Samba extension on existing install?

[bersrker]

with all of the excitement of the new samba/posix admin extensions, I thought I'd give them a look to see how it would integrate into our existing environment. I built a test box and created a couple of accounts before setting up the samba parts. I've got it working to the point that if I create new accounts, they'll be configured with all of the samba/posix goodness. I'd like to see if there's a way to add the samba/posix attributes to the existing accounts.

If I use an LDAP administration program (LDAP Admin), I can manually add the sambaSamAccount and posixAccount objectclasses. When I add the objectclasses, I enter the sambaSID, UID, GID, etc. The only problem is that the samba password never gets set. If I change the user's password in the admin UI, it changes the password associated with Zimbra, but the samba password doesn't get set. Does anybody know of a flag that I'm missing to tell Zimbra to change the sambaNTPassword attribute?

[Greg]

Quote:

Originally Posted by bersrker

with all of the excitement of the new samba/posix admin extensions, I thought I'd give them a look to see how it would integrate into our existing environment. I built a test box and created a couple of accounts before setting up the samba parts. I've got it working to the point that if I create new accounts, they'll be configured with all of the samba/posix goodness. I'd like to see if there's a way to add the samba/posix attributes to the existing accounts.

If I use an LDAP administration program (LDAP Admin), I can manually add the sambaSamAccount and posixAccount objectclasses. When I add the objectclasses, I enter the sambaSID, UID, GID, etc. The only problem is that the samba password never gets set. If I change the user's password in the admin UI, it changes the password associated with Zimbra, but the samba password doesn't get set. Does anybody know of a flag that I'm missing to tell Zimbra to change the sambaNTPassword attribute?

If you manage to add extra object classes to the existing zimbra accounts than there are two simple ways to set sambaNTPassword attribute:
1 - opening each account in Zimbra Admin and change the password (do not use "change password" button in the toolbar though_
or
2 - use phpldapadmin - it can properly set sambaNTPassword using MD4 hash

once you set the passwords, you should add

Code:

 ldap passwd sync = yes

to smb.conf and after this whenever a user changes windows password using CTRL+ALT+DELETE Samba will also update your Zimbra password

[bersrker]

I've discovered that even the new users that I'm creating on this test instance aren't getting their sambaNTPassword entries changed when I change the password though the admin interface. It's like the admin UI doesn't know to change both password entries. Here's what's showing up in the log when I open up a new user and change their password:

Code:

