Thanks to Andrew(s), OpenChange Schema works again

Julien Kerihuel j.kerihuel at
Tue Jan 6 12:35:57 GMT 2009

On Tue, 2009-01-06 at 11:37 +0200, Sassy Natan wrote:
> run make;make install, make provision-install, make mapiproxy-install,
> make installman, make install-server.

Hi Sassy,

I've updated the Makefile recently (r972) so mapiproxy-servers-install
now installs openchange python scripts and ldif file. 

You should only have to run 'make; make install' to have OpenChange
installed properly.

> Now I started to provision my site. I don't know why - But i added to
> create the smb.conf before starting any step. It was workign before
> but somethig happend.

Indeed, I encountered similar issue. Jelmer thought the problem was
fixed (with the samba master git rev we are using), so I suppose this
issue will automatically be fixed when we update to a more recent Samba
master revision.

>  So now I run the provision-backend, provision, add the options
> required for openchange in the smb.conf
>        dcerpc_mapiproxy:server = true
>        dcerpc_mapiproxy:proxy = true
>         ### Configuration required by mapiproxy ###

dcerpc_mapiproxy:proxy is not a valid mapiproxy parametric option. If
you have found such reference in any OpenChange documentation, please
let me know this is a bug!

I have started to document OpenChange server mode

> MAPIPROXY server 'exchange_emsmdb' registered
> MAPIPROXY server 'exchange_nsp' registered
> MAPIPROXY server 'exchange_ds_rfr' registered
> MAPIPROXY server mode enabled
> MAPIPROXY proxy mode disabled
>  the proxy module is disable since it can't bind to the samba4. 

proxy mode is disabled because you have set dcerpc_mapiproxy:server to

> when running the provision script i get the fowling:
> DevBox:/usr/share/openchange/setup# ./openchange_provision
> --username=samba-admin --password=manager11
> --simple-bind-dn=cn=samba-admin,cn=samba
> NOTE: This operation can take several minutes
> [+] Step 1: Register Exchange OIDs
> [+] Step 2: Add new Exchange classes and attributes to Samba schema
> Traceback (most recent call last):
>   File "./openchange_provision", line 53, in <module>
>     openchange.provision(setup_path, lp, creds,
> firstorg=opts.firstorg, firstou=opts.firstou)
>   File "/usr/lib/python2.5/site-packages/openchange/",
> line 309, in provision
>     install_schemas(setup_path, names, lp, creds)
>   File "/usr/lib/python2.5/site-packages/openchange/",
> line 144, in install_schemas
>     "SCHEMADN": names.schemadn
>   File "/usr/lib/python2.5/site-packages/samba/", line
> 164, in setup_add_ldif
>     ldb.add_ldif(data)
>   File "/usr/lib/python2.5/site-packages/samba/", line 192,
> in add_ldif
>     self.add(msg)
> _ldb.LdbError: (19, 'LDAP error 19 LDAP_CONSTRAINT_VIOLATION -
> <entryDN: no user modification allowed> <>')

I need to investigate this traceback more closely. I have only been
doing provisioning test using the default LDB backend, not any external
LDAP server. This setup being untested so far, I can only assume it
doesn't work properly yet.

> Why? also when running  ./openchange_newuser --create  username
> Traceback (most recent call last):
>   File "./openchange_newuser", line 60, in <module>
>     openchange.newuser(lp, creds, username=args[0])
>   File "/usr/lib/python2.5/site-packages/openchange/",
> line 251, in newuser
>     samdb.modify_ldif(extended_user)
>   File "/usr/lib/python2.5/site-packages/samba/", line 200,
> in modify_ldif
>     self.modify(msg)
> _ldb.LdbError: (32, 'No such object (32)')

The openchange_newuser script doesn't create the user AD object. It only
extends the user record within users.ldb so it includes Exchange
attributes needed by OpenChange servers.

You first have to create the user using samba4/source4/newuser
<username> script, then you can run openchange_newuser --create
<username> script.

Similarly to what I've said in a previous email, Samba doesn't need
OpenChange to run. If an Administrator is running a organization with 20
users - where 5 of them are temporary contractors and 15 are classical
employees - he may want to have Exchange mailboxes for classical
employees, but not for temporary ones.

While temporary contractors don't have access to OpenChange servers,
they still have access to Samba shares (if they are allowed to).

When you have turned your user account into an Exchange one (--create),
you can next enable or disable it (--enable or --disable) and control
when users should have access to OpenChange servers.

Note that OpenChange provisioning only makes sense when you run one or
all OpenChange servers. It is not a step required to proxify MAPI
traffic from an Outlook client to a real Exchange server - typical
mapiproxy configuration.

Finally, you should know that OpenChange servers (NSPI,RFR,EMSMDB) are
currently under heavy development and won't (yet) be really helpful.


Julien Kerihuel
j.kerihuel at
OpenChange Project Manager

GPG Fingerprint: 0B55 783D A781 6329 108A  B609 7EF6 FE11 A35F 1F79

-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 197 bytes
Desc: This is a digitally signed message part
Url :

More information about the samba-technical mailing list