Welcome to the Zimbra :: Forums!
09-28-2009, 06:36 AM (Intermediate Member, Posts: 24)
Hi lithorus!
I created the user "toaddmachines" in Zimbra Administration - https://zimbra.example.com:7071/
Later I also tried to add computers to the domain using the initial password assigned to the "toaddmachines" user and also the password changed in webmail. This way I think I covered both possibilities...
Is there a way to sync passwords changed in webmail with passwords in Samba?
09-28-2009, 06:39 AM
Quote: Originally Posted by peracchi
    Hi lithorus!
    I created the user "toaddmachines" in Zimbra Administration - https://zimbra.example.com:7071/
    Later I also tried to add computers to the domain using the initial password assigned to the "toaddmachines" user and also the password changed in webmail. This way I think I covered both possibilities...
    Is there a way to sync passwords changed in webmail with passwords in Samba?
If you change the password on the domain it'll update the password for the Zimbra account. Just not the other way around.
09-28-2009, 06:48 AM (Intermediate Member, Posts: 24)
Hi lithorus!
When you made your setup, did you put Zimbra and Samba on different computers?
Can you please show me the contents of your key files in this setup?
I would like to see the contents of:
/etc/smb.conf
/etc/nsswitch.conf
/etc/pam.d/common-account
/etc/pam.d/common-auth
/etc/pam.d/common-password
/etc/pam.d/common-session
What directories do you need to create in Ubuntu 8.04.3 LTS Server for Samba to use, and what permissions do you assign to them? I noticed that some directories used by the smb.conf of the tutorials are missing by default in /var/lib/samba.
Again, thanks for your help. I have been struggling with this setup for days and I am going crazy...
09-28-2009, 07:02 AM
Quote: Originally Posted by peracchi
    Hi lithorus!
    When you made your setup, did you put Zimbra and Samba on different computers?
    Can you please show me the contents of your key files in this setup?
    I would like to see the contents of:
    /etc/smb.conf
    /etc/nsswitch.conf
    /etc/pam.d/common-account
    /etc/pam.d/common-auth
    /etc/pam.d/common-password
    /etc/pam.d/common-session
    What directories do you need to create in Ubuntu 8.04.3 LTS Server for Samba to use, and what permissions do you assign to them? I noticed that some directories used by the smb.conf of the tutorials are missing by default in /var/lib/samba.
    Again, thanks for your help. I have been struggling with this setup for days and I am going crazy...
Same machine for both samba and zimbra.
Never changed any permissions.
/etc/smb.conf :
Code:
[global]
workgroup = NEWDOMAIN
netbios name = sambatest
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Ubuntu)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://10.0.0.199/
ldap ssl = Off
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ldap suffix = dc=newdomain,dc=local
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\sambatest\%U\profile
logon home = \\sambatest\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes
[homes]
comment = Home Directories
browseable = yes
read only = No
valid users = %S
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
locking = no
[profiles]
comment = Users profiles
path = /var/lib/samba/profiles
read only = No
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes

I never created the netlogon etc. in /var/lib/samba.
I only created the setup for testing Windows 7 domain logon, so didn't fix these things.
/etc/nsswitch.conf :
Code:
passwd: files ldap
group: files ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

I should mention that I tested with samba 3.4.1 from a ppa.
09-28-2009, 07:05 AM
The thing you are looking for is probably the
Something to do with the way that samba uses ldap ssl.
09-28-2009, 07:17 AM (Intermediate Member, Posts: 24)
Hi lithorus!
I will try with in my smb.conf
When I installed Samba I used:
Code:
sudo apt-get --yes install samba smbclient libnss-ldap

When prompted by the libnss-ldap configuration program I gave these answers:
Code:
ldap://zimbra.example.com/
dc=example,dc=com
3
Yes
Yes
uid=zmposixroot,cn=appaccts,cn=zimbra
zmposixroot
uid=zmposix,cn=appaccts,cn=zimbra
zmposix

One thing that I think I discovered by myself was that you need to answer "yes" to the question about the need for authentication to access the LDAP base. In one of my trials I noticed that when a "normal" user looks at its files (in his home folder, for example) it doesn't get the user/group names; instead, just the numbers are shown. When logged in as the root user, user/group names showed correctly. I linked that with the two users "zmposix" and "zmposixroot". It's a little detail that isn't in the tutorials...
Can you please show me the contents of the modified /etc/pam.d files? Or did you not change any of them?
09-28-2009, 07:24 AM
Quote: Originally Posted by peracchi
    Can you please show me the contents of the modified /etc/pam.d files? Or did you not change any of them?
Never modified those. AFAIK, they are only used if you want to authenticate local logins with ldap. Samba doesn't use pam for authenticating with the option:
Code:
obey pam restrictions = no

Quote:
    One thing that I think I discovered by myself was that you need to answer "yes" to the question about the need for authentication to access the LDAP base.
Yes, Zimbra 5.0.x allowed anonymous ldap, but a clean 6.x install does not. An upgraded 5.0.x to 6.x does however.
09-28-2009, 12:48 PM (Intermediate Member, Posts: 24)
Hi lithorus!
Everything goes smooth until the part:
Then I get on the samba server:
Code:
user@samba:~$ sudo smbpasswd -a root
New SMB password:
Retype new SMB password:
ldapsam_modify_entry: LDAP Password could not be changed for user root: Insufficient access
unknown
ldapsam_add_sam_account: failed to modify/add user with uid = root (dn = uid=root,ou=people,dc=example,dc=com)
Failed to add entry for user root.
Failed to modify password entry for user root

But I have observed Zimbra LDAP before and after the command.
Before I had the root alias:
Code:
zimbraId: d9cefdae-faf3-4ef1-8c80-a580b059de4b
uid: root
zimbraAliasTargetId: 10f53e81-fbb8-44d7-9565-d3b1856b7b56
zimbraCreateTimestamp: 25/9/2009 20:50:31
objectClass: zimbraAlias

After the command sudo smbpasswd -a root I get:
Code:
uid: root
sambaSID: S-1-5-21-3810401420-4072428212-1875409752-1000
displayName: root
sambaNTPassword: BE2CB981BC8F1F6F43E51DC08CE097A7
sambaPasswordHistory: 0000000000000000000000000000000000000000000000000000000000000000
sambaPwdLastSet: 1254161288
sambaAcctFlags: [U ]
objectClass: sambaSamAccount
objectClass: account

Then (I have already added the "Domain Admins" group):
Code:
user@samba:~$ sudo net rpc rights grant "EXAMPLE\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege
Password:
Successfully granted rights.

Later, I can't get the Windows XP Pro computer into the domain...
I have created a user called "domainadmin" with password "teste1".
On the first login to the webmail, Zimbra asks for a password change. I changed it to "teste2".
When I tried to join the domain with the latest password, it says that the user or password is incorrect. I go back to webmail and change the password to "teste3", hoping that Zimbra now syncs the password with Samba.
Again, "user or password incorrect".
If I try the first assigned password (set on user creation in Zimbra Admin), "teste1", Windows XP Pro says that "password must be changed before first login"...
If I go back to Zimbra Admin and set the user password to never expire, when I try to join the domain Windows XP Pro says something like "a device connected to the system isn't working" (my Windows XP is Portuguese BR).

dns-01.example.com = 192.168.1.201
dns-02.example.com = 192.168.1.202
dhcp.example.com = 192.168.1.203
zimbra.example.com = 192.168.1.205
samba.example.com = 192.168.1.206

dhcpd.conf at dhcp.example.com
Code:
ddns-update-style none;
option domain-name "example.com";
option domain-name-servers 192.168.1.201, 192.168.1.202;
option netbios-name-servers 192.168.1.206;
option subnet-mask 255.255.255.0;
option broadcast-address 192.168.1.255;
option routers 192.168.1.254;
default-lease-time 600;
max-lease-time 7200;
authoritative;
log-facility local7;
subnet 192.168.1.0 netmask 255.255.255.0 {
range 192.168.1.101 192.168.1.109;
}

nsswitch.conf at samba.example.com
Code:
passwd: files ldap
group: files ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis

smb.conf at samba.example.com
Code:
[global]
workgroup = EXAMPLE
netbios name = samba
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Ubuntu)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://zimbra.example.com/
ldap ssl = off
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ldap suffix = dc=example,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\samba.example.com\%U\profile
logon home = \\samba.example.com\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes
[homes]
comment = Home Directories
browseable = yes
read only = No
valid users = %S
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
locking = no
[profiles]
comment = Users profiles
path = /var/lib/samba/profiles
read only = No
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

What else can I provide to help diagnose why I can't get this to work?
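The smb.conf posted above carries two settings that decide how much the Samba host can do to the Zimbra directory and how its credentials travel: `passdb backend = ldapsam:ldap://zimbra.example.com/` together with `ldap ssl = off`, and `ldap admin dn`. The following is an added example, not code from the thread or from Zimbra/Samba; it audits those settings with only the Python standard library. The config embedded in it is a constructed excerpt of the one posted (same hosts and DNs, fewer lines), and the finding codes are this example's own names.

```python
import configparser
import io
from urllib.parse import urlparse


def yes(value):
    """Samba boolean: yes/true/1 are true; anything else (including 'No') is false."""
    return value.strip().lower() in ("yes", "true", "1")


def norm_dn(dn):
    """Lowercase a DN and drop whitespace around commas so DNs compare reliably."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_smb_conf(text):
    """smb.conf is ini-like: disable interpolation so %U-style macros survive,
    and split only on '=' so URIs such as ldap://host/ are not cut at the ':'."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.read_file(io.StringIO(text))
    return cp


def audit(cp):
    """(severity, code, message) findings for the settings discussed in the thread."""
    g = cp["global"]
    findings = []
    backend = g.get("passdb backend", "").strip()
    uris = backend.split(":", 1)[1].split() if backend.startswith("ldapsam:") else []
    ssl = g.get("ldap ssl", "off").strip().lower()
    for uri in uris:
        u = urlparse(uri)
        local = u.scheme == "ldapi" or (u.hostname or "") in ("localhost", "127.0.0.1", "::1")
        if u.scheme == "ldap" and not local and ssl != "start tls":
            findings.append(("HIGH", "LDAP_CLEARTEXT",
                             f"{uri} with 'ldap ssl = {ssl}': the ldap admin dn bind password and "
                             "sambaNTPassword values cross the network unencrypted; set 'ldap ssl = start tls'"))
    admin_dn = g.get("ldap admin dn", "").strip().strip('"')
    if norm_dn(admin_dn).endswith(",cn=admins,cn=zimbra"):
        findings.append(("HIGH", "ADMIN_DN_OVERPRIVILEGED",
                         f"{admin_dn}: the thread's ACLs give dn.children=cn=admins,cn=zimbra write to "
                         "everything, so Samba could rewrite any Zimbra entry; keep zmposixroot and fix its ACL"))
    if yes(g.get("ldap passwd sync", "no")):
        findings.append(("INFO", "PASSWD_SYNC_ONEWAY",
                         "Samba rewrites userPassword when an NT password changes (so the admin dn needs "
                         "write on userPassword); webmail password changes never update sambaNTPassword"))
    for name in cp.sections():
        if name == "global":
            continue
        s = cp[name]
        guest = yes(s.get("guest ok", s.get("public", "no")))
        writable = yes(s.get("writable", "no")) or not yes(s.get("read only", "yes"))
        if guest and writable:
            findings.append(("HIGH", "GUEST_WRITABLE", f"[{name}] lets unauthenticated clients write"))
    return findings


def audit_codes(text):
    """Just the finding codes, in order, for a config given as text."""
    return [code for _, code, _ in audit(parse_smb_conf(text))]


# Constructed excerpt of the smb.conf posted in the thread (same hosts and DNs).
POSTED = r"""
[global]
workgroup = EXAMPLE
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://zimbra.example.com/
ldap ssl = off
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ldap suffix = dc=example,dc=com
obey pam restrictions = no
domain logons = yes
logon path = \\samba.example.com\%U\profile
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
[profiles]
path = /var/lib/samba/profiles
read only = No
"""

# The shortcut tried later in the thread: bind as a member of cn=admins,cn=zimbra.
SHORTCUT = POSTED.replace('"uid=zmposixroot,cn=appaccts,cn=zimbra"', '"uid=zimbra,cn=admins,cn=zimbra"')

if __name__ == "__main__":
    for label, text in (("as posted", POSTED), ("admin-dn shortcut", SHORTCUT)):
        print(label)
        for sev, code, msg in audit(parse_smb_conf(text)):
            print(f"  {sev:<4} {code}: {msg}")
```

The [netlogon] share passes the guest check only because it is read-only by default; logon.cmd from that share runs on every client that joins, so any change that makes it writable should show up as GUEST_WRITABLE. Pointing the script at a real file is `audit_codes(open("/etc/samba/smb.conf").read())`.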
09-28-2009, 07:01 PM (Intermediate Member, Posts: 24)
I have found something!
If I repeat all the steps I have done until now, without a change, but in smb.conf I change:
Code:
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"

to
Code:
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"

then the error at: goes away!
So, there is something causing the error at this part of the original wiki article:
Quote:
    Now, you need to adjust the LDAP acls so that these new users can read the data necessary from the LDAP server. This will need to be done on each LDAP server that exists. Create a file called /tmp/acl.ldif and add the following to it. If this is a master with replicas, you need to change the olcDatabase line to be olcDatabase={3}hdb,cn=config in both sections.
    In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my ldapSuffix is
    Code:
    dc=gregzimbra1,dc=zimbra,dc=com

    Be sure to replace dc=gregzimbra1,dc=zimbra,dc=com with your actual domain
    Code:
    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    delete: olcAccess
    olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
    -
    add: olcAccess
    olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

    dn: olcDatabase={2}hdb,cn=config
    changetype: modify
    add: olcAccess
    olcAccess: {10}to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
    olcAccess: {11}to dn.subtree="ou=machines,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
    olcAccess: {12}to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
    olcAccess: {13}to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none

    Now apply this ACL modification to the LDAP server:
    Code:
    ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
I have turned this part of the wiki article into this part of my bash script:
Code:
# create two new users for the local posix and samba processes to use to access the information from the LDAP server
# note: slappasswd -s takes the password itself, so these accounts get the literal passwords "zmposix" and "zmposixroot"
ZMPOSIX_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposix`
ZMPOSIXROOT_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposixroot`
# unquoted EOF so the $..._LDAP_PASSWORD variables expand; LDIF records are separated by a blank line
tee /tmp/posixusers.ldif > /dev/null <<- EOF
dn: uid=zmposix,cn=appaccts,cn=zimbra
uid: zmposix
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: zmposix
sn: zmposix
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
description: The zimbra posix account
userPassword: $ZMPOSIX_LDAP_PASSWORD

dn: uid=zmposixroot,cn=appaccts,cn=zimbra
uid: zmposixroot
objectClass: zimbraAccount
objectClass: organizationalPerson
cn: zmposixroot
sn: zmposixroot
zimbraAccountStatus: active
zimbraIsSystemResource: TRUE
zimbraId: 6ED47B38-98CC-11DE-AAC1-9F159BA35B33
description: The zimbra posix root account
userPassword: $ZMPOSIXROOT_LDAP_PASSWORD
EOF
ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -w "$ZIMBRA_LDAP_PASSWORD"
# adjust the LDAP acls so that these new users can read the data necessary from the LDAP server
# quoted 'EOF': nothing in the ACL text is expanded by the shell
tee /tmp/acl.ldif > /dev/null <<- 'EOF'
dn: olcDatabase={2}hdb,cn=config
changetype: modify
delete: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read

dn: olcDatabase={2}hdb,cn=config
changetype: modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {11}to dn.subtree="ou=machines,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {12}to dn.subtree="ou=groups,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
olcAccess: {13}to dn.subtree="ou=people,dc=example,dc=com" by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none
EOF
ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -w "$ZIMBRA_LDAP_PASSWORD"

Can anyone spot any error?
Clearly it is a problem of ACLs for zmposixroot.
When I made this setup with Zimbra 5.0.x the LDAP structure was different; read access to LDAP didn't require login (now we must use zmposix).
One more little step toward the goal!
lithorus, thanks for the help, but that wasn't what was causing the problem.
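The post above narrows the failure to the ACLs granted to zmposixroot, and the workaround (binding as a member of cn=admins,cn=zimbra) works because every rule in acl.ldif gives that group write. What decides the zmposixroot case is slapd's first-match evaluation: the first olcAccess whose "to" clause matches the entry and attribute is the only one consulted, and within it the first matching "by" clause sets the access level. As an added example, not code from the thread or from the Zimbra wiki, the Python below models that evaluation for the rule forms used here (dn.exact/children/subtree, attrs=, `*`, anonymous, users; no sets, regexes or filters). Rules {9} to {13} are copied from the acl.ldif in the post (dc=example,dc=com form). The rule labelled {0} is a constructed assumption, not copied from any Zimbra install: an attribute-specific rule placed ahead of the wiki's additions, to show how an earlier rule for userPassword would override the later subtree grants. `ROOT_ENTRY` is the DN from the smbpasswd error message.

```python
import re

# OpenLDAP access levels, weakest to strongest (add/delete/manage folded into write here).
LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write"]

WHAT_DN = re.compile(r'dn\.(exact|children|subtree)="([^"]*)"')
WHAT_ATTRS = re.compile(r"attrs=([\w,]+)")
WHO = re.compile(r'^(?:(\*)|(anonymous)|(users)|dn\.(exact|children|subtree)="([^"]*)")\s+(\w+)$')


def norm_dn(dn):
    return ",".join(part.strip().lower() for part in dn.split(","))


def dn_matches(style, base, target):
    """dn.exact / dn.children / dn.subtree as defined in slapd.access(5)."""
    base, target = norm_dn(base), norm_dn(target)
    if style == "exact":
        return target == base
    if style == "children":
        return target.endswith("," + base)
    return target == base or target.endswith("," + base)  # subtree


def parse_rule(text):
    """Parse one olcAccess value: '{n}to <what> by <who> <level> [by <who> <level> ...]'."""
    text = re.sub(r"^\{\d+\}", "", text.strip())
    if not text.startswith("to "):
        raise ValueError("rule must start with 'to': " + text)
    what, *who_parts = re.split(r"\s+by\s+", text[3:])
    dn, attrs = WHAT_DN.search(what), WHAT_ATTRS.search(what)
    rule = {"dn": (dn.group(1), dn.group(2)) if dn else None,  # None: any entry
            "attrs": {a.lower() for a in attrs.group(1).split(",")} if attrs else None,  # None: any attribute
            "by": []}
    for clause in who_parts:
        m = WHO.match(clause.strip())
        if not m or m.group(6) not in LEVELS:
            raise ValueError("unsupported by-clause: " + clause)
        star, anon, users, style, who_dn, level = m.groups()
        kind = "*" if star else "anonymous" if anon else "users" if users else style
        rule["by"].append((kind, who_dn, level))
    return rule


def evaluate(rules, bind_dn, target_dn, attr):
    """slapd stops at the FIRST rule whose <what> matches; inside it the FIRST matching
    <who> decides, and a rule with no matching <who> denies. bind_dn None = anonymous."""
    for i, rule in enumerate(rules):
        if rule["dn"] and not dn_matches(rule["dn"][0], rule["dn"][1], target_dn):
            continue
        if rule["attrs"] is not None and attr.lower() not in rule["attrs"]:
            continue
        for kind, who_dn, level in rule["by"]:
            if kind == "*" or (kind == "anonymous" and bind_dn is None) \
                    or (kind == "users" and bind_dn is not None) \
                    or (kind in ("exact", "children", "subtree") and bind_dn is not None
                        and dn_matches(kind, who_dn, bind_dn)):
                return level, i
        return "none", i
    return "none", None  # no rule matched: denied (only the rootdn bypasses ACLs)


def check(bind_dn, target_dn, attr, needed, rules=None):
    """(granted?, index of the deciding rule) for one requested access level."""
    level, idx = evaluate(RULES if rules is None else rules, bind_dn, target_dn, attr)
    return LEVELS.index(level) >= LEVELS.index(needed), idx


def shadowed(rules):
    """Indices of rules that can never be selected because an earlier rule's <what>
    already covers every entry and attribute they could match."""
    def covers(outer, inner):
        (ostyle, obase), (istyle, ibase) = outer, inner
        if ostyle == "subtree":
            return dn_matches("subtree", obase, ibase)
        if ostyle == "children":
            return dn_matches("children", obase, ibase) or (istyle == "children" and norm_dn(obase) == norm_dn(ibase))
        return istyle == "exact" and norm_dn(obase) == norm_dn(ibase)
    out = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            attrs_ok = earlier["attrs"] is None or (later["attrs"] is not None and later["attrs"] <= earlier["attrs"])
            dn_ok = earlier["dn"] is None or (later["dn"] is not None and covers(earlier["dn"], later["dn"]))
            if attrs_ok and dn_ok:
                out.append(j)
                break
    return out


SUBTREE = ('to dn.subtree="{}" by dn.children="cn=admins,cn=zimbra" write '
           'by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write '
           'by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read by * none')
RULE_TEXT = [
    # {0}: CONSTRUCTED assumption, not from Zimbra: an attribute-specific rule that precedes
    # the wiki's additions, in the way userPassword is commonly protected.
    '{0}to attrs=userPassword by anonymous auth by dn.children="cn=admins,cn=zimbra" write by * none',
    # {9}-{13}: as in the acl.ldif posted in the thread.
    '{9}to attrs=entry by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write by * read',
] + ["{%d}%s" % (10 + i, SUBTREE.format(base)) for i, base in enumerate(
    ["dc=example,dc=com", "ou=machines,dc=example,dc=com", "ou=groups,dc=example,dc=com", "ou=people,dc=example,dc=com"])]
RULES = [parse_rule(r) for r in RULE_TEXT]

ZMPOSIXROOT = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ZMPOSIX = "uid=zmposix,cn=appaccts,cn=zimbra"
ZIMBRA_ADMIN = "uid=zimbra,cn=admins,cn=zimbra"
ROOT_ENTRY = "uid=root,ou=people,dc=example,dc=com"  # the entry smbpasswd -a root modified

if __name__ == "__main__":
    for who in (ZMPOSIXROOT, ZIMBRA_ADMIN):
        for attr in ("sambaNTPassword", "userPassword"):
            print(f"{who} write {attr}: {check(who, ROOT_ENTRY, attr, 'write')}")
    print("anonymous read uid:", check(None, ROOT_ENTRY, "uid", "read"))
    print("rules that are never reached:", shadowed(RULES))
```

Two things fall out of running it. Under the constructed {0} rule, zmposixroot may write sambaNTPassword (rule {10} decides) but not userPassword (rule {0} decides first, and its `by * none` ends the evaluation), while a DN under cn=admins,cn=zimbra gets both; that is the shape of failure the smbpasswd output above shows, since `ldap passwd sync = yes` makes Samba write userPassword as well. Independently of that assumption, `shadowed` reports that {11} to {13} are never consulted at all, because {10} already covers the whole dc=example,dc=com subtree. To check a live server, replace RULE_TEXT with the olcAccess values read back from the database entry (for example `ldapsearch -LLL -x -H ldapi:/// -D cn=config -W -b 'olcDatabase={2}hdb,cn=config' olcAccess`, the bind the post itself uses) so that the real rules ahead of {9} are included.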
09-28-2009, 10:24 PM
Ah, will look into that.
However this all needs to go to a wiki page, and the step to remove the root alias can be done on the command line as well. So everything can be done with a single bash script.