Zimbra 6.0.x + Samba

[strikermdd]

Hello guys, i'm trying to implement the Zimbra 6 with Samba, but i having some issues in the way ... samba can't access the ldap base.

I have two virtual machines, one with Zimbra installed, and other with samba. I can make the Samba machine authenticate users via PAM, but when i use the command smbpasswd -a root, then its says :

root@ubuntu:~# smbpasswd -a root
Failed to issue the StartTLS instruction: Can't contact LDAP server
New SMB password:
Retype new SMB password:
Failed to issue the StartTLS instruction: Can't contact LDAP server
Failed to issue the StartTLS instruction: Can't contact LDAP server
Failed to add entry for user root.

My ldap.conf its like this :

host 192.168.10.2
base dc=marechal,dc=saude,dc=al,dc=gov,dc=br
binddn uid=zimbra,cn=admins,cn=zimbra
bindpw MYPASSWD
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389
bind_policy soft
nss_reconnect_tries 2
uri ldap://192.168.10.2/
ssl start_tls
tls_cacertdir /opt/zimbra
tls_checkpeer no
pam_password md5
nss_base_passwd ou=people,dc=marechal,dc=saude,dc=al,dc=gov,dc=br
nss_base_shadow ou=people,dc=marechal,dc=saude,dc=al,dc=gov,dc=br? one
nss_base_group ou=Grupos,dc=marechal,dc=saude,dc=al,dc=gov,dc=br? one
nss_base_hosts ou=Computadores,dc=marechal,dc=saude,dc=al,dc=gov, dc=br?one
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp, mail,man,news,ntop,openldap,proxy,root,sshd,sync,s ys,syslog,uucp,www-data
nss_initgroups_ignoreusers backup,bin,daemon,games,gnats,irc,libuuid,list,lp, mail,man,news,ntop,openldap,proxy,root,sshd,sync,s ys,syslog,uucp,www-data

In Zimbra Server i can't use the ldapsearch :

[zimbra@marechal ~]$ ldapsearch -x
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)

or

[zimbra@marechal ~]$ ldapsearch -ZZ -h marechal.saude.al.gov.br
SASL/GSSAPI authentication started
ldap_sasl_interactive_bind_s: Local error (-2)
additional info: SASL(-1): generic failure: GSSAPI Error: Miscellaneous failure (see text) (open(/tmp/krb5cc_500): )

But when i use a client like Apache Directory Studio, i can see all base ok.

I can create users and groups. The only problem it's with samba by now ...

And one little other question ... Its possible to revert the cn=config style of config file to the old slapd.conf ? It's far more easy to handle i think ...

If anyone can help me, please do ...

Thanks

[strikermdd]

Sorry for the reply, but i really need this, i am trying to move from a old email server to a Zimbra Server, maybe in the future one Zimbra Enterprise version, but first i need to integrate Zimbra with Samba, i read the wiki, but don't work.

Thanks

[phoenix]

I assume you followed the instructions here: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki? Did you take note about Anonymous Access in this section: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0 - Zimbra :: Wiki?

[strikermdd]

well, i use this wiki article yes, and i see the Anonymous, but not work. In the zimbra machine, if i run a getent passwd i can see my users, but i think the 389 port its not allowed for the network, because running a nmap locally for example :

[root@marechal ~]# nmap 192.168.10.2

Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2010-05-03 13:24 BRT
Interesting ports on marechal.saude.al.gov.br (192.168.10.2):
Not shown: 1671 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s

But if i use the name of machine, the ldap service its ok :

[root@marechal ~]# nmap marechal

Starting Nmap 4.11 ( Nmap - Free Security Scanner For Network Exploration & Security Audits. ) at 2010-05-03 13:25 BRT
Interesting ports on marechal.saude.al.gov.br (10.50.80.21):
Not shown: 1670 closed ports
PORT STATE SERVICE
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
143/tcp open imap
389/tcp open ldap
465/tcp open smtps
587/tcp open submission
993/tcp open imaps
995/tcp open pop3s

Nmap finished: 1 IP address (1 host up) scanned in 0.041 second

s

In any other machine, i can't access the 389 ldap port, and i not using iptables ( service off and without any rules ), and SELINUX off too ...

Exist any option in ldap with block the access to this port ? And how i can change this for my entire network can bind and search my ldap in 389 port ?

Thanks.

[phoenix]

Exist any option in ldap with block the access to this port ? And how i can change this for my entire network can bind and search my ldap in 389 port ?

Did you follow those anonymous access instructions exactly? You should also read the Release Notes about Anonymous Access to LDAP.

[strikermdd]

in my comment above i say that ... i create a ldif with this :

dn: olcDatabase={2}hdb,cn=config
changetype:modify
add: olcAccess
olcAccess: {10}to dn.subtree="dc=marechal,dc=saude,dc=al,dc=gov,dc=b r" by dn.children="cn=admins,cn=zimbra" write by * read
olcAccess: {11}to dn.subtree="ou=machines,dc=saude,dc=al,dc=gov,dc=b r" by dn.children="cn=admins,cn=zimbra" write by * read
olcAccess: {12}to dn.subtree="ou=groups,dc=saude,dc=al,dc=gov,dc=br" by dn.children="cn=admins,cn=zimbra" write by * read
olcAccess: {13}to dn.subtree="ou=people,dc=saude,dc=al,dc=gov,dc=br" by dn.children="cn=admins,cn=zimbra" write by * read

i add to my directory using :

ldapmodify -f anonymousaccess.ldif -x -H ldapi:/// -D cn=config -w mypasswd

In the machine, i can login anonymous ( using only the hostname, not the ip), in other machines, i CAN'T see the 389 ldap port.

obs. :
Zimbra 6.0.6_64 bits - Centos 5.4
Samba - Ubuntu 9.10 ( tried in Centos 5.4 too ... )

[strikermdd]

In some way, the service of ldap it's only running to the zimbra machine, not for the network, because i can't see via nmap the port 389 active, but imap, smpt, etc, its ok ...

Any idea of how i can fix this ?

Thanks