Zimbra Integration With Samba - Ubuntu Based

[gtr33m]

The ldap on machine one is the zimbra ldap, not another instance of ldap.
The idea is that zimbra and domain authentication will work with only machine 1 running. Machine 2 is a fileserver that will depend on machine 1 being present for authentication, but machine 1 is not dependant on machine 2 at all.

Now that I have throughly confused you, here's my smb from machine 1 (the pdc)

Code:

[global]
  workgroup = MEDALIST
  netbios name = mail
  os level = 34
  preferred master = yes
  enable privileges = yes
  server string = %h server (Samba, Ubuntu)
  wins support =yes 
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://mail.medalist.com.au/
  ldap admin dn = "cn=config"
  ldap suffix = dc=medalist,dc=com,dc=au
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain logons = yes
  logon path = \\mail.medalist.com.au\%U\profile
  logon home = \\mail.medalist.com.au\%U
  logon drive = K:
  logon script = logon.cmd
  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
  domain master = yes
  local master = yes

and using it as a base, the modified smb.conf for machine 2:

Code:

[global]
  workgroup = MEDALIST
  netbios name = server1
  os level = 33
  preferred master = yes
  enable privileges = yes
  server string = %h server (Samba, Ubuntu)
  wins support =no 
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://mail.medalist.com.au/
  ldap admin dn = "cn=config"
  ldap suffix = dc=medalist,dc=com,dc=au
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  domain logons = yes
  logon path = \\mail.medalist.com.au\%U\profile
  logon home = \\mail.medalist.com.au\%U
  logon drive = K:
  logon script = logon.cmd
  socket options = TCP_NODELAY
  domain master = no
  local master = yes

What I changed was to remove the passwd lines, the add user and machine lines, change the domain master to no and wins support to no.

I'm not sure if it should be the local master or wether is should be the preferred master.

Something is still wrong because I can't even connect to machine 2 from windows even if I use the ip address

[lithorus]

The ldap on machine one is the zimbra ldap, not another instance of ldap.
The idea is that zimbra and domain authentication will work with only machine 1 running. Machine 2 is a fileserver that will depend on machine 1 being present for authentication, but machine 1 is not dependant on machine 2 at all.

Now that I have throughly confused you, here's my smb from machine 1 (the pdc)

Code:

[global]
  workgroup = MEDALIST
  netbios name = mail
  os level = 34
  preferred master = yes
  enable privileges = yes
  server string = %h server (Samba, Ubuntu)
  wins support =yes 
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://mail.medalist.com.au/
  ldap admin dn = "cn=config"
  ldap suffix = dc=medalist,dc=com,dc=au
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain logons = yes
  logon path = \\mail.medalist.com.au\%U\profile
  logon home = \\mail.medalist.com.au\%U
  logon drive = K:
  logon script = logon.cmd
  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
  domain master = yes
  local master = yes

and using it as a base, the modified smb.conf for machine 2:

Code:

[global]
  workgroup = MEDALIST
  netbios name = server1
  os level = 33
  preferred master = yes
  enable privileges = yes
  server string = %h server (Samba, Ubuntu)
  wins support =no 
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://mail.medalist.com.au/
  ldap admin dn = "cn=config"
  ldap suffix = dc=medalist,dc=com,dc=au
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  domain logons = yes
  logon path = \\mail.medalist.com.au\%U\profile
  logon home = \\mail.medalist.com.au\%U
  logon drive = K:
  logon script = logon.cmd
  socket options = TCP_NODELAY
  domain master = no
  local master = yes

What I changed was to remove the passwd lines, the add user and machine lines, change the domain master to no and wins support to no.

I'm not sure if it should be the local master or wether is should be the preferred master.

Something is still wrong because I can't even connect to machine 2 from windows even if I use the ip address

Did you setup libpam-ldap on the second machine? The problem might be that the samba on the second machine doesn't have the password setup for the LDAP connection.

That is done with :

smbpasswd -w theRealPassword

Btw. I was wrong about the /etc/ldap/ thing. The files you need to copy is /etc/ldap.conf and /etc/ldap.secret to copy the LDAP settings from one machine to another.

[gtr33m]

No I haven't explicitely setup libpam-ldap. Am I to understand that I should follow Greg's howto guide on machine 2, omitting the steps related to zimbra (part 2) and then use the smb.conf for machine 2 as above?

