Welcome to the Zimbra Forums!
04-21-2009, 12:36 AM
The ldap on machine one is the zimbra ldap, not another instance of ldap.
The idea is that zimbra and domain authentication will work with only machine 1 running. Machine 2 is a fileserver that will depend on machine 1 being present for authentication, but machine 1 is not dependent on machine 2 at all.
Now that I have thoroughly confused you, here's my smb from machine 1 (the pdc):
Code:
[global]
workgroup = MEDALIST
netbios name = mail
os level = 34
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Ubuntu)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://mail.medalist.com.au/
ldap admin dn = "cn=config"
ldap suffix = dc=medalist,dc=com,dc=au
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\mail.medalist.com.au\%U\profile
logon home = \\mail.medalist.com.au\%U
logon drive = K:
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes

and using it as a base, the modified smb.conf for machine 2:
Code:
[global]
workgroup = MEDALIST
netbios name = server1
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Ubuntu)
wins support = no
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://mail.medalist.com.au/
ldap admin dn = "cn=config"
ldap suffix = dc=medalist,dc=com,dc=au
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
domain logons = yes
logon path = \\mail.medalist.com.au\%U\profile
logon home = \\mail.medalist.com.au\%U
logon drive = K:
logon script = logon.cmd
socket options = TCP_NODELAY
domain master = no
local master = yes

What I changed was to remove the passwd lines, the add user and machine lines, change the domain master to no and wins support to no.
I'm not sure if it should be the local master or whether it should be the preferred master.
Something is still wrong because I can't even connect to machine 2 from Windows even if I use the IP address.
__________________
Mark Hawkins
Medalist
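The two smb.conf listings above differ in a handful of keys, and the poster is unsure which ones matter. The following POSIX sh script is an added example, not code from the thread or from Samba or Zimbra: it pulls individual keys out of the [global] section of two smb.conf files and checks the invariants a PDC/member-server pair has to satisfy (same workgroup, same LDAP backend, suffix and admin dn; distinct NetBIOS names; exactly one domain master and one WINS server; no account-creation scripts on the member). The function names (smb_get, smb_check_pair, smb_write_samples) are this example's own, and the sample configs it writes are constructed from the two listings in the post, trimmed to the keys the check looks at.

```shell
#!/bin/sh
# Added example (not from the thread): sanity-check a PDC smb.conf against a
# member server's smb.conf. Function names are this example's own; the sample
# configs are constructed from the two listings in the post, trimmed to the
# keys that matter here.

# smb_get FILE KEY: print the value of KEY in [global] (empty if absent).
# Only the first '=' splits key from value, so 'ldap admin dn = "cn=config"' works.
smb_get() {
    awk -v want="$2" '
        /^[ \t]*\[/ { section = tolower($0); gsub(/[^a-z0-9_]/, "", section); next }
        section == "global" && /=/ {
            key = $0; sub(/=.*/, "", key); gsub(/^[ \t]+|[ \t]+$/, "", key)
            if (tolower(key) == want) {
                val = $0; sub(/^[^=]*=[ \t]*/, "", val); sub(/[ \t]+$/, "", val)
                found = val
            }
        }
        END { print found }' "$1"
}

# smb_check_pair PDC_CONF MEMBER_CONF: returns 0 if the pair is consistent.
smb_check_pair() {
    pdc="$1"; member="$2"; rc=0
    # Both servers must talk to the same LDAP backend with the same credentials.
    for key in workgroup security "passdb backend" "ldap suffix" "ldap admin dn"; do
        a=$(smb_get "$pdc" "$key"); b=$(smb_get "$member" "$key")
        [ "$a" = "$b" ] || { echo "FAIL: '$key' differs: pdc='$a' member='$b'"; rc=1; }
    done
    # Exactly one domain master and one WINS server; distinct NetBIOS names.
    [ "$(smb_get "$pdc" "netbios name")" != "$(smb_get "$member" "netbios name")" ] \
        || { echo "FAIL: both servers use the same netbios name"; rc=1; }
    [ "$(smb_get "$pdc" "domain master")" = yes ] || { echo "FAIL: pdc needs domain master = yes"; rc=1; }
    [ "$(smb_get "$member" "domain master")" = no ] || { echo "FAIL: member needs domain master = no"; rc=1; }
    [ "$(smb_get "$member" "wins support")" = no ] || { echo "FAIL: member needs wins support = no"; rc=1; }
    # Only the PDC creates accounts; a member server must not carry these scripts.
    for key in "add user script" "add machine script"; do
        [ -z "$(smb_get "$member" "$key")" ] || { echo "FAIL: member must not set '$key'"; rc=1; }
    done
    return $rc
}

# smb_write_samples DIR: write the constructed sample pair into DIR.
smb_write_samples() {
    cat > "$1/pdc.conf" <<'EOF'
[global]
   workgroup = MEDALIST
   netbios name = mail
   security = user
   passdb backend = ldapsam:ldap://mail.medalist.com.au/
   ldap admin dn = "cn=config"
   ldap suffix = dc=medalist,dc=com,dc=au
   domain master = yes
   wins support = yes
   add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
EOF
    cat > "$1/member.conf" <<'EOF'
[global]
   workgroup = MEDALIST
   netbios name = server1
   security = user
   passdb backend = ldapsam:ldap://mail.medalist.com.au/
   ldap admin dn = "cn=config"
   ldap suffix = dc=medalist,dc=com,dc=au
   domain master = no
   wins support = no
EOF
}

# Usage: sh smbcheck.sh --demo                  (checks the constructed samples)
#        sh smbcheck.sh PDC.smb.conf MEMBER.smb.conf
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d); smb_write_samples "$d"
    smb_check_pair "$d/pdc.conf" "$d/member.conf" && echo "OK: configs are consistent"
elif [ $# -eq 2 ]; then
    smb_check_pair "$1" "$2" && echo "OK: configs are consistent"
fi
```

The check says nothing about whether the member server can actually bind to LDAP; that depends on the password Samba stores with `smbpasswd -w`, which lives in secrets.tdb rather than in smb.conf, so a pair of configs can pass this check and still fail at connection time.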
04-21-2009, 12:59 AM
Quote:
Originally Posted by gtr33m The ldap on machine one is the zimbra ldap, not another instance of ldap.
The idea is that zimbra and domain authentication will work with only machine 1 running. Machine 2 is a fileserver that will depend on machine 1 being present for authentication, but machine 1 is not dependent on machine 2 at all.
Now that I have thoroughly confused you, here's my smb from machine 1 (the pdc) [smb.conf for machine 1 as posted above] and using it as a base, the modified smb.conf for machine 2: [smb.conf for machine 2 as posted above] What I changed was to remove the passwd lines, the add user and machine lines, change the domain master to no and wins support to no.
I'm not sure if it should be the local master or whether it should be the preferred master.
Something is still wrong because I can't even connect to machine 2 from Windows even if I use the IP address.

Did you set up libpam-ldap on the second machine? The problem might be that the samba on the second machine doesn't have the password set up for the LDAP connection.
That is done with:
Quote:
smbpasswd -w theRealPassword

Btw. I was wrong about the /etc/ldap/ thing. The files you need to copy are /etc/ldap.conf and /etc/ldap.secret to copy the LDAP settings from one machine to another.
Last edited by lithorus : 04-21-2009 at 01:02 AM.
04-21-2009, 01:11 AM
No I haven't explicitly set up libpam-ldap. Am I to understand that I should follow Greg's howto guide on machine 2, omitting the steps related to zimbra (part 2) and then use the smb.conf for machine 2 as above?
__________________
Mark Hawkins
Medalist
04-21-2009, 01:47 AM
Basically yes. For the system to assign a specific LDAP user as owner of a file it uses libnss-ldap (which is installed by libpam-ldap). libnss-ldap uses the files /etc/ldap.conf and /etc/ldap.secret to connect to the LDAP server and look up the user. You can test the connection, and whether it sees the users, with "getent passwd".
In theory you could live without the libnss-ldap thing, but then the system doesn't have any control over who owns what.
Here are the steps we do for our secondary servers:

install:
libnss-ldap
libpam-ldap
(just ignore the config steps here since you copy the files over anyway later)

edit /etc/nsswitch.conf:
Quote:
passwd: compat ldap
group: compat ldap
shadow: compat ldap

copy:
scp root@machine1:/etc/ldap.* /etc/
scp root@machine1:/etc/samba/smb.conf /etc/samba/
(in your case you don't need to copy the smb.conf)

change ldap password:
smbpasswd -w realPassword
04-21-2009, 09:58 AM
Hi folks, while going through the setup steps, I ran into an extra step not listed on that tutorial...specifically at the end of step 8 (configuring the newly installed libpam-ldap):
Code:
Configuring ldap-auth-config
Please enter the name of the account that will be used to log in to the LDAP database.
Warning: DO NOT use privileged accounts for logging in, the configuration file has to be world readable.
Unprivileged database user:
cn=proxyuser,dc=example,dc=net

Is there a non-privileged ldap account setup in zimbra? Do I need to create one?
After that it additionally asks:
Code:
Please enter the password that will be used to log in to the LDAP database.
Password for database login account:

Should I use my root LDAP password?
Running
zcs-NETWORK-5.0.15_GA_2851.UBUNTU8_64.20090310194234
Ubuntu 8.04LTS (both on Samba and Zimbra servers)
04-21-2009, 11:50 PM
Quote:
Originally Posted by notpeter Hi folks, while going through the setup steps, I ran into an extra step not listed on that tutorial...specifically at the end of step 8 (configuring the newly installed libpam-ldap): [ldap-auth-config prompts as quoted above] Is there a non-privileged ldap account setup in zimbra? Do I need to create one?
After that it additionally asks: [password prompt as quoted above] Should I use my root LDAP password?
Running
zcs-NETWORK-5.0.15_GA_2851.UBUNTU8_64.20090310194234
Ubuntu 8.04LTS (both on Samba and Zimbra servers)

The ldap-auth-config step is the same as configuring the libpam-ldap and you should just proceed like you are setting up libpam-ldap. It's because the guide is for 6.06.
04-22-2009, 03:10 AM
I'm by no means an expert but I set up ldap-auth-config using the settings of both libpam-ldap and libnss-ldap. The only difference is that there is a step regarding the storage of passwords for which I chose 'clear'. Probably less secure, but seemed the most likely to be compatible.
If you get it wrong, just dpkg-reconfigure ldap-auth-config and start over.
__________________
Mark Hawkins
Medalist
04-22-2009, 08:39 AM
Quote:
Originally Posted by rnajmabadi Hi everybody,
First of all thanks for the great howto.
I just installed zcs-5.0.9 on Ubuntu 8.04 with posix and samba integration in a lab using your guide with small adaptations. I have however a problem with admin extensions in the GUI. When I want to add a Posix Group I do not see the "Samba Group" tab. I imagine that this tab allows to link a Posix group with a Samba domain.
Any hint as to why this tab may not be visible and what exactly it performs would be appreciated.
Thanks,
Ramin

To anyone having this issue, try using Firefox instead. I spent half a day cooking up my brain with this problem only to notice that IE7 doesn't work properly with the zimbra_samba extension. When using Firefox, I can see the "Samba Group" tab, with IE7 I can't.
__________________
You may not enjoy living together, but dying together isn't gonna solve anything, anyway.
07-20-2009, 12:30 PM
Has anyone had any success with integrating two zimbra domains for auth through samba? I administrate two companies, domain1.com, and domain2.com, and I'd like to setup a samba server that has shares that can be accessed by users from both domains.