Zimbra

wolrah · #1 (**permalink**) 02-23-2008, 09:43 PM

After reluctantly following the advice I received to first put 4.5.7 (the version of my old box) on my new machine before upgrading to 5.0.2, I have almost everything working but I can not get in to the admin console.

Here's an overview of what I did:

-Down old machine, rsync /opt/zimbra to external hard drive.
-Install new machine, install.sh -s same version as was on old machine
-rm -rf /opt/zimbra
-rsync from external to /opt
-./install.sh and "upgrade" to the same version once again
-check that all is working properly (worked perfectly after fixing Samba/POSIX LDAP schemas)
-zmcontrol stop
-extract 5.0.2, ./install.sh, upgrade, blah blah blah...
-check operation again, fix LDAP schemas again (after wasting a half hour before finding slapd.conf.in had been moved and the wiki not updated)
-install samba and posix zimlets from command line

and here I am. Whenever I try to log on to the admin console, I get this puked out in my mailbox.log:

Code:

2008-02-23 23:32:33,558 INFO  [btpool0-9] [name=sharlow@medinavoip.com;ip=10.0.1.160;ua=ZimbraWebClient - SAF (Mac);] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: system failure: unable to modify attrs: [LDAP: error code 50 - Insufficient Access Rights]
Code:service.FAILURE
	at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:183)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:300)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:268)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:249)
	at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1473)
	at com.zimbra.cs.service.admin.ModifyAdminSavedSearches.handle(ModifyAdminSavedSearches.java:100)
	at com.zimbra.cs.service.admin.ModifyAdminSavedSearches.handle(ModifyAdminSavedSearches.java:60)
	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:342)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:208)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:113)
	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:272)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:174)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
	at org.mortbay.jetty.handler.RewriteHandler.handle(RewriteHandler.java:176)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
	at org.mortbay.jetty.Server.handle(Server.java:313)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'uid=sharlow,ou=people,dc=medinavoip,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
	at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1441)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
	at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
	at com.zimbra.cs.account.ldap.LdapUtil.modifyAttributes(LdapUtil.java:1260)
	at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:661)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:285)
	... 35 more

LDAP is working properly and I can even log on to the Samba boxes I have attached to it, I just can't admin the thing.

Since it seems to be operational I'm going to head home and go to sleep (been working on this upgrade for 10 hours, I can see command lines even when I close my eyes) but when morning comes around I'll be able to provide any files or logs needed.

Oh yea, for anyone who read my previous post about how to move this, I am using Ubuntu 6.06 now. I managed to fix the missing network driver, so for the first time ever I'm running on a supported OS.

czaveri · #2 (**permalink**) 02-25-2008, 12:35 AM

Are you logging in as a domain admin? A bug was recently logged for this: Bug 24861 - DomainAdmin login fails with posixaccount/samba zimlets enabled

wolrah · #3 (**permalink**) 02-25-2008, 05:26 AM

Quote:

Originally Posted by czaveri

Are you logging in as a domain admin? A bug was recently logged for this: Bug 24861 - DomainAdmin login fails with posixaccount/samba zimlets enabled

No, my account is a full administrator.

I have encountered the domain admin bug in the past when I was still on 4.5.7, but the user I was trying to assign domain admin privs could just as easily have full admin, so I didn't think much of it.

My boss (who was the one I tried to give domain admin a few months back) is also a full admin and is locked out in the same way.

edit: also, I should have noted above that I was locked out like this even before deploying the POSIX/Samba Zimlets. I have never once seen the ZCS 5.0 admin console.

The rest works fine and my users are happy, so I'm not going to burn my remaining support incident on it just yet, but if I need to do something at the admin console it might come down to that.

czaveri · #4 (**permalink**) 02-25-2008, 05:45 AM

does this work without the samba/posix extensions?

i also see that you are a zimbra network customer. if the above works then could you please log a case? we can use the case as a reference and forward it to the developer who worked on this and log a new bug or extend the scope, if/as required.

pls let us know if it doesn't work even without the samba/posix extension.

czaveri · #5 (**permalink**) 02-25-2008, 05:51 AM

Quote:

Originally Posted by wolrah

The rest works fine and my users are happy, so I'm not going to burn my remaining support incident on it just yet, but if I need to do something at the admin console it might come down to that.

it's generally not counted as an incident if it's a bug.

wolrah · #6 (**permalink**) 02-25-2008, 06:32 AM

Same thing even after pulling the zimbra_samba and zimbra_posixaccount addins and restarting the whole thing. I'm opening a case.

