Connect to ActiveDirectory Windows Server 2008

Also, how do the users get pushed to the server? I have AD connected but the users are not populating. I can see them if I run a wbinfo -u, I do see all the users.

The documentation is seriously lacking on the AD integration and use. It may be something I consider writing up for future users of NS. Let’s face it, AD rules the world and to not have NS tightly integrated and documented, NS will only be “one of those other quasi-mail servers.” For professional IT shops, at least here in the US, ActiveDirectory integration is paramount to buying a product.

Users are not pushed to NethServer and you will be able to see them only on specific pages (like Web Content Filter), sadly the “Users” page is not one of them.

This is because the integration is partial, since there are many problems to face and most of them are not related to CentOS but to AD itself. I know we have some internal documentation but it is Italian-only and tailored for the Enterprise support.

This was the sad part, now the bright one! :wink:
We are working very hard to have a full integration with AD for NS 7.
The goal is to have fully featured NS which can act as AD PDC and also can connect to a forest of existing AD.
Stay tuned!

:clap::clap::clap:

1 Like

So, NS is false advertising then? It CLEARLY states that AD and email addresses will be imported from AD and now you, as part of the Dev Team are saying that factually FALSE? Perhaps you are mistaken? Or I am not reading this correctly?

From the Administrator Manual:
"The Email module integrates with an Active Directory (AD) environment, if Active Directory member role is enabled in Windows Network page.
To make NethServer work with the external LDAP database provided by Active Directory, the following rules applies:

Only enabled accounts are considered (userAccountControl attribute).
IMAP and SMTP login name is the value of sAMAccountName attribute.
Email addresses associated with an user are the values of mail…"
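The three rules quoted from the manual can be checked against directory entries before anyone tries to log in. The following is an added example written for this thread, not NethServer's own code: it models those rules as a function over AD entries given as dicts of attribute name to a list of values (the shape LDAP client libraries return) and runs it on constructed sample entries. The ACCOUNTDISABLE bit (0x2) is Microsoft's documented userAccountControl flag; the sample logins and addresses are assumptions made up here.

```python
# ACCOUNTDISABLE is bit 0x2 of userAccountControl (Microsoft's documented flag value).
ACCOUNTDISABLE = 0x0002


def mail_account_from_ad(entry):
    """Apply the manual's three rules to one AD entry.

    `entry` maps attribute name -> list of string values, as LDAP client libraries
    return them. Returns (login, addresses), or None when the account is skipped.
    """
    uac = entry.get("userAccountControl") or []
    if not uac or int(uac[0]) & ACCOUNTDISABLE:
        return None                      # rule 1: only enabled accounts are considered
    sam = entry.get("sAMAccountName") or []
    if not sam:
        return None                      # nothing to use as a login name
    login = sam[0]                       # rule 2: IMAP/SMTP login is sAMAccountName
    addresses = [a.strip() for a in (entry.get("mail") or []) if a and a.strip()]
    return login, addresses              # rule 3: addresses are the values of mail


def mail_accounts(entries):
    """Build the login -> addresses map the mail server would derive from the directory."""
    result = {}
    for entry in entries:
        acct = mail_account_from_ad(entry)
        if acct is not None:
            result[acct[0]] = acct[1]
    return result


# Constructed sample entries, not real directory data.
# 512 = NORMAL_ACCOUNT, 514 = NORMAL_ACCOUNT | ACCOUNTDISABLE.
SAMPLE_ENTRIES = [
    {"sAMAccountName": ["goofy"], "userAccountControl": ["512"],
     "mail": ["goofy@example.test"]},
    {"sAMAccountName": ["user2"], "userAccountControl": ["512"],
     "mail": ["user2@example.test"]},
    {"sAMAccountName": ["olduser"], "userAccountControl": ["514"],   # disabled: skipped
     "mail": ["olduser@example.test"]},
    {"sAMAccountName": ["nomail"], "userAccountControl": ["512"]},   # enabled, no mail attribute
]

if __name__ == "__main__":
    for login, addresses in mail_accounts(SAMPLE_ENTRIES).items():
        print(f"{login}: {addresses or '(no mail attribute set)'}")
```

The fourth entry is the case worth noticing when a user "is visible but gets no mail": the account passes the enabled check and has a login name, yet with no `mail` value there is no address for the mail server to accept.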

You’re not reading correctly, the manual states that “The Email module integrates with an Active Directory (AD) environment”, no one talked about importing :wink:
NS reads the users directly from the AD server and no local copy is made. Also, the manual talks about Email modules, not a full integration.

Please be patient, we are working very hard on the next release to create the best user experience for anybody who wants to play with AD :slight_smile:

1 Like

The documentation probably isn’t clear enough, as @giacomo already said NethServer 6.x can’t live alone without an AD active, so we’re speaking about syncing and not importing

What is the purpose of “integrating” with an AD server and mentioning emails if NS does nothing with that information? Sure, I understand the point of joining the domain for purely security reasons. But what value beyond that is there? Why set false expectations?

I disagree wholeheartedly and so does everyone I have shown this document to. We all read it as NS will use AD and pull the email addresses directly. One stop shopping so-to-speak. If I were NS, I would change the manual immediately to be clear that while you can have NS “talk” to AD, there is no exchange of information. And include a line like: “NS will not import, sync, or otherwise communication with AD for anything other than domain membership. Admins will still need to manually populate users and emails into NS.” THAT IS A FAIR STATEMENT.

Maybe we didn’t explain ourselves well enough.
I will try with an example, feel free to ask more!

You have a NS and an AD server acting as PDC of the LAN.
NS is joined to the AD.
NS can act as Mail Server and Web Content Filter using users from AD, but you always need to manage the users from AD server.

Example for Mail Server:

  • Join NS to the AD
  • Install the mail server
  • Create a user goofy on AD
  • Add an email field to goofy user on AD
  • NS is automatically configured to receive mails for the goofy user

Example for Web Content Filter:

  • Join NS to the AD
  • Install the web content filter
  • Create a user goofy on AD
  • On NS create a web content profile for the goofy user (you should see the user from NS web interface)
  • NS will filter the web for the goofy user
3 Likes

If that is the case, it is best news I have heard all week!!! However, the “automatically configured” part is not working. Like I said earlier, I can do a wbinfo -u on the NS and see the users. But when trying to log in to the email portal, nothing works.

This is I believe the final step of my implementation. If someone could explain how to get NS to read the email addresses from AD and then send/receive for those addresses, my life would be great! Right now, I am stuck at “* NS is automatically configured to receive mails for the goofy user”

For background, we do have the email addresses listed properly in the AD entry.

I think @davidep can help us on this!

Hi @chrisg, if “email portal” is SOGo, one further configuration step is required. Some info is from this post:

No luck. Does any user actually have AD integrated with NethServer? I’m curious if I am chasing a rabbit here. I’ve done everything suggested but still no luck.

I try to recap the situation:

  • ads join is OK, and winbind lists the domain accounts. I guess also getent passwd does the same.

  • Login on SOGo fails, even after it has been configured with the right permissions to bind the AD LDAP service.

Now it might help to verify if domain users can access their mailboxes with IMAP. Does it work?

Hi David,

Yes, you are right so far. When trying to login, SOGo spins a little when you hit enter so it is doing something. I can completely login with an email account created directly in NS so SOGo works.

IMAP works for the NS user but none of the AD users.

Can you see any relevant line in /var/log/imap?

May 2 14:53:50 mail dovecot: imap: Error: Internal auth failure (client-pid=27959 client-id=1)
May 2 14:53:50 mail dovecot: imap-login: Internal login failure (pid=27959 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=27962, TLS: Disconnected, session=<KWSSK+IxZACsHgAD>

May 2 14:54:13 mail dovecot: imap: Error: Internal auth failure (client-pid=28065 client-id=1)
May 2 14:54:13 mail dovecot: imap-login: Internal login failure (pid=28065 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=28066, TLS, session=<Q0noMeIx+wCsHgAD>

From the 10user_source_active_directory config file for SOGo:
push @sogoUserSources, qq(
    id = AD_Users;
    type = ldap;
    CNFieldName = cn;
    IDFieldName = sAMAccountName;
    #IDFieldName = mail;
    UIDFieldName = sAMAccountName;
    IMAPLoginFieldName = mail;
    canAuthenticate = YES;
    bindDN = "CN=$sogoCredentials[0],CN=Users,$adsBasePath";
    bindPassword = "$sogoCredentials[1]";
    baseDN = "$baseDN";
    bindFields = (mail,
        sAMAccountName,
    );
    hostname = $adsLdapServer;
    filter = "(objectClass=''user'')";
    scope = SUB;
    displayName = "$adsRealm users";
    isAddressBook = YES;
);

I checked AD and the mail attribute is set properly. So is the sAMAccountName.

mail=user2@myamrg.com
sAMAccountName = user2

Interestingly, uid is not set to anything in AD.
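Reading those /var/log/imap lines as a defender: "Internal login failure" with an empty user= means Dovecot's authentication backend errored out before any credential was evaluated, which is a different signal from "auth failed", where a client did present a password and the backend rejected it. The parser below is an added example, not code from the thread, from NethServer or from Dovecot; it classifies imap-login lines into those classes and groups the remote IPs per class. The two "Internal login failure" lines are the ones quoted above; the "Login:" and "auth failed" lines are constructed here to show the other classes, and their addresses and session ids are made up.

```python
import re
from collections import Counter

# Matches Dovecot "imap-login:" events: the event text up to ": ", then the
# user=, method= and rip= fields. "imap: Error:" lines are deliberately not matched.
LOGIN_RE = re.compile(
    r"dovecot: imap-login: (?P<event>.+?): .*?"
    r"user=<?(?P<user>[^>,]*)>?, method=(?P<method>\w+), rip=(?P<rip>[0-9a-fA-F.:]+)"
)

# Constructed sample log. Lines 2 and 3 are the internal failures quoted in the thread;
# the remaining lines are made up here to show a successful login and a rejected password.
SAMPLE_LOG = """\
May 2 14:53:50 mail dovecot: imap: Error: Internal auth failure (client-pid=27959 client-id=1)
May 2 14:53:50 mail dovecot: imap-login: Internal login failure (pid=27959 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=27962, TLS: Disconnected, session=<KWSSK+IxZACsHgAD>
May 2 14:54:13 mail dovecot: imap-login: Internal login failure (pid=28065 id=1) (internal failure, 1 succesful auths): user=, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=28066, TLS, session=<Q0noMeIx+wCsHgAD>
May 2 14:55:01 mail dovecot: imap-login: Login: user=<localuser>, method=PLAIN, rip=172.30.0.3, lip=192.168.202.42, mpid=28100, TLS, session=<c0nstructed1>
May 2 14:56:40 mail dovecot: imap-login: Disconnected (auth failed, 3 attempts in 12 secs): user=<goofy>, method=PLAIN, rip=203.0.113.9, lip=192.168.202.42, TLS, session=<c0nstructed2>
"""


def classify(event):
    """Map the imap-login event text to a coarse outcome class."""
    if event.startswith("Login"):
        return "ok"
    if event.startswith("Internal login failure"):
        return "internal"          # backend error: the password was never evaluated
    if "auth failed" in event:
        return "bad_credentials"   # credentials were presented and rejected
    return "other"


def parse_line(line):
    """Return a record for an imap-login line, or None for any other line."""
    m = LOGIN_RE.search(line)
    if m is None:
        return None
    return {
        "class": classify(m.group("event")),
        "user": m.group("user"),
        "method": m.group("method"),
        "rip": m.group("rip"),
    }


def summarize(log_text):
    """Return (per-class counts, per-class set of remote IPs) for a block of log text."""
    counts = Counter()
    sources = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        counts[rec["class"]] += 1
        sources.setdefault(rec["class"], set()).add(rec["rip"])
    return counts, sources


if __name__ == "__main__":
    counts, sources = summarize(SAMPLE_LOG)
    for cls, n in counts.items():
        print(f"{cls}: {n} event(s) from {sorted(sources[cls])}")
```

A run of "internal" events from one internal address (here the SOGo host) points at the server side, in this thread the winbind/Kerberos path behind Dovecot, while a run of "bad_credentials" events naming real users from an outside address is the pattern a password-guessing attempt leaves in the same log; the two should be triaged differently.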

So, let’s concentrate on IMAP! I guess the dovecot keytab file has some kind of issue…

Remove it:

rm -vf /var/lib/dovecot/krb5.keytab

Re-create it, and look at the command exit status:

/usr/libexec/nethserver/smbads initkeytab
echo $?

Then

service dovecot restart

Finally try to login again on IMAP. I hope it helps!

@chrisg I am interested in how your join is going.