Hi there,
I'm setting up a primary domain controller with Samba that must authenticate users against Zimbra LDAP.
Found and followed
this guide with success (I hope); everything is working fine on Zimbra, but my Samba PDC cannot find users and groups.
After having configured Samba, on the daemon restart it created the Samba domain in Zimbra, but if I create a user via the admin console and assign it to the Samba domain, it seems that Samba doesn't find the user (nor the groups I've created), neither via getent [user|group] nor via smbclient (which exits with a logon_failure error).
I can authenticate on Samba only if I create a local Unix account via "adduser".
My conf files:
Code:
/etc/samba/smb.conf
[global]
workgroup = MYDOMAIN.IT
netbios name = samba
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Ubuntu)
wins support = yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://192.168.0.208/
ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
ldap suffix = dc=mydomain,dc=it
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path =
logon home =
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes
[homes]
comment = Home Directories
browseable = yes
read only = No
valid users = %S
[netlogon]
comment = Network Logon Service
path = /home/netlogon
guest ok = yes
locking = no
[profiles]
comment = Users profiles
path = /home/profiles
read only = No
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
Code:
#
# /etc/pam.d/common-account - authorization settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authorization modules that define
# the central access policy for use on the system. The default is to
# only deny service to users whose accounts are expired in /etc/shadow.
#
account sufficient pam_unix.so
account sufficient pam_ldap.so
Code:
#
# /etc/pam.d/common-auth - authentication settings common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of the authentication modules that define
# the central authentication scheme for use on the system
# (e.g., /etc/shadow, LDAP, Kerberos, etc.). The default is to use the
# traditional Unix authentication mechanisms.
#
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
Code:
#
# /etc/pam.d/common-password - password-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define the services to be
# used to change user passwords. The default is pam_unix.
# Explanation of pam_unix options:
#
# The "nullok" option allows users to change an empty password, else
# empty passwords are treated as locked accounts.
#
# The "md5" option enables MD5 passwords. Without this option, the
# default is Unix crypt.
#
# The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
# login.defs.
#
# You can also use the "min" option to enforce the length of the new
# password.
#
# See the pam_unix manpage for other options.
password sufficient pam_unix.so
password sufficient pam_ldap.so
Code:
#
# /etc/pam.d/common-session - session-related modules common to all services
#
# This file is included from other service-specific PAM config files,
# and should contain a list of modules that define tasks to be performed
# at the start and end of sessions of *any* kind (both interactive and
# non-interactive). The default is pam_unix.
#
session required pam_mkhomedir.so skel=/etc/skel umask=0077
session sufficient pam_unix.so
session sufficient pam_ldap.so
Code:
#/etc/nsswitch.conf
#
# Example configuration of GNU Name Service Switch functionality.
# If you have the `glibc-doc-reference' and `info' packages installed, try:
# `info libc "Name Service Switch"' for information about this file.
passwd: files ldap
group: files ldap
shadow: compat
hosts: files dns
networks: files
protocols: db files
services: db files
ethers: db files
rpc: db files
netgroup: nis
With "getent user/group" I see only the users/groups of the local Samba machine.
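As an added example (not part of the original post, and not Zimbra's or Samba's own tooling), here is a small offline check of the kind a practitioner would run before touching smb.conf or PAM again: dump the ou=people subtree with ldapsearch, then verify that every entry actually carries what the two consumers need. nss_ldap only answers "getent passwd" for entries with objectClass posixAccount plus uidNumber/gidNumber, and Samba's ldapsam backend only finds accounts with objectClass sambaSamAccount whose sambaSID sits under the domain SID shown by "net getlocalsid". The ldapsearch and net commands in the comments are assumed from the smb.conf above and are not executed by the script; the LDIF at the bottom is constructed sample data.

```shell
#!/bin/bash
# Added example, not from the original post: offline sanity check of the user
# entries that Samba (ldapsam) and nss_ldap are expected to read from Zimbra LDAP.
# Assumed capture step on the Samba box (values taken from the posted smb.conf):
#   ldapsearch -x -H ldap://192.168.0.208 -D "uid=zmposixroot,cn=appaccts,cn=zimbra" -W \
#       -b "ou=people,dc=mydomain,dc=it" > people.ldif
#   net getlocalsid     # prints the domain SID every sambaSID must start with

# check_ldif FILE DOMAIN_SID
# Prints one line per defect found in an entry and returns 0 only if every
# entry is complete:
#   - no posixAccount / uidNumber / gidNumber  -> nss_ldap returns nothing, so
#     "getent passwd" cannot see the user
#   - no sambaSamAccount                       -> smbd never finds the account,
#     hence NT_STATUS_LOGON_FAILURE from smbclient
#   - sambaSID not under DOMAIN_SID            -> Samba treats it as foreign
# Limitation: base64 ("attr::") and folded continuation lines are not handled.
check_ldif() {
    awk -v domsid="$2" '
    BEGIN { bad = 0 }
    function report(msg) { printf "%s: %s\n", dn, msg; bad = 1 }
    function flush() {
        if (dn == "") return
        if (!("posixaccount" in oc))    report("missing objectClass posixAccount (getent will not list it)")
        if (!("sambasamaccount" in oc)) report("missing objectClass sambaSamAccount (smbd will not find it)")
        if (!("uidnumber" in attr))     report("missing uidNumber")
        if (!("gidnumber" in attr))     report("missing gidNumber")
        if (("sambasid" in attr) && index(attr["sambasid"], domsid "-") != 1)
            report("sambaSID " attr["sambasid"] " is not under domain SID " domsid)
        dn = ""; split("", oc); split("", attr)
    }
    /^dn: /  { flush(); dn = substr($0, 5); next }   # new entry starts
    /^$/     { flush(); next }                        # blank line ends an entry
    /^#/     { next }                                 # LDIF comment
    /^[^ :]+: / {
        name = tolower(substr($0, 1, index($0, ":") - 1))
        val  = substr($0, index($0, ":") + 2)
        if (name == "objectclass") oc[tolower(val)] = 1
        else attr[name] = val                         # last value wins; enough here
    }
    END { flush(); exit bad }
    ' "$1"
}

# Constructed sample: alice is complete, bob is a plain Zimbra account that was
# never given the POSIX/Samba attributes, which is exactly what getent misses.
sample=$(mktemp)
cat > "$sample" <<'EOF'
dn: uid=alice,ou=people,dc=mydomain,dc=it
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 10000
sambaSID: S-1-5-21-111-222-333-21002

dn: uid=bob,ou=people,dc=mydomain,dc=it
objectClass: inetOrgPerson
objectClass: zimbraAccount
uid: bob
EOF
check_ldif "$sample" S-1-5-21-111-222-333 || echo "some entries are not usable by Samba/nss_ldap"
rm -f "$sample"
```

If the script reports defects, the fix belongs on the LDAP side (giving the account the POSIX and Samba attributes), not in smb.conf; if every entry is clean and getent still returns nothing, the next thing to look at is the nss_ldap client configuration, which the post does not show.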