Code:

zimbra@baal:~$ zmzimletctl undeploy zimbra_samba
[] INFO: Undeploying on baal.medinavoip.com
[] INFO: Undeploy initiated.  (check the servers mailbox.log for the status)
zimbra@baal:~$ zmzimletctl undeploy zimbra_posixaccount
[] INFO: Undeploying on baal.medinavoip.com
[] INFO: Undeploy initiated.  (check the servers mailbox.log for the status)

Code:

2008-02-25 08:30:27,365 INFO  [btpool0-7] [name=sharlow@medinavoip.com;ip=10.0.1.160;ua=ZimbraWebClient - FF2.0 (Mac);] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: system failure: unable to modify attrs: [LDAP: error code 50 - Insufficient Access Rights]
Code:service.FAILURE
	at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:183)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:300)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:268)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:249)
	at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1473)
	at com.zimbra.cs.service.admin.ModifyAdminSavedSearches.handle(ModifyAdminSavedSearches.java:100)
	at com.zimbra.cs.service.admin.ModifyAdminSavedSearches.handle(ModifyAdminSavedSearches.java:60)
	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:342)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:208)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:113)
	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:272)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:174)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
	at org.mortbay.jetty.handler.RewriteHandler.handle(RewriteHandler.java:176)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
	at org.mortbay.jetty.Server.handle(Server.java:313)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'uid=sharlow,ou=people,dc=medinavoip,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
	at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1441)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
	at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
	at com.zimbra.cs.account.ldap.LdapUtil.modifyAttributes(LdapUtil.java:1260)
	at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:661)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:285)
	... 35 more

wolrah · #7 (**permalink**) 02-25-2008, 07:06 AM

The plot thickens...

When any user tries to add a signature, we get a very similar error.
edit: ANY SETTING CHANGES

Code:

