Thread: [SOLVED] Zimbra/Samba integration: posix user not created

  1. #1
    bucketoftruth is offline Member
    Join Date
    Oct 2005
    Posts
    13
    Rep Power
    9

    Question [SOLVED] Zimbra/Samba integration: posix user not created

    Following Greg's awesome tutorial I was able to get nearly everything set up to auth samba against the zimbra directory on CentOS 5.

    However, one curious problem is that I can create the posix/samba groups, but not users. After adding a new user in zimbra, I run getent passwd but do not see the user. I cannot log into the samba shares as that user unless I create them by hand using useradd and smbpasswd -a which defeats the purpose of having it managed in zimbra.

    After I create the user in Manage Addresses, the Samba Account tab shows the hex password in the field sambaNTPassword so I gather that it's creating everything correctly, but samba isn't talking to the ldap server. My smb.conf contains the following:
    Code:
      ldap passwd sync = yes
      passdb backend = ldapsam:ldap://zimbra.asdf.com/
      ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
      ldap suffix = dc=zimbra,dc=asdf,dc=com
      ldap group suffix = ou=groups
      ldap user suffix = ou=people
      ldap machine suffix = ou=machines
    I think my problem is with pam. Try as I might, I still haven't wrapped my head around pam. Where should I look for clues next? TIA

    -Scott

  2. #2
    fajarpri is offline Loyal Member
    Join Date
    Jul 2007
    Posts
    98
    Rep Power
    7

    Look for info in /var/log/messages

    So, getent group works?

  3. #3
    bucketoftruth

    Quote: Originally Posted by fajarpri
        Look for info in /var/log/messages

        So, getent group works?

    Yes, getent group shows the following:
    ...
    exim:x:93:
    zimbra:x:500:
    postfix:x:501:zimbra
    postdrop:x:502:
    Users:*:10001:
    Admins:*:10002:
    Accounting:*:10003:
    User, Admins, and Accounting are groups I added through the zimbra webadmin interface.

    There's no activity in /var/log/messages when I attempt to make a connection.

    /var/log/samba/log.zimbra shows the following when I attempt to connect:
    [2007/09/02 23:54:22, 3] smbd/uid.c:push_conn_ctx(345)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] auth/auth.c:check_ntlm_password(221)
    check_ntlm_password: Checking password for unmapped user [domain]\[testuser]@[ZIMBRA] with the new password interface
    [2007/09/02 23:54:22, 3] auth/auth.c:check_ntlm_password(224)
    check_ntlm_password: mapped user is: [domain]\[testuser]@[ZIMBRA]
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:push_sec_ctx(208)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2007/09/02 23:54:22, 3] smbd/uid.c:push_conn_ctx(345)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/09/02 23:54:22, 2] lib/smbldap.c:smbldap_open_connection(788)
    smbldap_open_connection: connection opened
    [2007/09/02 23:54:22, 3] lib/smbldap.c:smbldap_connect_system(992)
    ldap_connect_system: succesful connection to the LDAP server
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] auth/auth_sam.c:check_sam_security(281)
    check_sam_security: Couldn't find user 'testuser' in passdb.
    [2007/09/02 23:54:22, 3] auth/auth_winbind.c:check_winbind_security(80)
    check_winbind_security: Not using winbind, requested domain [domain] was for this SAM.
    [2007/09/02 23:54:22, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER

    [2007/09/02 23:54:22, 3] smbd/error.c:error_packet(146)
    error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    It appears that samba isn't checking against ldap, but I've configured it to do so in /etc/samba/smb.conf:
    [global]
    workgroup = domain
    netbios name = zimbra
    os level = 33
    preferred master = yes
    enable privileges = yes
    server string = %h server (Samba, Centos)
    wins support =yes
    dns proxy = no
    name resolve order = wins bcast hosts
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://zimbra.domain.com/
    ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
    ldap suffix = dc=zimbra,dc=domain,dc=com
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    obey pam restrictions = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    domain logons = yes
    logon path = \\zimbra.domain.com\%U\profile
    logon home = \\zimbra.domain.com\%U
    logon script = logon.cmd
    add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
    socket options = TCP_NODELAY
    domain master = yes
    local master = yes
    add user script = /usr/sbin/adduser -c "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false -c "machine account" %u
    I pretty much copied the smb.conf from the wiki and added a couple lines myself.

  4. #4
    fajarpri

    If samba cannot connect to ldap server, you will see lots of errors in /var/log/messages.

    I suspect the mistake could be in the zimlet installation of posix_account and zimbra_samba.

  5. #5
    bucketoftruth

    Quote: Originally Posted by fajarpri
        If samba cannot connect to ldap server, you will see lots of errors in /var/log/messages.

        I suspect the mistake could be in the zimlet installation of posix_account and zimbra_samba.

    I reinstalled the zimlets... no change. Upon starting the zimbra services I noticed in /var/log/messages:
    Code:
    "nscd: nss_ldap: could not search LDAP server - Server is unavailable"
    I looked it up via Google and found that removing the line in ldap.conf "bind_policy soft" removed that particular error. I don't think I did anything wrong in the installation of the zimlets. Like I said, I can create groups without any problems. The output from getent passwd doesn't show that the users have been created. If I had errors in my logs I would post them, but I'm turning up nothing! There must be something simple that I'm missing here.

  6. #6
    bucketoftruth

    I tried an ldapsearch and got the following error back:
    Code:
    ldapsearch -H ldap://zimbra.domain.com/ -v -x -W -D 'uid=zimbra,ou=people,dc=zimbra,dc=domain,dc=com' -s sub '(objectclass=*)' -LL
    LDAP vendor version mismatch: library 20333, header 20327
    I didn't find anything helpful with regard to troubleshooting that error (warning?) via Google. Running the command didn't throw anything into /var/log/messages, either.
    Last edited by bucketoftruth; 09-03-2007 at 12:16 PM.

  7. #7
    bucketoftruth

    Here's the output from authconfig --test in case that helps:
    Code:
    # authconfig --test
    caching is enabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://zimbra.domain.com"
     LDAP base DN = "dc=zimbra,dc=domain,dc=com"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = "domain"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap uid = "16777216-33554431"
     SMB idmap gid = "16777216-33554431"
    nss_wins is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     md5 passwords are enabled
    pam_krb5 is disabled
     krb5 realm = "EXAMPLE.COM"
     krb5 realm via dns is disabled
     krb5 kdc = "kerberos.example.com:88"
     krb5 kdc via dns is disabled
     krb5 admin server = "kerberos.example.com:749"
    pam_ldap is enabled
    
     LDAP+TLS is disabled
     LDAP server = "ldap://zimbra.domain.com"
     LDAP base DN = "dc=zimbra,dc=domain,dc=com"
    pam_pkcs11 is disabled
    
     use only smartcard for login is disabled
     smartcard module = "coolkey"
     smartcard removal action = "Ignore"
    pam_smb_auth is disabled
     SMB workgroup = "domain"
     SMB servers = ""
    pam_winbind is disabled
     SMB workgroup = "domain"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_cracklib is enabled (try_first_pass retry=3)
    pam_passwdqc is disabled ()
    Always authorize local users is disabled ()
    Authenticate system accounts against network services is disabled

  8. #8
    bucketoftruth

    ...And some more results of my testing. I removed the root alias in the Zimbra admin, and ran smbpasswd -a root which produced the following in /var/log/zimbra.log:
    Code:
    zimbra slapd[14560]: Entry (uid=root,ou=people,dc=zimbra,dc=domain,dc=com), attribute 'userPassword' not allowed 
    zimbra slapd[14560]: entry failed schema check: attribute 'userPassword' not allowed

  9. #9
    bucketoftruth

    According to this test samba is talking to ldap.
    Code:
    # pdbedit -L
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: succesful connection to the LDAP server
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: succesful connection to the LDAP server
    ldapsam_setsampwent: 1 entries in the base dc=zimbra,dc=domain,dc=com
    init_sam_from_ldap: Entry found for user: root
    root:0:root
    It only sees the root user which I created via smbpasswd -a root. I'm posting all this stuff in the hopes that someone might see something obvious. Any ideas?

  10. #10
    bucketoftruth

    Ugh.... I figured it out. Where I was putting in dc=zimbra,dc=domain,dc=com, I should have been entering dc=domain,dc=com.
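
Added example, not part of the thread: the fix in post #10 comes down to Samba searching a base DN that holds no accounts, which is why the log shows NT_STATUS_NO_SUCH_USER even though the LDAP connection succeeds. This Python script computes the effective user search base from smb.conf and counts how many exported directory entries fall under it; the smb.conf fragment and LDIF below are constructed samples, and `otheruser` is a made-up account.

```python
import re

def norm(dn):
    """Lower-case a DN and drop spaces around RDNs so DNs compare as strings."""
    return ",".join(p.strip().lower() for p in dn.strip().strip('"').split(",") if p.strip())

def smb_global(text):
    """Parameters of the [global] section of smb.conf text (last value wins)."""
    params, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def ldif_dns(ldif):
    """DNs of the entries in LDIF text (plain, unfolded 'dn:' lines only)."""
    return [norm(m) for m in re.findall(r"^dn: (.+)$", ldif, re.M)]

def check_user_base(smb_text, ldif):
    """Count directory entries under Samba's effective user search base."""
    p = smb_global(smb_text)
    base = norm(",".join(x for x in (p.get("ldap user suffix"), p.get("ldap suffix")) if x))
    dns = ldif_dns(ldif)
    under = [d for d in dns if d.endswith("," + base)]
    return {"base": base, "matched": len(under), "unmatched": len(dns) - len(under)}

# Constructed samples: the suffix from the thread and an export of account entries.
SMB_CONF = """\
[global]
  passdb backend = ldapsam:ldap://zimbra.domain.com/
  ldap suffix = dc=zimbra,dc=domain,dc=com
  ldap user suffix = ou=people
"""
LDIF = """\
dn: uid=testuser,ou=people,dc=domain,dc=com
uid: testuser

dn: uid=otheruser,ou=people,dc=domain,dc=com
uid: otheruser
"""

if __name__ == "__main__":
    print(check_user_base(SMB_CONF, LDIF))                            # wrong suffix
    print(check_user_base(SMB_CONF.replace("dc=zimbra,", ""), LDIF))  # corrected
```

A result with `matched` at 0 and `unmatched` above 0 means the accounts exist but sit outside the base Samba searches; the same comparison applies to the base DN configured for nss_ldap.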
