5
# SOAP read timeout value (time during requests)
# default: 60
server_read_timeout = 60
# SOAP send timeout value
# default: 60
server_send_timeout = 60

##############################################################
# OTHER SETTINGS
# Softdelete clean cycle (in days) 0=never running
softdelete_lifetime = 45
# Sync lifetime, removes all changes remembered for a client after x days of inactivity
sync_lifetime = 90
# Set to 'yes' if all changes (for synchronization) to messages should be logged to the database
sync_log_all_changes = yes
# Set to 'yes' if you have Kerberos or NTLM correctly configured for single sign-on
enable_sso = yes
# Set to 'yes' if you want to show the GAB to your users
enable_gab = yes
# Authentication can be through plugin (default, recommended), pam or kerberos
auth_method = plugin
# If auth_method is set to pam, you should provide the pam service name
pam_service = passwd

##############################################################
# CACHE SETTINGS
# To see the live cache usage, use 'zarafa-stats --system'.
# Size in bytes of the 'cell' cache (should be set as high as you can afford to set it)
cache_cell_size = 256M
# Size in bytes of the 'object' cache
cache_object_size = 5M
# Size in bytes of the 'indexed object' cache
cache_indexedobject_size = 16M
# Size in bytes of the userquota details
cache_quota_size = 1M
# Lifetime for userquota details
cache_quota_lifetime = 1
# Size in bytes of the acl cache
cache_acl_size = 1M
# Size in bytes of the store id/guid cache
cache_store_size = 1M
# Size in bytes of the 'user id' cache (this is allocated twice)
cache_user_size = 1M
# Size in bytes of the 'user details' cache
cache_userdetails_size = 26214400
# Lifetime for user details
# Warning: the value "cache_userdetails_lifetime" has been set via UCR variable "zarafa/cfg/server/cache_userdetails_lifetime"
cache_userdetails_lifetime = 5
# Size in bytes of the server details (multiserver setups only)
cache_server_size = 1M
# Lifetime for server details (multiserver setups only)
cache_server_lifetime = 30

##############################################################
# QUOTA SETTINGS
# The default Warning Quota Level. Set to 0 to disable this level.
# The user will receive an email when this level is reached. Value is in Mb. Default value is 0.
quota_warn = 9216
# The default Soft Quota Level. Set to 0 to disable this level.
# The user will still receive mail, but sending new mail is prohibited, until objects are removed from the store.
# VALUE is in Mb. Default value is 0.
quota_soft = 9800
# The default Hard Quota Level. Set to 0 to disable this level.
# The user can not receive and send mail, until objects are removed from the store.
# Value is in Mb. Default value is 0.
quota_hard = 10240
# The default Warning Quota Level for multitenant public stores. Set to 0 to disable this level.
# The tenant administrator will receive an email when this level is reached. Value is in Mb. Default value is 0.
companyquota_warn = 0

##############################################################
# USER PLUGIN SETTINGS
# Name of the plugin that handles users
# Required, default = db
# Values: ldap, unix, db, ldapms (available in enterprise license)
# Warning: the value "user_plugin" has been set via UCR variable "zarafa/cfg/server/user_plugin"
user_plugin = ldap
# configuration file of the user plugin, examples can be found in /usr/share/doc/zarafa/example-config
user_plugin_config = /etc/zarafa/ldap.cfg
# location of the zarafa plugins
# if you have a 64bit distribution, this probably should be changed to /usr/lib64/zarafa
plugin_path = /usr/lib/zarafa
# scripts which create stores for users from an external source
# used for ldap and unix plugins only
createuser_script = /etc/zarafa/userscripts/createuser
deleteuser_script = /etc/zarafa/userscripts/deleteuser
creategroup_script = /etc/zarafa/userscripts/creategroup
deletegroup_script = /etc/zarafa/userscripts/deletegroup
createcompany_script = /etc/zarafa/userscripts/createcompany
deletecompany_script = /etc/zarafa/userscripts/deletecompany
# Set this option to 'yes' to skip the creation and deletion of new users
# The action will be logged, so you can see if your changes to the plugin
# configuration are correct.
# Warning: the value "user_safe_mode" has been set via UCR variable "zarafa/cfg/server/user_safe_mode"
user_safe_mode = yes

##############################################################
# MISC SETTINGS
# Thread size in KB, default is 512
# WARNING: Do not set too small, your server WILL crash
thread_stacksize = 512
# Enable multi-tenancy environment
# When set to true it is possible to create tenants within the
# zarafa instance and assign all users and groups to particular
# tenants.
# When set to false, the normal single-tenancy environment is created.
enable_hosted_zarafa = false
# Enable multi-server environment
# When set to true it is possible to place users and tenants on
# specific servers.
# When set to false, the normal single-server environment is created.
enable_distributed_zarafa = false
# Display format of store name
# Allowed variables:
#  %u Username
#  %f Fullname
#  %c Tenantname
# default: %f
storename_format = %f
# Loginname format (for Multi-tenancy installations)
# When the user does not login through a system-wide unique
# username (like the email address) a unique name is created
# by combining the username and the tenantname.
# With this configuration option you can set how the
# loginname should be built up.
# Note: Do not use the = character in the format.
# Allowed variables:
#  %u Username
#  %c Tenantname
# default: %u
loginname_format = %u
# Set to yes for Windows clients to be able to download the latest
# Zarafa Outlook client from the Zarafa server
client_update_enabled = false
# Place the correct Zarafa Outlook Client in this directory for
# Windows clients to download through the Zarafa server
client_update_path = /var/lib/zarafa/client
# Receive update information from the client (0 = disabled, 1 = only on error, 2 = log always)
client_update_log_level = 1
# Log location for the client auto update files
client_update_log_path = /var/log/zarafa/autoupdate
# Everyone is a special internal group, which contains every user and group
# You may want to disable this group from the Global Addressbook by setting
# this option to 'yes'. Administrators will still be able to see the group.
hide_everyone = yes
# System is a special internal user, which has super-admin privileges
# You may want to disable this user from the Global Addressbook by setting
# this option to 'yes'. Administrators will still be able to see the user.
hide_system = yes
# Use Indexing service for faster searching.
# Enabling this option requires the zarafa-search service to
# be running.
# Warning: the value "search_enabled" has been set via UCR variable "zarafa/cfg/server/search_enabled"
search_enabled = yes
# Path to the zarafa-search service, this option is only required
# if the server is going to make use of the indexing service.
search_socket = file:///var/run/zarafa-search
# Time (in seconds) to wait for a connection to the zarafa-search service
# before terminating the indexed search request.
search_timeout = 10
# Allow enhanced ICS operations to speedup synchronization with cached profiles.
# default: yes
enable_enhanced_ics = yes
# SQL Procedures allow for some optimized queries when streaming with enhanced ICS.
# This is default disabled because you must set 'thread_stack = 256k' in your
# MySQL server config under the [mysqld] tag and restart your MySQL server.
enable_sql_procedures = no
# Synchronize GAB users on every open of the GAB (otherwise, only on
# zarafa-admin --sync)
# Warning: the value "sync_gab_realtime" has been set via UCR variable "zarafa/cfg/server/sync_gab_realtime"
sync_gab_realtime = no
# Disable features for users. Default all features are disabled. This
# list is space separated. Currently valid values: imap
disabled_features = imap pop3
# Maximum number of deferred records in total
max_deferred_records = 0
# Maximum number of deferred records per folder
max_deferred_records_folder = 20
# Restrict the permissions that admins receive to folder permissions only. Please
# read the server.cfg manpage before enabling this option so you really understand
# the implications
restrict_admin_permissions = no
# The maximum level of attachment recursion; Defines the number of
# attachment-in-attachment in-attachment levels are allowed when saving and
# replicating objects in the database. If you really want a higher level of
# recursion than about 20, you probably have to increase MySQL's stack_size
# to allow replication to work properly.
embedded_attachment_limit = 20
# Header to detect whether a connection has been received through a proxy. The
# value of the header is not inspected. If the header exists then the connection
# is taken to be received via a proxy. An empty value disables proxy detection
# and the value of '*' is used to indicate that all connections are proxied
proxy_header =[/code]
Of course we restarted the Zarafa server.
However, we get the error message "User or password incorrect" when we set up the Zarafa profile on the client. We only enter the server and the username; the password is left empty.
Since single sign-on with Kerberos does not work, we configured NTLM, which works without problems on a Win7 client (but not with Windows 8.1).
Today I performed the update to UCS 4.0. It went through without problems.
Unfortunately it did not change the situation at all.
The Win7 client authenticates with NTLM, and single sign-on works there. However, we would like to implement it with Kerberos, since there are also Win 8.1 clients in the network and it is generally the preferred choice.
The zarafa-server.log contains the following:
Thu Jan 22 16:46:21 2015: New ntlm_auth started on pid 3942
Thu Jan 22 16:46:21 2015: Found username (TAIPAN\rdstest1)
Thu Jan 22 16:46:21 2015: Single sign on: User Authenticated: rdstest1
NTLM works, but Kerberos does not:
Fri Jan 23 16:42:36 2015: Accepted incoming SSL connection from 192.168.249.101
Fri Jan 23 16:42:36 2015: Kerberos principal: zarafa@mail01.taipan.at
Fri Jan 23 16:42:36 2015: Unable to accept security context: An unsupported mechanism was requested
Fri Jan 23 16:42:36 2015: Unable to accept security context: Unknown error
Fri Jan 23 16:42:36 2015: End of session (logoff) 2329838768477727946
Fri Jan 23 16:42:36 2015: No certificate in SSL connection.
Fri Jan 23 16:42:36 2015: Authentication by plugin failed for user ThomasB: Trying to authenticate failed: Disallowing NULL password for user CN=Thomas Blühmann,OU=Zentrale,OU=Standarduser,OU=Benutzer,DC=taipan,DC=at; username = ThomasB
Fri Jan 23 16:42:36 2015: Failed to authenticate user ThomasB from 192.168.249.101 using program OUTLOOK.EXE
Do you have an idea what I did wrong and how I can solve the problem?
If more information is needed, I will gladly provide it.
Best regards, Basti
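As an added example (my own code, not from the post, Zarafa or Univention): one check worth running when a GSSAPI accept fails with "unsupported mechanism" is whether the enctypes actually stored in the service keytab are among those the krb5 library is allowed to use, i.e. the permitted_enctypes list in krb5.conf. The script below parses an MIT-format keytab (version 0x0502), lists each principal with its key enctype and flags entries the krb5.conf would refuse. The keytab bytes and the krb5.conf text are constructed inline from the names in the post so that it runs offline; build_keytab exists only to produce that sample, and the key material is dummy zero bytes.

```python
"""Keytab vs. krb5.conf enctype consistency check (added example, not from the post)."""
import struct

# Kerberos enctype numbers and the names krb5.conf accepts for them (RFC 3961/3962/4757).
ENCTYPE_NAMES = {
    1: ("des-cbc-crc",),
    3: ("des-cbc-md5",),
    17: ("aes128-cts-hmac-sha1-96", "aes128-cts", "aes128-sha1"),
    18: ("aes256-cts-hmac-sha1-96", "aes256-cts", "aes256-sha1"),
    23: ("arcfour-hmac-md5", "arcfour-hmac", "rc4-hmac"),
}

def _counted(data):
    """Keytab counted_octet_string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(data)) + data

def build_keytab(entries):
    """Serialize (realm, components, name_type, kvno, enctype, key) tuples as a keytab.
    Only used here to construct sample data; real keytabs come from ktpass or kadmin."""
    out = b"\x05\x02"
    for realm, comps, name_type, kvno, enctype, key in entries:
        body = struct.pack(">H", len(comps)) + _counted(realm.encode())
        for comp in comps:
            body += _counted(comp.encode())
        body += struct.pack(">IIB", name_type, 0, kvno & 0xFF)  # name_type, timestamp, vno8
        body += struct.pack(">H", enctype) + _counted(key)
        body += struct.pack(">I", kvno)  # optional 32-bit kvno extension
        out += struct.pack(">i", len(body)) + body
    return out

def parse_keytab(blob):
    """Return a list of {principal, kvno, enctype} dicts for every live keytab entry."""
    if blob[:2] != b"\x05\x02":
        raise ValueError("unsupported keytab version: %r" % blob[:2])
    pos, entries = 2, []
    while pos + 4 <= len(blob):
        (size,) = struct.unpack_from(">i", blob, pos)
        pos += 4
        if size < 0:  # a negative size marks a deleted entry: skip it
            pos += -size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", blob, pos)
        pos += 4
        realm = blob[pos:pos + rlen].decode()
        pos += rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", blob, pos)
            pos += 2
            comps.append(blob[pos:pos + clen].decode())
            pos += clen
        _name_type, _timestamp, vno8 = struct.unpack_from(">IIB", blob, pos)
        pos += 9
        enctype, klen = struct.unpack_from(">HH", blob, pos)
        pos += 4 + klen  # the key bytes themselves are not needed for this check
        kvno = vno8
        if end - pos >= 4:  # 32-bit kvno present; it overrides vno8 when non-zero
            (kvno32,) = struct.unpack_from(">I", blob, pos)
            kvno = kvno32 or vno8
        pos = end
        entries.append({"principal": "/".join(comps) + "@" + realm,
                        "kvno": kvno, "enctype": enctype})
    return entries

def parse_permitted_enctypes(conf_text):
    """Extract the permitted_enctypes list from the [libdefaults] section of a krb5.conf."""
    section, permitted = None, set()
    for line in conf_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "libdefaults" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "permitted_enctypes":
                permitted.update(value.split())
    return permitted

def check_keytab(blob, conf_text):
    """Return (principal, enctype_name, permitted) for each keytab entry."""
    permitted = parse_permitted_enctypes(conf_text)
    report = []
    for entry in parse_keytab(blob):
        aliases = ENCTYPE_NAMES.get(entry["enctype"], ("enctype-%d" % entry["enctype"],))
        report.append((entry["principal"], aliases[0], any(a in permitted for a in aliases)))
    return report

# Constructed sample: the post's principal once with RC4 (what ktpass -crypto RC4-HMAC-NT
# produces) and once with AES256, which the post's permitted_enctypes list does not allow.
SAMPLE_KEYTAB = build_keytab([
    ("TAIPAN.AT", ["zarafa", "mail01.taipan.at"], 1, 3, 23, b"\x00" * 16),
    ("TAIPAN.AT", ["zarafa", "mail01.taipan.at"], 1, 3, 18, b"\x00" * 32),
])
KRB5_CONF = """[libdefaults]
    default_realm = TAIPAN.AT
    permitted_enctypes = des-cbc-md5 arcfour-hmac-md5
[realms]
    TAIPAN.AT = { kdc = dc01.taipan.at }
"""

if __name__ == "__main__":
    for principal, enctype, ok in check_keytab(SAMPLE_KEYTAB, KRB5_CONF):
        print("%-38s %-26s %s" % (principal, enctype, "ok" if ok else "NOT permitted"))
```

On a real host, replace SAMPLE_KEYTAB with the bytes of /etc/zarafa/keytab.zarafa and KRB5_CONF with the contents of /etc/krb5.conf; the native equivalent of the listing part is klist -k -t -e, which also prints the enctype of every keytab entry.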