Active Directory integration for NethServer mail server

Davide Principi

May 31, 2013, 4:39:02 AM
to neths...@googlegroups.com

If you have an AD environment and you'd like a mail server with AD
users' mailboxes and single-sign-on authentication, please test it and
post your feedback here!

In the last few days, I've pushed a bundle of packages into the
nethserver-testing yum repository. It has been a big challenge to make
everything work and I think it's now good enough to widen the test cases.

Note that:

- this is still TESTING, don't use it on production servers;

- we require more recent versions of postfix and dovecot, for
SASL/GSSAPI support: they come from the nethserver-testing repository,
but should be stable enough;

- only IMAP and SMTP servers are configured. In other words, SOGo still
does not work.

To install the required software from the nethserver-testing yum
repository, type:

# yum --enablerepo=nethserver-testing update \
nethserver-{base,nethgui,ntp} postfix
[...]
Updated:
nethserver-base.noarch 0:1.2.3-1.ns6
nethserver-nethgui.noarch 0:1.1.1-1.ns6
postfix.x86_64 2:2.9.6-2.ns6
nethserver-ntp.noarch 0:1.0.3-1.ns6

# yum --enablerepo=nethserver-testing install \
@nethserver-mail nethserver-hosts nethserver-samba
[...]
Installed:
nethserver-hosts.noarch 0:1.0.3-1.ns6
nethserver-mail-filter.noarch 0:1.1.0-1.ns6
nethserver-mail-server.noarch 0:1.4.0-1.ns6
nethserver-samba.noarch 0:1.3.0-1.ns6


To join the Active Directory domain, follow the instructions on

https://dev.nethesis.it/projects/nethserver/wiki/Nethserver-samba#Active-Directory-domain-member

Some important notes about nethserver-mail-server integration with AD
are also on

https://dev.nethesis.it/projects/nethserver/wiki/Nethserver-mail-server#Active-Directory-integration


--
Davide Principi

Nethesis srl - Pesaro (Italy)

Davide Principi

Jun 5, 2013, 4:49:29 AM
to neths...@googlegroups.com
On Fri, 31/05/2013 at 10.39 +0200, Davide Principi wrote:
> If you have an AD environment and you'd like a mail server with AD
> users' mailboxes and single-sign-on authentication, please test it and
> post your feedback here!

One week has passed since I started the Active Directory join test:
two virtual machines, NethServer and Windows Server 2008 with AD are
running.

The goal is to test the cronjobs that refresh Kerberos tickets for
the dovecot and postfix daemons, ensuring user SASL/GSSAPI authentication
and mail address lookup queries on AD LDAP.

This morning I found some mail messages from the hourly cronjob:

/etc/cron.hourly/smbads_tgt:

kinit: Clock skew too great while getting initial credentials
kinit: Clock skew too great while getting initial credentials

I checked the machine clocks: the problem was AD running without NTP
configuration. Probably, for a VM clock, only a few days are enough to
drift out of the five-minute Kerberos tolerance.

To configure NTP on AD I followed the instructions from ntp.org:

http://support.ntp.org/bin/view/Support/WindowsTimeService

It seems that after setting the external time source, AD works as an NTP
server as well. Previous attempts to use AD as a time source from
NethServer ntpd failed. Now it works, so I've updated the "Active
directory domain member" section here:

https://dev.nethesis.it/projects/nethserver/wiki/Nethserver-samba#Active-Directory-domain-member
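
The clock-skew failure described in the message above can be caught before kinit starts failing by measuring the offset to the domain controller. This is an added example, not part of the original thread or of NethServer: it computes the offset from an SNTP reply and compares it with the five-minute tolerance. The 150-second warning threshold, the function names and the constructed sample reply are assumptions made for illustration.

```python
import socket
import struct
import time

NTP_DELTA = 2208988800   # seconds from the NTP epoch (1900) to the Unix epoch (1970)
MAX_SKEW = 300           # Kerberos tolerance mentioned in the thread: five minutes
WARN_AT = 150            # assumption: alert at half the tolerance


def to_ntp(unix):
    """Encode Unix seconds as a 64-bit NTP timestamp."""
    sec = int(unix)
    return struct.pack("!II", sec + NTP_DELTA, int((unix - sec) * 2**32))


def from_ntp(buf, pos):
    """Decode the 64-bit NTP timestamp at byte offset pos to Unix seconds."""
    sec, frac = struct.unpack_from("!II", buf, pos)
    return sec - NTP_DELTA + frac / 2**32


def offset_from_reply(reply, t4):
    """Clock offset (server minus local) from an SNTP reply received at t4."""
    # Require a full header, mode 4 (server) and a non-zero stratum.
    if len(reply) < 48 or (reply[0] & 0x07) != 4 or reply[1] == 0:
        raise ValueError("not a usable NTP server reply")
    t1, t2, t3 = (from_ntp(reply, p) for p in (24, 32, 40))
    return ((t2 - t1) + (t3 - t4)) / 2


def classify(offset):
    skew = abs(offset)
    return "fail" if skew > MAX_SKEW else "warn" if skew > WARN_AT else "ok"


def query(host, timeout=3.0):
    """Ask host (for example the AD domain controller) for the time over UDP/123."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        # 0x23 = LI 0, version 4, mode 3 (client); transmit timestamp at bytes 40-47.
        s.sendto(b"\x23" + bytes(39) + to_ntp(time.time()), (host, 123))
        reply = s.recv(512)
    return offset_from_reply(reply, time.time())


def sample_reply(t1, server_ahead):
    """Constructed reply from a server whose clock is server_ahead seconds off."""
    now = to_ntp(t1 + server_ahead)
    return b"\x24\x02" + bytes(22) + to_ntp(t1) + now + now
```

Running `classify(query("dc.example.test"))` from an hourly cron job, with the hypothetical host name replaced by the real domain controller, reports drift while ticket renewal still works.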

Davide Principi

Feb 21, 2014, 12:49:44 PM
to neths...@googlegroups.com
On Fri, 2013-05-31 at 10:39 +0200, Davide Principi wrote:
> If you have an AD environment and you'd like a mail server with AD
> users' mailboxes and single-sign-on authentication, please test it and
> post your feedback here!

The Fedora maintainer has recently accepted our patch to the postfix
package.

https://bugzilla.redhat.com/show_bug.cgi?id=1052958

The upstream version can now be tested directly on the current
NethServer 6.5 beta3.

http://dev.nethserver.org/issues/2658

I've pushed Postfix packages from EPEL to nethserver-testing:

postfix-2.10.3-1.el6.x86_64.rpm
postfix-perl-scripts-2.10.3-1.el6.x86_64.rpm

To install them, type at the root prompt:

# yum update --enablerepo=nethserver-testing postfix postfix-perl-scripts