  #21 (permalink)  
Old 11-16-2008, 12:20 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

I asked you earlier if you'd run an ldapsearch (on the Zimbra server) against the AD sub-domain after the backup has run and you've lost the connection to it. Did you ever do that, and what was the result? Specifically, you should try a search for one of the Zimbra users that's authenticating against that server.
__________________
Regards


Bill
Reply With Quote
  #22 (permalink)  
Old 11-16-2008, 12:51 AM
Zimbra Consultant & Moderator
 
Posts: 20,312
Default

What I forgot to ask earlier is this: you say you're using a sub-domain; do you have multiple domains on this server? If you do, you'll need to specify an authentication filter for each domain. What filters are you using against the AD server? For the users that cannot authenticate after the failure, do they have a local password on the Zimbra server? Did you implement authentication fallback as I mentioned earlier? Is IPv6 enabled on this server, and could you disable it if it's on?

You could also run the following (before & after the failure) to confirm the routing table:

Code:
netstat -rn
And just out of interest, please also post the output of the following commands (run on the Zimbra server):

Code:
cat /etc/hosts
cat /etc/resolv.conf
host `hostname`  <-- use backticks not single quotes
dig yourdomain.com mx
dig yourdomain.com any
dig sub.yourdomain.com mx
dig sub.yourdomain.com any

zmcontrol -v
I assume that this is your DC?

Code:
DomainDnsZones.syd.internal.mitacademy
When you lose connectivity with it, could you run a traceroute using the FQDN of the DC and another using the IP of the DC and see what happens?

I'm also assuming that there are no firewall or SELinux issues on your Zimbra server or between you and the DC. Have you checked?
__________________
Regards


Bill

Last edited by phoenix; 11-16-2008 at 07:27 AM..
Reply With Quote
  #23 (permalink)  
Old 11-16-2008, 05:41 PM
Intermediate Member
 
Posts: 22
Default

Hi phoenix

Currently Zimbra is working, and the output as per your request is below.

Code:
[root@emailz ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.32.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         172.16.32.13    0.0.0.0         UG        0 0          0 eth0

Code:
[root@emailz ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1       localhost.localdomain   localhost       emailz
::1     localhost6.localdomain6 localhost6
Code:
[root@emailz ~]# cat /etc/resolv.conf
search internal.mitacademy
nameserver 172.16.32.2
nameserver 172.16.32.3
nameserver 172.16.56.2
nameserver 172.16.56.3
Code:
[root@emailz ~]# host `hostname`
emailz.internal.mitacademy has address 172.16.32.21
emailz.internal.mitacademy mail is handled by 10 emailz.internal.mitacademy.
Code:
[root@emailz ~]# dig internal.mitacademy mx

; <<>> DiG 9.3.3rc2 <<>> internal.mitacademy mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6427
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;internal.mitacademy.           IN      MX

;; AUTHORITY SECTION:
internal.mitacademy.    3600    IN      SOA     pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 17737 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Mon Nov 17 09:20:26 2008
;; MSG SIZE  rcvd: 92
Code:
[root@emailz ~]# dig internal.mitacademy any

; <<>> DiG 9.3.3rc2 <<>> internal.mitacademy any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 21597
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 4

;; QUESTION SECTION:
;internal.mitacademy.           IN      ANY

;; ANSWER SECTION:
internal.mitacademy.    600     IN      A       172.16.32.7
internal.mitacademy.    600     IN      A       172.16.32.3
internal.mitacademy.    600     IN      A       172.16.32.2
internal.mitacademy.    3600    IN      NS      s-academic-1.syd.internal.mitacademy.
internal.mitacademy.    3600    IN      NS      s-academic2.syd.internal.mitacademy.
internal.mitacademy.    3600    IN      NS      l-pokhara.internal.mitacademy.
internal.mitacademy.    3600    IN      NS      pokhara.internal.mitacademy.
internal.mitacademy.    3600    IN      SOA     pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 17737 900 600 86400 3600

;; ADDITIONAL SECTION:
s-academic-1.syd.internal.mitacademy. 3600 IN A 172.16.56.2
s-academic2.syd.internal.mitacademy. 3600 IN A  172.16.56.3
l-pokhara.internal.mitacademy. 3600 IN  A       172.16.32.3
pokhara.internal.mitacademy. 3600 IN    A       172.16.32.2

;; Query time: 1 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Mon Nov 17 09:20:57 2008
;; MSG SIZE  rcvd: 299
Code:
[root@emailz ~]# dig syd.internal.mitacademy mx

; <<>> DiG 9.3.3rc2 <<>> syd.internal.mitacademy mx
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17675
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;syd.internal.mitacademy.       IN      MX

;; AUTHORITY SECTION:
internal.mitacademy.    3600    IN      SOA     pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 17737 900 600 86400 3600

;; Query time: 0 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Mon Nov 17 09:21:38 2008
;; MSG SIZE  rcvd: 96
Code:
[root@emailz ~]# dig syd.internal.mitacademy any

; <<>> DiG 9.3.3rc2 <<>> syd.internal.mitacademy any
;; global options:  printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 48064
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;syd.internal.mitacademy.       IN      ANY

;; ANSWER SECTION:
syd.internal.mitacademy. 600    IN      A       172.16.56.50
syd.internal.mitacademy. 600    IN      A       172.16.56.2
syd.internal.mitacademy. 600    IN      A       172.16.56.3

;; Query time: 0 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Mon Nov 17 09:21:59 2008
;; MSG SIZE  rcvd: 89
Code:
[zimbra@emailz ~]$ zmcontrol -v

Release 5.0.10_GA_2638.RHEL5_20081003052615 CentOS5 FOSS edition

We tried running ldapsearch with different options and we are receiving a few errors such as the one below (we can only run ldapsearch after logging in as a zimbra user). So we were wondering if you want us to run a specific command, and we would appreciate it if you could advise us.

[zimbra@emailz ~]$ ldapsearch -h pokhara
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (open(/tmp/krb5cc_500): No such file or directory)
--------------------------------------------------------------------------

There is no problem accessing the DCs for the sub-domain from the Zimbra server (Linux) box at the time of the Zimbra authentication problem, i.e. we can ping, and we can traceroute with the FQDN and with the IP address.

The firewall and SELinux are all disabled on this server.

OK, here is how our email server is configured.

We have the internet address "academic.mit.edu.au" and the email address for all users is username@academic.mit.edu.au. We do not have two domain names at this stage. The Zimbra server uses LDAP to connect to the DCs (Windows AD) and we have two internal domains where Zimbra needs to search for users.

We are trying to get our heads around implementing authentication fallback, as all of us here are from a Windows background, not Linux.

We also found that IPv6 is disabled. Hopefully this will help you to understand the problem better.


Thank you

Last edited by phoenix; 11-16-2008 at 11:11 PM..
Reply With Quote
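The user search requested in post #21, written as a simple bind so that it does not depend on a Kerberos ticket cache, plus a small classifier for the error text ldapsearch returns. This is an added example, not part of any post: the function names are made up here, and the DC host, bind account, base DN and account name are arguments the operator supplies.

```shell
#!/bin/sh
# Added example, not from the thread. All connection details are arguments;
# nothing here is the posters' real configuration.

# Search one account on an AD domain controller using a simple bind.
# -x selects simple authentication; without it ldapsearch attempts a SASL
# bind (GSSAPI in the posted output), which needs a Kerberos ticket cache.
ad_user_search() {
    dc_host=$1 bind_upn=$2 base_dn=$3 account=$4
    # Allow only plain account names so the value cannot alter the filter.
    case $account in
        ''|*[!A-Za-z0-9._-]*) echo "invalid account name" >&2; return 2 ;;
    esac
    # -W prompts for the bind password instead of taking it on the command line.
    ldapsearch -x -LLL -H "ldap://$dc_host" -D "$bind_upn" -W \
        -b "$base_dn" "(sAMAccountName=$account)" dn sAMAccountName
}

# Map ldapsearch error text to the layer that failed.
classify_ldap_error() {
    case $1 in
        *"Can't contact LDAP server"*)
            echo "network: DC unreachable on the LDAP port" ;;
        *"SASL/GSSAPI authentication started"*|*ldap_sasl_interactive_bind_s*)
            echo "client: SASL bind attempted, rerun with -x" ;;
        *"Invalid credentials"*)
            echo "directory: bind account or password rejected" ;;
        *)  echo "unknown" ;;
    esac
}

# Error text as posted in post #23.
page_error='SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)'
classify_ldap_error "$page_error"
```

Run `ad_user_search` as the zimbra user once while authentication works and again during a failure; the classifier separates a client-side bind problem from an unreachable DC or a rejected bind account.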
  #24 (permalink)  
Old 11-18-2008, 02:47 PM
Intermediate Member
 
Posts: 22
Default

Hi Again

This morning Zimbra could not validate users again, so below is the output from the commands you provided. Let us know if you would like us to try something more.

[root@emailz ~]# netstat -rn
Kernel IP routing table
Destination     Gateway         Genmask         Flags   MSS Window  irtt Iface
192.168.5.0     0.0.0.0         255.255.255.0   U         0 0          0 eth1
172.16.32.0     0.0.0.0         255.255.255.0   U         0 0          0 eth0
169.254.0.0     0.0.0.0         255.255.0.0     U         0 0          0 eth1
0.0.0.0         172.16.32.13    0.0.0.0         UG        0 0          0 eth0
[root@emailz ~]#

------------------------------------------------------------------------

[root@emailz ~]# cat /etc/hosts
# Do not remove the following line, or various programs
# that require network functionality will fail.
127.0.0.1 localhost.localdomain localhost emailz
::1 localhost6.localdomain6 localhost6
--------------------------------------------------------------------------

[root@emailz ~]#cat /etc/resolv.conf
search internal.mitacademy
nameserver 172.16.32.2
nameserver 172.16.32.3
nameserver 172.16.56.2
nameserver 172.16.56.3
-------------------------------------------------------------------------

[root@emailz ~]# host `hostname`
emailz.internal.mitacademy has address 172.16.32.21
emailz.internal.mitacademy mail is handled by 10 emailz.internal.mitacademy.
--------------------------------------------------------------------------

[root@emailz ~]# dig internal.mitacademy mx

; <<>> DiG 9.3.3rc2 <<>> internal.mitacademy mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53121
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;internal.mitacademy. IN MX

;; AUTHORITY SECTION:
internal.mitacademy. 3600 IN SOA pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 18509 900 600 86400 3600

;; Query time: 1 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Wed Nov 19 09:21:57 2008
;; MSG SIZE rcvd: 92
--------------------------------------------------------------------------

[root@emailz ~]# dig internal.mitacademy any

; <<>> DiG 9.3.3rc2 <<>> internal.mitacademy any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4031
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 8, AUTHORITY: 0, ADDITIONAL: 5

;; QUESTION SECTION:
;internal.mitacademy. IN ANY

;; ANSWER SECTION:
internal.mitacademy. 600 IN A 172.16.32.7
internal.mitacademy. 600 IN A 172.16.32.2
internal.mitacademy. 600 IN A 172.16.32.3
internal.mitacademy. 3600 IN NS s-academic2.syd.internal.mitacademy.
internal.mitacademy. 3600 IN NS s-academic-1.syd.internal.mitacademy.
internal.mitacademy. 3600 IN NS pokhara.internal.mitacademy.
internal.mitacademy. 3600 IN NS l-pokhara.internal.mitacademy.
internal.mitacademy. 3600 IN SOA pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 18509 900 600 86400 3600

;; ADDITIONAL SECTION:
s-academic2.syd.internal.mitacademy. 3600 IN A 172.16.56.3
s-academic-1.syd.internal.mitacademy. 3600 IN A 172.16.56.2
pokhara.internal.mitacademy. 3600 IN A 172.16.32.2
l-pokhara.internal.mitacademy. 3600 IN A 172.16.32.122
l-pokhara.internal.mitacademy. 3600 IN A 172.16.32.3

;; Query time: 1 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Wed Nov 19 09:22:15 2008
;; MSG SIZE rcvd: 315
--------------------------------------------------------------------------

[root@emailz ~]# dig syd.internal.mitacademy mx

; <<>> DiG 9.3.3rc2 <<>> syd.internal.mitacademy mx
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33570
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0

;; QUESTION SECTION:
;syd.internal.mitacademy. IN MX

;; AUTHORITY SECTION:
internal.mitacademy. 3600 IN SOA pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 18509 900 600 86400 3600

;; Query time: 1 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Wed Nov 19 09:22:46 2008
;; MSG SIZE rcvd: 96
--------------------------------------------------------------------------

[root@emailz ~]# dig syd.internal.mitacademy any

; <<>> DiG 9.3.3rc2 <<>> syd.internal.mitacademy any
;; global options: printcmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46939
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 3, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;syd.internal.mitacademy. IN ANY

;; ANSWER SECTION:
syd.internal.mitacademy. 600 IN A 172.16.56.2
syd.internal.mitacademy. 600 IN A 172.16.56.3
syd.internal.mitacademy. 600 IN A 172.16.56.50

;; Query time: 1 msec
;; SERVER: 172.16.32.2#53(172.16.32.2)
;; WHEN: Wed Nov 19 09:22:56 2008
;; MSG SIZE rcvd: 89
-------------------------------------------------------------------------

[zimbra@emailz ~]$ zmcontrol -v


Release 5.0.10_GA_2638.RHEL5_20081003052615 CentOS5 FOSS edition
------------------------------------------------------------------------

[root@emailz ~]# traceroute 172.16.56.2
traceroute to 172.16.56.2 (172.16.56.2), 30 hops max, 40 byte packets
1 172.16.32.13 (172.16.32.13) 1.616 ms 2.112 ms 2.227 ms
2 192.168.1.254 (192.168.1.254) 3.115 ms 3.608 ms 3.823 ms
3 10.254.254.209 (10.254.254.209) 7.031 ms 8.242 ms 8.280 ms
4 10.254.254.13 (10.254.254.13) 15.049 ms 17.912 ms 18.790 ms
5 10.254.254.14 (10.254.254.14) 21.466 ms 22.495 ms 25.276 ms
6 192.168.11.3 (192.168.11.3) 14.581 ms 13.123 ms 12.714 ms
7 172.16.56.2 (172.16.56.2) 12.509 ms 12.022 ms 12.608 ms
-------------------------------------------------------------------------

[root@emailz ~]# traceroute s-academic-1.syd.internal.mitacademy
traceroute to s-academic-1.syd.internal.mitacademy (172.16.56.2), 30 hops max, 40 byte packets
1 172.16.32.13 (172.16.32.13) 1.581 ms 2.097 ms 2.130 ms
2 192.168.1.254 (192.168.1.254) 4.649 ms 5.172 ms 5.610 ms
3 10.254.254.209 (10.254.254.209) 2.104 ms 2.358 ms 2.346 ms
4 10.254.254.13 (10.254.254.13) 12.061 ms 12.291 ms 12.312 ms
5 10.254.254.14 (10.254.254.14) 17.982 ms 20.704 ms 21.689 ms
6 192.168.11.3 (192.168.11.3) 14.442 ms 14.144 ms 14.016 ms
7 172.16.56.2 (172.16.56.2) 12.738 ms 12.949 ms 13.167 ms
--------------------------------------------------------------------------

[zimbra@emailz ~]$ zmcontrol stop
Host emailz.internal.mitacademy
Stopping stats...Done
Stopping mta...Done
Stopping spell...Done
Stopping snmp...Done
Stopping archiving...Done
Stopping antivirus...Done
Stopping antispam...Done
Stopping imapproxy...Done
Stopping mailbox...Done
Stopping logger...Done
Stopping ldap...Done
--------------------------------------------------------------------------

[zimbra@emailz ~]$ zmcontrol start
Host emailz.internal.mitacademy
Starting ldap...Done.
Starting logger...Done.
Starting mailbox...Done.
Starting imapproxy...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting snmp...Done.
Starting spell...Done.
Starting mta...Done.
Starting stats...Done.
--------------------------------------------------------------------------

LDAP search still gives us an error when we try to do it from the CLI, but when we do it from the web interface (through the management login) we get the error as per the previous post.

Thank you
Reply With Quote
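Post #22 asks for the same commands to be run before and after the failure; comparing two saved `dig` outputs record by record is easier than reading them side by side. This is an added example, not part of any post: the function and file names are made up here, and the sample input is the SOA and ADDITIONAL records trimmed from the two `dig internal.mitacademy any` outputs posted above.

```shell
#!/bin/sh
# Added example: diff the resource records in two saved `dig` outputs.
# File names and function names are illustrative, not from the thread.

# Print the resource records of one saved dig output, one per line,
# with whitespace squeezed so column alignment does not matter.
dig_records() {
    awk '!/^;/ && NF >= 5 && $3 == "IN" { $1 = $1; print }' "$1" | LC_ALL=C sort -u
}

# "+" = record only in the second capture, "-" = only in the first.
dig_diff() {
    before=$(mktemp) && after=$(mktemp) || return 1
    dig_records "$1" > "$before"
    dig_records "$2" > "$after"
    LC_ALL=C comm -13 "$before" "$after" | sed 's/^/+ /'
    LC_ALL=C comm -23 "$before" "$after" | sed 's/^/- /'
    rm -f "$before" "$after"
}

# Sample input: records trimmed from the outputs in posts #23 and #24.
sample_dir=$(mktemp -d)
cat > "$sample_dir/nov17.txt" <<'EOF'
;; ANSWER SECTION:
internal.mitacademy.    3600    IN      SOA     pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 17737 900 600 86400 3600
;; ADDITIONAL SECTION:
s-academic-1.syd.internal.mitacademy. 3600 IN A 172.16.56.2
s-academic2.syd.internal.mitacademy. 3600 IN A  172.16.56.3
l-pokhara.internal.mitacademy. 3600 IN  A       172.16.32.3
pokhara.internal.mitacademy. 3600 IN    A       172.16.32.2
EOF
cat > "$sample_dir/nov19.txt" <<'EOF'
;; ANSWER SECTION:
internal.mitacademy. 3600 IN SOA pokhara.internal.mitacademy. hostmaster.internal.mitacademy. 18509 900 600 86400 3600
;; ADDITIONAL SECTION:
s-academic2.syd.internal.mitacademy. 3600 IN A 172.16.56.3
s-academic-1.syd.internal.mitacademy. 3600 IN A 172.16.56.2
pokhara.internal.mitacademy. 3600 IN A 172.16.32.2
l-pokhara.internal.mitacademy. 3600 IN A 172.16.32.122
l-pokhara.internal.mitacademy. 3600 IN A 172.16.32.3
EOF

dig_diff "$sample_dir/nov17.txt" "$sample_dir/nov19.txt"
```

On the thread's two captures it reports the SOA serial moving from 17737 to 18509 and an extra A record, 172.16.32.122, for l-pokhara.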