Hi everybody!
Almost there...
In the step:
of the tutorials I am following I get the
error:
Code:
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user root: Insufficient access
unknown
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=people,dc=example,dc=com)
Failed to add entry for user root.
Failed to modify password entry for user root
The base tutorials are:
UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki
UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki
Zimbra Integration With Samba - Ubuntu Based (Similar To AD And Exchange) | HowtoForge - Linux Howtos and Tutorials
I reorganized my tutorial, trying to automate and get speed where possible.
Zimbra 6.0.1 Integration with Samba in Ubuntu 8.04.3 LTS Server
============================================
(01) install the Ubuntu 8.04.3 LTS Server for Zimbra - zimbra.example.com
(02) install Zimbra 6.0.1
(03) at zimbra.example.com, as the zimbra user, create and execute the script /tmp/samba-zimbra.sh (content below); reboot the server
observation: get samba.schema before executing /tmp/samba-zimbra.sh, by running the following commands as root
Code:
apt-get --yes install samba-doc
gunzip /usr/share/doc/samba-doc/examples/LDAP/samba.schema.gz
/tmp/samba-zimbra.sh
Code:
#!/bin/bash
clear
# get Zimbra LDAP password
ZIMBRA_LDAP_PASSWORD=`zmlocalconfig -s zimbra_ldap_password | cut -d ' ' -f3`
# include NIS schema into Zimbra LDAP
ldap stop
cp /opt/zimbra/openldap/etc/openldap/schema/nis.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/cn\=\{10\}nis.ldif
cd /opt/zimbra/data/ldap/config/cn\=config/cn\=schema
sed -i 's/dn: cn=nis,cn=schema,cn=config/dn: cn={10}nis/' cn\=\{10\}nis.ldif
sed -i 's/cn: nis/cn: {10}nis/' cn\=\{10\}nis.ldif
chmod 600 cn\=\{10\}nis.ldif
ldap start
# include Samba schema into Zimbra LDAP
mkdir -p /tmp/ldap/schema
cd /tmp/ldap
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema /tmp/ldap/schema
tee test.conf > /dev/null <<- 'EOF'
include /opt/zimbra/openldap/etc/openldap/schema/core.schema
include /opt/zimbra/openldap/etc/openldap/schema/cosine.schema
include /opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema
include /tmp/ldap/schema/samba.schema
EOF
/opt/zimbra/openldap/sbin/slaptest -f /tmp/ldap/test.conf -F /tmp/ldap
cd cn\=config/cn\=schema
mv cn\=\{3\}samba.ldif cn\=\{11\}samba.ldif
sed -i 's/dn: cn={3}samba/dn: cn={11}samba/' cn\=\{11\}samba.ldif
sed -i 's/cn: {3}samba/cn: {11}samba/' cn\=\{11\}samba.ldif
ldap stop
cp /tmp/ldap/cn\=config/cn\=schema/cn\=\{11\}samba.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/
ldap start
# add indexes for PAM and Samba
tee /tmp/indexes.ldif > /dev/null <<- 'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcDbIndex
olcDbIndex: uidNumber eq
olcDbIndex: gidNumber eq
olcDbIndex: memberUid eq
olcDbIndex: sambaSID eq
olcDbIndex: sambaPrimaryGroupSID eq
olcDbIndex: sambaDomainName eq
EOF
ldapmodify -f /tmp/indexes.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD
# create two new users for the local posix and samba processes to use to access the information from the LDAP server
ZMPOSIX_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposix`
ZMPOSIXROOT_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposixroot`
tee /tmp/posixusers.ldif > /dev/null <<- EOF
dn: uid=zmposix,cn=appaccts,cn=zimbra
uid: zmposix
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: zmposix
sn: zmposix
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
description: The zimbra posix account
userPassword: $ZMPOSIX_LDAP_PASSWORD

dn: uid=zmposixroot,cn=appaccts,cn=zimbra
uid: zmposixroot
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: zmposixroot
sn: zmposixroot
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 6ED47B38-98CC-11DE-AAC1-9F159BA35B33
description: The zimbra posix root account
userPassword: $ZMPOSIXROOT_LDAP_PASSWORD
EOF
ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD
# adjust the LDAP acls so that these new users can read the data necessary from the LDAP server
tee /tmp/acl.ldif > /dev/null <<- 'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
EOF
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD
# run the following zmprov commands as user zimbra
zmprov mcf +zimbraAccountExtraObjectClass posixAccount
zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount
echo
echo Proceed to "Installing zimbra_posixaccount and zimbra_samba extensions for Zimbra Admin"
echo
(04) deploy zimbra_posixaccount and zimbra_samba extensions for Zimbra Admin (content of config_template.xml for zimbra_posixaccount.zip and zimbra_samba.zip below)
config_template.xml for zimbra_posixaccount.zip
Code:
<zimletConfig name="zimbra_posixaccount" version="4">
<global>
<property name="loginShells">/bin/bash,/bin/sh,/bin/false</property>
<property name="homePath">/home/%u</property>
<property name="gidBase">20000</property>
<property name="uidBase">10000</property>
<property name="ldapSuffix">dc=example,dc=com</property>
<property name="ldapGroupSuffix">ou=groups</property>
</global>
</zimletConfig>
config_template.xml for zimbra_samba.zip
Code:
<zimletConfig name="zimbra_samba" version="6">
<global>
<property name="gidBase">20000</property>
<property name="uidBase">10000</property>
<property name="ridBase">1000</property>
<property name="ldapSuffix">dc=example,dc=com</property>
<property name="ldapGroupSuffix">ou=groups</property>
<property name="ldapMachineSuffix">ou=machines</property>
</global>
</zimletConfig>
(05) install the Ubuntu 8.04.3 LTS Server for Samba - samba.example.com
(06) install and configure Samba
Code:
sudo apt-get --yes install samba smbclient libnss-ldap
(answers to dialogs)
ldap://zimbra.example.com/
dc=example,dc=com
3
Yes
Yes
uid=zmposixroot,cn=appaccts,cn=zimbra
zmposixroot
uid=zmposix,cn=appaccts,cn=zimbra
zmposix
sudo /etc/init.d/samba stop
sudo tee /etc/nsswitch.conf > /dev/null <<- 'EOF'
passwd: files ldap
group: files ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
EOF
sudo tee /etc/samba/smb.conf > /dev/null <<- 'EOF'
[global]
workgroup = EXAMPLE
netbios name = samba
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Ubuntu)
wins support =yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://zimbra.example.com/
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ldap suffix = dc=example,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\samba.example.com\%U\profile
logon home = \\samba.example.com\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes
[homes]
comment = Home Directories
browseable =yes
read only = No
valid users = %S
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
locking = no
[profiles]
comment = Users profiles
path = /var/lib/samba/profiles
read only = No
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
EOF
sudo smbpasswd -w zmposixroot
sudo tee /etc/pam.d/common-account > /dev/null <<- 'EOF'
account sufficient pam_unix.so
account sufficient pam_ldap.so
EOF
sudo tee /etc/pam.d/common-auth > /dev/null <<- 'EOF'
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
EOF
sudo tee /etc/pam.d/common-password > /dev/null <<- 'EOF'
password sufficient pam_unix.so
password sufficient pam_ldap.so
EOF
sudo tee /etc/pam.d/common-session > /dev/null <<- 'EOF'
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session sufficient pam_unix.so
session sufficient pam_ldap.so
EOF
sudo /etc/init.d/samba start
Then create posix/samba groups in Zimbra Admin, create Zimbra users in Zimbra Admin and confirm the connection of samba.example.com with zimbra.example.com LDAP using "getent group" and "getent passwd" on samba.example.com.
Until here, all fine...
Then the error mentioned in the beginning of the post.
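Added example, not part of the post above and not Zimbra's or Samba's own code: a small first-match simulator for the olcAccess rules the post's acl.ldif installs, to show which rule slapd actually consults for a given bind DN, target entry and attribute. The rule strings are copied from the post; the bind and target DNs in the usage section are the post's zmposixroot/zmposix accounts and a constructed uid=root entry under ou=people. It models only the subset of slapd.access(5) those rules use (attrs=, dn.subtree=, dn.exact, dn.children, *, levels none/read/write); the rules Zimbra ships ahead of {9}, the children pseudo-attribute and break/continue control are assumptions left out, so it cannot by itself explain the post's "Insufficient access".

```python
"""First-match simulator for the post's olcAccess rules (added example).

Modelled subset of slapd.access(5): targets 'attrs=<list>' and
'dn.subtree="<dn>"'; 'by' clauses dn.exact, dn.children and '*';
levels none < read < write. Rules preceding {9} in Zimbra's LDAP,
the 'children' pseudo-attribute and break/continue are NOT modelled.
"""
import re

# Rules copied verbatim from the post's acl.ldif, in slapd evaluation order.
RULES = [
    '{9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write '
    'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read',
    '{10}to dn.subtree="dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write '
    'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write '
    'by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none',
    '{11}to dn.subtree="ou=machines,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write '
    'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write '
    'by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none',
    '{12}to dn.subtree="ou=groups,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write '
    'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write '
    'by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none',
    '{13}to dn.subtree="ou=people,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write '
    'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write '
    'by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none',
]

RULE_RE = re.compile(r'^\{(\d+)\}to (.+?) by (.+)$')
BY_RE = re.compile(r'^(?:(dn\.exact|dn\.children)="([^"]*)"|(\*)) (none|read|write)$')


def norm(dn):
    """Normalise a DN for string comparison: lower-case, no space after commas."""
    return ",".join(p.strip() for p in dn.lower().split(","))


def in_subtree(dn, base):
    dn, base = norm(dn), norm(base)
    return dn == base or dn.endswith("," + base)


def is_child(dn, base):
    """True when dn is exactly one RDN below base (slapd's dn.children)."""
    dn, base = norm(dn), norm(base)
    return dn.endswith("," + base) and "," not in dn[: -len(base) - 1]


def parse_rule(text):
    m = RULE_RE.match(text)
    if not m:
        raise ValueError("unparsed rule: " + text)
    rule = {"idx": int(m.group(1)), "attrs": None, "subtree": None, "by": []}
    for tok in m.group(2).split():
        if tok.startswith("attrs="):
            rule["attrs"] = {a.lower() for a in tok[len("attrs="):].split(",")}
        elif tok.startswith('dn.subtree="'):
            rule["subtree"] = tok[len('dn.subtree="'):-1]
        else:
            raise ValueError("unsupported target: " + tok)
    for clause in m.group(3).split(" by "):
        bm = BY_RE.match(clause.strip())
        if not bm:
            raise ValueError("unsupported by-clause: " + clause)
        rule["by"].append((bm.group(1) or "*", bm.group(2), bm.group(4)))
    return rule


PARSED = [parse_rule(r) for r in RULES]


def target_matches(rule, target_dn, attr):
    if rule["subtree"] is not None and not in_subtree(target_dn, rule["subtree"]):
        return False
    return rule["attrs"] is None or attr.lower() in rule["attrs"]


def who_matches(by, bind_dn):
    kind, dn, _level = by
    if kind == "*":
        return True
    if kind == "dn.exact":
        return norm(bind_dn) == norm(dn)
    return is_child(bind_dn, dn)


def which_rule(bind_dn, target_dn, attr):
    """(rule index, level) slapd applies: the first 'to' that matches decides,
    and within it the first matching 'by'. Empty bind_dn means anonymous."""
    for rule in PARSED:
        if not target_matches(rule, target_dn, attr):
            continue
        for by in rule["by"]:
            if who_matches(by, bind_dn):
                return rule["idx"], by[2]
        return rule["idx"], "none"  # 'to' matched, no 'by' did: implicit 'by * none'
    return None, "none"  # nothing matched: treated as denied here


def shadowed_rules():
    """Indices of dn.subtree rules that an earlier attrs-less dn.subtree rule
    already covers completely, so slapd never reaches them."""
    dead = []
    for i, rule in enumerate(PARSED):
        if rule["subtree"] is None:
            continue
        for earlier in PARSED[:i]:
            if (earlier["attrs"] is None and earlier["subtree"] is not None
                    and in_subtree(rule["subtree"], earlier["subtree"])):
                dead.append(rule["idx"])
                break
    return dead


if __name__ == "__main__":
    target = "uid=root,ou=people,dc=example,dc=com"  # constructed entry
    for bind in ("uid=zmposixroot,cn=appaccts,cn=zimbra",
                 "uid=zmposix,cn=appaccts,cn=zimbra", ""):
        print(bind or "(anonymous)", which_rule(bind, target, "sambaNTPassword"))
    print("rules slapd can never reach:", shadowed_rules())
```

Two things the run makes visible. First, slapd stops at the first `to` clause whose target matches, and {10} covers the whole dc=example,dc=com subtree, so {11}, {12} and {13} are dead rules: harmless here because they grant the same levels, but any future tightening of ou=people in {13} would silently have no effect. Second, {10} has no attrs restriction, so the zmposix account that libnss-ldap binds with gets read on every attribute under the suffix that an earlier Zimbra rule does not already catch; binding as zmposix with ldapsearch and checking whether the Samba password-hash attributes come back is a quick way to confirm what that account can actually see.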
