#19
09-28-2009, 06:01 PM
peracchi
Intermediate Member
Posts: 24

I have found something!

If I repeat all steps I have done until now, without a change, but in smb.conf I change:

Code:
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
to

Code:
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
then the error at:

Quote:
Next, log in to Zimbra Admin UI, click on Aliases and remove root@.gregzimbra1.zimbra.com alias. Then run

Code:
 smbpasswd -a root
goes away!

So, there is something causing the error at this part of the original wiki article:

Quote:
Now, you need to adjust the LDAP acls so that these new users can read the data necessary from the LDAP server. This will need to be done on each LDAP server that exists. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to be olcDatabase={3}hdb,cn=config in both sections.

In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my ldapSuffix is

Code:
dc=gregzimbra1,dc=zimbra,dc=com
Be sure to replace dc=gregzimbra1,dc=zimbra,dc=com with your actual domain

Code:
dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by * read

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {13}to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
Now apply this ACL modification to the LDAP server:

Code:
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
I have turned this part of the wiki article into this part of my bash script:

Code:
# create two new users for the local posix and samba processes to use to access the information from the LDAP server
ZMPOSIX_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposix`
ZMPOSIXROOT_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposixroot`
tee /tmp/posixusers.ldif > /dev/null <<- EOF
	dn: uid=zmposix,cn=appaccts,cn=zimbra
	uid: zmposix
	objectClass: zimbraAccount
	objectClass: organizationalPerson
	cn: zmposix
	sn: zmposix
	zimbraAccountStatus: active
	zimbraIsSystemResource: TRUE
	zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
	description: The zimbra posix account
	userPassword: $ZMPOSIX_LDAP_PASSWORD

	dn: uid=zmposixroot,cn=appaccts,cn=zimbra
	uid: zmposixroot
	objectClass: zimbraAccount
	objectClass: organizationalPerson
	cn: zmposixroot
	sn: zmposixroot
	zimbraAccountStatus: active
	zimbraIsSystemResource: TRUE
	zimbraId: 6ED47B38-98CC-11DE-AAC1-9F159BA35B33
	description: The zimbra posix root account
	userPassword: $ZMPOSIXROOT_LDAP_PASSWORD
EOF
ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD



# adjust the LDAP acls so that these new users can read the data necessary from the LDAP server
tee /tmp/acl.ldif > /dev/null <<- 'EOF'
	dn: olcDatabase={2}hdb,cn=config
	changetype:modify
	delete: olcAccess
	olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read
	-
	add: olcAccess
	olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by * read

	dn: olcDatabase={2}hdb,cn=config
	changetype:modify
	add: olcAccess
	olcAccess: {10}to dn.subtree="dc=example,dc=com"  by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
	olcAccess: {11}to dn.subtree="ou=machines,dc=example,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
	olcAccess: {12}to dn.subtree="ou=groups,dc=example,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
	olcAccess: {13}to dn.subtree="ou=people,dc=example,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
EOF
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD
Can anyone spot any error?

Clearly it is a problem of ACLs for zmposixroot.

When I made this setup with Zimbra 5.0.x the LDAP structure was different; read access to LDAP didn't require a login (now we must use zmposix).

One more little step toward the goal!

lithorus, thanks for the help, but it wasn't

Code:
ldap ssl = Off
that was causing the problem.
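As an added illustration (not from this post or the wiki it quotes): slapd evaluates olcAccess clauses first-match, so the first `to` clause whose target matches the entry and attribute decides, using its first matching `by` clause. The evaluator below applies that rule to the ACL values quoted above; the target entry, the sambaNTPassword attribute and the SHADOWING_ACL clause are constructed assumptions, included to show how an attribute-specific clause numbered earlier in the list would deny zmposixroot while still allowing uid=zimbra,cn=admins,cn=zimbra.

```python
import re
# slapd access levels in order; a 'by' clause granting a level also grants every lower one.
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
# olcAccess values {9} and {10} as quoted in the post ({11}-{13} repeat the pattern of {10}).
POSTED_ACLS = [
    'to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read',
    'to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write '
    'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  '
    'by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none',
]
ZIMBRA, ZMPOSIXROOT = "uid=zimbra,cn=admins,cn=zimbra", "uid=zmposixroot,cn=appaccts,cn=zimbra"
ZMPOSIX = "uid=zmposix,cn=appaccts,cn=zimbra"
ROOT_ENTRY = "uid=root,ou=people,dc=gregzimbra1,dc=zimbra,dc=com"   # constructed target entry
# Hypothetical clause numbered before {9}: attribute-specific, so for that attribute it matches first.
SHADOWING_ACL = 'to attrs=sambaNTPassword by dn.children="cn=admins,cn=zimbra" write by * none'

def dn_matches(style, base, dn):
    """exact / subtree (base and below) / children (strictly below), compared as RDN suffixes."""
    base, dn = (",".join(p.strip() for p in x.lower().split(",")) for x in (base, dn))
    below = dn.endswith("," + base)
    return {"exact": dn == base, "subtree": dn == base or below, "children": below}[style]

def parse_acl(text):
    """'to <what> by <who> <level> by ...' -> (what, [(who, level), ...])."""
    parts = re.split(r"\s+by\s+", text.strip())
    return parts[0][3:].strip(), [tuple(p.rsplit(None, 1)) for p in parts[1:]]

def spec_matches(spec, dn, attr=None):
    """Match one 'to' target or 'by' subject against a DN (dn=None means an anonymous bind)."""
    if spec == "*" or (spec in ("anonymous", "users") and (dn is None) == (spec == "anonymous")):
        return True
    if spec.startswith("attrs="):                      # attribute-only clause such as attrs=entry
        return attr in spec[6:].split(",")
    m = re.match(r'dn\.(exact|subtree|children)="([^"]*)"', spec)
    return bool(m and dn is not None and dn_matches(m.group(1), m.group(2), dn))

def check_access(acls, bind_dn, target_dn, attr, wanted):
    """First match wins. Returns (granted, index of the deciding 'to' clause); (False, None) = no 'to' matched."""
    for i, acl in enumerate(acls):
        what, bys = parse_acl(acl)
        if spec_matches(what, target_dn, attr):        # first 'to' clause matching (target, attr) decides
            for who, level in bys:                     # ... via its first matching 'by' clause
                if spec_matches(who, bind_dn):
                    return LEVELS.index(level) >= LEVELS.index(wanted), i
            return False, i                            # no 'by' matched: implicit 'by * none'
    return False, None

if __name__ == "__main__":
    print(check_access(POSTED_ACLS, ZMPOSIXROOT, ROOT_ENTRY, "sambaNTPassword", "write"))
    print(check_access([SHADOWING_ACL] + POSTED_ACLS, ZMPOSIXROOT, ROOT_ENTRY, "sambaNTPassword", "write"))
```

Under the quoted clauses alone zmposixroot is granted write on the posted subtrees, so a failure while bound as zmposixroot points at a clause evaluated before {9}, or at the bind itself, rather than at {10}-{13}.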