Welcome to the Zimbra :: Forums!
09-02-2007, 12:38 PM
[SOLVED] Zimbra/Samba integration: posix user not created
Following Greg's awesome tutorial I was able to get nearly everything set up to auth samba against the zimbra directory on Centos 5.
However, one curious problem is that I can create the posix/samba groups, but not users. After adding a new user in zimbra, I run getent passwd but do not see the user. I cannot log into the samba shares as that user unless I create them by hand using useradd and smbpasswd -a which defeats the purpose of having it managed in zimbra.
After I create the user in Manage Addresses, the Samba Account tab shows the hex password in the field sambaNTPassword so I gather that it's creating everything correctly, but samba isn't talking to the ldap server. My smb.conf contains the following:
Code:
ldap passwd sync = yes
passdb backend = ldapsam:ldap://zimbra.asdf.com/
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
ldap suffix = dc=zimbra,dc=asdf,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
I think my problem is with pam. Try as I might, I still haven't wrapped my head around pam. Where should I look for clues next? TIA
-Scott
09-02-2007, 11:08 PM
Look for info in /var/log/messages
So, getent group works?
09-03-2007, 12:14 AM
Quote:
Originally Posted by fajarpri
Look for info in /var/log/messages
So, getent group works?
Yes, getent group shows the following:
Quote:
...
exim:x:93:
zimbra:x:500:
postfix:x:501:zimbra
postdrop:x:502:
Users:*:10001:
Admins:*:10002:
Accounting:*:10003:
Users, Admins, and Accounting are groups I added through the zimbra webadmin interface.
There's no activity in /var/log/messages when I attempt to make a connection.
/var/log/samba/log.zimbra shows the following when I attempt to connect:
Quote:
[2007/09/02 23:54:22, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/09/02 23:54:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/09/02 23:54:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/09/02 23:54:22, 3] auth/auth.c:check_ntlm_password(221)
check_ntlm_password: Checking password for unmapped user [domain]\[testuser]@[ZIMBRA] with the new password interface
[2007/09/02 23:54:22, 3] auth/auth.c:check_ntlm_password(224)
check_ntlm_password: mapped user is: [domain]\[testuser]@[ZIMBRA]
[2007/09/02 23:54:22, 3] smbd/sec_ctx.c:push_sec_ctx(208)
push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
[2007/09/02 23:54:22, 3] smbd/uid.c:push_conn_ctx(345)
push_conn_ctx(0) : conn_ctx_stack_ndx = 0
[2007/09/02 23:54:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
[2007/09/02 23:54:22, 2] lib/smbldap.c:smbldap_open_connection(788)
smbldap_open_connection: connection opened
[2007/09/02 23:54:22, 3] lib/smbldap.c:smbldap_connect_system(992)
ldap_connect_system: succesful connection to the LDAP server
[2007/09/02 23:54:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
[2007/09/02 23:54:22, 3] auth/auth_sam.c:check_sam_security(281)
check_sam_security: Couldn't find user 'testuser' in passdb.
[2007/09/02 23:54:22, 3] auth/auth_winbind.c:check_winbind_security(80)
check_winbind_security: Not using winbind, requested domain [domain] was for this SAM.
[2007/09/02 23:54:22, 2] auth/auth.c:check_ntlm_password(319)
check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER
[2007/09/02 23:54:22, 3] smbd/error.c:error_packet(146)
error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
It appears that samba isn't checking against ldap, but I've configured it to do so in /etc/samba/smb.conf:
Quote:
[global]
workgroup = domain
netbios name = zimbra
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Centos)
wins support =yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://zimbra.domain.com/
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
ldap suffix = dc=zimbra,dc=domain,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\zimbra.domain.com\%U\profile
logon home = \\zimbra.domain.com\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes
add user script = /usr/sbin/adduser -c "" %u
add machine script = /usr/sbin/adduser --shell /bin/false -c "machine account" %u
I pretty much copied the smb.conf from the wiki and added a couple lines myself.
09-03-2007, 07:50 AM
If samba cannot connect to ldap server, you will see lots of error in /var/log/messages.
I suspect the mistake could be in the zimlet installation of posix_account and zimbra_samba.
09-03-2007, 12:06 PM
Quote:
Originally Posted by fajarpri
If samba cannot connect to ldap server, you will see lots of error in /var/log/messages.
I suspect the mistake could be in the zimlet installation of posix_account and zimbra_samba.
I reinstalled the zimlets... no change. Upon starting the zimbra services I noticed in /var/log/message:
Code:
"nscd: nss_ldap: could not search LDAP server - Server is unavailable"
I looked it up via google and found that removing the line in ldap.conf "bind_policy soft" removed that particular error. I don't think I did anything wrong in the installation of the zimlets. Like I said, I can create groups without any problems. The output from getent passwd doesn't show that the users have been created. If I had errors in my logs I would post them, but I'm turning up nothing! There must be something simple that I'm missing here.
09-03-2007, 12:13 PM
I tried an ldapsearch and got the following error back
Code:
ldapsearch -H ldap://zimbra.domain.com/ -v -x -W -D 'uid=zimbra,ou=people,dc=zimbra,dc=domain,dc=com' -s sub '(objectclass=*)' -LL
LDAP vendor version mismatch: library 20333, header 20327
I didn't find anything helpful with regards to troubleshooting that error (warning?) via google. Running the command didn't throw anything into /var/log/messages, either.
Last edited by bucketoftruth; 09-03-2007 at 12:16 PM..
09-03-2007, 12:20 PM
Here's the output from authconfig --test in case that helps:
Code:
# authconfig --test
caching is enabled
nss_files is always enabled
nss_compat is disabled
nss_db is disabled
nss_hesiod is disabled
hesiod LHS = ""
hesiod RHS = ""
nss_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://zimbra.domain.com"
LDAP base DN = "dc=zimbra,dc=domain,dc=com"
nss_nis is disabled
NIS server = ""
NIS domain = ""
nss_nisplus is disabled
nss_winbind is disabled
SMB workgroup = "domain"
SMB servers = ""
SMB security = "user"
SMB realm = ""
Winbind template shell = "/bin/false"
SMB idmap uid = "16777216-33554431"
SMB idmap gid = "16777216-33554431"
nss_wins is disabled
pam_unix is always enabled
shadow passwords are enabled
md5 passwords are enabled
pam_krb5 is disabled
krb5 realm = "EXAMPLE.COM"
krb5 realm via dns is disabled
krb5 kdc = "kerberos.example.com:88"
krb5 kdc via dns is disabled
krb5 admin server = "kerberos.example.com:749"
pam_ldap is enabled
LDAP+TLS is disabled
LDAP server = "ldap://zimbra.domain.com"
LDAP base DN = "dc=zimbra,dc=domain,dc=com"
pam_pkcs11 is disabled
use only smartcard for login is disabled
smartcard module = "coolkey"
smartcard removal action = "Ignore"
pam_smb_auth is disabled
SMB workgroup = "domain"
SMB servers = ""
pam_winbind is disabled
SMB workgroup = "domain"
SMB servers = ""
SMB security = "user"
SMB realm = ""
pam_cracklib is enabled (try_first_pass retry=3)
pam_passwdqc is disabled ()
Always authorize local users is disabled ()
Authenticate system accounts against network services is disabled
09-03-2007, 01:14 PM
...And some more results of my testing. I removed the root alias in the Zimbra admin, and ran smbpasswd -a root which produced the following in /var/log/zimbra.log:
Code:
zimbra slapd[14560]: Entry (uid=root,ou=people,dc=zimbra,dc=domain,dc=com), attribute 'userPassword' not allowed
zimbra slapd[14560]: entry failed schema check: attribute 'userPassword' not allowed
09-03-2007, 05:50 PM
According to this test samba is talking to ldap.
Code:
# pdbedit -L
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
smbldap_open_connection: connection opened
ldap_connect_system: succesful connection to the LDAP server
ldapsam_setsampwent: 1 entries in the base dc=zimbra,dc=domain,dc=com
init_sam_from_ldap: Entry found for user: root
root:0:root
It only sees the root user which I created via smbpasswd -a root. I'm posting all this stuff in the hopes that someone might see something obvious. Any ideas?
09-08-2007, 12:17 AM
Ugh.... I figured it out. Where I was putting in dc=zimbra,dc=domain,dc=com, I should have been entering dc=domain,dc=com.
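The root cause of the whole thread is a search-base mismatch: ldapsam enumerates and looks accounts up under the configured `ldap suffix` (the pdbedit output above shows "1 entries in the base dc=zimbra,dc=domain,dc=com"), while the accounts Zimbra creates live under ou=people,dc=domain,dc=com, so smbd reports NT_STATUS_NO_SUCH_USER for users that do exist in the directory. The following is an added example, not code from the thread, Samba or Zimbra: it parses an smb.conf fragment, derives the lookup base and the base where smbpasswd -a would write a new user, and tests whether a list of account DNs falls inside that subtree, comparing whole RDNs so that a look-alike suffix such as dc=notdomain,dc=com is not accepted. The smb.conf text, the DNs and the log lines are constructed to mirror the thread, not taken from a live server; the function and constant names are this example's own.

```python
"""Check that an smb.conf ldapsam 'ldap suffix' covers the subtree where the
directory keeps its accounts, and pull failed logons out of an smbd log.

Added example for this thread, not code from Samba, Zimbra or the posters.
The smb.conf fragments, DNs and log lines are constructed, not captured.
"""
import re

# Constructed: the thread's original (wrong) suffix settings.
SMB_CONF_BROKEN = """
[global]
workgroup = domain
security = user
passdb backend = ldapsam:ldap://zimbra.domain.com/
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
ldap suffix = dc=zimbra,dc=domain,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
"""

# Constructed: the same fragment with the suffix the final post arrived at.
SMB_CONF_FIXED = SMB_CONF_BROKEN.replace(
    "ldap suffix = dc=zimbra,dc=domain,dc=com",
    "ldap suffix = dc=domain,dc=com",
)

# Constructed: DNs standing in for what ldapsearch would list for the
# accounts Zimbra created (the subtree the accounts really live in).
DIRECTORY_USER_DNS = [
    "uid=testuser,ou=people,dc=domain,dc=com",
    "uid=scott,ou=people,dc=domain,dc=com",
]

# Constructed: lines in the shape of the thread's log.zimbra excerpt.
SAMPLE_LOG = """\
[2007/09/02 23:54:22, 3] auth/auth_sam.c:check_sam_security(281)
  check_sam_security: Couldn't find user 'testuser' in passdb.
[2007/09/02 23:54:22, 2] auth/auth.c:check_ntlm_password(319)
  check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER
"""


def parse_global(conf):
    """Return the [global] section of an smb.conf fragment as a dict.

    Keys are lower-cased with inner whitespace collapsed; values lose
    surrounding quotes. Comments and other sections are skipped.
    """
    params, section = {}, None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", ";")):
            continue
        m = re.match(r"^\[(.+)\]$", line)
        if m:
            section = m.group(1).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params


def normalize_dn(dn):
    """Canonicalise a DN for comparison: lower-case, no blanks around , or =."""
    return re.sub(r"\s*([,=])\s*", r"\1", dn).strip().lower()


def dn_under(dn, base):
    """True if dn is base or lies in its subtree, compared RDN by RDN.

    A substring test would accept dc=notdomain,dc=com under dc=domain,dc=com;
    comparing whole RDNs from the right avoids that false positive.
    """
    dn_parts = normalize_dn(dn).split(",")
    base_parts = normalize_dn(base).split(",")
    return (len(dn_parts) >= len(base_parts)
            and dn_parts[-len(base_parts):] == base_parts)


def check_config(conf, directory_dns):
    """Compare the configured base with where the accounts actually live.

    'base' is the ldap suffix ldapsam enumerates and searches; 'add_base'
    is where smbpasswd -a would create a new user; 'missed' lists account
    DNs the configured base cannot reach (the NT_STATUS_NO_SUCH_USER case).
    """
    params = parse_global(conf)
    base = normalize_dn(params.get("ldap suffix", ""))
    sub = params.get("ldap user suffix", "")
    add_base = normalize_dn(f"{sub},{base}" if sub else base)
    found = [dn for dn in directory_dns if dn_under(dn, base)]
    missed = [dn for dn in directory_dns if not dn_under(dn, base)]
    return {"base": base, "add_base": add_base, "found": found, "missed": missed}


FAILED_RE = re.compile(
    r"Authentication for user \[([^\]]*)\] -> \[[^\]]*\] FAILED with error (NT_STATUS_\w+)")


def failed_logons(log_text):
    """Extract (user, NT status) pairs from smbd authentication failure lines."""
    return [(m.group(1), m.group(2)) for m in FAILED_RE.finditer(log_text)]


if __name__ == "__main__":
    for label, conf in (("broken", SMB_CONF_BROKEN), ("fixed", SMB_CONF_FIXED)):
        r = check_config(conf, DIRECTORY_USER_DNS)
        print(f"{label}: base={r['base']} add_base={r['add_base']} "
              f"found={len(r['found'])} missed={len(r['missed'])}")
    for user, status in failed_logons(SAMPLE_LOG):
        print(f"failed logon for {user}: {status}")
```

Run against a real server, the DN list would come from an ldapsearch scoped at the directory's actual root (the base the Zimbra admin UI writes under), and any DN reported in 'missed' is an account smbd can never find with the current `ldap suffix`, regardless of what pam or nss_ldap are doing.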