May  3 17:28:24 mail slapd[4372]: conn=6 op=35 SRCH base="" scope=2 deref=3 filter="(&(zimbraMailForwardingAddress=vstigers@test.com)(&(objectClass=zimbraDistributionList)(!(objectClass=zimbraCalendarResource))))"
May  3 17:28:24 mail slapd[4372]: conn=6 op=35 SRCH attr=zimbraCOSId objectClass zimbraAccountCalendarUserType zimbraMailAlias zimbraId uid
May  3 17:28:24 mail slapd[4372]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
May  3 17:28:24 mail slapd[4372]: conn=6 op=35 SEARCH RESULT tag=101 err=0 nentries=0 text=
May  3 17:28:24 mail slapd[4372]: conn=6 op=36 SRCH base="" scope=2 deref=3 filter="(objectClass=zimbraZimletEntry)"
May  3 17:28:24 mail slapd[4372]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
May  3 17:28:24 mail slapd[4372]: conn=6 op=36 SEARCH RESULT tag=101 err=0 nentries=7 text=
May  3 17:28:29 mail slapd[4372]: conn=6 op=37 MOD dn="uid=vstigers,ou=people,dc=test,dc=com"
May  3 17:28:29 mail slapd[4372]: conn=6 op=37 MOD attr=zimbraPasswordModifiedTime userPassword
May  3 17:28:29 mail slapd[4372]: conn=6 op=38 SRCH base="uid=vstigers,ou=people,dc=test,dc=com" scope=0 deref=3 filter="(objectClass=*)"
May  3 17:28:29 mail slapd[4372]: conn=6 op=38 SEARCH RESULT tag=101 err=0 nentries=1 text=
May  3 17:28:29 mail slapd[4372]: conn=6 op=37 RESULT tag=103 err=0 text=
May  3 17:28:29 mail slapd[4372]: conn=6 op=39 SRCH base="uid=vstigers,ou=people,dc=test,dc=com" scope=0 deref=3 filter="(objectClass=*)"
May  3 17:28:29 mail slapd[4372]: conn=6 op=39 SEARCH RESULT tag=101 err=0 nentries=1 text=
May  3 17:28:29 mail slapd[4372]: conn=6 op=40 SRCH base="" scope=2 deref=3 filter="(&(zimbraMailForwardingAddress=vstigers@test.com)(&(objectClass=zimbraDistributionList)(!(objectClass=zimbraCalendarResource))))"
May  3 17:28:29 mail slapd[4372]: conn=6 op=40 SRCH attr=zimbraCOSId objectClass zimbraAccountCalendarUserType zimbraMailAlias zimbraId uid
May  3 17:28:29 mail slapd[4372]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
May  3 17:28:29 mail slapd[4372]: conn=6 op=40 SEARCH RESULT tag=101 err=0 nentries=0 text=
May  3 17:28:29 mail slapd[4372]: conn=6 op=41 SRCH base="" scope=2 deref=3 filter="(objectClass=zimbraZimletEntry)"
May  3 17:28:29 mail slapd[4372]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
May  3 17:28:29 mail slapd[4372]: conn=6 op=41 SEARCH RESULT tag=101 err=0 nentries=7 text=
May  3 17:28:29 mail slapd[4372]: conn=6 op=42 SRCH base="" scope=2 deref=3 filter="(&(objectClass=zimbraAccount)(!(objectClass=zimbraCalendarResource)))"
May  3 17:28:29 mail slapd[4372]: conn=6 op=42 SRCH attr=zimbraCOSId objectClass zimbraAccountCalendarUserType displayName zimbraId zimbraMailHost uid zimbraAccountStatus description zimbraMailStatus zimbraCalResType zimbraDomainType zimbraDomainName
May  3 17:28:29 mail slapd[4372]: is_entry_objectclass("", "2.5.6.1") no objectClass attribute
May  3 17:28:29 mail slapd[4372]: conn=6 op=42 SEARCH RESULT tag=101 err=0 nentries=9 text=

As you can see, the userPassword attribute is getting modified, but not sambaNTPassword. When the user gets created, the sambaNTPassword entry is created correctly, but from here on, it doesn't seem to get updated. Should I be changing the password in a different location? I can go into the server and manually enter "smbpasswd user" and set it, but that's sort of against the spirit of having Zimbra manage it all. This is happening on a RedHat AS4 box running the latest version of Zimbra.

This is the only hangup that I'm having with getting this up and running. The PAM and Samba modules are talking to the LDAP server just fine...I can log in via SSH with my Zimbra account info, and using the first password I set up, I can log in through Samba to the server. It's just that when the password changes, the Samba password stays the same, but the Zimbra password changes as expected. Any ideas?

[shade]

Same issue here. Our users would primarily be changing their passwords thru the Zimbra UI rather than via Samba. Is there any way to get Zimbra to update the sambaNTPassword?

[jholder]

Ignore this post. I'm bumping it so I don't forget about it
ZFR

[spgator]

ZCS 4.5.4GA Network edition. After deploying posix/samba admin extensions, console hangs at 'loading'

IE debug window complains of "line 158, char 9 Error: Expected identifier, string or number" and "line 22275, char 1 Error:'exception thrown and not caught'

Thanks,

Scott

[bersrker]

Just to give an update, still having the same problems after updating test instance to 4.5.5_GA. sambaNTPassword hash isn't being updated after changing the password for a user through the admin console. Can't seem to get Zimbra to change the second password after adding the schema. It's bizarre because the password is correctly set when creating a new account, but not when changing the password. Is there a mechanism that needs to be changed somewhere?

[bersrker]

Has anybody been able to get the samba password changed when changing a user's password through the admin interface yet? If so, was there anything special to get it to work? This is the last thing that's keeping me from deploying this solution.

[mattwalston]

Another deployment without sambaNTPassword synchronizing


We too are experiencing this issue. It is the final obstacle to deployment. Other than this snafu, everything else works perfect.