General discussion on installation and configuration of SOGo

Text archives Help


Re: [SOGo] Outlook question . . .


Chronological Thread 
  • From: Steve Ankeny < >
  • To:
  • Subject: Re: [SOGo] Outlook question . . .
  • Date: Sat, 26 Sep 2015 09:26:03 -0400

On 09/25/2015 08:38 PM, Ludovic Marcotte wrote:
On 25/09/2015 15:40, Steve Ankeny wrote:
(1) What are the differences between Ubuntu Samba 4.1.6 and Inverse Samba 4.1.18 in terms of libraries? Could there be some library or package from 4.1.6 which if removed would cause 4.1.18 to work properly?

It seems to me this might be the source of my problems, as I originally installed 4.1.6
If you use our repository for Samba packages, all should be up-to-date. Here is the bash Samba/OpenChancge function used in the script to prepare the ZEG:

function setupSambaOpenChange {
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak || true

apt-get -y install samba openchangeserver sogo-openchange \
openchangeproxy python-ocsmanager openchange-ocsmanager openchange-rpcproxy python-sievelib python-spyne python-rpclib python-mysqldb

ln -s /etc/apache2/conf.d/ocsmanager.conf /etc/apache2/conf-available/ocsmanager.conf
ln -s /etc/apache2/conf.d/rpcproxy.conf /etc/apache2/conf-available/rpcproxy.conf
cat >/etc/apache2/conf.d/rpcproxy.conf <<EOF
KeepAliveTimeout 120

WSGILazyInitialization On
WSGIPythonPath /usr/lib/openchange/web/rpcproxy

<Directory /usr/lib/openchange/web/rpcproxy/>
<IfVersion < 2.4>
Order deny,allow
Allow from all
</IfVersion>
<IfVersion >= 2.4>
Require all granted
</IfVersion>

SetEnv RPCPROXY_LOGLEVEL INFO
SetEnv NTLMAUTHHANDLER_WORKDIR /var/cache/ntlmauthhandler
SetEnv SAMBA_HOST 127.0.0.1
WSGIPassAuthorization On
WSGIProcessGroup %{GLOBAL}
</Directory>

WSGIScriptAlias /rpc/rpcproxy.dll /usr/lib/openchange/web/rpcproxy/rpcproxy.wsgi
WSGIScriptAlias /rpcwithcert/rpcproxy.dll /usr/lib/openchange/web/rpcproxy/rpcproxy.wsgi
EOF


My 'rpcproxy.conf' was not EXACTLY the same as here, but I've changed it.

It was missing the 'IfVersion' lines and specifically, 'Order, deny,allow' 'Allow from all'

THAT may or may not make a difference but I've modified mine to match your script.

# ocsmanager
cat >/etc/ocsmanager/ocsmanager.ini <<EOF
[DEFAULT]
debug = true
email_to =

smtp_server = localhost
error_email_from = paste@localhost

[main]
auth = ldap
mapistore_root = /var/lib/samba/private
mapistore_data = /var/lib/samba/private/mapistore
debug = yes

[auth:file]

[auth:ldap]
host = ldap://127.0.0.1
port = 389
bind_dn = cn=administrator,cn=Users,dc=example,dc=com
bind_pw = %1OpenChange
basedn = cn=Users,dc=example,dc=com

[auth:single]
username = openchange
password = {SSHA}I6Hy5Wv0wuxyXvMBFWFQDVVN12_CLaX9


How important is THIS password with THIS hash?

The same hash is used in the Configuration guide for 'openchange$123'

Should it not be the hash generated in MySQL for "my" password? (if I've changed it)

[server:main]
use = egg:Paste#http
host = 127.0.0.1
port = 5000
protocol_version = HTTP/1.1

[app:main]
use = egg:ocsmanager
full_stack = true
static_files = true
cache_dir = %(here)s/data
beaker.session.key = ocsmanager
beaker.session.secret = SDyKK3dKyDgW0mlpqttTMGU1f
app_instance_uuid = {ee533ebc-f266-49d1-ae10-d017ee6aa98c}
NTLMAUTHHANDLER_WORKDIR = /var/cache/ntlmauthhandler
SAMBA_HOST = 127.0.0.1

[rpcproxy:ldap]
host = localhost
port = 389
basedn = CN=Users,DC=example,DC=com


set debug = true

[autodiscover]

[autodiscover:rpcproxy]
enabled = true

[outofoffice]

[outofoffice:file]
sieve_script_path = /var/vmail/\$domain/\$user/sieve-script

My line reads 'sieve_script_path = /var/vmail/$domain/$user/sieve-script'

The example in the Configuration guide does not include the back slashes.

