Zarafa Outlook & Webaccess SSO with Samba4

March 7, 2013 by SystemFuchs   Comments (5)



Because there was no public documentation about Samba4 and Zarafa SSO available I did some research on my own and wrote this documentation. Have fun, any comments, suggestions and improvements are welcome!

Assumptions
  • Samba4 Domain is already set up, DNS is working properly (Samba internal or external does not matter, in this HowTo we will use the internal Samba4 DNS Server)

  • Zarafa is installed properly, the ldap configuration for ActiveDirectory is working (assuming that Zarafa is installed manually and not deployed through Z-Admin, perhaps a HowTo for Z-Admin will follow later)

  • Apache2 is properly set up & configured, Zarafa webaccess is working

  • krb5-user package is installed on both systems, a minimal krb5.conf as mentioned in the Samba4 AD DC HowTo ( https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO#Step_8:_Configure_Kerberos ) is installed on your Samba4 DC

  • Every server must have a DNS name, so their IP-addresses can be found by DNS. It is also required that all servers have a PTR record.

  • The time of all servers must always be in sync with each other.

  • This HowTo was created using an Ubuntu-LTS 12.04 system. Some things may vary on your system if you are using an alternative distribution.

  • Parts of this text are copied from the official Zarafa documentation, available here: http://doc.zarafa.com/7.1/Administrator_Manual/en-US/html-single/index.html

Definitions
  • SYSTEM-FUCHS.EU -> Kerberos Realm

  • system-fuchs.eu -> FQDN

  • samba-dc1.system-fuchs.eu -> FQDN Samba4 DC

  • zarafa-server.system-fuchs.eu -> FQDN Zarafa Server

  • httpd-linux -> Active Directory Service account needed for webaccess SSO

  • zarafa-linux -> Active Directory Service account needed for Outlook SSO

  • www-data -> Service account for apache2 service

  • Samba4 install directory is /usr/local/samba

  • Kerberos Primary used for zarafa-linux (Outlook) is zarafa (seems to be hard coded in Zarafa)

  • Kerberos Primary used for httpd-linux is HTTP (seems to be hard coded in Zarafa)

  • -> see http://web.mit.edu/kerberos/krb5-1.5/krb5-1.5.4/doc/krb5-user/What-is-a-Kerberos-Principal_003f.html for a short explanation of Kerberos Principals

ToDo's Samba4 DC

Create Accounts

Create the two service accounts (zarafa-linux, httpd-linux) as mentioned above in your ActiveDirectory. They only have to be regular Domain Users.

Don't use samba-tool for this task; it seems that not all necessary Kerberos encryption types are properly set on the user object. Use dsa.msc from the Remote Server Administration Tools on a Windows workstation which has already joined the domain.

Windows Server 2003 Administration Tools Pack

Windows 7 RSAT Download

Windows 8 RSAT Download

Configure /etc/krb5.conf on DC

Check that your /etc/krb5.conf on the Samba4 DC contains at least the following (more entries are not necessary on the DC):

krb5.conf
[libdefaults]
default_realm = SYSTEM-FUCHS.EU
dns_lookup_realm = false
dns_lookup_kdc = true

Create Service Principal Names (SPN)

We need one SPN without the realm and one with the realm included, otherwise we are not able to export the keytab in the correct format (took me a whole day to find this out, not sure if this is a bug or a feature ;-)

root@samba-dc1:~# samba-tool spn add zarafa/zarafa-server.system-fuchs.eu zarafa-linux
root@samba-dc1:~# samba-tool spn add zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU zarafa-linux
root@samba-dc1:~# samba-tool spn add HTTP/zarafa-server.system-fuchs.eu httpd-linux
root@samba-dc1:~# samba-tool spn add HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU httpd-linux

Export the kerberos keytabs

root@samba-dc1:~# samba-tool domain exportkeytab /tmp/keytab.zarafa --principal=zarafa/zarafa-server.system-fuchs.eu
root@samba-dc1:~# samba-tool domain exportkeytab /tmp/keytab.apache --principal=HTTP/zarafa-server.system-fuchs.eu

Control keytabs

Check the content of both keytab files; it is important that these three encryption types (des-cbc-crc, des-cbc-md5, arcfour-hmac) are included:

root@samba-dc1:~# klist -e -k /tmp/keytab.zarafa
Keytab name: FILE:/tmp/keytab.zarafa
KVNO Principal
---- --------------------------------------------------------------------------
1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-crc)
1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-md5)
1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (arcfour-hmac)
root@samba-dc1:~# klist -e -k /tmp/keytab.apache
Keytab name: FILE:/tmp/keytab.apache
KVNO Principal
---- --------------------------------------------------------------------------
1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-crc)
1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-md5)
1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (arcfour-hmac)

Copy both keytabs onto your zarafa-server

If you use WinSCP remember that these are binary files!

root@samba-dc1:~# scp /tmp/keytab.zarafa zarafa-server.system-fuchs.eu:/etc/zarafa/
root@samba-dc1:~# scp /tmp/keytab.apache zarafa-server.system-fuchs.eu:/etc/apache2/

Add DNS A Record

Add a DNS A record for your Zarafa-Server (we are using the internal Samba DNS service here; for Bind9 you have to edit the appropriate zone file for your domain yourself):

root@samba-dc1:~# samba-tool dns add localhost system-fuchs.eu zarafa-server A <your ip address goes here> -UAdministrator

ToDo's Zarafa-Server

Configure /etc/krb5.conf

default_keytab_name defines the Kerberos keytab which is used for Outlook SSO:

krb5.conf
[libdefaults]
default_realm = SYSTEM-FUCHS.EU
default_keytab_name = /etc/zarafa/keytab.zarafa
default_tgs_enctypes = des-cbc-md5 arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 arcfour-hmac-md5

[realms]
SYSTEM-FUCHS.EU = {
kdc = samba-dc1.system-fuchs.eu
admin_server = samba-dc1.system-fuchs.eu
}

[domain_realm]
.system-fuchs.eu = SYSTEM-FUCHS.EU
system-fuchs.eu = SYSTEM-FUCHS.EU

Zarafa Server configuration

To enable Outlook SSO with ZCP set the following in the server.cfg file:

server.cfg
enable_sso = yes

If the hostname of the Linux server (see the hostname command) does not equal the FQDN of the Linux server, the server_hostname variable will need to be changed in the server.cfg file:

server.cfg
server_hostname = zarafa-server.system-fuchs.eu

Restart the zarafa-server to activate all changes.

service zarafa-server restart

Apache configuration (for SSO with WebAccess)

Install the mod_auth_kerb Apache module, e.g. for Debian/Ubuntu:

root@zarafa-server:~# apt-get install libapache2-mod-auth-kerb

Open your Zarafa webaccess config file (e.g. /etc/apache2/sites-enabled/zarafa.conf) and modify your config according to the example below.

Pay attention to the parameter KrbServiceName HTTP; it matches our chosen SPN Primary!

Apache zarafa.conf
Alias /webaccess /usr/share/zarafa-webaccess

<Directory /usr/share/zarafa-webaccess>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms SYSTEM-FUCHS.EU
Krb5KeyTab /etc/apache2/keytab.apache
require valid-user
</Directory>

Set the filesystem permissions of the keytab file to 400 and change the owner to the Apache user:

root@zarafa-server:/etc/apache2# chmod 400 keytab.apache
root@zarafa-server:/etc/apache2# chown www-data:www-data keytab.apache
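A small verification script for the two keytab checks described in this HowTo (the klist enctype listing under "Control keytabs" and the 400/www-data permissions set just above); this is an added example, not part of the original HowTo, and it assumes GNU stat and id as found on the Ubuntu 12.04 host the HowTo uses.

```shell
#!/bin/sh
# Added example, not from the HowTo: verify the exported keytabs before
# trusting them. Assumes GNU stat/id (Ubuntu 12.04 as in the HowTo).
# des-cbc-* are legacy enctypes; the Zarafa 7.1/Outlook setup described
# here still expects them, so the check requires all three.
REQUIRED_ENCTYPES="des-cbc-crc des-cbc-md5 arcfour-hmac"

# check_keytab_listing PRINCIPAL   (reads `klist -e -k` output on stdin)
# Returns 0 if every required enctype is present for PRINCIPAL; otherwise
# prints the missing ones on stderr and returns 1.
check_keytab_listing() {
    principal="$1"
    listing=$(cat)
    missing=""
    for enc in $REQUIRED_ENCTYPES; do
        # klist lines look like "   1 principal (enctype)"; match the whole
        # line so an entry for another principal cannot satisfy the check.
        if ! printf '%s\n' "$listing" |
             grep -q "^ *[0-9][0-9]* $principal ($enc)\$"; then
            missing="$missing $enc"
        fi
    done
    [ -z "$missing" ] && return 0
    printf 'keytab entries missing for %s:%s\n' "$principal" "$missing" >&2
    return 1
}

# check_keytab_perms FILE OWNER   (OWNER is a name like www-data or a uid)
# Returns 0 only if FILE is mode 400 and owned by OWNER, as the Apache step requires.
check_keytab_perms() {
    [ "$(stat -c '%a %u' "$1")" = "400 $(id -u "$2")" ]
}

# Constructed sample listings (not real output): a complete zarafa keytab
# and an apache keytab with one required enctype missing.
SAMPLE_OK='Keytab name: FILE:/tmp/keytab.zarafa
KVNO Principal
---- ---------------------------------------------------------------
   1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-crc)
   1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-md5)
   1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (arcfour-hmac)'
SAMPLE_MISSING='Keytab name: FILE:/tmp/keytab.apache
KVNO Principal
---- ---------------------------------------------------------------
   1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-crc)
   1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-md5)'
# On the real zarafa-server, e.g.:
#   klist -e -k /etc/apache2/keytab.apache | check_keytab_listing 'HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU'
#   check_keytab_perms /etc/apache2/keytab.apache www-data
```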

Do a syntax check & restart Apache to activate all changes:

root@zarafa-server:~# apache2ctl configtest
Syntax OK
root@zarafa-server:~# apache2ctl restart

WebAccess configuration

To set up a Single Sign On environment for the Zarafa Collaboration Platform, it is necessary to create a trust between the Apache webserver and the Zarafa Storage Server. The trust is necessary so that WebAccess authentication is handled by the Apache webserver and no longer by the Zarafa Storage Server. To create this trust, add the running Apache user to the following line in /etc/zarafa/server.cfg:

server.cfg
local_admin_users = root www-data

To configure the Zarafa WebAccess for Single Sign On change the following option in the /usr/share/zarafa-webaccess/config.php file:

config.php
define("LOGINNAME_STRIP_DOMAIN", true);

In this configuration we assume the Zarafa WebAccess is installed on the same server as the Zarafa Storage Server.

Restart the Zarafa-server processes to activate this change:

root@zarafa-server:~# service zarafa-server restart

Browser configuration

Before Single Sign On can be used in a browser, configure the following settings:

Firefox:

  1. Type in the addressbar about:config

  2. Filter on auth. Change the options network.negotiate-auth.trusted-uris and network.negotiate-auth.delegation-uris to .system-fuchs.eu

Internet Explorer:

  1. Go to Tools > Internet options > Advanced

  2. Make sure the option Enable integrated Windows authentication is enabled

  3. Add the URL of the Zarafa Server ( http://zarafa-server.system-fuchs.eu ) to the Local Intranet sites.

Restart the browser and open the WebAccess via the FQDN ( http://zarafa-server.system-fuchs.eu/webaccess ). If the configuration is done correctly, the user will be logged in to the WebAccess without typing the username and password.

It is important to use the FQDN here, otherwise Kerberos SSO will not work. In my lab environment it only worked with Firefox. In Internet Explorer 9 the auth dialog always came up. When I filled the form with the correct user & password, a login to webaccess with the domain user was possible.

Now that SSO seems to work with the Linux server, it will automatically be used by zarafa-server. Now log on to a Windows workstation on the domain and create a new Outlook profile for the user just logged on, but leave the password field empty. Outlook should create the profile without the password.

Hi SystemFuchs,

this is really a great article! Does this also work with samba3 - or does this only work with samba4?

I am interested to test this with z-admin - but there samba3 is used.

Kind regards

Kai

Kai 399 days ago

Hi Kai,

I'm really glad that you like my HowTo, thank you :-)

You need an ActiveDirectory for this solution, so either you have an existing ActiveDirectory working under Windows or you have to set up one with samba4. For the moment this is the reason why my documentation excludes z-admin.

Setting up a working ActiveDirectory with samba4 is really an easy task, take a look here -> https://wiki.samba.org/index.php/Samba_AD_DC_HOWTO

It just takes about half an hour to complete it if you rely on the samba internal DNS server.

Kind regards

Stephan

SystemFuchs 399 days ago

Hi Stephan,

thank you for your feedback. I will try out setting up an extra samba4!

Have a nice weekend

Kai

Kai 399 days ago

We set up a Samba4 v4.1 based AD SSO with Zarafa about 5 months ago. It works great except for one thing. When we create new Zarafa users in AD and go through the Zarafa account creation dialogue, the user store is never automatically created.

I double-checked the process above and don't see where things went wrong. Do others get the store automatically generated, or does everyone have to manually create the store a la

zarafa-admin  --create-store <username>

I would like to resolve this so I can delegate user creation, so suggestions or insights would be helpful. The Zarafa server is 7.1 on CentOS 6.

Thanks in advance!

-Stephanie

sesullivan 231 days ago

Hi Stephanie,

there are several triggers inside of Zarafa which should trigger the actual account creation (instead of running --create-store manually). In general the store should get created when either the user logs in (regardless of the service he logs in through), when an email is delivered to him (which triggers an internal login), or when the global address book is opened by another user.

Felix Bartels 231 days ago