2008-02-25 09:04:49,115 INFO  [btpool0-0] [name=sharlow@medinavoip.com;ip=10.0.1.160;ua=ZimbraWebClient - FF2.0 (Mac)/5.0.2_GA_1975.UBUNTU6;] SoapEngine - handler exception
com.zimbra.common.service.ServiceException: system failure: unable to modify attrs: [LDAP: error code 50 - Insufficient Access Rights]
Code:service.FAILURE
	at com.zimbra.common.service.ServiceException.FAILURE(ServiceException.java:183)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:300)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:268)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrs(LdapProvisioning.java:249)
	at com.zimbra.cs.account.Provisioning.modifyAttrs(Provisioning.java:1473)
	at com.zimbra.cs.account.ldap.LdapSignature.createAccountSignature(LdapSignature.java:135)
	at com.zimbra.cs.account.ldap.LdapProvisioning.createSignature(LdapProvisioning.java:4245)
	at com.zimbra.cs.service.account.CreateSignature.handle(CreateSignature.java:65)
	at com.zimbra.soap.SoapEngine.dispatchRequest(SoapEngine.java:342)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:199)
	at com.zimbra.soap.SoapEngine.dispatch(SoapEngine.java:113)
	at com.zimbra.soap.SoapServlet.doPost(SoapServlet.java:272)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:727)
	at com.zimbra.cs.servlet.ZimbraServlet.service(ZimbraServlet.java:174)
	at javax.servlet.http.HttpServlet.service(HttpServlet.java:820)
	at org.mortbay.jetty.servlet.ServletHolder.handle(ServletHolder.java:487)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1093)
	at org.mortbay.servlet.UserAgentFilter.doFilter(UserAgentFilter.java:81)
	at org.mortbay.servlet.GzipFilter.doFilter(GzipFilter.java:132)
	at org.mortbay.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1084)
	at org.mortbay.jetty.servlet.ServletHandler.handle(ServletHandler.java:360)
	at org.mortbay.jetty.security.SecurityHandler.handle(SecurityHandler.java:216)
	at org.mortbay.jetty.servlet.SessionHandler.handle(SessionHandler.java:181)
	at org.mortbay.jetty.handler.ContextHandler.handle(ContextHandler.java:716)
	at org.mortbay.jetty.webapp.WebAppContext.handle(WebAppContext.java:406)
	at org.mortbay.jetty.handler.ContextHandlerCollection.handle(ContextHandlerCollection.java:211)
	at org.mortbay.jetty.handler.HandlerCollection.handle(HandlerCollection.java:114)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
	at org.mortbay.jetty.handler.RewriteHandler.handle(RewriteHandler.java:176)
	at org.mortbay.jetty.handler.HandlerWrapper.handle(HandlerWrapper.java:139)
	at org.mortbay.jetty.Server.handle(Server.java:313)
	at org.mortbay.jetty.HttpConnection.handleRequest(HttpConnection.java:506)
	at org.mortbay.jetty.HttpConnection$RequestHandler.content(HttpConnection.java:844)
	at org.mortbay.jetty.HttpParser.parseNext(HttpParser.java:644)
	at org.mortbay.jetty.HttpParser.parseAvailable(HttpParser.java:205)
	at org.mortbay.jetty.HttpConnection.handle(HttpConnection.java:381)
	at org.mortbay.io.nio.SelectChannelEndPoint.run(SelectChannelEndPoint.java:396)
	at org.mortbay.thread.BoundedThreadPool$PoolThread.run(BoundedThreadPool.java:442)
Caused by: javax.naming.NoPermissionException: [LDAP: error code 50 - Insufficient Access Rights]; remaining name 'uid=sharlow,ou=people,dc=medinavoip,dc=com'
	at com.sun.jndi.ldap.LdapCtx.mapErrorCode(LdapCtx.java:3013)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2951)
	at com.sun.jndi.ldap.LdapCtx.processReturnCode(LdapCtx.java:2758)
	at com.sun.jndi.ldap.LdapCtx.c_modifyAttributes(LdapCtx.java:1441)
	at com.sun.jndi.toolkit.ctx.ComponentDirContext.p_modifyAttributes(ComponentDirContext.java:255)
	at com.sun.jndi.toolkit.ctx.PartialCompositeDirContext.modifyAttributes(PartialCompositeDirContext.java:172)
	at javax.naming.directory.InitialDirContext.modifyAttributes(InitialDirContext.java:153)
	at com.zimbra.cs.account.ldap.LdapUtil.modifyAttributes(LdapUtil.java:1260)
	at com.zimbra.cs.account.ldap.LdapUtil.modifyAttrs(LdapUtil.java:661)
	at com.zimbra.cs.account.ldap.LdapProvisioning.modifyAttrsInternal(LdapProvisioning.java:285)
	... 36 more

Greg · #8 (**permalink**) 02-25-2008, 09:51 AM

Wolrah, can you post the SOAP trace (run admin UI with ?mode=mjsf&gzip=false at the end of the URL)? It is important to see what are the attributes that UI is sending for modification to the server when it gets back the error.

wolrah · #9 (**permalink**) 02-25-2008, 10:06 AM

That gets me nothing new. It stalls at the loading screen just like before, no new data displayed. Since it's HTTPS I can't even capture with wireshark and expect to get anything useful.

edit: with that, is there any way to temporarily override tomcat to run the admin UI on an insecure connection? That should let me get anything you want from the client-server exchange.

Greg · #10 (**permalink**) 02-25-2008, 11:46 AM

Quote:

Originally Posted by wolrah

That gets me nothing new. It stalls at the loading screen just like before, no new data displayed. Since it's HTTPS I can't even capture with wireshark and expect to get anything useful.

edit: with that, is there any way to temporarily override tomcat to run the admin UI on an insecure connection? That should let me get anything you want from the client-server exchange.

There are two simple ways to capture SOAP trace over HTTPS:
1) use FireFox browser with FireBug plugin (getfirebug.com) and look in the Console tab in firebug

2) when you add ?mode=mjsf&gzip=false&debug=1 to the URL, the admin UI will pop-up a new window with debugging messages. You may need to allow your pop-up blocker to show it. (pop-up blockers are now built-in and enabled by default with any new version of IE or Mozilla)

Zimbra

Downloads

Product Information

Toolbox

Why Join?