Zimbra :: Forums > Zimbra Collaboration Suite > Administrators

#1, 10-29-2010, 05:36 AM
[SOLVED] Problems with pam_ldap, nss_ldap and zimbra integration

Hi everyone,

I'm trying to auth using nss_ldap (1.265_4) and pam_ldap (1.8.5) against zimbra openldap. I'm using zcs 6.0.6 on FreeBSD 8.1-RELEASE. ldap.conf is the same for pam_ldap and nss_ldap. pam_ldap throws this error:
Code:
pam_ldap: ldap_starttls_s: Can't contact LDAP server
nss_ldap throws this:
Code:
nss_ldap: failed to bind to LDAP server ldap://myhost.net: Invalid credentials
Here is the ldap config:
Code:
base dc=myhost,dc=net
host myhost.net
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw mypw
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
uri ldap://myhost.com
bind_policy soft
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
tls_checkpeer no
pam_password md5
nss_base_passwd ou=people,dc=dc=myhost,dc=net?one
nss_base_shadow ou=people,dc=dc=myhost,dc=net?one
nss_base_group ou=groups,dc=myhost,dc=net?one
nss_base_hosts ou=machines,dc=myhost,dc=net?one
The bindpw is set to the password that was provided by zmlocalconfig (and the root and ldap passwords are the same). I spent a good two days trying to resolve these issues. Samba seems to connect to the openldap server with no problems at all but is unable to auth users. The relevant parts of the log are probably these:
Code:
ntlm_password_check: NO NT password stored for user ciny.
ntlm_password_check: Lanman passwords NOT PERMITTED for user ciny
check_ntlm_password:  Authentication for user [ciny] -> [ciny] FAILED with erro NT_STATUS_WRONG_PASSWORD
error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FILURE
I'm getting desperate here; if anyone has any suggestions I would be glad.
Thanks

EDIT1:
when I try
Code:
ldapsearch -H ldap://myhost.net:389 -w ldaprootpass -D uid=zimbra,cn=admins,cn=zimbra -x 'objectclass=*'
everything works but when I try
Code:
ldapsearch -H ldap://172.24.1.15:389 -w myuserpass -D uid=ciny,ou=people,dc=myhost,dc=net -x 'objectclass=*'
I get

Code:
ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
Am I missing something crucial?

Last edited by ciny; 10-29-2010 at 07:12 AM.. Reason: update in progress

#2, 10-29-2010, 08:37 AM

I finally figured it out. I will write up a summary later in the evening.

#3, 11-18-2010, 07:57 AM
and the write-up?

Because I just saw this today...

Thanking you in advance

Last edited by gnyce; 11-18-2010 at 07:57 AM.. Reason: typo

#4, 11-18-2010, 12:42 PM

Sorry, I got swamped with a lot of other work so I didn't have time. Fortunately I don't exactly remember, but I will paste here all the relevant config and try to write down some notes on some problems I have run into and how I solved them:
/usr/local/etc/ldap.conf (mind that I'm using FreeBSD, so on Linux it will probably be /etc/ldap.conf)
Code:
base dc=example,dc=net
host email.example.net
binddn uid=zimbra,cn=admins,cn=zimbra
bindpw # you will get this password by running zmlocalconfig -s ldap_root_password
rootbinddn uid=zimbra,cn=admins,cn=zimbra
uri ldap://email.example.com
bind_policy soft
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
tls_checkpeer no
pam_login_attribute uid
pam_password md5

nss_base_passwd ou=people,dc=example,dc=net?one
nss_base_shadow ou=people,dc=example,dc=net?one
nss_base_group ou=groups,dc=example,dc=net?one
nss_base_hosts ou=machines,dc=example,dc=net?one
I use the same config for ldap.conf, nss_ldap.conf and pam_ldap.conf (actually both nss_ldap.conf and pam_ldap.conf are symlinks to ldap.conf on my system).
Here is my smb.conf:
Code:
[global]
    workgroup = EXAMPLE
    netbios name = EXAMPLE.NET
    os level = 33
    preferred master = yes
    enable privileges = yes
    server string = %h server (running FreeBSD 8.1 with ZFS)
    wins support = yes
    dns proxy = no
    name resolve order = wins bcast hosts
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://email.example.net/
    ldap admin dn = "cn=config"
    ldap suffix = "dc=example,dc=net"
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    obey pam restrictions = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *blah blah blah blah* .
    inherit acls = no
    nt acl support = yes
    case sensitive = No

[homes]
    comment = Home Directories
    browseable = yes
    read only = no
    write list = %S
    vfs objects = zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

[studio]
    comment = Studio Share
    browseable = yes
    read only = no
    path = /home/shares/studio
    acl check permissions = True
    vfs objects = zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes

[www]
    path = /usr/local/www
    comment = www share
    browseable = yes
    read only = no
    acl check permissions = True
    vfs objects = zfsacl
    nfs4:mode = special
    nfs4:acedup = merge
    nfs4:chown = yes
Nothing really special there; I highlighted the relevant part for auth against your LDAP. Now you start your Samba, then
Code:
smbpasswd -w ldap_root_password
Then you can set up groups and user accounts. If you already have some existing Zimbra accounts (created before the implementation of zimlets into the admin console) you have to do three things:
As the zimbra user:
Code:
zmprov ma user@example.net +objectClass posixAccount uidNumber 10031 gidNumber 10001 homeDirectory /home/shares/user loginShell /sbin/nologin
# you can find the sambaSID value with: net getlocalsid
zmprov ma user@example.net +objectClass sambaSamAccount sambaDomainName example.net sambaSID <sambaSID> sambaAcctFlags '[UX]'
# I couldn't get passwords synchronised for accounts existing before samba integration; the user has to enter his password here
smbpasswd -a user
Now everything should be up and running. To connect to your Samba share from Windows go to \\example.net (or let Windows scan the whole network). As username enter EXAMPLE.NET\user and the user's password, and you should hopefully be relieved that it finally works. I also strongly suggest reading through the ACL documentation for fine-grained control.
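Two ldap.conf files in this thread show the things worth checking mechanically before pointing nss_ldap/pam_ldap at Zimbra's OpenLDAP: the config in #1 names myhost.net under host but myhost.com under uri, and two of its nss_base_* lines carry dc=dc=; both it and the working config in #4 run STARTTLS with tls_checkpeer no (encrypted, but any server certificate is accepted); and #4 puts the ldap root password as bindpw, for the same DN as rootbinddn, into a file that nss_ldap needs world-readable. The linter below is an added example written for this page, not code from any post, from Zimbra or from nss_ldap itself. The sample configs are constructed from the posts (with a placeholder in place of the password), the finding codes are this example's own naming, and the ldap.secret remark reflects the nss_ldap/pam_ldap documentation for rootbinddn.

```python
#!/usr/bin/env python3
"""Lint an nss_ldap/pam_ldap ldap.conf for the slips and weak settings seen in this thread."""
import re
from urllib.parse import urlparse

# Constructed sample: the ldap.conf from post #1, including its two slips
# (host and uri name different domains; dc=dc= in two search bases).
BROKEN_CONF = """\
base dc=myhost,dc=net
host myhost.net
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw mypw
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
uri ldap://myhost.com
bind_policy soft
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
tls_checkpeer no
pam_password md5
nss_base_passwd ou=people,dc=dc=myhost,dc=net?one
nss_base_shadow ou=people,dc=dc=myhost,dc=net?one
nss_base_group ou=groups,dc=myhost,dc=net?one
nss_base_hosts ou=machines,dc=myhost,dc=net?one
"""

# Constructed: the same file with the slips corrected and peer verification enabled.
FIXED_CONF = (BROKEN_CONF.replace("ldap://myhost.com", "ldap://myhost.net")
              .replace("dc=dc=myhost", "dc=myhost")
              .replace("tls_checkpeer no", "tls_checkpeer yes"))

# Constructed from post #4: binddn and rootbinddn are the same admin DN and the
# ldap root password sits in bindpw (placeholder value here, not a real secret).
ADMIN_BIND_CONF = """\
base dc=example,dc=net
uri ldap://email.example.net
binddn uid=zimbra,cn=admins,cn=zimbra
bindpw LDAP_ROOT_PASSWORD_PLACEHOLDER
rootbinddn uid=zimbra,cn=admins,cn=zimbra
ssl start_tls
tls_checkpeer yes
"""

# One attribute=value pair per RDN; a second '=' (as in dc=dc=myhost) is rejected.
RDN_RE = re.compile(r"^[A-Za-z][A-Za-z0-9-]*=[^=,]+$")


def parse_ldap_conf(text):
    """Return {key: value}; keys are lowercased, lines starting with '#' are comments."""
    conf = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def dn_components(value):
    """Split a DN on unescaped commas, dropping any trailing ?scope (e.g. '?one')."""
    dn = value.split("?", 1)[0]
    return [c.strip() for c in re.split(r"(?<!\\),", dn) if c.strip()]


def lint_ldap_conf(text):
    """Return a list of (code, detail) findings; an empty list means nothing was flagged."""
    conf = parse_ldap_conf(text)
    findings = []

    # 1. host and uri naming different servers (post #1: myhost.net vs myhost.com).
    hosts = set(conf.get("host", "").split())
    uri_hosts = {urlparse(u).hostname for u in conf.get("uri", "").split()} - {None}
    if hosts and uri_hosts and hosts.isdisjoint(uri_hosts):
        findings.append(("HOST_URI_MISMATCH",
                         f"host={sorted(hosts)} but uri points at {sorted(uri_hosts)}"))

    # 2. Every nss_base_* must be a well-formed DN that ends with the configured base.
    base = dn_components(conf.get("base", ""))
    for key, value in conf.items():
        if not key.startswith("nss_base_"):
            continue
        comps = dn_components(value)
        bad = [c for c in comps if not RDN_RE.match(c)]
        if bad:
            findings.append(("MALFORMED_RDN", f"{key}: {bad}"))
        elif base and comps[-len(base):] != base:
            findings.append(("BASE_SUFFIX_MISMATCH", f"{key}: {value!r} is not under base"))

    # 3. STARTTLS with tls_checkpeer no encrypts the session but accepts any server
    #    certificate; with tls_cacertdir already pointing at the Zimbra CA it can be 'yes'.
    if conf.get("ssl", "").lower() == "start_tls" and conf.get("tls_checkpeer", "").lower() == "no":
        findings.append(("TLS_NO_CHECKPEER", "ssl start_tls with tls_checkpeer no"))

    # 4. nss_ldap is loaded into every process, so ldap.conf must be world-readable.
    #    A bindpw for the same DN as rootbinddn puts the privileged password there;
    #    the rootbinddn password belongs in ldap.secret (mode 0600) instead.
    if "bindpw" in conf and conf.get("binddn") and conf["binddn"] == conf.get("rootbinddn"):
        findings.append(("PRIVILEGED_BINDPW", f"bindpw set for rootbinddn {conf['binddn']}"))

    return findings


def codes(text):
    """Just the finding codes, in report order (handy for tests and quick greps)."""
    return [code for code, _ in lint_ldap_conf(text)]


if __name__ == "__main__":
    for name, text in (("post #1", BROKEN_CONF), ("fixed", FIXED_CONF), ("post #4", ADMIN_BIND_CONF)):
        print(f"== {name} ==")
        for code, detail in lint_ldap_conf(text) or [("OK", "nothing flagged")]:
            print(f"  {code}: {detail}")
```

Run it on a real file with `lint_ldap_conf(open("/usr/local/etc/ldap.conf").read())`; the base-suffix check uses DN components rather than a string suffix match so that `dc=dc=myhost,dc=net` cannot pass as "ending with" `dc=myhost,dc=net`.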