  #1 (permalink)  
Old 10-03-2008, 05:47 PM
Intermediate Member
 
Posts: 22
Default LDAP authentication problem after backup script run

Hi All

We are having an issue with LDAP authentication (Windows 2003 AD) for one of our domains (sub). We are using the script from Open Source Edition Backup Procedure - Zimbra :: Wiki (A Simple Shell Script Method).
We are not very good at scripting, and we have a backup server (Windows 2003) and found this to be a simpler way of backing up data for us.

We have Windows AD internal.test, sub.internal.test. We have set the LDAP search path to dc=internal,dc=test.

Now we are running this script every night, every week and every month and uploading to a Windows-based FTP backup server.

After every backup run, users are not able to log on to the Zimbra server, especially for sub.internal.test. Sometimes users can log in after restarting the Zimbra service, but sometimes we have to reboot the whole system.

We were wondering if anyone has any suggestions for us; they will be appreciated.

Thank you in advance
  #2 (permalink)  
Old 10-03-2008, 05:59 PM
Moderator
 
Posts: 1,531
Default

Could it be that your script is not closing connections that it opens to the 2003 server, and maybe it's causing too many connections to be open? Just a shot in the dark here.
  #3 (permalink)  
Old 10-04-2008, 03:15 AM
Intermediate Member
 
Posts: 22
Default

Hi bdial

Is there any easy way of checking connections as you suggested? The only connection I know of between Zimbra and the Windows 2003 backup server is the FTP connection to upload the archived backup file.

We also found out that after the backup script has run, users of internal.test are able to log on to the server without any issue; only users from sub.internal.test are not able to log on to the Zimbra server using their Windows AD user name and password.

Thank you
  #4 (permalink)  
Old 10-14-2008, 09:57 PM
Intermediate Member
 
Posts: 22
Default

We thought we would update you guys a bit.

We added commands to restart the service as well as reboot the server after the backup job completes. All the commands seem to do the job they are supposed to do, but users from the sub domain still cannot log on to the Zimbra server after this. There is no issue whatsoever for the top-level domain users.

Our sub domain DC is sitting in a different city; could this be the problem, as it travels through the WAN and so on? We also couldn't understand why, if we do not run the backup script and do not do a backup, everything runs without any problem.

Thank you
  #5 (permalink)  
Old 11-01-2008, 05:04 PM
Intermediate Member
 
Posts: 22
Default

Thought we would update you here.

We are currently monitoring traffic between the Zimbra server and the DC of the sub domain.

When users can log on successfully, we can see traffic between the Zimbra server and the DC of the sub domain.

But

When users cannot log on, there is no traffic between these two servers.

Now we are thinking that there must be something that is not right between Zimbra and our primary DC; in other words, it has some difficulty doing a full LDAP search (for the sub domain).

If you can think of something, we will appreciate it.

Thank you
  #6 (permalink)  
Old 11-02-2008, 01:11 AM
Zimbra Consultant & Moderator
 
Posts: 19,581
Default

Once the backup script has run and the users can't login, can you actually see the DC? Can you try running an ldapsearch on your zimbra server against the DC (try the domain and subdomain) and see if it gives any results? Can you ping the DC from the Zimbra server after the failure? I assume the Zimbra server can still send and receive mail after the backup?

Are all your other machines and services that authenticate against the DC still working OK at this point? I'm also assuming that the Zimbra server is just a Zimbra server and nothing else is on it, is that correct? What size file are you transferring to your backup server? I'm also making the assumption that your backup transfer is completed OK; have you ever verified that the backup file is correct? Is this a single or multiple NIC and/or IPs in the Zimbra server?

Which version/release of Zimbra is this?
__________________
Regards


Bill
  #7 (permalink)  
Old 11-02-2008, 04:17 AM
Intermediate Member
 
Posts: 22
Default

Hi phoenix, thank you for your reply.

I think it will be better if I answer you point by point.

Once the backup script has run and the users can't login, can you actually see the DC?
Ans:- Yes, we can ping, we can connect to the DC of the sub domain, and we have the whole network running without any problem. Zimbra still authenticates users to the top-level domain, and users on this domain don't have any issue.

Can you try running an ldapsearch on your zimbra server against the DC (try the domain and sub domain) and see if it gives any results?
Ans:- Once I rebooted Zimbra it's working now, but do you think I should try a particular method, or will a normal ldap search do?

Can you ping the DC from the Zimbra server after the failure? I assume the Zimbra server can still send and receive mail after the backup?
Ans:- Yes, I can still ping the DCs, but we are not sure if we can send and receive emails as we have tried that. We also assume that we will only be able to do testing with top-level users, as they are the only ones who can log on.

Are all your other machines and services that authenticate against the DC still working OK at this point?
Ans:- Yes, as per my previous answer.

I'm also assuming that the Zimbra server is just a Zimbra server and nothing else is on it, is that correct?
Ans:- Yes, and it is running on a virtual server (Virtual Iron) with the OS being CentOS 5.1.

What size file are you transferring to your backup server? I'm also making the assumption that your backup transfer is completed OK, have you ever verified that the backup file is correct?
Ans:- The file size is only around 3GB and it is transferred to our Windows backup server, which is not a standalone server.

Is this a single or multiple NIC and/or IPs in the Zimbra server?
Ans:- It has two NICs, one for the public/user network and another for the backup network.

Which version/release of Zimbra is this?
Ans:- Release 5.0.7_GA_2444.RHEL5_20080626020941 CentOS5 FOSS edition

Please let me know if you want more information.

We are thinking of upgrading to a newer version, but we are not sure if that will help us. We have been working on this case for a while now, so we may have to consider alternatives if this doesn't work out.

Thank you for your help
  #8 (permalink)  
Old 11-02-2008, 06:20 AM
Zimbra Consultant & Moderator
 
Posts: 19,581
Default

I'd always prefer you to be on the most current release for testing if bugs exist but I know that's not always practical.

You might consider implementing authentication fallback to overcome this problem in the short term. Run the following command:

Code:
zmprov md sub.domain.com zimbraAuthFallbackToLocal TRUE
That will, of course, require the passwords to be kept in sync. There's currently no facility in Zimbra to do that but I seem to remember there's an RFE in bugzilla if you'd like to search and vote on it.

I can't really understand why the TLD would authenticate and not a subdomain. Try an ldapsearch on the subdomain before you reboot after the next failure.

Does the server have sufficient RAM? Which particular backup script are you running from that wiki page?
__________________
Regards


Bill
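
Added example (not part of the original thread or any poster's code): a shell helper for the ldapsearch check suggested above, to be run against both DCs after a failure and before any restart, reporting whether each DC returned the entry, only a referral, an error, or nothing. The bind DN, the DC host names and the account `jdoe` are assumptions; the sample outputs are constructed.

```shell
#!/bin/bash
# Added example: bind DN, DC host names and test user are placeholders.
BIND_DN='CN=zimbra-bind,CN=Users,DC=internal,DC=test'   # assumed service account

# Summarise ldapsearch output on stdin: entries, referrals, result code.
classify_ldapsearch() {
    awk '
        /^dn: /     { entries++ }
        /^ref: /    { refs++ }
        /^result: / { code = $2 }
        END {
            if (code == "")          verdict = "NO_RESULT"      # connect or bind failed
            else if (code + 0 != 0)  verdict = "LDAP_ERROR"
            else if (entries > 0)    verdict = "FOUND"
            else if (refs > 0)       verdict = "REFERRAL_ONLY"  # answer lives on another DC
            else                     verdict = "NOT_FOUND"
            printf "%s entries=%d referrals=%d\n", verdict, entries, refs
        }'
}

# Query one DC for one account under one search base (prompts for the password).
check_dc() {   # usage: check_dc HOST BASE SAMACCOUNTNAME
    printf '%s base=%s -> ' "$1" "$2"
    ldapsearch -x -H "ldap://$1" -D "$BIND_DN" -W -b "$2" \
        "(sAMAccountName=$3)" dn | classify_ldapsearch
}

# Constructed sample outputs (not captured from any real server).
SAMPLE_FOUND='# jdoe, Users, sub.internal.test
dn: CN=jdoe,CN=Users,DC=sub,DC=internal,DC=test

# search result
search: 2
result: 0 Success'

SAMPLE_REFERRAL='# search reference
ref: ldap://sub.internal.test/DC=sub,DC=internal,DC=test

# search result
search: 2
result: 0 Success'

printf '%s\n' "$SAMPLE_FOUND"    | classify_ldapsearch
printf '%s\n' "$SAMPLE_REFERRAL" | classify_ldapsearch

# After the next failure, before restarting Zimbra (host names assumed):
#   check_dc dc1.internal.test     dc=internal,dc=test        jdoe
#   check_dc dc1.sub.internal.test dc=sub,dc=internal,dc=test jdoe
```

Comparing the verdicts for the top-level and sub domain DCs while logins are failing, and again after a restart, shows whether the directory side changed or only the Zimbra side did.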
  #9 (permalink)  
Old 11-02-2008, 05:21 PM
Intermediate Member
 
Posts: 22
Default

Hi phoenix, thanks again.

We used "A Simple Shell Script Method" from the wiki and now we are using scripts from www.swedcore.net Blog Archive Zimbra OSE backup script.

This server is assigned 1GB of RAM, and even though we have lots of users they are not heavy users; all of them are casual staff and they use this email server for 1-4 hrs a day on average, and we have around 100-200 users.

We have been puzzled by this LDAP issue, and the thing we couldn't understand is that at the time it failed to validate users from the sub domain, this server is not initiating any connection to the sub domain's DC at all.

We have set the LDAP search path to dc=top,dc=internal; is something wrong here? I believed an LDAP search should be able to get users from dc=sub,dc=top,dc=internal; am I right to say that? The LDAP server IP addresses are pointing to the DC from the top domain as well as the DC from the sub domain.

We are planning to upgrade to a new version soon, but we are not sure if this will solve our problem.

Thank you
  #10 (permalink)  
Old 11-03-2008, 05:32 AM
Active Member
 
Posts: 47
Default

Hi.

I saw that you are using my backup script. I want to know if you get this behavior outside of script usage; for example, when you stop and start Zimbra services manually, will this reappear, or is this isolated to the running of the script?

Try the following as the root or zimbra user.
Code:
/etc/init.d/zimbra stop && sleep 20 && /etc/init.d/zimbra start
/Marcus
__________________
Systems Specialist
openSUSE Ambassador in Sweden
Visit my blogs at www.osource.se