Use zimbra LDAP for two UNIX servers

#1 | 03-08-2010, 07:12 AM | Active Member | Posts: 29

UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

Using the above guide, is it possible to have two samba shares from two different linux boxes authenticate off of the zimbra ldap?

For example, box 1 is a general fileserver with 4tb of storage space and box 2 is for our production department only and has 16tb of storage. I'd like to give access to the fileserver to everyone, while limiting access to production to the production dept. I read the guide briefly and thought I'd ask before getting too far into it.

#2 | 03-08-2010, 01:16 PM | Active Member | Posts: 29

Quote:
Originally Posted by juanschwartz
UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI - Zimbra :: Wiki

Using the above guide, is it possible to have two samba shares from two different linux boxes authenticate off of the zimbra ldap?

For example, box 1 is a general fileserver with 4tb of storage space and box 2 is for our production department only and has 16tb of storage. I'd like to give access to the fileserver to everyone, while limiting access to production to the production dept. I read the guide briefly and thought I'd ask before getting too far into it.

Anybody?

#3 | 03-09-2010, 04:40 AM | Special Member | Posts: 139

As long as both samba shares are in the same workgroup/domain, then yes. We have one of our smaller offices running with a Zimbra domain controller.

#4 | 03-09-2010, 09:12 AM | Active Member | Posts: 29

Quote:
Originally Posted by Hivos
As long as both samba shares are in the same workgroup/domain, then yes. We have one of our smaller offices running with a Zimbra domain controller.

Do you mind expanding on that a bit? Do I need to make them the same domain as the ZCS server?

For example... Our mail server is mail.example.com.

Should I make the 2 file servers: filehost.example.com and production.example.com?

#5 | 03-09-2010, 01:31 PM | Special Member | Posts: 139

You may be confusing hostnames and NetBIOS names (don't blame me, blame Microsoft). Within a samba / windows domain, normally NetBIOS is used for name resolution. A server's "real" hostname may be something completely different, though this does depend on your smb.conf.

To keep a long story short: use the wiki-page from your topicstart to set up a test-environment with 1 zimbra server and 1 samba server (Primary Domain Controller). After that you can easily add a second Samba server to your domain (Domain Member Server or Backup Domain Controller).

#6 | 03-22-2010, 09:44 AM | Active Member | Posts: 29

Quote:
Originally Posted by Hivos
You may be confusing hostnames and NetBIOS names (don't blame me, blame Microsoft). Within a samba / windows domain, normally NetBIOS is used for name resolution. A server's "real" hostname may be something completely different, though this does depend on your smb.conf.

To keep a long story short: use the wiki-page from your topicstart to set up a test-environment with 1 zimbra server and 1 samba server (Primary Domain Controller). After that you can easily add a second Samba server to your domain (Domain Member Server or Backup Domain Controller).

Hivos. I got everything set up and tested. All of my groups and everything work. I will soon be adding Windows PCs to our domain and perhaps using openvpn with its auth-ldap plugin to authenticate zimbra users to our VPN and doing away with our Windows server altogether.

One thing I did notice was that if I put someone in a group and they mounted an SMB share, say //server/production and then I removed them from the group, they could still access and browse the folder. Is this normal behavior? Should it remove their rights immediately?

#7 | 03-24-2010, 05:52 AM | Special Member | Posts: 139

The user needs to logout / login for the change to take effect. And yes, this is normal windows behaviour (samba is "bug-compatible" with windows). Good to hear you've got it working!

#8 | 03-24-2010, 07:34 AM | Active Member | Posts: 29

Quote:
Originally Posted by Hivos
The user needs to logout / login for the change to take effect. And yes, this is normal windows behaviour (samba is "bug-compatible" with windows). Good to hear you've got it working!

Yeah, it all made sense once I got in there and read over the docs before I attempted to implement it. I am building another fileserver to run off of the zimbra ldap through SAMBA soon.

I was also able to get OpenVPN to authenticate through zimbra using auth-ldap, but I am having issues using a group or zimbraAccountStatus inside of uid=user,ou=people,dc=example,dc=com as it seems to work with AD as opposed to other LDAP schemas. I submitted a request on their code page for an ability to do that, but it's WAY back in line.

So, if we were to want to prevent an employee from logging in, I'd have to revoke a certificate instead of just disabling them in zimbra. That's better than nothing for the moment... so long as I get rid of that 2003 SBS Domain Controller.
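
The check that post #8 wants from the VPN login (account enabled in Zimbra and member of a group), as an added example that is not part of the original thread and is not OpenVPN, auth-ldap or Zimbra code. It assumes groups are posixGroup entries that list members in memberUid; the group name vpnusers and the sample entries are constructed for illustration.

```python
# Added example: decide VPN access from Zimbra LDAP data rather than from
# the certificate alone. Assumption: groups are posixGroup entries with
# memberUid values; "vpnusers" and all sample entries are constructed.

def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    out = []
    for ch in value:
        if ch in '\\*()\x00':
            out.append('\\%02x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)

def user_filter(uid: str) -> str:
    """Match the account only while Zimbra marks it active."""
    return '(&(uid=%s)(zimbraAccountStatus=active))' % escape_filter_value(uid)

def group_filter(uid: str, group_cn: str) -> str:
    """Match the posixGroup only if it lists uid as a member."""
    return '(&(objectClass=posixGroup)(cn=%s)(memberUid=%s))' % (
        escape_filter_value(group_cn), escape_filter_value(uid))

def vpn_allowed(uid, user_entry, group_entry) -> bool:
    """Fail closed: a missing entry, a non-active status or no membership denies."""
    if not uid or user_entry is None or group_entry is None:
        return False
    if user_entry.get('uid') != [uid]:
        return False
    if user_entry.get('zimbraAccountStatus') != ['active']:
        return False
    return uid in group_entry.get('memberUid', [])

# Constructed sample entries, shaped like LDAP results (attribute -> values).
ALICE = {'uid': ['alice'], 'zimbraAccountStatus': ['active']}
BOB = {'uid': ['bob'], 'zimbraAccountStatus': ['closed']}  # disabled in Zimbra
VPN_GROUP = {'cn': ['vpnusers'], 'memberUid': ['alice', 'bob']}

if __name__ == '__main__':
    print(user_filter('alice'))
    print(group_filter('alice', 'vpnusers'))
    print('alice:', vpn_allowed('alice', ALICE, VPN_GROUP))
    print('bob:', vpn_allowed('bob', BOB, VPN_GROUP))
```

With a check like this in the login path, closing the account in Zimbra or removing the memberUid value denies the next VPN login; certificate revocation remains the second control.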

#9 | 03-24-2010, 09:07 AM | Special Member | Posts: 139

Just a quick note I thought of: be careful when upgrading either Samba or Zimbra.

Upgrading zimbra may delete the samba ldap scheme, so make sure you keep a copy somewhere to restore after a zimbra upgrade.

When upgrading samba you may get a new version of the samba ldap scheme. If this is the case copy this new version to the zimbra ldap directory and restart zimbra.