Help to make a Zimbra + Samba Tutorial for Ubuntu 8.04.3 Server and Zimbra 6.0.1

[lithorus]

I have an idead as what has happened in your case. What does 'zmprov getAllDomains' output?

Have created a slightly improved 02-zimbra.sh :

Code:

#!/bin/bash

if [ "$USER" != "zimbra" ]
then
        echo "You need to be user zimbra to run this script"
        exit
fi

clear

# domain name of the zimbra installation
DOMAIN=`zmprov getAllDomains`
# get full hostname
HOSTNAME=`hostname --long`
# get Zimbra LDAP password
ZIMBRA_LDAP_PASSWORD=`zmlocalconfig -s zimbra_ldap_password | cut -d ' ' -f3`

# set LDAP prefix
LDAP_PREFIX="dc="${DOMAIN//\./,dc=}

# set password for the posix ldap accounts
ZMPOSIX_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposix`
ZMPOSIXROOT_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s zmposixroot`

# include NIS schema into Zimbra LDAP
ldap stop
cp /opt/zimbra/openldap/etc/openldap/schema/nis.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/cn\=\{10\}nis.ldif
cd /opt/zimbra/data/ldap/config/cn\=config/cn=\schema
sed -i 's/dn: cn=nis,cn=schema,cn=config/dn: cn={10}nis/' cn\=\{10\}nis.ldif
sed -i 's/cn: nis/cn: {10}nis/' cn\=\{10\}nis.ldif
chmod 600 cn\=\{10\}nis.ldif
ldap start


# include Samba schema into Zimbra LDAP
mkdir -p /tmp/ldap/schema
cd /tmp/ldap
cp /usr/share/doc/samba-doc/examples/LDAP/samba.schema /tmp/ldap/schema
tee test.conf > /dev/null <<- 'EOF'
        include /opt/zimbra/openldap/etc/openldap/schema/core.schema
        include /opt/zimbra/openldap/etc/openldap/schema/cosine.schema
        include /opt/zimbra/openldap/etc/openldap/schema/inetorgperson.schema
        include /tmp/ldap/schema/samba.schema
EOF
/opt/zimbra/openldap/sbin/slaptest -f /tmp/ldap/test.conf -F /tmp/ldap
cd cn\=config/cn\=schema
mv cn\=\{3\}samba.ldif cn\=\{11\}samba.ldif
sed -i 's/dn: cn={3}samba/dn: cn={11}samba/' cn\=\{11\}samba.ldif
sed -i 's/cn: {3}samba/cn: {11}samba/' cn\=\{11\}samba.ldif
ldap stop
cp /tmp/ldap/cn\=config/cn\=schema/cn\=\{11\}samba.ldif /opt/zimbra/data/ldap/config/cn\=config/cn\=schema/
ldap start

# add indexes for PAM and Samba
tee /tmp/indexes.ldif > /dev/null <<- 'EOF'
        dn: olcDatabase={2}hdb,cn=config
        changetype:modify
        add: olcDbIndex
        olcDbIndex: uidNumber eq
        olcDbIndex: gidNumber eq
        olcDbIndex: memberUid eq
        olcDbIndex: sambaSID eq
        olcDbIndex: sambaPrimaryGroupSID eq
        olcDbIndex: sambaDomainName eq
EOF
ldapmodify -f /tmp/indexes.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD

# create two new users for the local posix and samba processes to use to access the information from the LDAP server
tee /tmp/posixusers.ldif > /dev/null <<- EOF
        dn: uid=zmposix,cn=appaccts,cn=zimbra
        uid: zmposix
        objectClass: zimbraAccount
        objectClass: organizationalPerson
        cn: zmposix
        sn: zmposix
        zimbraAccountStatus: active
        zimbraIsSystemResource: TRUE
        zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
        description: The zimbra posix account
        userPassword: $ZMPOSIX_LDAP_PASSWORD

        dn: uid=zmposixroot,cn=appaccts,cn=zimbra
        uid: zmposixroot
        objectClass: zimbraAccount
        objectClass: organizationalPerson
        cn: zmposixroot
        sn: zmposixroot
        zimbraAccountStatus: active
        zimbraIsSystemResource: TRUE
        zimbraId: 6ED47B38-98CC-11DE-AAC1-9F159BA35B33
        description: The zimbra posix root account
        userPassword: $ZMPOSIXROOT_LDAP_PASSWORD
EOF
ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD

