Zimbra

alekseyn · #51 (**permalink**) 04-02-2010, 09:32 AM

Hello guys.

Zimbra is just the best solution for people like me who need an alternative to win server and AD....

So here I am trying to install everything following this guide - UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0

I run Ubuntu 8.04 LTS server and trying to install the latest Zimbra Collaboration Suite (exact version in header of my post)

I am trying to install everything on one ubuntu box.

has quite a few problems during the installation... and quite honestly I have lost a track of things I did or did not do...

My problem at the moment is - I can not get the Samba domain to show up i the admin console...

I will post my smb.conf at the end of my post... but I have setup samba domains before and honestly do not see an issue with it...

what could be a problem? how can I test if the zimbra ldap is working?

I really do not want to (and can not) reinstall everything from scratch... Please help!!

Also guys, should I even bother installing this kind of system.. I have quite a few users with Win 7... would they be able to join the domain with Ubuntu's 3.0.28a Samba that gets installed using "apt-get install samba"... or should I somehow install the latest samba from samba.com???

smb.conf

Code:

[global]
  workgroup = NRG-GLOBAL.COM
  netbios name = SERVER
  os level = 33
  preferred master = yes
  enable privileges = yes
  server string = %h server (Samba, Ubuntu)
  wins support =yes 
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://192.168.1.3/
  ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
  ldap suffix = dc=nrg-global,dc=com
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain logons = yes
  ;logon path = \\server\%U\profile
  ;logon home = \\server\%U
  ;logon script = logon.cmd
 
  logon path =
  logon home = 
  logon script =   

  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
  domain master = yes
  local master = yes
[homes]
  comment = Home Directories
  browseable =yes 
  read only = No
  valid users = %S
[netlogon]
  comment = Network Logon Service
  path = /var/lib/samba/netlogon
  guest ok = yes
  locking = no
[profiles]
  comment = Users profiles
  path = /var/lib/samba/profiles
  read only = No
[profdata]
  comment = Profile Data Share
  path = /var/lib/samba/profdata
  read only = No
  profile acls = Yes
[printers]
  comment = All Printers
  browseable = no
  path = /tmp
  printable = yes
  public = no
  writable = no
  create mode = 0700
[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no

/etc/ldap.conf

Code:

###DEBCONF###
#host server.nrg-global.com
base dc=nrg-global,dc=com
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
port 389
bind_policy soft
nss_reconnect_tries 2
uri ldap://192.168.1.3/
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
# tell to not check the server certificate
tls_checkpeer no
# optional
pam_password md5
# where nss find the information
nss_base_passwd         ou=people,dc=nrg-global,dc=com?one
nss_base_shadow         ou=people,dc=nrg-global,dc=com?one
nss_base_group          ou=groups,dc=nrg-global,dc=com?one
nss_base_hosts          ou=machines,dc=nrg-global,dc=com?one

ldap_version 3
nss_initgroups_ignoreusers backup,bin,bind,daemon,dhcp,fetchmail,games,gnats,haldaemon,irc,klog,libuuid,list,lp,mail,man,messagebus,mysql,news,ntp,openldap,polkituser,proxy,root,saned,sshd,sync,sys,syslog,uucp,www-data

UPDATE:

upgraded to the latest samba (built from source) and reran some of the steps in the how-to...

samba appears OK and everything operates normally, but can not join the machines into the domain...
any help whatsoever would be really appreciated.

vavai · #52 (**permalink**) 04-05-2010, 07:03 AM

Hi,

Quote:

Originally Posted by alekseyn

Hello guys.

UPDATE:

upgraded to the latest samba (built from source) and reran some of the steps in the how-to...

samba appears OK and everything operates normally, but can not join the machines into the domain...
any help whatsoever would be really appreciated.

Could you please tell us, what is the failed message problem displayed on client while attempt to join to the domain? Something like "could not find domain controller" or something like that.

Do you use Win XP or Win 7 as client ?

Note : I've successfully integrating Zimbra with Samba on openSUSE/SLES based on same tutorial on Zimbra Wiki with minor changes. I'll be glad to share some configuration if you think it could helps.

alekseyn · #53 (**permalink**) 04-05-2010, 08:29 AM

Hi and thanks for your reply!

I am trying to join XP and win 7 with no luck.

with XP and Win 7 the message is - Acces is denied...

going out of my mind to find out why...
any pointers to where I could maybe check the logs would be appreciated!

vavai · #54 (**permalink**) 04-05-2010, 07:41 PM

Quote:

Originally Posted by alekseyn

Hi and thanks for your reply!

I am trying to join XP and win 7 with no luck.

with XP and Win 7 the message is - Acces is denied...

going out of my mind to find out why...
any pointers to where I could maybe check the logs would be appreciated!

Please check (or paste the appropriate part of) your log on the following file :

/var/log/samba/log.smbd
/var/log/samba/log.nmbd
/opt/zimbra/log/mailbox.log and
/var/log/zimbra.log

alekseyn · #55 (**permalink**) 04-05-2010, 10:03 PM

Quote:

Originally Posted by vavai

Please check (or paste the appropriate part of) your log on the following file :

/var/log/samba/log.smbd
/var/log/samba/log.nmbd
/opt/zimbra/log/mailbox.log and
/var/log/zimbra.log

well, here is an experiment: I have emptied out all those logs and tried to join a win 7 machine again with the same result. And all of those logs were empty.