[lithorus]

Basically yes. For the system to assign a specific LDAP user as owner of a file it uses libnss-ldap (which is installed by libpam-ldap). libnss-ldap uses the files /etc/ldap.conf and /etc/ldap.secret to connect to the LDAP server and look up the user. You can test the connection and if it sees the users with "getent passwd".

In theory you could live without the libnss-ldap thing, but then system doesn't have any control over who owns what.

Here are the steps we do for our secondary servers :

install :
libnss-ldap
libpam-ldap
(just ignore the config steps here since you copy the files over anyway later)

edit /etc/nsswitch.conf :

passwd: compat ldap
group: compat ldap
shadow: compat ldap

copy :
scp root@machine1:/etc/ldap.* /etc/
scp root@machine1:/etc/samba/smb.conf /etc/samba/
(in your case you don't need to copy the smb.conf)

change ldap password:
smbpasswd -w realPassword

[notpeter]

Hi folks, while going through the setup steps, I ran into an extra step not listed on that tutorial...specifically at the end of step 8 (configuring the newly installed libpam-ldap):

Code:

Configuring ldap-auth-config
 Please enter the name of the account that will be used to log in to the LDAP database.
Warning: DO NOT use privileged accounts for logging in, the configuration file has to be world readable.

Unprivileged database user:
cn=proxyuser,dc=example,dc=net

Is there a non-privileged ldap account setup in zimbra? Do I need to create one?

After that it additionally asks:

Code:

Please enter the password that will be used to log in to the LDAP database. 
Password for database login account:

Should I use the my root LDAP password?

Running
zcs-NETWORK-5.0.15_GA_2851.UBUNTU8_64.20090310194234
Ubuntu 8.04LTS (both on Samba and Zimbra servers)

[lithorus]

Hi folks, while going through the setup steps, I ran into an extra step not listed on that tutorial...specifically at the end of step 8 (configuring the newly installed libpam-ldap):

Code:

Configuring ldap-auth-config
 Please enter the name of the account that will be used to log in to the LDAP database.
Warning: DO NOT use privileged accounts for logging in, the configuration file has to be world readable.

Unprivileged database user:
cn=proxyuser,dc=example,dc=net

Is there a non-privileged ldap account setup in zimbra? Do I need to create one?

After that it additionally asks:

Code:

Please enter the password that will be used to log in to the LDAP database. 
Password for database login account:

Should I use the my root LDAP password?

Running
zcs-NETWORK-5.0.15_GA_2851.UBUNTU8_64.20090310194234
Ubuntu 8.04LTS (both on Samba and Zimbra servers)

The ldap-auth-config step is the same as configuring the libpam-ldap and you should just proceed like you are setting up libpam-ldap. It's because the guide is for 6.06.

[gtr33m]

I'm by no means an expert but I set up up ldap-auth-config using the settings of both libpam-ldap and libnss-ldap. The only difference is that there is a step regarding the storage of passwords for which I chose 'clear'. Probably less secure, but seemed the most likely to compatible.

If you get it wrong, just dpkg-reconfigure ldap-auth-config and start over.

[ramoneiro]

Hi evrebody,

First of all thanks for the great howto.

I just installed zcs-5.0.9 on Ubuntu 8.04 with posix and samba integration in a lab using your guide with small adaptations. I have however a problem with admin extensions in the GUI. When I want to add a Posix Group I do not see the "Samba Group" tab. I imagine that this tab allows to link a Posix group with a Samba domain.
Any hint as why this tab may not be visible and what exactly it performs would be appreciated.

Thanks,

Ramin

To anyone having this issue, try using Firefox instead. I spent half a day cooking up my brain with this problem only to notice that IE7 doesn't work properly with zimbra_samba extension. When using Firefox, I can see the "Samba Group" tab, with IE7 I can't.

[devnul]

Has anyone had any success with integrating two zimbra domains for auth through samba? I administrate two companies, domain1.com, and domain2.com, and I'd like to setup a samba server that has shares that can be accessed by users from both domains.

[celsowebber]

Has anyone had any success with integrating two zimbra domains for auth through samba? I administrate two companies, domain1.com, and domain2.com, and I'd like to setup a samba server that has shares that can be accessed by users from both domains.

Hello devnul,

I believe this should work OK. Since Zimbra is multi-domain aware, I see no problems about having two Samba domains also. The secret will be to set up the LDAP base dn's correctly when acting over one or another domain.

When I was migrating from one "standard" Samba to this solution, I had two domains in parallel and I believe they're working ok alltogether.

Regards, Celso.