How-to: Integrating Kerio MailServer on Linux with MS Active Directory
By John Wu
When reading about one of the many product announcements at LinuxWorld Conference & Expo in San Francisco this week, many IT pros wish they could read between the lines. They wonder, "What would it be like to use it?" This installment in our "new product how-to" series gives some clues about one LinuxWorld introduction, version 6.1 of the Kerio MailServer, which runs on Linux.
Version 6.1 focuses on security with the addition of anti-spam, anti-virus and Web mail enhancements. It can also be integrated with Microsoft Active Directory. This step-by-step guide to that process was penned by John Wu, a Kerio engineer.
SearchEnterpriseLinux.com's "new product how-tos" are designed to introduce IT professionals to a product or technology and can be found in our Tips section.
Product: Kerio MailServer
Type of product: This mail server software includes messaging and collaboration capabilities.
Vendor: Kerio Technologies Inc. of Santa Clara, Calif., provides Internet messaging and security products for small- to medium-sized enterprises.
Value proposition: Integrating the Kerio MailServer with Active Directory not only utilizes the benefit of Kerberos 5 authentication, but it also allows administrators to import user accounts and groups from Active Directory and create new mailboxes through Active Directory without having to log into the MailServer administration console. An end user feature provided by the integration is the ability to change passwords by logging into Kerio's secure WebMail.
Price: $499 per 20-user license
How to integrate the Kerio MailServer with Microsoft Active Directory:
There are two stages for integrating the Kerio MailServer with Active Directory: joining the Kerio MailServer machine to the Active Directory domain; and configuring the Kerio MailServer.
Join the Kerio MailServer machine to the Active Directory domain
1. To join a Linux machine into an Active Directory domain, Kerberos 5 must be installed. To check this, run the following command:
#rpm -qa krb5-workstation
The command should return something like krb5-workstation-1.2.5-8. If nothing is returned, then it means that Kerberos 5 is not installed.
2. Make sure the time on the Linux machine is synchronized: It needs to be less than 5 seconds off from the AD controller or Kerberos will not work. SNTP synchronization to the AD controller is recommended (but outside the scope of this document).
3. Edit the /etc/krb5.conf file and edit the sections 'libdefaults', 'realms' and 'domain_realm' with the information of the Active Directory domain that the Linux machine is going to join.
The names in all caps are the realm name; the lower-case names are the domain name.
4. Run the following command:
This will prompt for the password of the administrator user of the Active Directory domain. Provide the password and hit Enter. The only thing to keep in mind at this stage is the proper case.
Be sure to use the same case for the realm that was used in the krb5.conf, which is upper case. So, for example, if email@example.com is used, Kerberos will not be able to authenticate.
5. After getting authenticated, run the following command to add the machine to Active Directory:
#net ads join -S YOURREALM.LOCAL
This will give an output similar to "Joined 'linclnt' to realm 'YOURREALM.LOCAL'". To check that everything worked properly, go to the Domain Controller, open Active Directory Users and Computers and go to Computers. The Linux machine should be listed there if it has joined successfully.
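The following shell check for the realm-case rule in steps 3 and 4 is an added example, not part of the original article or Kerio's documentation. The sample krb5.conf is constructed: YOURREALM.LOCAL is the realm from step 5, while the domain controller name dc1.yourrealm.local and the function names are assumptions.

```shell
# Constructed sample: YOURREALM.LOCAL is this guide's realm; dc1.yourrealm.local is a hypothetical DC.
write_sample_conf() {
cat > "$1" <<'EOF'
[libdefaults]
    default_realm = YOURREALM.LOCAL
[realms]
    YOURREALM.LOCAL = {
        kdc = dc1.yourrealm.local
    }
[domain_realm]
    .yourrealm.local = YOURREALM.LOCAL
EOF
}

# Print each realm/domain case mistake; exit status 0 means none were found.
check_krb5_conf() {
    awk 'function trim(s) { gsub(/^[ \t]+|[ \t]+$/, "", s); return s }
    function bad(msg) { print msg; rc = 1 }
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }      # comments and blank lines
    /^[ \t]*\[/ { sec = trim($0); next }      # section header
    {
        n = index($0, "="); if (n == 0) next
        key = trim(substr($0, 1, n - 1)); val = trim(substr($0, n + 1))
        if (sec == "[libdefaults]" && key == "default_realm") {
            realm = val
            if (val != toupper(val)) bad("default_realm " val " is not upper case")
        } else if (sec == "[realms]" && val == "{") {
            defined[key] = 1                  # realm block, spelled as written
        } else if (sec == "[domain_realm]") {
            if (key != tolower(key)) bad("domain " key " is not lower case")
            if (val != toupper(val)) bad("realm " val " is not upper case")
        }
    }
    END {
        if (realm == "") bad("no default_realm in [libdefaults]")
        else if (!(realm in defined)) bad("[realms] has no entry spelled " realm)
        exit rc + 0
    }' "$1"
}

# Succeed only if the realm part of a principal matches default_realm exactly.
check_principal() {
    realm=$(awk -F= '$1 ~ /^[ \t]*default_realm[ \t]*$/ { gsub(/[ \t]/, "", $2); print $2; exit }' "$1")
    [ "${2#*@}" = "$realm" ]
}
conf=$(mktemp) && write_sample_conf "$conf"
check_krb5_conf "$conf" && echo "realm case is consistent"
check_principal "$conf" administrator@yourrealm.local || echo "lower-case realm does not match"
rm -f "$conf"
```

Point check_krb5_conf at /etc/krb5.conf after editing it in step 3, before requesting a ticket in step 4.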
Configuring the Kerio MailServer
1. Download the Kerio Active Directory Extensions from http://www.kerio.com/kms_download.html and install on the Domain Controller.
2. Install the Kerio MailServer on the Linux machine and log into the Admin console by entering the command "kerioadmin".
3. Go to Configuration > Domains
4. Double-click on the domain that will integrate with Active Directory.
5. Go to the Directory Service tab and enter in the information for the Active Directory domain that the domain will integrate with. For more details on this tab, consult the section on "Domains" in the MailServer manual.
6. Go to the Advanced tab and enter the realm name into the Kerberos 5 field. The realm name must be all in caps. Click OK, then click Apply at the lower right-hand corner of the Admin console.
Now the Kerio MailServer is ready to import and authenticate users and groups from Active Directory.
01 Aug 2005