# adjust the LDAP acls so that these new users can read the data necessary from the LDAP server
echo 'dn: olcDatabase={2}hdb,cn=config
changetype:modify
delete: olcAccess
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read
-
add: olcAccess
olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by * read
dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="'$LDAP_PREFIX'"  by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {11}to dn.subtree="ou=machines,'$LDAP_PREFIX'"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {12}to dn.subtree="ou=groups,'$LDAP_PREFIX'"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
olcAccess: {13}to dn.subtree="ou=people,'$LDAP_PREFIX'"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
' > /tmp/acl.ldif

ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -w $ZIMBRA_LDAP_PASSWORD

# run the following zmprov commands as user zimbra
zmprov mcf +zimbraAccountExtraObjectClass posixAccount
zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount

echo
echo Deleting root alias.....
echo

zmprov removeAccountAlias admin@$DOMAIN root@$DOMAIN

echo
echo Proceed to "Installing zimbra_posixaccount and zimbra_samba extensions for Zimbra Admin"
echo

zmzimletctl deploy /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip
zmzimletctl getConfigTemplate /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip > /tmp/posixConfig.xml
zmzimletctl deploy /opt/zimbra/zimlets-admin-extra/zimbra_samba.zip
zmzimletctl getConfigTemplate /opt/zimbra/zimlets-admin-extra/zimbra_samba.zip > /tmp/sambaConfig.xml

sed -i "s/dc=test,dc=com/$LDAP_PREFIX/" /tmp/posixConfig.xml
sed -i "s/dc=test,dc=com/$LDAP_PREFIX/" /tmp/sambaConfig.xml

zmzimletctl configure /tmp/posixConfig.xml
zmzimletctl configure /tmp/sambaConfig.xml

[peracchi]

Hi lithorus!

Great improvements to the script! This way we can achieve our goal faster and less prone to errors.

The output in my zimbra machine for 'zmprov getAllDomains' is:

Code:

zimbra@zimbra:~$ zmprov getAllDomains
example.com

Code:

zimbra@zimbra:~$ hostname --long
zimbra.example.com

What could be the problem with ACLs to to "uid=zmposixroot,cn=appaccts,cn=zimbra"? They are not getting effective or other permissions are needed?

[lithorus]

Quote:

Originally Posted by peracchi

Hi lithorus!

Great improvements to the script! This way we can achieve our goal faster and less prone to errors.

The output in my zimbra machine for 'zmprov getAllDomains' is:

Code:

zimbra@zimbra:~$ zmprov getAllDomains
example.com

Code:

zimbra@zimbra:~$ hostname --long
zimbra.example.com

What could be the problem with ACLs to to "uid=zmposixroot,cn=appaccts,cn=zimbra"? They are not getting effective or other permissions are needed?

I found that the error about insuffecient access when doing "smbpasswd -a root" doesn't matter it does the job anyway.

[peracchi]

Hi lithorus!

Yes, besides the error it does that job...

Look at my previous post: Help to make a Zimbra + Samba Tutorial for Ubuntu 8.04.3 Server and Zimbra 6.0.1

Later, other problems arise (put machines in domain, passwords, etc).

So, I think we must address this ACL problem.

Let me ask you another thing: if I change a password in a domain machine, password in Zimbra webmail is changed correctly; but if I change a password in Zimbra webmail, the corresponding password isn´t changed in Samba. There is a way of achieve this goal?

I read something about a zimlet to do this in Zimbra 5.0.x; will it work on Zimbra 6.0.1?

[lithorus]

Quote:

Originally Posted by peracchi

Let me ask you another thing: if I change a password in a domain machine, password in Zimbra webmail is changed correctly; but if I change a password in Zimbra webmail, the corresponding password isn´t changed in Samba. There is a way of achieve this goal?

I read something about a zimlet to do this in Zimbra 5.0.x; will it work on Zimbra 6.0.1?

Have no idea. Would be worth a try though.

[maxxer]

Quote:

Originally Posted by peracchi

Hi lithorus!

Yes, besides the error it does that job...

Look at my previous post: Help to make a Zimbra + Samba Tutorial for Ubuntu 8.04.3 Server and Zimbra 6.0.1

Later, other problems arise (put machines in domain, passwords, etc).

I got that error as well, but I could add an XP machine to the domain...

anyway, solving would be better

[alekseyn]

Have you guys ever resolved this issue? I am also stuck on adding the machines to the domain (even XP ones) with the message "Access Denied" when entering the member of "Domain Admin" groups...

Update:

When I used

ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"

instead of

ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"

in smb.config, I could change the root password and also I managed to join the XP workstation into the domain, BUT, when I tried logging into that workstation, the error is "a device connected to the system isn´t working".....

any ideas would be appreciated.