March 7, 2013 by SystemFuchs
Comments (5)
samba4, sso, single sign on, outlook, webaccess
Because there was no public documentation about Samba4 and Zarafa SSO available, I did some research on my own and wrote this documentation. Have fun; any comments, suggestions and improvements are welcome!
Samba4 domain is already set up and DNS is working properly (Samba internal or external DNS does not matter; in this HowTo we will use the internal Samba4 DNS server)
Zarafa is installed properly and the LDAP configuration for Active Directory is working (assuming that Zarafa is installed manually and not deployed through Z-Admin; perhaps a HowTo for Z-Admin will follow later)
Apache2 is properly set up and configured, Zarafa WebAccess is working
krb5-user package is installed on both systems, minimal krb5.conf as mentioned in the Samba4 AD DC HowTo ( https:/
Every server must have a DNS name so that its IP address can be found by DNS. It is also required that every server has a PTR record: MIT Kerberos by default canonicalises host names through reverse DNS (rdns), so a missing or mismatching PTR makes the client request a ticket for the wrong SPN.
The time of all servers must always be in sync with each other; Kerberos rejects tickets outside its clock skew (5 minutes by default).
This HowTo was created using an Ubuntu LTS 12.04 system. Some things may vary on your system if you are using an alternative distribution.
Parts of this text are copied from the official Zarafa documentation, available here: http:/
SYSTEM-FUCHS.EU -> Kerberos Realm
system-fuchs.eu -> FQDN
samba-dc1.system-fuchs.eu -> FQDN Samba4 DC
zarafa-server.system-fuchs.eu -> FQDN Zarafa Server
httpd-linux -> Active Directory Service account needed for webaccess SSO
zarafa-linux -> Active Directory Service account needed for Outlook SSO
www-data -> Service account for apache2 service
Samba4 install directory is /usr/local/samba
Kerberos primary used for zarafa-linux (Outlook SSO) is zarafa (seems to be hard-coded in Zarafa)
Kerberos primary used for httpd-linux (WebAccess SSO) is HTTP; this one is dictated by the browsers, which always request a ticket for HTTP/<fqdn>, and KrbServiceName in the Apache config below must match it
-> see http:/
Create the two service accounts (zarafa-linux, httpd-linux) mentioned above in your Active Directory. They only need to be regular domain users.
Don't use samba-tool for this task; it seems that not all necessary Kerberos encryption types are set properly on the user object. Use dsa.msc from the Remote Server Administration Tools on a Windows workstation that has already joined the domain.
Configure /etc/krb5.conf on the DC
Check that /etc/krb5.conf on the Samba4 DC contains at least the following (more entries are not necessary on the DC):
[libdefaults]
default_realm = SYSTEM-FUCHS.EU
dns_lookup_realm = false
dns_lookup_kdc = true
We need one SPN without the realm and one with the realm included; otherwise the keytab cannot be exported in the correct format (it took me a whole day to find this out, not sure whether this is a bug or a feature ;-)
root@samba-dc1:~# samba-tool spn add zarafa/zarafa-server.system-fuchs.eu zarafa-linux
root@samba-dc1:~# samba-tool spn add zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU zarafa-linux
root@samba-dc1:~# samba-tool spn add HTTP/zarafa-server.system-fuchs.eu httpd-linux
root@samba-dc1:~# samba-tool spn add HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU httpd-linux
root@samba-dc1:~# samba-tool domain exportkeytab /tmp/keytab.zarafa --principal=zarafa/zarafa-server.system-fuchs.eu
root@samba-dc1:~# samba-tool domain exportkeytab /tmp/keytab.apache --principal=HTTP/zarafa-server.system-fuchs.eu
Check the content of both keytab files. For this setup it is important that these three encryption types (des-cbc-crc, des-cbc-md5, arcfour-hmac) are included. Be aware of what you are relying on: single DES is cryptographically broken and RC4 (arcfour-hmac) is weak. MIT Kerberos ignores DES keys by default since 1.8 unless allow_weak_crypto = true is set, and 1.18 removed DES support entirely, so prefer AES enctypes wherever your clients support them; the DES and RC4 keys are only here because this HowTo's Zarafa and Outlook setup required them.
root@samba-dc1:~# klist -e -k /tmp/keytab.zarafa
Keytab name: FILE:/tmp/keytab.zarafa
KVNO Principal
---- --------------------------------------------------------------------------
1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-crc)
1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-md5)
1 zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (arcfour-hmac)
root@samba-dc1:~# klist -e -k /tmp/keytab.apache
Keytab name: FILE:/tmp/keytab.apache
KVNO Principal
---- --------------------------------------------------------------------------
1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-crc)
1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (des-cbc-md5)
1 HTTP/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU (arcfour-hmac)
If you use WinSCP, remember that these are binary files (use binary transfer mode)! The keytabs contain the services' long-term keys, so copy them only over an authenticated channel such as scp and delete the copies in /tmp on the DC afterwards.
root@samba-dc1:~# scp /tmp/keytab.zarafa zarafa-server.system-fuchs.eu:/etc/zarafa/
root@samba-dc1:~# scp /tmp/keytab.apache zarafa-server.system-fuchs.eu:/etc/apache2/
Add a DNS A record for your Zarafa server (we are using the internal Samba DNS service here; for Bind9 you have to edit the appropriate zone file for your domain yourself):
root@samba-dc1:~# samba-tool dns add localhost system-fuchs.eu zarafa-server A <your ip address goes here> -UAdministrator
Configure /etc/krb5.conf on the Zarafa server. default_keytab_name points at the Kerberos keytab used for Outlook SSO. Note that on MIT Kerberos 1.8 and later (Ubuntu 12.04 ships 1.10) the des-cbc-md5 entries in the three enctype lists below are silently filtered out unless allow_weak_crypto = true is also set in [libdefaults]; without it, arcfour-hmac-md5 is the only type left and is what actually gets used.
[libdefaults]
default_realm = SYSTEM-FUCHS.EU
default_keytab_name = /etc/zarafa/keytab.zarafa
default_tgs_enctypes = des-cbc-md5 arcfour-hmac-md5
default_tkt_enctypes = des-cbc-md5 arcfour-hmac-md5
permitted_enctypes = des-cbc-md5 arcfour-hmac-md5
[realms]
SYSTEM-FUCHS.EU = {
kdc = samba-dc1.system-fuchs.eu
admin_server = samba-dc1.system-fuchs.eu
}
[domain_realm]
.system-fuchs.eu = SYSTEM-FUCHS.EU
system-fuchs.eu = SYSTEM-FUCHS.EU
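The two checks above, reading the exported keytab the way klist -e -k does and working out which of its enctypes the /etc/krb5.conf just shown will actually let the Zarafa host use, as an added Python example (not code from the HowTo, Samba or Zarafa). The keytab is constructed inside the script in the MIT 0x0502 format with dummy key bytes so that it runs offline; the principal name and the permitted_enctypes line are the HowTo's own. Run against the HowTo's config it reports arcfour-hmac as the only usable type unless allow_weak_crypto = true is added.

```python
"""Added example (not HowTo, Samba or Zarafa code): list a keytab's enctypes the way
`klist -e -k` does and apply krb5.conf's permitted_enctypes / allow_weak_crypto filter.
The keytab is constructed below in MIT format 0x0502 with dummy keys so it runs offline."""
import struct

# Enctype numbers from the IANA Kerberos registry (RFC 3961 / RFC 4120)
ENCTYPE_NAMES = {1: "des-cbc-crc", 2: "des-cbc-md4", 3: "des-cbc-md5", 16: "des3-cbc-sha1",
                 17: "aes128-cts-hmac-sha1-96", 18: "aes256-cts-hmac-sha1-96", 23: "arcfour-hmac"}
ENCTYPE_ALIASES = {"arcfour-hmac-md5": 23, "rc4-hmac": 23}   # spellings MIT also accepts
WEAK_ENCTYPES = {1, 2, 3}   # single DES: filtered out unless allow_weak_crypto = true (MIT >= 1.8)


def _cos(b):
    """Keytab counted octet string: 16-bit big-endian length followed by the bytes."""
    return struct.pack(">H", len(b)) + b


def build_keytab(entries):
    """Serialise (principal, realm, kvno, enctype, key) tuples as a 0x0502 keytab."""
    out = b"\x05\x02"
    for principal, realm, kvno, enctype, key in entries:
        comps = principal.split("/")
        body = struct.pack(">H", len(comps)) + _cos(realm.encode())
        body += b"".join(_cos(c.encode()) for c in comps)
        body += struct.pack(">IIB", 1, 1362614400, kvno & 0xFF)  # NT_PRINCIPAL, constructed timestamp, vno8
        body += struct.pack(">HH", enctype, len(key)) + key
        out += struct.pack(">i", len(body)) + body               # each entry is size-prefixed
    return out


def parse_keytab(data):
    """Return [{'principal','kvno','enctype'}] per entry; key bytes are never returned."""
    if data[:2] != b"\x05\x02":
        raise ValueError("only keytab format 0x0502 is handled")
    pos, entries = 2, []
    while pos < len(data):
        (size,) = struct.unpack_from(">i", data, pos)
        pos += 4
        if size < 0:                     # negative size marks a deleted slot
            pos -= size
            continue
        end = pos + size
        ncomp, rlen = struct.unpack_from(">HH", data, pos)
        realm = data[pos + 4:pos + 4 + rlen].decode()
        pos += 4 + rlen
        comps = []
        for _ in range(ncomp):
            (clen,) = struct.unpack_from(">H", data, pos)
            comps.append(data[pos + 2:pos + 2 + clen].decode())
            pos += 2 + clen
        _ntype, _stamp, kvno = struct.unpack_from(">IIB", data, pos)
        enctype, klen = struct.unpack_from(">HH", data, pos + 9)
        pos += 13 + klen                 # skip the header fields and the key itself
        if end - pos >= 4:               # optional 32-bit kvno when room remains
            kvno = struct.unpack_from(">I", data, pos)[0] or kvno
        entries.append({"principal": "/".join(comps) + "@" + realm, "kvno": kvno, "enctype": enctype})
        pos = end
    return entries


def libdefaults(conf_text):
    """Read key = value lines from the [libdefaults] section of a krb5.conf."""
    opts, inside = {}, False
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("["):
            inside = line == "[libdefaults]"
        elif inside and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            opts[key] = value
    return opts


def usable_enctypes(keytab_entries, conf_text, principal):
    """Keys for `principal` that survive permitted_enctypes after MIT's weak-crypto filter."""
    opts = libdefaults(conf_text)
    allow_weak = opts.get("allow_weak_crypto", "false").lower() in ("true", "yes", "1")
    by_name = {v: k for k, v in ENCTYPE_NAMES.items()}
    by_name.update(ENCTYPE_ALIASES)
    if "permitted_enctypes" in opts:
        permitted = {by_name.get(n) for n in opts["permitted_enctypes"].split()} - {None}
    else:
        permitted = set(ENCTYPE_NAMES)   # no list configured: every known type
    if not allow_weak:
        permitted -= WEAK_ENCTYPES
    have = {e["enctype"] for e in keytab_entries if e["principal"] == principal}
    return sorted(ENCTYPE_NAMES.get(t, str(t)) for t in have & permitted)


ZARAFA_PRINC = "zarafa/zarafa-server.system-fuchs.eu@SYSTEM-FUCHS.EU"
# Constructed stand-in for /etc/zarafa/keytab.zarafa (dummy key bytes, same kvno and enctypes as above)
SAMPLE_KEYTAB = build_keytab([
    ("zarafa/zarafa-server.system-fuchs.eu", "SYSTEM-FUCHS.EU", 1, 1, b"\x11" * 8),
    ("zarafa/zarafa-server.system-fuchs.eu", "SYSTEM-FUCHS.EU", 1, 3, b"\x22" * 8),
    ("zarafa/zarafa-server.system-fuchs.eu", "SYSTEM-FUCHS.EU", 1, 23, b"\x33" * 16)])
# The permitted_enctypes line from the HowTo's krb5.conf on the Zarafa host
HOWTO_CONF = "[libdefaults]\ndefault_realm = SYSTEM-FUCHS.EU\npermitted_enctypes = des-cbc-md5 arcfour-hmac-md5\n"

if __name__ == "__main__":
    entries = parse_keytab(SAMPLE_KEYTAB)
    for e in entries:
        print(e["kvno"], e["principal"], ENCTYPE_NAMES[e["enctype"]],
              "(weak)" if e["enctype"] in WEAK_ENCTYPES else "")
    print("usable as configured:", usable_enctypes(entries, HOWTO_CONF, ZARAFA_PRINC))
    print("with allow_weak_crypto = true:",
          usable_enctypes(entries, HOWTO_CONF + "allow_weak_crypto = true\n", ZARAFA_PRINC))
```

On a real host, pass the bytes of /etc/zarafa/keytab.zarafa to parse_keytab to list its entries without ever printing key material. The KVNO shown must match the one the KDC currently holds for the service account: every password change of zarafa-linux or httpd-linux bumps it, and the keytab has to be exported and copied again.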
To enable Outlook SSO with ZCP set the following in the server.cfg file:
enable_sso = yes
If the hostname of the Linux server (see the hostname command) does not equal the FQDN of the Linux server, the server_hostname variable will need to be changed in the server.cfg file:
server_hostname = zarafa-server.system-fuchs.eu
Restart the zarafa-server to activate all changes.
service zarafa-server restart
Install the mod_auth_kerb Apache module on the Zarafa server, e.g. on Debian/Ubuntu:
root@zarafa-server:~# apt-get install libapache2-mod-auth-kerb
Open your Zarafa WebAccess config file (e.g. /etc/apache2/sites-enabled/zarafa.conf) and modify it according to the example below.
Pay attention to the parameter KrbServiceName HTTP; it matches our chosen SPN primary. Keep KrbMethodK5Passwd Off as shown: it stops Apache from falling back to Basic authentication, which would send the domain password in the clear over this plain-http site.
Alias /webaccess /usr/share/zarafa-webaccess
<Directory /usr/share/zarafa-webaccess>
AuthType Kerberos
AuthName "Kerberos Login"
KrbMethodNegotiate On
KrbMethodK5Passwd Off
KrbServiceName HTTP
KrbAuthRealms SYSTEM-FUCHS.EU
Krb5KeyTab /etc/apache2/keytab.apache
require valid-user
</Directory>
Set the filesystem permissions of the keytab file to 400 and change the owner to the Apache user. Anyone who can read a keytab holds the service's long-term key and can impersonate the service or decrypt its tickets, so protect /etc/zarafa/keytab.zarafa the same way, owned by the user zarafa-server runs as (see run_as_user in server.cfg) with mode 400:
root@zarafa-server:/etc/apache2# chmod 400 keytab.apache
root@zarafa-server:/etc/apache2# chown www-data:www-data keytab.apache
Do a syntax check and restart Apache to activate all changes:
root@zarafa-server:~# apache2ctl configtest
Syntax OK
root@zarafa-server:~# apache2ctl restart
To set up a Single Sign On environment for the Zarafa Collaboration Platform, it is necessary to create a trust between the Apache web server and the Zarafa Storage Server, so that WebAccess authentication is handled by Apache and no longer by the Zarafa Storage Server. To create this trust, add the running Apache user to the following line in /etc/zarafa/server.cfg. Be aware of what this grants: users listed in local_admin_users may open any mailbox through the local socket without a password, so everything that runs as www-data (every other PHP application or vhost on that Apache) can read every store. Keep that Apache instance dedicated to WebAccess.
local_admin_users = root www-data
To configure the Zarafa WebAccess for Single Sign On change the following option in the /usr/share/zarafa-webaccess/config.php file:
define("LOGINNAME_STRIP_DOMAIN", true);
In this configuration we assume the Zarafa WebAccess is installed on the same server as the Zarafa Storage Server.
Restart the Zarafa-server processes to activate this change:
root@zarafa-server:~# service zarafa-server restart
Before Single Sign On can be used in a browser, configure the following settings:
Firefox:
Type about:config in the address bar
Filter on auth and set the option network.negotiate-auth.trusted-uris to .system-fuchs.eu. The option network.negotiate-auth.delegation-uris is not required for this setup, because WebAccess reaches zarafa-server through the local_admin_users trust and not with the user's own ticket; delegation-uris makes Firefox hand a forwardable copy of the user's TGT to the listed sites, so set it only if you really need delegation.
Internet Explorer:
Go to Tools > Internet options > Advanced
Make sure the option Enable integrated Windows authentication is enabled
Add the URL of the Zarafa server ( http:/
Restart the browser and open the WebAccess via the FQDN ( http:/
It is important to use the FQDN here, otherwise Kerberos SSO will not work. In my lab environment it only worked with Firefox. In Internet Explorer 9 the auth dialog always came up; when I filled in the correct user and password, a login to WebAccess with the domain user was possible.
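As an added example (not code from the HowTo, Zarafa or mod_auth_kerb), the following Python decodes the Authorization: Negotiate header a browser sends so you can see which GSS-API mechanisms it offered. mod_auth_kerb completes only Kerberos: a SPNEGO token that lists nothing but NTLMSSP, or a bare NTLMSSP blob, is what Windows sends when it cannot obtain a service ticket for HTTP/<fqdn>, Apache rejects it, and the browser falls back to its password dialog. The sample headers are constructed in the script and their mechTokens are placeholder bytes, not real tickets.

```python
"""Added example (not HowTo, Zarafa or mod_auth_kerb code): decode which GSS-API
mechanisms a browser offered in an `Authorization: Negotiate ...` header.
The sample headers below are constructed; their mechTokens are placeholders."""
import base64

SPNEGO_OID = "1.3.6.1.5.5.2"
MECH_NAMES = {"1.2.840.113554.1.2.2": "Kerberos V5",
              "1.2.840.48018.1.2.2": "MS Kerberos V5 (legacy OID)",
              "1.3.6.1.4.1.311.2.2.10": "NTLMSSP"}


def _tlv(tag, body):
    """DER tag-length-value with short or two-byte long-form length."""
    length = bytes([len(body)]) if len(body) < 0x80 else b"\x82" + len(body).to_bytes(2, "big")
    return bytes([tag]) + length + body


def der_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (first two arcs packed, base-128 rest)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = [40 * arcs[0] + arcs[1]]
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]
        arc >>= 7
        while arc:
            chunk.insert(0, (arc & 0x7F) | 0x80)
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def _read_tlv(buf, pos=0):
    """Return (tag, value, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Inverse of der_oid for the value bytes of an OBJECT IDENTIFIER."""
    arcs, value = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(map(str, arcs))


def build_negotiate_header(mech_oids, mech_token):
    """Constructed SPNEGO NegTokenInit (RFC 4178) in RFC 2743 GSS framing, base64 encoded."""
    fields = _tlv(0xA0, _tlv(0x30, b"".join(der_oid(o) for o in mech_oids)))  # [0] mechTypes
    fields += _tlv(0xA2, _tlv(0x04, mech_token))                                # [2] mechToken
    gss = _tlv(0x60, der_oid(SPNEGO_OID) + _tlv(0xA0, _tlv(0x30, fields)))
    return "Negotiate " + base64.b64encode(gss).decode()


def offered_mechs(header_value):
    """Mechanism names listed in the header, in the client's preference order."""
    scheme, _, b64 = header_value.partition(" ")
    if scheme != "Negotiate":
        raise ValueError("not a Negotiate header")
    raw = base64.b64decode(b64)
    if raw.startswith(b"NTLMSSP\x00"):                 # bare NTLM without SPNEGO wrapper
        return ["NTLMSSP"]
    tag, body, _ = _read_tlv(raw)
    if tag != 0x60:
        raise ValueError("not a GSS-API initial context token")
    tag, oid, pos = _read_tlv(body)
    if tag != 0x06 or decode_oid(oid) != SPNEGO_OID:
        raise ValueError("not SPNEGO")
    tag, neg, _ = _read_tlv(body, pos)
    if tag != 0xA0:
        raise ValueError("not a NegTokenInit")
    _, seq, _ = _read_tlv(neg)
    mechs, pos = [], 0
    while pos < len(seq):
        tag, field, pos = _read_tlv(seq, pos)
        if tag == 0xA0:                                # mechTypes: SEQUENCE OF OID
            _, lst, _ = _read_tlv(field)
            p = 0
            while p < len(lst):
                _, oid, p = _read_tlv(lst, p)
                mechs.append(MECH_NAMES.get(decode_oid(oid), decode_oid(oid)))
    return mechs


def kerberos_possible(header_value):
    """True if mod_auth_kerb has anything it can accept in this header."""
    return any("Kerberos" in m for m in offered_mechs(header_value))


# Constructed sample headers; b"\x60\x00" stands in for a real AP-REQ
KRB5_ONLY = build_negotiate_header(["1.2.840.113554.1.2.2"], b"\x60\x00")
KRB5_AND_NTLM = build_negotiate_header(["1.2.840.48018.1.2.2", "1.2.840.113554.1.2.2",
                                        "1.3.6.1.4.1.311.2.2.10"], b"\x60\x00")
NTLM_ONLY = build_negotiate_header(["1.3.6.1.4.1.311.2.2.10"], b"NTLMSSP\x00\x01\x00\x00\x00")
BARE_NTLM = "Negotiate " + base64.b64encode(b"NTLMSSP\x00\x01\x00\x00\x00").decode()

if __name__ == "__main__":
    for name, hdr in [("krb5-only", KRB5_ONLY), ("krb5+ntlm", KRB5_AND_NTLM),
                      ("ntlm-only", NTLM_ONLY), ("bare-ntlm", BARE_NTLM)]:
        print(name, offered_mechs(hdr), "ok" if kerberos_possible(hdr) else "mod_auth_kerb will reject")
```

Capture the header with the browser's developer tools or with tcpdump on port 80 (the site runs over plain http here, so the token is visible on the wire) and pass the header value to offered_mechs(). A client that offers only NTLMSSP has no ticket for HTTP/zarafa-server.system-fuchs.eu, which usually points at the SPN, the FQDN used in the URL, or DNS rather than at Apache.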
Now that SSO works on the Linux side, zarafa-server will use it automatically. Log on to a Windows workstation in the domain and create a new Outlook profile for the logged-on user, but leave the password field empty. Outlook should create the profile without a password.
Hi SystemFuchs,
this is really a great article! Does this also work with samba3, or does it only work with samba4?
I am interested in testing this with z-admin, but there samba3 is used.
Kind regards
Kai
Kai 2867 days ago
Hi Kai,
I'm really glad that you like my HowTo, thank you :-)
You need an Active Directory for this solution, so either you have an existing Active Directory running under Windows or you have to set one up with samba4. For the moment this is the reason why my documentation excludes z-admin.
Setting up a working Active Directory with samba4 is really an easy task, take a look here -> https:/
It just takes about half an hour to complete if you rely on the samba internal DNS server.
Kind regards
Stephan
SystemFuchs 2867 days ago
Hi Stephan,
thank you for your feedback. I will try out setting up an extra samba4!
Have a nice weekend
Kai
Kai 2867 days ago
We set up a Samba4 v4.1 based AD SSO with Zarafa about 5 months ago. It works great except for one thing. When we create new Zarafa users in AD and go through the Zarafa account creation dialogue, the user store is never automatically created.
I double-checked the process above and don't see where things went wrong. Do others get the store automatically generated, or does everyone have to manually create the store à la
zarafa-admin --create-store <username>
I would like to resolve this so I can delegate user creation, so suggestions or insights would be helpful. The Zarafa server is 7.1 on CentOS 6.
Thanks in advance!
-Stephanie
sesullivan 2700 days ago
Hi Stephanie,
there are several triggers inside Zarafa which should trigger the actual account creation (instead of running --create-store manually). In general the store should get created when the user logs in (regardless of the service he logs in through), when an email is delivered to him (which triggers an internal login), or when the global address book is opened by another user.
Felix Bartels 2699 days ago