HowTo Setup OpenChange Server¶
While not required reading, the complete output of each expected command is provided throughout this guide as a reference.
Provision Samba4 server¶
If you don't have DNS resolution and your realm can't be resolved, Samba will be unable to authenticate users against its user database. You must specify a realm that both MAPI clients and the OpenChange server can resolve.
If everything works fine, the provisioning script will have created all the databases, populated the AD (Active Directory) and generated a valid smb.conf file.
From samba4/source4 directory, run under the root account:
# ./setup/provision --realm=OPENCHANGE.LOCAL --domain=OPENCHANGE --adminpass='%1OpenChange' --server-role='domain controller'
Setting up share.ldb
Setting up secrets.ldb
Setting up the registry
Setting up the privileges database
Setting up idmap db
Setting up SAM db
Setting up sam.ldb partitions and settings
Setting up sam.ldb rootDSE
Pre-loading the Samba 4 and AD schema
Adding DomainDN: DC=openchange,DC=local
pdc_fsmo_init: no domain object present: (skip loading of domain details)
Adding configuration container
naming_fsmo_init: no partitions dn present: (skip loading of naming contexts details)
Setting up sam.ldb schema
Reopening sam.ldb with new schema
naming_fsmo_init: no partitions dn present: (skip loading of naming contexts details)
naming_fsmo_init: no partitions dn present: (skip loading of naming contexts details)
Setting up sam.ldb configuration data
Setting up display specifiers
Adding users container
Modifying users container
Adding computers container
Modifying computers container
Setting up sam.ldb data
Setting up sam.ldb users and groups
Setting up self join
Setting up sam.ldb rootDSE marking as synchronized
sh: /usr/sbin/rndc: No such file or directory
sh: /usr/sbin/rndc: No such file or directory
See /usr/local/samba/private/named.conf for an example configuration include file for BIND
and /usr/local/samba/private/named.txt for further documentation required for secure DNS updates
A Kerberos configuration suitable for Samba 4 has been generated at /usr/local/samba/private/krb5.conf
Please install the phpLDAPadmin configuration located at /usr/local/samba/private/phpldapadmin-config.php into /etc/phpldapadmin/config.php
Once the above files are installed, your Samba4 server will be ready to use
Server Role: domain controller
Hostname: mapiproxy
NetBIOS Domain: OPENCHANGE
DNS Domain: openchange.local
DOMAIN SID: S-1-5-21-3901855499-1409744059-3208764593
Admin password: %1OpenChange
If you get an error that looks like:
Traceback (most recent call last):
File "./setup/provision", line 33, in <module>
import samba
File "bin/python/samba/__init__.py", line 44, in <module>
import ldb
ImportError: No module named ldb
there are a couple of things to try:
- check if ldb.so is installed in a python library path (if not, the build or install went wrong, and you need to look at the build log to find out why)
- check if that python library path is in the PYTHONPATH environment variable (if not, try adding it)
- check that your PYTHONPATH isn't being overridden (e.g. if you are using sudo, either specify PYTHONPATH explicitly on the command line or edit /etc/sudoers to preserve PYTHONPATH)
Add a Samba4 user¶
If you need to add a user, run the following command from samba4 source directory (i.e. go one level up from the directory where you did the provisioning), changing <username> and <password> to the username and password you would like to use:
# ./bin/samba-tool newuser <username> <password>
For example:
# ./bin/samba-tool newuser openchange openchange
Note that Samba4 release alpha 13 and prior used a different name for this tool, so you may need this instead:
# ./bin/net newuser <username> <password>
Provision OpenChange server¶
In the OpenChange source directory, run the following command to extend Samba4 AD. This script will add necessary schema and attributes to run OpenChange Server:
# ./setup/openchange_provision
NOTE: This operation can take several minutes
[+] Step 1: Register Exchange OIDs
[+] Step 2: Add Exchange attributes to Samba schema
[+] Step 3: Add Exchange auxiliary classes to Samba schema
[+] Step 4: Add Exchange objectCategory to Samba schema
[+] Step 5: Add Exchange containers to Samba schema
[+] Step 6: Add Exchange *sub* containers to Samba schema
[+] Step 7: Add Exchange CfgProtocol subcontainers to Samba schema
[+] Step 8: Add Exchange mailGateway subcontainers to Samba schema
[+] Step 9: Add Exchange classes to Samba schema
[+] Step 10: Add possSuperior attributes to Exchange classes
[+] Step 11: Extend existing Samba classes and attributes
[+] Step 12: Exchange Samba with Exchange configuration objects
[SUCCESS] Done!
Provision OpenChange database¶
You now need to add the dispatcher database for user mailboxes.
# ./setup/openchange_provision --openchangedb
Setting up openchange db
[+] Public Folders
===================
* Public Folder Root 0x0000000000010001
* IPM_SUBTREE 0x0000000000020001
* NON_IPM_SUBTREE 0x0000000000030001
* EFORMS REGISTRY 0x0000000000040001
* OFFLINE ADDRESS BOOK 0x0000000000050001
* /o=First Organization/cn=addrlists/cn=oabs/cn=Default Offline Address Book 0x0000000000060001
* SCHEDULE+ FREE BUSY 0x0000000000070001
* EX:/o=First Organization/ou=Exchange Administrative Group (MAPIPROXY) 0x0000000000080001
* Events Root 0x0000000000090001
Add an OpenChange user¶
Extend the user Active Directory attributes¶
Finally, running OpenChange server for a given user requires that the user belong to the "Exchange Organization". The openchange_newuser script extends the existing user record and adds the attributes needed by OpenChange:
# ./setup/openchange_newuser --create <username>
For example, for our openchange test user, the output would be similar to:
# ./setup/openchange_newuser --create openchange
[+] User openchange extended and enabled
Users created with this script are enabled by default. You can enable/disable these users at any time by running:
# ./setup/openchange_newuser --enable <username>
# ./setup/openchange_newuser --disable <username>
Create the OpenChange user mailbox¶
You can now create the mailbox for the user in the dispatcher database:
# ./setup/openchange_newuser --mailbox <username>
For example, for our openchange test user, the output would be similar to:
# ./setup/openchange_newuser --mailbox openchange
[+] Mailbox for 'openchange'
============================
* GlobalCount (0xa) and ReplicaID (0x1)
* Mapistore content repository created: /usr/local/samba/private/mapistore/openchange
* User object created: CN=openchange,CN=First Organization Unit,CN=First Organization,CN=MAPIPROXY,DC=openchange,DC=local
* Adding System Folders
* Mailbox Root : 0x00000000000a0001
* Deferred Actions : 0x00000000000b0001
* Common Views : 0x00000000000c0001
* Search : 0x00000000000d0001
* Schedule : 0x00000000000e0001
* Shortcuts : 0x00000000000f0001
* To-Do Search : 0x0000000000100001
* Views : 0x0000000000110001
* Spooler Queue : 0x0000000000120001
* IPM Subtree : 0x0000000000130001
* Sent Items : 0x0000000000140001
* Outbox : 0x0000000000150001
* Inbox : 0x0000000000160001
* Deleted Items : 0x0000000000170001
* Reminders : 0x0000000000180001
* Adding Special Folders:
* Calendar : 0x0000000000190001 (IPF.Appointment)
* Contacts : 0x00000000001a0001 (IPF.Contact)
* Journal : 0x00000000001b0001 (IPF.Journal)
* Notes : 0x00000000001c0001 (IPF.StickyNote)
* Tasks : 0x00000000001d0001 (IPF.Task)
* Drafts : 0x00000000001e0001 (IPF.Note)
* Adding default Receive Folders:
* All Message Class added to 0x0000000000160001
* IPM Message Class added to 0x0000000000160001
* Report.IPM Message Class added to 0x0000000000160001
* IPM.Note Message Class added to 0x0000000000160001
* IPC Message Class added to 0x0000000000130001
* Adding additional default properties to Inbox
* Adding additional default properties to Reminders
* GlobalCount (0x1f)
Setting smb.conf¶
In order to run OpenChange server, you need to set additional parameters in the [globals] section of smb.conf.
Roughly, you need to add the following entries to that section:
### Configuration required by OpenChange server ###
dcerpc endpoint servers = epmapper, mapiproxy
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
### Configuration required by OpenChange server ###
A sample basic smb.conf file would look like:
[globals]
# Global parameters
[global]
server role = domain controller
workgroup = OPENCHANGE
realm = OPENCHANGE.LOCAL
netbios name = REPENS
setup directory = setup/
### Configuration required by OpenChange server ###
dcerpc endpoint servers = +mapiproxy
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
### Configuration required by OpenChange server ###
[netlogon]
path = /usr/local/samba/var/locks/sysvol/openchange.local/scripts
read only = No
[sysvol]
path = /usr/local/samba/var/locks/sysvol
read only = No
Note that the "+mapiproxy" syntax was added to samba in early Dec 2010, and is not available on samba4-alpha13.
You can use this syntax instead:
dcerpc endpoint servers = epmapper, mapiproxy
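The following script is an added example (not code from the OpenChange or Samba projects) that checks whether an smb.conf carries the three OpenChange globals listed above; it accepts both the "+mapiproxy" shorthand and the explicit "epmapper, mapiproxy" list. The sample files it creates are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not part of the OpenChange or Samba projects: check that an
# smb.conf carries the globals this guide says OpenChange server needs.
# Both forms of "dcerpc endpoint servers" shown above are accepted, the
# "+mapiproxy" shorthand and the explicit "epmapper, mapiproxy" list.

# Print the value of global key $2 in file $1 with all spaces removed,
# so comma-separated lists can be matched as ",item,".
conf_val() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | tr -d ' '
}

# Return 0 if $1 has every OpenChange entry, otherwise print what is missing.
check_smb_conf() {
    conf="$1"; rc=0
    case ",$(conf_val "$conf" 'dcerpc endpoint servers')," in
        *,+mapiproxy,*|*,mapiproxy,*) ;;
        *) echo "dcerpc endpoint servers does not load mapiproxy"; rc=1 ;;
    esac
    [ "$(conf_val "$conf" 'dcerpc_mapiproxy:server')" = true ] \
        || { echo "dcerpc_mapiproxy:server is not set to true"; rc=1; }
    ifaces=",$(conf_val "$conf" 'dcerpc_mapiproxy:interfaces'),"
    for iface in exchange_emsmdb exchange_nsp exchange_ds_rfr; do
        case "$ifaces" in
            *",$iface,"*) ;;
            *) echo "dcerpc_mapiproxy:interfaces lacks $iface"; rc=1 ;;
        esac
    done
    return $rc
}

# Constructed sample files (not captured from a real server).
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
cat > "$WORK/good.conf" <<'EOF'
[global]
server role = domain controller
realm = OPENCHANGE.LOCAL
dcerpc endpoint servers = epmapper, mapiproxy
dcerpc_mapiproxy:server = true
dcerpc_mapiproxy:interfaces = exchange_emsmdb, exchange_nsp, exchange_ds_rfr
EOF
# Same file but with the RFR interface dropped, to show the check catching it.
sed 's/, exchange_ds_rfr//' "$WORK/good.conf" > "$WORK/bad.conf"

check_smb_conf "$WORK/good.conf" && echo "good.conf: ready for OpenChange server"
check_smb_conf "$WORK/bad.conf"  || echo "bad.conf: fix the entries above first"
```

Run it against /usr/local/samba/etc/smb.conf by calling check_smb_conf on that path instead of the sample files.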
Start the server¶
The simplest approach is to just run "samba", but as a developer you may find the following more useful:
# samba -d3 -i -M single
That starts the samba server interactively in the foreground (-i) at debug level 3 (-d3), running as a single process (-M single). That mode of operation makes debugging samba with gdb particularly easy.
After running samba, look within the output for the following specific lines:
DCERPC endpoint server 'exchange_emsmdb' registered
DCERPC endpoint server 'exchange_nsp' registered
DCERPC endpoint server 'exchange_ds_rfr' registered
MAPIPROXY server 'exchange_ds_rfr' registered
MAPIPROXY server 'exchange_nsp' registered
MAPIPROXY server 'exchange_emsmdb' registered
MAPIPROXY server mode enabled
MAPIPROXY proxy mode disabled
mapiproxy_server_load 'exchange_nsp' (OpenChange NSPI server)
mapiproxy_server_load 'exchange_emsmdb' (OpenChange EMSMDB server)
mapiproxy_server_load 'exchange_ds_rfr' (OpenChange RFR server)
If you see similar output and no errors, congratulations! You have OpenChange server running properly.
Below, as a reference, is a complete successful startup log of a Samba4 server with OpenChange:
# /usr/local/samba/sbin/samba -d3 -i -M single
lp_load: refreshing parameters from /usr/local/samba/etc/smb.conf
params.c:pm_process() - Processing configuration file "/usr/local/samba/etc/smb.conf"
Processing section "[globals]"
Processing section "[netlogon]"
Processing section "[sysvol]"
adding hidden service IPC$
adding hidden service ADMIN$
samba version 4.0.0alpha12-GIT-9cddf89 started.
Copyright Andrew Tridgell and the Samba Team 1992-2010
GENSEC backend 'sasl-DIGEST-MD5' registered
GENSEC backend 'krb5' registered
GENSEC backend 'fake_gssapi_krb5' registered
GENSEC backend 'schannel' registered
GENSEC backend 'spnego' registered
GENSEC backend 'gssapi_spnego' registered
GENSEC backend 'gssapi_krb5' registered
GENSEC backend 'gssapi_krb5_sasl' registered
GENSEC backend 'ntlmssp' registered
NTPTR backend 'simple_ldb'
NTVFS backend 'simple' for type 1 registered
NTVFS backend 'cifs' for type 1 registered
NTVFS backend 'nbench' for type 1 registered
NTVFS backend 'unixuid' for type 1 registered
NTVFS backend 'unixuid' for type 3 registered
NTVFS backend 'unixuid' for type 2 registered
NTVFS backend 'cifsposix' for type 1 registered
NTVFS backend 'smb2' for type 1 registered
NTVFS backend 'default' for type 2 registered
NTVFS backend 'default' for type 3 registered
NTVFS backend 'default' for type 1 registered
NTVFS backend 'posix' for type 1 registered
PROCESS_MODEL 'standard' registered
PROCESS_MODEL 'prefork' registered
PROCESS_MODEL 'single' registered
AUTH backend 'winbind_samba3' registered
AUTH backend 'winbind' registered
AUTH backend 'winbind_wbclient' registered
AUTH backend 'server' registered
AUTH backend 'name_to_ntstatus' registered
AUTH backend 'fixed_challenge' registered
AUTH backend 'unix' registered
AUTH backend 'anonymous' registered
AUTH backend 'sam' registered
AUTH backend 'sam_ignoredomain' registered
SHARE backend [ldb] registered.
SHARE backend [classic] registered.
ldb_wrap open of sam.ldb
ldb_wrap open of privilege.ldb
samba: using 'single' process model
DCERPC endpoint server 'wkssvc' registered
DCERPC endpoint server 'drsuapi' registered
DCERPC endpoint server 'spoolss' registered
DCERPC endpoint server 'winreg' registered
DCERPC endpoint server 'epmapper' registered
DCERPC endpoint server 'srvsvc' registered
DCERPC endpoint server 'netlogon' registered
DCERPC endpoint server 'browser' registered
DCERPC endpoint server 'rpcecho' registered
DCERPC endpoint server 'unixinfo' registered
DCERPC endpoint server 'samr' registered
DCERPC endpoint server 'remote' registered
DCERPC endpoint server 'dssetup' registered
DCERPC endpoint server 'lsarpc' registered
DCERPC endpoint server 'exchange_emsmdb' registered
DCERPC endpoint server 'exchange_nsp' registered
DCERPC endpoint server 'exchange_ds_rfr' registered
DCERPC endpoint server 'mapiproxy' registered
MAPIPROXY module 'pack' registered
MAPIPROXY module 'dummy' registered
MAPIPROXY module 'downgrade' registered
MAPIPROXY module 'cache' registered
MAPIPROXY server 'exchange_ds_rfr' registered
MAPIPROXY server 'exchange_nsp' registered
MAPIPROXY server 'exchange_emsmdb' registered
MAPIPROXY server mode enabled
MAPIPROXY proxy mode disabled
mapiproxy_server_load 'exchange_nsp' (OpenChange NSPI server)
mapiproxy_server_load 'exchange_emsmdb' (OpenChange EMSMDB server)
mapiproxy_server_load 'exchange_ds_rfr' (OpenChange RFR server)
added interface ip=10.254.0.100 nmask=255.255.255.0
Attempting to autogenerate TLS self-signed keys for https for hostname 'MAPIPROXY.openchange.local'
Enabling QUICK mode in gcrypt
Generating private key
Generating CA private key
Generating CA certificate
Generating TLS certificate
Exporting TLS keys
TLS self-signed keys generated OK
added interface ip=10.254.0.100 nmask=255.255.255.0
added interface ip=10.254.0.100 nmask=255.255.255.0
FIXME: Using new system session for hdb
ldb_wrap open of sam.ldb
dreplsrv_partition[CN=Configuration,DC=openchange,DC=local] loaded
dreplsrv_partition[CN=Schema,CN=Configuration,DC=openchange,DC=local] loaded
dreplsrv_partition[DC=openchange,DC=local] loaded
dreplsrv_refresh_partition(DC=openchange,DC=local)
dreplsrv_refresh_partition(CN=Schema,CN=Configuration,DC=openchange,DC=local)
dreplsrv_refresh_partition(CN=Configuration,DC=openchange,DC=local)
dreplsrv_periodic_schedule(15) scheduled for: Sun Jul 25 02:21:16 2010 CEST
ldb_wrap open of idmap.ldb
kccsrv_partition[DC=openchange,DC=local] loaded
kccsrv_partition[CN=Configuration,DC=openchange,DC=local] loaded
kccsrv_partition[CN=Schema,CN=Configuration,DC=openchange,DC=local] loaded
kccsrv_periodic_schedule(15) scheduled for: Sun Jul 25 02:21:16 2010 CEST
Loading new DNS update grant rules
Calling DNS name update script
Calling SPN name update script
Registered MAPIPROXY<00> with 10.254.0.100 on interface 10.254.0.255
Registered MAPIPROXY<03> with 10.254.0.100 on interface 10.254.0.255
Registered MAPIPROXY<20> with 10.254.0.100 on interface 10.254.0.255
Registered OPENCHANGE<1b> with 10.254.0.100 on interface 10.254.0.255
Registered OPENCHANGE<1c> with 10.254.0.100 on interface 10.254.0.255
Registered OPENCHANGE<00> with 10.254.0.100 on interface 10.254.0.255
Child /usr/local/samba/sbin/samba_spnupdate exited with status 0 - Success
Completed SPN update check OK
/usr/local/samba/sbin/samba_dnsupdate: Traceback (most recent call last):
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 284, in <module>
/usr/local/samba/sbin/samba_dnsupdate:     get_credentials(lp)
/usr/local/samba/sbin/samba_dnsupdate:   File "/usr/local/samba/sbin/samba_dnsupdate", line 91, in get_credentials
/usr/local/samba/sbin/samba_dnsupdate:     creds.get_named_ccache(lp, ccachename)
/usr/local/samba/sbin/samba_dnsupdate: RuntimeError: kinit for MAPIPROXY$@OPENCHANGE.LOCAL failed (Cannot contact any KDC for requested realm: unable to reach any KDC in realm OPENCHANGE.LOCAL)
/usr/local/samba/sbin/samba_dnsupdate:
Child /usr/local/samba/sbin/samba_dnsupdate exited with status 1 - Operation not permitted
dsdb/dns/dns_update.c:249: Failed DNS update - NT_STATUS_ACCESS_DENIED
dreplsrv_periodic_run(): schedule pull replication
dreplsrv_periodic_run(): run pending_ops memory=64
dreplsrv_refresh_partition(DC=openchange,DC=local)
dreplsrv_refresh_partition(CN=Schema,CN=Configuration,DC=openchange,DC=local)
dreplsrv_refresh_partition(CN=Configuration,DC=openchange,DC=local)
dreplsrv_periodic_schedule(300) scheduled for: Sun Jul 25 02:26:16 2010 CEST
kccsrv_periodic_run(): simple update
Testing kcctpl_create_intersite_connections
kccsrv_periodic_schedule(300) scheduled for: Sun Jul 25 02:26:16 2010 CEST