Samba4 AD and Kerio8

InterHmai

Messages: 35
Karma: 0
Yes, it isn't officially supported. Just trying it out and making a reference post for anyone interested.

Using all VMs here:
- Zentyal3 (Ubuntu + Samba4) AD DC - Main
- Win2008 R2 AD DC
- Kerio8 Linux VM

Got Samba4 and Win2008R2 playing together.

KADE refused to install on Win2008 despite it being the schema master. The installer kept getting an error and then rolling back (seems to be something with Samba4's schema).

Ultimately did a schema compare to find the changes and apply them manually from a normal Win2008 AD schema. If someone wants the K8 ADE LDIF file I can post it.

Tried to apply the changes through Ldifde, but it kept giving invalid syntax errors on class creation for the schema.
Ended up applying those last ones manually through the Schema Editor GUI.
After that installed KADE with the UI Extensions only.

Got the Kerio8 Linux VM running, hooked into the Samba4 DC. Picks up users fine. User settings from either Kerio Webadmin or directly from the User Editor in Win2008 seem to work, along with password changes.

Edit: Had problems with quota settings, found I had overlooked a schema entry.

[Updated on: Thu, 17 January 2013 18:54]

czesio

Messages: 5
Karma: 1
Hello,

we are running S4 AD DC + Kerio for half a year now.

S4 AD DC Server - Debian Squeeze VM (S4 since alpha18 till 4.0.0)
Kerio 7.4.3 Server - Debian Squeeze VM

On the Kerio server we configured the Kerberos client (/etc/krb5.conf) to be able to authenticate against the S4 DC.

Everything works like a charm!

Greetings
Piotr Baron - Hennecke Systems GmbH


Here is the LDIF file to import into S4 AD (for example, very comfortable with Apache Directory Studio):


dn: CN=kerio-User-AuthPIN,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.0.1.1
attributeSyntax: 2.5.5.12
cn: kerio-User-AuthPIN
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-User-AuthPIN
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: T2m1SOHZI06MF5qP9ZPsdQ==
adminDisplayName: kerio-User-AuthPIN
distinguishedName: CN=kerio-User-AuthPIN,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-User-AuthPIN
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-WebReplyToAddress,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.20
attributeSyntax: 2.5.5.12
cn: kerio-Mail-WebReplyToAddress
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-WebReplyToAddress
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: f/k0CF9wtkyBCX/LxkJqWw==
adminDisplayName: kerio-Mail-WebReplyToAddress
description: Preferred Reply-To address for Webmail and automatic notifications.
distinguishedName: CN=kerio-Mail-WebReplyToAddress,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-WebReplyToAddress
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-QuotaStorage,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.7
attributeSyntax: 2.5.5.16
cn: kerio-Mail-QuotaStorage
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-QuotaStorage
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 65
schemaIDGUID:: Ogz2p/k6x0CNjQGTuNZ64w==
adminDisplayName: kerio-Mail-QuotaStorage
description: Specifies how many on disk space is allowed for an account.
distinguishedName: CN=kerio-Mail-QuotaStorage,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-QuotaStorage
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-QuotaMessage,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.8
attributeSyntax: 2.5.5.16
cn: kerio-Mail-QuotaMessage
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-QuotaMessage
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 65
schemaIDGUID:: kSK111mKkEmlR1Gv/kV6aA==
adminDisplayName: kerio-Mail-QuotaMessage
description: Specifies how many messages is allowed for an account.
distinguishedName: CN=kerio-Mail-QuotaMessage,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-QuotaMessage
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-Preferred-Address,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.25
attributeSyntax: 2.5.5.12
cn: kerio-Mail-Preferred-Address
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-Preferred-Address
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: myUn8YUbH0Gph9MqIDRz2w==
adminDisplayName: kerio-Mail-Preferred-Address
distinguishedName: CN=kerio-Mail-Preferred-Address,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-Preferred-Address
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-MaxOutgoingMessageSize,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.24
attributeSyntax: 2.5.5.16
cn: kerio-Mail-MaxOutgoingMessageSize
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-MaxOutgoingMessageSize
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 65
schemaIDGUID:: JIFp/HIJ30ehoRZ+gMcM1w==
adminDisplayName: kerio-Mail-MaxOutgoingMessageSize
description: Maximum outgoing message size for the user.
distinguishedName: CN=kerio-Mail-MaxOutgoingMessageSize,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-MaxOutgoingMessageSize
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-HomeServer,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.22
attributeSyntax: 2.5.5.12
cn: kerio-Mail-HomeServer
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-HomeServer
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: pT07q5kIDUGCVyswb6+lqw==
adminDisplayName: kerio-Mail-HomeServer
description: Specifies ID of user's home storage server in cluster.
distinguishedName: CN=kerio-Mail-HomeServer,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-HomeServer
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-ForwardMode,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.5
attributeSyntax: 2.5.5.9
cn: kerio-Mail-ForwardMode
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-ForwardMode
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 2
schemaIDGUID:: DIeZ+k+/lkypO3+Zm0+OSw==
adminDisplayName: kerio-Mail-ForwardMode
distinguishedName: CN=kerio-Mail-ForwardMode,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-ForwardMode
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-ForwardAddress,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.6
attributeSyntax: 2.5.5.12
cn: kerio-Mail-ForwardAddress
instanceType: 4
isSingleValued: FALSE
lDAPDisplayName: kerio-Mail-ForwardAddress
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: CckUR6xQSkqUUMiAw8Quzg==
adminDisplayName: kerio-Mail-ForwardAddress
distinguishedName: CN=kerio-Mail-ForwardAddress,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-ForwardAddress
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-Authorization,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.23
attributeSyntax: 2.5.5.12
cn: kerio-Mail-Authorization
instanceType: 4
isSingleValued: FALSE
lDAPDisplayName: kerio-Mail-Authorization
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: xnSPb9waWUq1J+l3pJCkag==
adminDisplayName: kerio-Mail-Authorization
description: Authorization rights of the user or group.
distinguishedName: CN=kerio-Mail-Authorization,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-Authorization
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-AdminRights,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.3
attributeSyntax: 2.5.5.9
cn: kerio-Mail-AdminRights
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-AdminRights
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 2
schemaIDGUID:: QGDtruc7KE26SlyMk9u7zw==
adminDisplayName: kerio-Mail-AdminRights
distinguishedName: CN=kerio-Mail-AdminRights,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-AdminRights
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-Address,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.4
attributeSyntax: 2.5.5.12
cn: kerio-Mail-Address
instanceType: 4
isSingleValued: FALSE
lDAPDisplayName: kerio-Mail-Address
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: LwWVFfc2lkSrmlwi1K0Zkw==
adminDisplayName: kerio-Mail-Address
distinguishedName: CN=kerio-Mail-Address,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-Address
searchFlags: 1
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-Active,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.1
attributeSyntax: 2.5.5.12
cn: kerio-Mail-Active
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-Active
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 64
schemaIDGUID:: a3XCoQN5qU6MNYRGD9gHXg==
adminDisplayName: kerio-Mail-Active
distinguishedName: CN=kerio-Mail-Active,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-Active
searchFlags: 1
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-AccountEnabled,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
objectClass: top
attributeID: 1.3.6.1.4.1.10311.1.2.1.2
attributeSyntax: 2.5.5.9
cn: kerio-Mail-AccountEnabled
instanceType: 4
isSingleValued: TRUE
lDAPDisplayName: kerio-Mail-AccountEnabled
objectCategory: CN=Attribute-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
oMSyntax: 2
schemaIDGUID:: ios+dSIz8USSGBC32Vl42g==
adminDisplayName: kerio-Mail-AccountEnabled
description: Specifies if an account is enabled.
distinguishedName: CN=kerio-Mail-AccountEnabled,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
isMemberOfPartialAttributeSet: FALSE
name: kerio-Mail-AccountEnabled
searchFlags: 16
showInAdvancedViewOnly: TRUE

dn: CN=kerio-Mail-User,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: classSchema
objectClass: top
cn: kerio-Mail-User
defaultObjectCategory: CN=kerio-Mail-User,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
governsID: 1.3.6.1.4.1.10311.2.2.1.1
instanceType: 4
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClassCategory: 3
schemaIDGUID:: K3m9j7hx3EyxgbWsNEOtVw==
subClassOf: top
adminDisplayName: kerio-Mail-User
defaultHidingValue: TRUE
distinguishedName: CN=kerio-Mail-User,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
lDAPDisplayName: kerio-Mail-User
mayContain: kerio-Mail-Preferred-Address
mayContain: kerio-Mail-WebReplyToAddress
mayContain: kerio-Mail-MaxOutgoingMessageSize
mayContain: kerio-Mail-HomeServer
mayContain: kerio-Mail-QuotaMessage
mayContain: kerio-Mail-QuotaStorage
mayContain: kerio-Mail-ForwardAddress
mayContain: kerio-Mail-ForwardMode
mayContain: kerio-Mail-Address
mayContain: kerio-Mail-Authorization
mayContain: kerio-Mail-AdminRights
mayContain: kerio-User-AuthPIN
mayContain: kerio-Mail-AccountEnabled
mayContain: kerio-Mail-Active
name: kerio-Mail-User
rDNAttID: cn
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=kerio-Mail-Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: classSchema
objectClass: top
cn: kerio-Mail-Group
defaultObjectCategory: CN=kerio-Mail-Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
governsID: 1.3.6.1.4.1.10311.2.2.1.2
instanceType: 4
objectCategory: CN=Class-Schema,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClassCategory: 3
schemaIDGUID:: lB1v/epHsUKthvse95FYUQ==
subClassOf: top
adminDisplayName: kerio-Mail-Group
defaultHidingValue: TRUE
distinguishedName: CN=kerio-Mail-Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
lDAPDisplayName: kerio-Mail-Group
mayContain: kerio-Mail-Address
mayContain: kerio-Mail-Authorization
mayContain: kerio-Mail-AdminRights
mayContain: kerio-Mail-Active
name: kerio-Mail-Group
rDNAttID: cn
showInAdvancedViewOnly: TRUE
systemOnly: FALSE

dn: CN=User,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: kerio-Mail-User
-

dn: CN=Group,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
changetype: modify
add: auxiliaryClass
auxiliaryClass: kerio-Mail-Group
-
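A pre-import consistency check for a schema-extension LDIF like the one above, written as an added example for this thread (it is not Kerio's, Samba's or the poster's code). It parses the file, then verifies that every attributeSyntax/oMSyntax pair is a valid combination, that attributeID/governsID OIDs and schemaIDGUIDs are unique and the GUIDs decode to 16 bytes, and that every mayContain/mustContain in a class definition resolves to an attribute defined in the file, which is exactly the kind of overlooked entry the first post ran into with quotas. The function names, the `existing_attrs` parameter and the embedded `SAMPLE_LDIF` (a constructed subset of the posted file with two deliberate defects) are this example's own.

```python
import base64
import uuid
from collections import defaultdict

# attributeSyntax -> matching oMSyntax per the AD schema syntax table (2.5.5.12 Unicode String,
# 2.5.5.16 Large Integer, 2.5.5.9 Integer, 2.5.5.8 Boolean, 2.5.5.1 DN).
SYNTAX_PAIRS = {"2.5.5.12": 64, "2.5.5.16": 65, "2.5.5.9": 2, "2.5.5.8": 1, "2.5.5.1": 127}

def parse_ldif(text):
    """LDIF text -> list of entries (dict: attribute -> list of values). Unfolds continuation
    lines, decodes 'attr:: <base64>' to bytes, skips comments and the '-' of modify records."""
    unfolded = []
    for line in text.splitlines():
        if line.startswith(" ") and unfolded:
            unfolded[-1] += line[1:]
        else:
            unfolded.append(line)
    entries, current = [], None
    for line in unfolded:
        if not line.strip():                      # a blank line terminates an entry
            if current is not None:
                entries.append(current)
            current = None
        elif not (line.startswith("#") or line == "-"):
            key, _, rest = line.partition(":")
            value = base64.b64decode(rest[1:].strip()) if rest.startswith(":") else rest.strip()
            current = current if current is not None else defaultdict(list)
            current[key.strip()].append(value)
    if current is not None:
        entries.append(current)
    return entries

def first(entry, key):
    return entry.get(key, [None])[0]

def check_schema(entries, existing_attrs=()):
    """Return a list of problems (empty = consistent). existing_attrs: lDAPDisplayNames already
    present in the target schema, so class references to them are not flagged as undefined."""
    problems, attrs, oids, guids = [], set(existing_attrs), {}, {}
    schema_entries = [e for e in entries if "changetype" not in e]   # modify records are not objects
    for e in schema_entries:
        dn, is_attr = first(e, "dn"), "attributeSchema" in e.get("objectClass", [])
        oid_key = "attributeID" if is_attr else "governsID"
        oid = first(e, oid_key)
        if oid is None or oid in oids:
            problems.append(f"{dn}: {oid_key} missing or already used by {oids.get(oid)}")
        oids.setdefault(oid, dn)
        for raw in e.get("schemaIDGUID", []):
            if not isinstance(raw, bytes) or len(raw) != 16:
                problems.append(f"{dn}: schemaIDGUID is not a 16-byte binary GUID")
                continue
            guid = str(uuid.UUID(bytes_le=raw))   # AD stores GUIDs in the Windows little-endian layout
            if guid in guids:
                problems.append(f"{dn}: schemaIDGUID {guid} already used by {guids[guid]}")
            guids.setdefault(guid, dn)
        if is_attr:
            syntax, om = first(e, "attributeSyntax"), first(e, "oMSyntax")
            expected = SYNTAX_PAIRS.get(syntax)
            if expected is None or om is None or int(om) != expected:
                problems.append(f"{dn}: oMSyntax {om} does not match attributeSyntax {syntax} "
                                f"(expected {expected if expected is not None else 'unknown syntax'})")
            attrs.add(first(e, "lDAPDisplayName"))
    for e in schema_entries:                      # every class reference must resolve to a defined attribute
        for key in ("mayContain", "mustContain"):
            for ref in e.get(key, []):
                if ref not in attrs:
                    problems.append(f"{first(e, 'dn')}: {key} references undefined attribute {ref}")
    return problems

# Constructed sample: a subset of the posted file with two deliberate defects, the oMSyntax of
# kerio-Mail-AccountEnabled set to 64 instead of 2, and kerio-Mail-QuotaMessage referenced but never defined.
SAMPLE_LDIF = """\
dn: CN=kerio-Mail-QuotaStorage,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.10311.1.2.1.7
attributeSyntax: 2.5.5.16
lDAPDisplayName: kerio-Mail-QuotaStorage
oMSyntax: 65
schemaIDGUID:: Ogz2p/k6x0CNjQGTuNZ64w==

dn: CN=kerio-Mail-AccountEnabled,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.10311.1.2.1.2
attributeSyntax: 2.5.5.9
lDAPDisplayName: kerio-Mail-AccountEnabled
oMSyntax: 64
schemaIDGUID:: ios+dSIz8USSGBC32Vl42g==

dn: CN=kerio-Mail-User,CN=Schema,CN=Configuration,DC=DOMAIN,DC=LOCAL
objectClass: classSchema
governsID: 1.3.6.1.4.1.10311.2.2.1.1
lDAPDisplayName: kerio-Mail-User
schemaIDGUID:: K3m9j7hx3EyxgbWsNEOtVw==
mayContain: kerio-Mail-QuotaStorage
mayContain: kerio-Mail-QuotaMessage
mayContain: kerio-Mail-AccountEnabled
"""

def check_sample():
    return check_schema(parse_ldif(SAMPLE_LDIF))

if __name__ == "__main__":
    print("\n".join(check_sample()) or "no problems found")
```

To check a real file before importing it, call `check_schema(parse_ldif(open("kerio.ldif").read()), existing_attrs=...)` with the lDAPDisplayNames already present in the target schema (for instance dumped with ldbsearch on the Samba DC), so that references to built-in attributes are not reported. An empty list does not prove the import will succeed, but a non-empty one points at exactly the entry that would make the schema master roll the change back or leave a class with a dangling reference.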
it2

Messages: 6
Karma: 0
Hi!

Thanks a lot for this LDIF file, really very helpful! I imported it successfully into AD, and Kerio (we use 8.1.2 and Samba 4.0.7) is now authenticating users against the AD.

Unfortunately there are no further user settings for Kerio in the AD user editor. How did you make that work? Do you have any hints for me? The AD management runs on a 2008R2.

Thanks a lot and best regards
Tom
juosukai

Messages: 1
Karma: 0
Hi,

I would also like to thank you for providing the LDIF file.

Our Samba4 - Kerio system is working just fine, except for XMPP. For some reason XMPP has its own AD connection to the Samba server, and this fails. This means that users who are in Kerio and can send and receive email cannot use the instant messaging part of Kerio at all.

Here is the specific error that crops up every 15 min in the warning log in Kerio and in the separate XMPP log:

[22/08/2013 13:22:24] WARNING Syncing all users from domain retracted failed (com.kerio.im.core.user.UserControlList.sync)com.kerio.im.xmpp.api.XmppException: Failed to merge users in domain retracted
    at com.kerio.im.core.user.UserControl.sync(UserControl.java:125)
    at com.kerio.im.core.user.UserControlList.sync(UserControlList.java:77)
    at com.kerio.im.core.user.EventDomainSync.event(EventDomainSync.java:35)
    at com.kerio.im.core.user.EventDomainSync.event(EventDomainSync.java:15)
    at com.kerio.im.core.Bus.publish(Bus.java:34)
    at com.kerio.im.core.domain.DomainControl.check(DomainControl.java:94)
    at com.kerio.im.core.domain.DomainFullSync$ExtDomainsHandler.handle(DomainFullSync.java:83)
    at com.kerio.im.connect.AdminApi.getAllDomains(AdminApi.java:126)
    at com.kerio.im.connect.ExtServiceImpl.getAllDomains(ExtServiceImpl.java:99)
    at com.kerio.im.core.domain.DomainFullSync.sync(DomainFullSync.java:44)
    at com.kerio.im.core.domain.DomainFullSync.run(DomainFullSync.java:35)
    at java.util.concurrent.Executors$RunnableAdapter.call(Unknown Source)
    at java.util.concurrent.FutureTask$Sync.innerRunAndReset(Unknown Source)
    at java.util.concurrent.FutureTask.runAndReset(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.access$101(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.runPeriodic(Unknown Source)
    at java.util.concurrent.ScheduledThreadPoolExecutor$ScheduledFutureTask.run(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.runTask(Unknown Source)
    at java.util.concurrent.ThreadPoolExecutor$Worker.run(Unknown Source)
    at java.lang.Thread.run(Unknown Source)
Caused by: com.kerio.im.xmpp.api.XmppException: Failed to get root node
    at com.kerio.im.tigase.user.XmppRepositoryImpl.getRootNode(XmppRepositoryImpl.java:385)
    at com.kerio.im.tigase.user.XmppRepositoryImpl.update(XmppRepositoryImpl.java:309)
    at com.kerio.im.core.user.UserControl$UserMerge.merge(UserControl.java:249)
    at com.kerio.im.core.user.UserControl$UserPaired.ex(UserControl.java:227)
    at com.kerio.im.core.user.UserControl$UserPaired.ex(UserControl.java:215)
    at com.kerio.im.common.CollectionUtil.sync(CollectionUtil.java:27)
    at com.kerio.im.core.user.UserControl.sync(UserControl.java:115)
    ... 19 more

Any ideas, suggestions? Probably something in the LDAP schema is missing, but finding out what seems to be an issue unless I can make the XMPP process log more...