But the one with the machine name on it (/var/log/samba/log.{machine name} was full of stuff. I have raised the detail level to 5 trying to pinpoint the problem.

Maybe you could get something useful from the attached...

vavai · #56 (**permalink**) 04-05-2010, 10:52 PM

1. Did your XP/Win 7 client find your domain controller successfully?
2. Did the join domain Admin password came up and ask for user & password?
3. What is the admin user you used to join to the domain?
4. Do you have added your admin user (or the user you used for join) as domain admins group?

alekseyn · #57 (**permalink**) 04-05-2010, 10:55 PM

Quote:

Originally Posted by vavai

1. Did your XP/Win 7 client find your domain controller successfully?
2. Did the join domain Admin password came up and ask for user & password?
3. What is the admin user you used to join to the domain?
4. Do you have added your admin user (or the user you used for join) as domain admins group?

1. Yes
2. Yes
3. "aleksey" is the user name as you could see in the logs
4. Yes, user "aleksey" is added to the "Domain Admins" group in Zimbra Admin UI

vavai · #58 (**permalink**) 04-05-2010, 11:10 PM

I found the following error message on your log :

Quote:

ldapsam_getgroup: Did not find group, filter was (&(objectClass=sambaGroupMapping)(sambaSID=S-1-5-32-544))
[2010/04/06 09:01:40.904995, 3] smbd/sec_ctx.c:418(pop_sec_ctx)
pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 1
[2010/04/06 09:01:40.905011, 5] auth/token_util.c:306(create_builtin_administrators)
create_builtin_administrators: Failed to create Administrators

Do you have recreate Samba SID or changing domain/netbios name ?

Anyway, all Zimbra log was empty. What happen if you trying to stop and re-start Zimbra service and then restart Samba Service. I'm interesting to look at what is the Samba message on joining process.

Note : Sorry if I ask too much question. I've struggling similar problem on my side last week, and after various investigation, the problem are on add machine script part on smb.conf. I found this problem because there was an error on Samba log complaining machine script. You may encounter different problem, so the best solution are debugging join process and see (tail -f Samba log) Samba & Zimbra log while joining client.

p_nyet · #59 (**permalink**) 04-12-2010, 12:20 AM

A few weeks I had same problem, but my PDC running on OpenLDAP and Samba 3.2.15. And after change the profile permission, my problem has gone..

# ls -la /data/profiles
drwxrwxrwx 32 root root 4096 Apr 12 10:34 profiles

in smb.conf

[Profiles]
path = /data/profiles
force user = %U
read only = No
create mask = 0777
directory mask = 0777
guest ok = yes
browseable = No
profile acls = yes
csc policy = disable

fruitloaf · #60 (**permalink**) 04-25-2010, 06:21 AM

I'm trying to integrate a new Zimbra server with samba but I'm having some troubles.

Using gregs guide on the wiki I have no problem setting up Ubuntu 8.04 with ZCS 6.06 on two seperate servers (zimbra + samba) using the samba package from the repositories. However I'd like to have the option of having Windows 7 clients join so I tried to build samba from sources. However using the same working smb.conf and ldap.conf from the repository version I'm getting authorisation errors in my samba logs and the domain is never added to the Zimbra admin console.

This is the start of my samba log which shows the errors I'm getting. These repeat as samba tries to connect over and over.

Code:

[2010/04/25 13:52:56,  2] lib/smbldap_util.c:277(smbldap_search_domain_info)
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDo
mainName=FRANCHISEROUTE))]
[2010/04/25 13:52:56,  0] lib/smbldap.c:656(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
[2010/04/25 13:52:56,  1] lib/smbldap.c:1231(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2010/04/25 13:52:57,  3] lib/smbldap_util.c:302(smbldap_search_domain_info)
  smbldap_search_domain_info: Got no domain info entries for domain
[2010/04/25 13:52:57,  0] lib/smbldap.c:656(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
[2010/04/25 13:52:57,  1] lib/smbldap.c:1231(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2010/04/25 13:52:58,  3] lib/smbldap_util.c:163(add_new_domain_info)
  add_new_domain_info: Adding new domain
[2010/04/25 13:52:58,  0] lib/smbldap.c:656(smb_ldap_start_tls)
  Failed to issue the StartTLS instruction: Connect error
[2010/04/25 13:52:58,  1] lib/smbldap.c:1231(another_ldap_try)
  Connection to LDAP server failed for the 1 try!
[2010/04/25 13:52:59,  1] lib/smbldap_util.c:233(add_new_domain_info)
  add_new_domain_info: failed to add domain dn= sambaDomainName=FRANCHISEROUTE,d
c=scotland,dc=franchiseroute,dc=net with: Strong(er) authentication required
        modifications require authentication
[2010/04/25 13:52:59,  0] lib/smbldap_util.c:310(smbldap_search_domain_info)
  smbldap_search_domain_info: Adding domain info for FRANCHISEROUTE failed with
NT_STATUS_UNSUCCESSFUL

Any ideas or has anyone sucessfully managed to use a newer version of samba and have Win 7 clients join the domain?

Zimbra

Downloads

Product Information

Toolbox

Why Join?