5.0.x to 6.0 Upgrade with Samba/Posix Extensions

[mackoftrack]

Hey all,

Has anyone successfully upgraded to 6.0 NE with Samba/Posix Extensions?
Last weekend was hellish as I attempted to follow the various wiki pages, and ended up with a broken system that Zimbra support had no idea how to fix (they spent 12 hours logged into my server and couldn't figure out how to fix the problem). I ended up having to restore 5.0.18 from backups (my 50 users had no Email, Windows, or Linux access the entire day).

I wish someone would create *1* wiki page for admins in my scenario. The updated wiki's (1,2,3,4) could be integrated better. I'd like to see 1 wiki page with instructions, *in order*, to successfully complete this upgrade.

Your thoughts?

[mackoftrack]

bump

[quanah]

Which wiki pages did you use? I've talked with several people using the 6.0 Samba/Posix wiki to upgrade without issue.

[mackoftrack]

I listed them in my post above.
Can one of the "several people" you've talked to respond to my post?

[quanah]

You can talk to a few on IRC, if you sign onto freenode and join the #zimbra channel.

[ArcaneMagus]

If it helps at all the steps that I used are basically as follows:
1. install.sh -s
To get the new LDAP software to work with
2. Installing custom ldap schema 6.0 - Zimbra :: Wiki
This wiki is pretty much a howto for NIS and Samba schema installation however the "ldap start" start ran for a few minutes and never appeared to actually complete, but it did create the config files which I modified later so it got what I needed accomplished. I only called it once at the end of doing the steps on that page
3. Optimizing 50 to 60 LDAP upgrade - Zimbra :: Wiki
Do what it says to add the indicies. (I ignored Adding ldap indices 6.0 - Zimbra :: Wiki as that is only applicable if the LDAP database is up, running, and the key part... updated to 6.0 schema already)
4. /opt/zimbra/libexec/zmsetup.pl
Run the upgrade process to update all the schema and actually make your system 6.0.0
5. zmcontrol stop
After it is all setup... shut all the zimbra processes down.
6. UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki
Finally got to things in here, I ignored all of the steps related to configuring the zmposix and zmposixroot accounts as the Samba server is separate on my setup and uses the admin user to authenticate.
You do need to do the modificiations at the end of Part 1 related to the ACL, but I didn't bother messing around with an .ldiff file and instead directly modified /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}hdb.ldif when the LDAP server was shut down.
7. zmcontrol start
8. redeploy the samba and posix admin extensions, remembering to modify the values as described at the beginning of part 2.

I ignored most of the rest of the UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki document as it was already setup before and didn't change for me since the Samba server is separate.

Hope this helps.

[mackoftrack]

Thanks. That sort of helps. I'd still like to see more formal instructions issued by Zimbra. When you're dealing with live systems, there's just too much at stake to take chances, even with backups readily available. You want to go into the upgrade knowing that it will succeed...

[mackoftrack]

I ignored all of the steps related to configuring the zmposix and zmposixroot accounts as the Samba server is separate on my setup and uses the admin user to authenticate.
You do need to do the modificiations at the end of Part 1 related to the ACL, but I didn't bother messing around with an .ldiff file and instead directly modified /opt/zimbra/data/ldap/config/cn=config/olcDatabase={2}hdb.ldif when the LDAP server was shut down.

I'm a little unclear about this. The wiki says you need to create these 2 users, doesn't it? I have a separate Samba server too, but I don't understand what the difference is. In the 5.0.x setup, doesn't Zimbra use "cn=config" as the bind DN?
Please explain...

[quanah]

I'm a little unclear about this. The wiki says you need to create these 2 users, doesn't it? I have a separate Samba server too, but I don't understand what the difference is. In the 5.0.x setup, doesn't Zimbra use "cn=config" as the bind DN?
Please explain...

The difference is security. The original wiki should never, ever have suggested using the cn=config user, as that user can add/modify/delete *anything* in the OpenLDAP database, including the server configuration. It is particularly bad, since it uses the cn=config as the less secure user over the zimbra admin user, even though it has more access. That is why when I wrote the 6.0 wiki, I set it up so that two brand new users are used, with very limited access to the LDAP database, and no ability to modify the server configuration.

[mackoftrack]

The difference is security. The original wiki should never, ever have suggested using the cn=config user, as that user can add/modify/delete *anything* in the OpenLDAP database, including the server configuration. It is particularly bad, since it uses the cn=config as the less secure user over the zimbra admin user, even though it has more access. That is why when I wrote the 6.0 wiki, I set it up so that two brand new users are used, with very limited access to the LDAP database, and no ability to modify the server configuration.

Ok. So that being said, I *should* follow the new Wiki's instructions and create those two users?