How important are the back slashes? I will modify mine and test it.

sieve_script_path_mkdir = false

[outofoffice:managesieve]
secret = secret

[loggers]
keys = root

[handlers]
keys = console

[formatters]
keys = generic

[logger_root]
level = INFO
handlers = console

[handler_console]
class = StreamHandler
args = (sys.stderr,)
level = NOTSET
formatter = generic

[formatter_generic]
format = %(asctime)s %(levelname)-5.5s [%(name)s] [%(threadName)s] %(message)s
EOF

# enable modules
a2enconf rpcproxy
a2enconf ocsmanager

# it gets better, provision will fail if smb.conf exists
mv /etc/samba/smb.conf /etc/samba/smb.conf.bak || true
rm -rf /var/lib/samba/private/* || true

samba-tool domain provision --realm=$DOMAINNAME.$TLD \
--domain=$DOMAINNAMEUPPER \
--adminpass='%1OpenChange' \
--server-role='domain controller'

samba-tool user setexpiry administrator --noexpiry

cat >/etc/samba/smb.conf <<EOF
# Global parameters
[global]
server role = active directory domain controller
workgroup = $DOMAINNAMEUPPER
realm = $DOMAINNAME.$TLD
netbios name = sogo
passdb backend = samba4
dns forwarder = 8.8.4.4

### Configuration required by OpenChange server ###
dsdb:schema update allowed = true
dcerpc endpoint servers = epmapper, mapiproxy, dnsserver

Again, the Configuration guide lists ONLY 'dcerpc endpoint servers = +epmapper, +mapiproxy'

I have been using 'dcerpc endpoint servers = +mapiproxy'

How important are these DCERPC calls when Samba AD includes 'epmapper' & 'dnsserver' natively?

adam@sogo:~$ samba-tool testparm -v | grep 'dcerpc endpoint servers'

dcerpc endpoint servers = epmapper, wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey, dnsserver
adam@sogo:~$

It is my understanding that invoking 'epmapper' & 'dnsserver' through DCERPC calls disables --

wkssvc, rpcecho, samr, netlogon, lsarpc, spoolss, drsuapi, dssetup, unixinfo, browser, eventlog6, backupkey

Are we sure we want to "turn off" those endpoint servers?

dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr

mapistore:namedproperties = mysql
namedproperties:mysql_user = openchange-user
namedproperties:mysql_pass = openchange123
namedproperties:mysql_host = localhost
namedproperties:mysql_db = openchange


HERE the OpenChange password is 'openchange123' See the discussion above on password & hash.

mapistore:indexing_backend = mysql://openchange-user:openchange123@localhost/openchange
mapiproxy:openchangedb = mysql://openchange-user:openchange123@localhost/openchange
### Configuration required by OpenChange server ###

[netlogon]
path = /var/lib/samba/sysvol/$DOMAINNAME.$TLD/scripts
read only = No

[sysvol]
path = /var/lib/samba/sysvol
read only = No
EOF

# sogo config link since samba is started as root
rm -rf /root/GNUstep || true
ln -s ~sogo/GNUstep /root/

I find no link of '~sogo/GNUstep' in '/root' although 'root' has access to the directory.


# OpenChange MySQL indexing db
mysql -uroot <<EOF
CREATE USER "openchange-user"@"localhost" IDENTIFIED BY "openchange123";
GRANT ALL PRIVILEGES ON openchange.* TO "openchange-user"@"localhost" WITH GRANT OPTION;
FLUSH PRIVILEGES;
EOF

/usr/sbin/openchange_provision --standalone
/usr/sbin/openchange_provision --openchangedb --openchangedb-uri 'mysql://openchange-user:openchange123@localhost/openchange'

echo "manual" >> /etc/init/nmbd.conf
echo "manual" >> /etc/init/smbd.conf
service slapd stop
update-rc.d slapd disable
sed -i s/'start on (local-filesystems and net-device-up)'/'start on (started mysql)'/ /etc/init/samba-ad-dc.conf
start samba-ad-dc

a2enmod proxy proxy_http
/etc/init.d/apache2 restart

echo "supersede domain-name-servers 127.0.0.1;" >>/etc/dhcp/dhclient.conf
}


(2) Could there be an issue with 'NTLMAuthHandler.py' such as was experienced in Bug 0002732?

http://www.sogo.nu/bugs/view.php?id=2732
No, that was a packaging issue only affecting RHEL-based distributions.

Thanks,






Archive powered by MHonArc 2.6.18.

Top of page