Samba 4 and Kerio AD Schema Extension
  •  
dthompson
Hi there,

I'm trying to set up a test environment with SAMBA 4 and extend the schema to support the current Kerio Active Directory schema extensions.

I've seen a link here with the LDIF export that someone on this forum has posted; however, there seem to be quite a few errors in it whenever I try to import the file.

Does anyone have any examples on how they've imported the files so that SAMBA 4 acts as the directory server for kerio connect?
  •  
Roger_cwb
Hi!

I'm having the same problem.

I found this link with a Kerio Connect schema:

http://kb.kerio.com/assets/kerio-mailserver.schema

But I don't know how to put this into the SAMBA 4 schema.

I also found this page from Microsoft that has some instructions on how to compare and sync AD schemas, but I think that doesn't work with SAMBA.

If you or others discover anything, please let me know.

[]s
Roger
Curitiba - PR - Brasil
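The kerio-mailserver.schema linked above is written in OpenLDAP schema syntax (attributetype and objectclass definitions), while Samba 4, like Active Directory, wants attributeSchema and classSchema objects under CN=Schema,CN=Configuration, delivered as LDIF. The converter below is an added example written for this page, not Kerio's or Samba's code and not something posted in this thread. It translates the common syntaxes and emits the name-valued fields the way Samba's own schema LDIF spells them (rDNAttID: cn, subClassOf: top). The definitions in SAMPLE_SCHEMA under the 1.3.6.1.4.1.99999 arc are constructed and are not Kerio's real attributes; the default schema DN is a placeholder; deriving schemaIDGUID from the OID is my choice, made so that re-running the converter yields the same GUIDs.

```python
"""Turn OpenLDAP-style schema definitions (the format of Kerio's
kerio-mailserver.schema) into LDIF that adds attributeSchema/classSchema
objects to a Samba 4 AD schema. Added example, not Kerio's or Samba's code;
the names and OIDs under 1.3.6.1.4.1.99999 in SAMPLE_SCHEMA are constructed."""
import base64
import re
import sys
import uuid

# OpenLDAP (RFC 4517) syntax OID -> (AD attributeSyntax, oMSyntax, oMObjectClass)
SYNTAX_MAP = {
    "1.3.6.1.4.1.1466.115.121.1.15": ("2.5.5.12", 64, None),  # Directory String
    "1.3.6.1.4.1.1466.115.121.1.26": ("2.5.5.5", 22, None),   # IA5 String
    "1.3.6.1.4.1.1466.115.121.1.27": ("2.5.5.9", 2, None),    # INTEGER
    "1.3.6.1.4.1.1466.115.121.1.7": ("2.5.5.8", 1, None),     # Boolean
    "1.3.6.1.4.1.1466.115.121.1.40": ("2.5.5.10", 4, None),   # Octet String
    "1.3.6.1.4.1.1466.115.121.1.12": ("2.5.5.1", 127, "KwwCh3McAIVK"),  # DN
}
KIND_TO_CATEGORY = {"STRUCTURAL": 1, "ABSTRACT": 2, "AUXILIARY": 3}

SAMPLE_SCHEMA = """
# constructed sample in the kerio-mailserver.schema format, not the real file
attributetype ( 1.3.6.1.4.1.99999.1.1 NAME 'kxMailQuota'
    DESC 'mailbox quota in MB' EQUALITY integerMatch
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
attributetype ( 1.3.6.1.4.1.99999.1.2 NAME 'kxMailAlias'
    DESC 'extra addresses' EQUALITY caseIgnoreIA5Match
    SYNTAX 1.3.6.1.4.1.1466.115.121.1.26{256} )
objectclass ( 1.3.6.1.4.1.99999.2.1 NAME 'kxMailUser' SUP top AUXILIARY
    MAY ( kxMailQuota $ kxMailAlias ) )
"""

def _blocks(text):
    """Yield (kind, body) per definition; balances the nested ( a $ b ) lists."""
    text = re.sub(r"#.*", "", text)
    for m in re.finditer(r"\b(attributetype|objectclass)\s*\(", text, re.I):
        depth, i = 1, m.end()
        while depth and i < len(text):
            depth += {"(": 1, ")": -1}.get(text[i], 0)
            i += 1
        yield m.group(1).lower(), " ".join(text[m.end():i - 1].split())

def _values(body, key):
    """Values of KEY: a bare token, a 'quoted' name, or a ( a $ b ) list."""
    m = re.search(r"\b%s\s+(\(.*?\)|'[^']*'|\S+)" % key, body)
    if not m:
        return []
    raw = m.group(1).strip("()")
    if "'" in raw:
        return re.findall(r"'([^']*)'", raw)
    return [t.strip() for t in raw.split("$") if t.strip()]

def schema_id_guid(oid):
    """schemaIDGUID derived from the OID (my choice: reruns give the same GUID);
    AD stores GUIDs in mixed-endian layout, hence bytes_le."""
    return base64.b64encode(uuid.uuid5(uuid.NAMESPACE_OID, oid).bytes_le).decode()

def attribute_entry(oid, name, syntax, single, schema_dn):
    syntax = re.sub(r"\{\d+\}", "", syntax)  # drop length limits such as {256}
    if syntax not in SYNTAX_MAP:
        raise ValueError("%s: no AD mapping for syntax %s" % (name, syntax))
    att_syntax, om_syntax, om_class = SYNTAX_MAP[syntax]
    lines = ["dn: CN=%s,%s" % (name, schema_dn), "changetype: add",
             "objectClass: top", "objectClass: attributeSchema",
             "cn: " + name, "lDAPDisplayName: " + name, "attributeID: " + oid,
             "attributeSyntax: " + att_syntax, "oMSyntax: %d" % om_syntax]
    if om_class:
        lines.append("oMObjectClass:: " + om_class)
    lines += ["isSingleValued: " + ("TRUE" if single else "FALSE"),
              "schemaIDGUID:: " + schema_id_guid(oid), "systemOnly: FALSE"]
    return "\n".join(lines) + "\n"

def class_entry(oid, name, sup, kind, must, may, schema_dn):
    dn = "CN=%s,%s" % (name, schema_dn)
    lines = ["dn: " + dn, "changetype: add", "objectClass: top",
             "objectClass: classSchema", "cn: " + name, "lDAPDisplayName: " + name,
             "governsID: " + oid, "objectClassCategory: %d" % KIND_TO_CATEGORY[kind],
             "subClassOf: " + sup,  # ldapDisplayName ("top"), not the OID 2.5.6.0
             "rDNAttID: cn",        # ldapDisplayName, not the OID 2.5.4.3
             "schemaIDGUID:: " + schema_id_guid(oid),
             "defaultObjectCategory: " + dn, "systemOnly: FALSE"]
    lines += ["mustContain: " + a for a in must] + ["mayContain: " + a for a in may]
    return "\n".join(lines) + "\n"

def convert(schema_text, schema_dn):
    """LDIF for the whole file, attributes first so classes can reference them."""
    attrs, classes = [], []
    for kind, body in _blocks(schema_text):
        toks, name = body.split(), _values(body, "NAME")[0]
        if kind == "attributetype":
            attrs.append(attribute_entry(toks[0], name, _values(body, "SYNTAX")[0],
                                         "SINGLE-VALUE" in toks, schema_dn))
        else:
            kind_tok = next((k for k in KIND_TO_CATEGORY if k in toks), "STRUCTURAL")
            classes.append(class_entry(toks[0], name, (_values(body, "SUP") or ["top"])[0],
                                       kind_tok, _values(body, "MUST"), _values(body, "MAY"),
                                       schema_dn))
    return "\n".join(attrs + classes)

if __name__ == "__main__":  # convert.py SCHEMA_DN [schema-file]; defaults to the sample
    dn = sys.argv[1] if len(sys.argv) > 1 else "CN=Schema,CN=Configuration,DC=example,DC=lan"
    sys.stdout.write(convert(open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SCHEMA, dn))
```

Run it with your schema DN and the downloaded kerio-mailserver.schema, then feed the output to ldbadd against sam.ldb on the DC (for a source build that is /usr/local/samba/private/sam.ldb; the path depends on how Samba was installed) and finish with a schemaUpdateNow modify on the rootDSE. Two points worth knowing before the first run: Samba 4 refuses schema changes unless smb.conf carries dsdb:schema update allowed = yes, and schema objects, once added, cannot be deleted, only made defunct, so keep this to the test environment the thread is about and back up sam.ldb first. The converter raises on any syntax it has no mapping for rather than guessing an attributeSyntax; extend SYNTAX_MAP deliberately if the real file needs more.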
  •  
dthompson
I was actually able to figure this out fairly easily. I'm going to put together a how-to on my site and I'll post the link here in a couple of days once I've gotten it done.

I ended up breaking down the attributes into individual files (not that I think I had to) and then importing them all at once (kind of), depending on whether it was an ldbmodify or an ldbadd command that needed to be run against the schema.

  •  
dthompson
It would also be nice if Kerio would just make those schema extensions readily available on their site whenever they issue a new version of Connect, so one can just download and import the schema extensions into SAMBA without too much trouble.

Kerio, can you guys start doing this, please? That would be super!
  •  
Roger_cwb
This is great news!

I still need to test if Kerio Control works with SAMBA AD, but Kerio Connect is very important, because I have some years of e-mails hosted with Kerio Connect.

If this doesn't work, I will probably need to migrate to Zentyal, but then it will be a lot of work to transfer.

[]s
Roger
Curitiba - PR - Brasil
  •  
dthompson
It should work just fine from what I can tell. I actually have my Kerio bound to the 4.0 release of Zentyal and it's all good in my test environment so far. I'll let you know once I get a chance to write up my how-to so you can also get it set up.

  •  
Roger_cwb
Hi,

I tried the LDIF method from this Microsoft page (http://technet.microsoft.com/en-us/magazine/2009.04.schema.aspx) and it almost worked, but I received an error in a class import:

Entry DN: cn=kerio-Mail-Group,cn=Schema,CN=Configuration,DC=hmcwb,DC=lan
changetype: add
Attribute 0) objectClass:classSchema
Attribute 1) governsID:1.3.6.1.4.1.10311.2.2.1.2
Attribute 2) ldapDisplayName:kerio-Mail-Group
Attribute 3) adminDisplayName:kerio-Mail-Group
Attribute 4) schemaIDGUID: UNPRINTABLE BINARY(16)
Attribute 5) objectClassCategory:3
Attribute 6) systemOnly:FALSE
Attribute 7) subclassOf:2.5.6.0
Attribute 8) rdnAttId:2.5.4.3
Attribute 9) mayContain:1.3.6.1.4.1.10311.1.2.1.1 1.3.6.1.4.1.10311.1.2.1.4 1.3.6.1.4.1.10311.1.2.1.3 1.3.6.1.4.1.10311.1.2.1.23
Attribute 10) defaultObjectCategory:cn=kerio-Mail-Group,cn=Schema,CN=Configuration,DC=hmcwb,DC=lan

Add error on entry starting on line 475: Invalid Syntax
The server side error is: 0x200b The attribute syntax specified to the directory service is invalid.

The extended server error is:
0000200B: objectclass_attrs: attribute 'rDNAttID' on entry 'CN=kerio-Mail-Group,CN=Schema,CN=Configuration,DC=hmcwb,DC=lan' contains at least one invalid value!

An error has occurred in the program

So in Domains | Directory Service the Test Connection now works, but if I try to Activate Users from Directory Service in Users | Add I still receive an error:

Failed to activate user, LDAP operation failed. It seems Kerio Directory Extension is not correctly installed on the LDAP server or you have read-only access.


I'm attaching the LDIF file that the ADSI Tool created.

[Updated on: Thu, 06 November 2014 11:22]


[]s
Roger
Curitiba - PR - Brasil
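Two things from the posts above fit one script. First, the entry Samba rejected spells rDNAttID, subClassOf and mayContain as OIDs (2.5.4.3, 2.5.6.0, 1.3.6.1.4.1.10311.1.2.1.x), which is how an ADSI/ldifde export writes them, whereas Samba's own schema LDIF spells those values as ldapDisplayNames (rDNAttID: cn, subClassOf: top); the thread does not say whether that spelling was the whole of the fix Roger later applied, so treat it as the first thing to check, not a diagnosis. Second, dthompson's remark further up about sorting entries into ldbadd and ldbmodify runs. The pre-flight script below is an added example written for this page, not Kerio's, Samba's or a forum member's code: it parses an LDIF export, rewrites OID-form values of name-valued attributes to the ldapDisplayNames defined in the same file or in the base schema, reports what it cannot resolve, and plans the ldbadd/ldbmodify runs ending with schemaUpdateNow. SAMPLE_LDIF is constructed: the class record copies the fields shown in the post (schemaIDGUID left out so that check fires), the kx-Example-Attr attribute and the modify record are invented (whether Kerio attaches its classes to user that way is not stated on the page), and the sam.ldb path is an assumption.

```python
"""Pre-flight an ADSI/ldifde-style schema LDIF before importing it into Samba 4
and plan the ldbadd/ldbmodify runs. Added example, not Kerio's, Samba's or a
forum member's code; SAMPLE_LDIF is constructed (see its comment). Name-valued
schema attributes are those Samba's own schema LDIF writes as ldapDisplayNames
("rDNAttID: cn", "subClassOf: top"), not as OIDs."""
import re
import sys

OID_RE = re.compile(r"^\d+(\.\d+)+$")
NAME_VALUED = {"rdnattid", "subclassof", "maycontain", "mustcontain",
               "systemmaycontain", "systemmustcontain", "posssuperiors", "auxiliaryclass"}
BASE_OIDS = {"2.5.4.3": "cn", "2.5.6.0": "top", "2.5.6.6": "person",
             "2.5.6.7": "organizationalPerson", "1.2.840.113556.1.5.9": "user"}
# Constructed: an invented attribute, the class entry from the post with its OID-form
# values (schemaIDGUID left out so that check fires) and an invented modify record.
SAMPLE_LDIF = """\
dn: CN=kx-Example-Attr,CN=Schema,CN=Configuration,DC=hmcwb,DC=lan
changetype: add
objectClass: attributeSchema
attributeID: 1.3.6.1.4.1.99999.1.1
lDAPDisplayName: kx-Example-Attr
schemaIDGUID:: AAECAwQFBgcICQoLDA0ODw==

dn: CN=kerio-Mail-Group,CN=Schema,CN=Configuration,DC=hmcwb,DC=lan
changetype: add
objectClass: classSchema
governsID: 1.3.6.1.4.1.10311.2.2.1.2
lDAPDisplayName: kerio-Mail-Group
objectClassCategory: 3
subClassOf: 2.5.6.0
rDNAttID: 2.5.4.3
mayContain: 1.3.6.1.4.1.99999.1.1
mayContain: 1.3.6.1.4.1.10311.1.2.1.23
defaultObjectCategory: CN=kerio-Mail-Group,CN=Schema,CN=Configuration,
 DC=hmcwb,DC=lan

dn: CN=user,CN=Schema,CN=Configuration,DC=hmcwb,DC=lan
changetype: modify
add: auxiliaryClass
auxiliaryClass: 1.3.6.1.4.1.10311.2.2.1.2
-
"""
SCHEMA_UPDATE_NOW = [("dn", ":", ""), ("changetype", ":", "modify"),
                     ("add", ":", "schemaUpdateNow"), ("schemaUpdateNow", ":", "1"), ("-", "", "")]

def parse_ldif(text):
    """Records as lists of (attr, sep, value); sep is ':' or '::' (base64).
    Unfolds continuation lines and keeps the '-' separators of modify records."""
    records, cur = [], []
    for line in re.sub(r"\n ", "", text).splitlines() + [""]:
        if not line.strip():
            if cur:
                records.append(cur)
            cur = []
        elif line == "-":
            cur.append(("-", "", ""))
        elif not line.startswith("#"):
            attr, sep, value = re.match(r"([^:]+)(::?)\s*(.*)$", line).groups()
            cur.append((attr, sep, value.strip()))
    return records

def _get(rec, name):
    return [v for a, _, v in rec if a.lower() == name.lower()]

def name_map(records):
    """OID -> lDAPDisplayName for objects defined in this LDIF, plus BASE_OIDS."""
    out = dict(BASE_OIDS)
    for rec in records:
        names = _get(rec, "lDAPDisplayName")
        for oid in _get(rec, "attributeID") + _get(rec, "governsID"):
            if names:
                out[oid] = names[0]
    return out

def normalize(records):
    """Rewrite OID values of name-valued attributes to ldapDisplayNames; return
    (records, problems) where problems need a human before anything is imported."""
    oids, out, problems = name_map(records), [], []
    for rec in records:
        dn, new = rec[0][2], []
        if _get(rec, "changetype") == ["add"] and not _get(rec, "schemaIDGUID"):
            problems.append("%s: add without schemaIDGUID" % dn)
        for attr, sep, value in rec:
            if attr.lower() in NAME_VALUED and OID_RE.match(value):
                if value not in oids:
                    problems.append("%s: %s has unresolved OID %s" % (dn, attr, value))
                value = oids.get(value, value)
            new.append((attr, sep, value))
        out.append(new)
    return out, problems

def batches(records):
    """Consecutive adds -> one ldbadd run, consecutive modifies -> one ldbmodify run,
    file order kept (attributes before classes), closed by schemaUpdateNow on the rootDSE."""
    out = []
    for rec in records + [SCHEMA_UPDATE_NOW]:
        tool = "ldbmodify" if _get(rec, "changetype") == ["modify"] else "ldbadd"
        if out and out[-1][0] == tool:
            out[-1][1].append(rec)
        else:
            out.append((tool, [rec]))
    return out

def render(records):
    return "\n".join("\n".join("-" if t[0] == "-" else ("%s%s %s" % t).rstrip() for t in rec) + "\n"
                     for rec in records)

if __name__ == "__main__":  # preflight.py [export.ldif] [sam.ldb]; the default sam.ldb path is assumed
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LDIF
    sam = sys.argv[2] if len(sys.argv) > 2 else "/usr/local/samba/private/sam.ldb"
    recs, problems = normalize(parse_ldif(text))
    for i, (tool, batch) in enumerate(batches(recs)):
        open("kerio-%02d-%s.ldif" % (i, tool), "w").write(render(batch))
        print("%s -H %s kerio-%02d-%s.ldif" % (tool, sam, i, tool))
    print("\n".join("FIX FIRST: " + p for p in problems), file=sys.stderr)
```

Run it against the export, clear every FIX FIRST line (an unresolved OID means the attribute it names is not defined in this file or in the small base-schema table, so either add the definition or spell the name by hand), then run the printed commands on the DC as root; running the ldb tools locally against sam.ldb sidesteps LDAP ACLs entirely, which is exactly why this belongs on the DC in a test domain, with sam.ldb backed up. The other branch of the Kerio error quoted above, "or you have read-only access", is about the account Kerio Connect binds with: it needs write access to the user objects it activates, which is better granted on those objects and attributes than by making the bind account a domain administrator.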
  •  
Roger_cwb
Hi!

OK, I fixed the LDIF; now the import works, Add | Add from Directory Service doesn't give me an error, and Domains | Directory Service still works.

BUT... When I try to log in with a user imported from the AD, I still receive a message saying that the username or password is incorrect, and in the Security Log I have this message:

External authentication service rejected authentication due to invalid password or authentication restriction


I'm attaching the fixed LDIF file that the ADSI Tool created.


[]s
Roger
Curitiba - PR - Brasil
  •  
dthompson
Hmm... Still trying to find the time to write up my how-to here, but one question that I have is this:

Is your Kerio server bound to the SAMBA domain's Kerberos REALM?
In my case my kerio server has the following in the /etc/krb5.conf configuration:

[libdefaults]
default_realm = DIGIDNS.PRIVATE
dns_lookup_kdc = true
dns_lookup_realm = false
rdns = no

Obviously replace the DIGIDNS.PRIVATE domain name with the domain that you are running on SAMBA. You can find that on the Samba side by issuing: cat /etc/krb5.conf

[Updated on: Thu, 06 November 2014 15:27]

  •  
Roger_cwb
Hi!

I managed to make it work, using the LDIF that I attached in the previous post.

I was forgetting to put the domain again in the Kerberos 5 field in Domains | Advanced.

And yes, I put the info for my server in the /etc/krb5.conf file.

Now I will clear up all the mess that I made to make this work and try again, just to be sure.

[Updated on: Thu, 06 November 2014 18:57]


[]s
Roger
Curitiba - PR - Brasil
  •  
dthompson
That's great! I looked at the LDIF file you have and it's different from what I use; however, I use ldbadd and ldbmodify on Linux to extend the schema. I tried it on a Windows box and it worked just the same.

What I can't figure out is this: when extending the schema, if you install the actual Active Directory Schema extensions, then in the user profile when adding a new user you get the "add new Kerio mailbox" attribute when creating the new user, and you also get the Kerio tab when you modify the user. I cannot figure out how to get that part working, even though I would assume that difference would be there once you do a diff between the base AD and the modified schema, even after turning on the advanced features in RSAT.
  •  
CoBuz
Dear dthompson,

> That's great! I looked at the LDIF file you have and it's different from what I use; however, I use
> ldbadd and ldbmodify on Linux to extend the schema. I tried it on a Windows box and it worked just the
> same.

I'm really curious, how did you do that exactly?
