Thread: [SOLVED] Zimbra/Samba integration: posix user not created

  1. #1

    Following Greg's awesome tutorial I was able to get nearly everything set up to auth samba against the zimbra directory on CentOS 5.

    However, one curious problem is that I can create the posix/samba groups, but not users. After adding a new user in zimbra, I run getent passwd but do not see the user. I cannot log into the samba shares as that user unless I create them by hand using useradd and smbpasswd -a, which defeats the purpose of having it managed in zimbra.

    After I create the user in Manage Addresses, the Samba Account tab shows the hex password in the field sambaNTPassword so I gather that it's creating everything correctly, but samba isn't talking to the ldap server. My smb.conf contains the following:
    Code:
      ldap passwd sync = yes
      passdb backend = ldapsam:ldap://zimbra.asdf.com/
      ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
      ldap suffix = dc=zimbra,dc=asdf,dc=com
      ldap group suffix = ou=groups
      ldap user suffix = ou=people
      ldap machine suffix = ou=machines
    I think my problem is with pam. Try as I might, I still haven't wrapped my head around pam. Where should I look for clues next? TIA

    -Scott

  2. #2

    Look for info in /var/log/messages

    So, getent group works?

  3. #3

    Originally posted by fajarpri:
        Look for info in /var/log/messages

        So, getent group works?

    Yes, getent group shows the following:
    ...
    exim:x:93:
    zimbra:x:500:
    postfix:x:501:zimbra
    postdrop:x:502:
    Users:*:10001:
    Admins:*:10002:
    Accounting:*:10003:
    Users, Admins, and Accounting are groups I added through the zimbra webadmin interface.

    There's no activity in /var/log/messages when I attempt to make a connection.

    /var/log/samba/log.zimbra shows the following when I attempt to connect:
    [2007/09/02 23:54:22, 3] smbd/uid.c:push_conn_ctx(345)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] auth/auth.c:check_ntlm_password(221)
    check_ntlm_password: Checking password for unmapped user [domain]\[testuser]@[ZIMBRA] with the new password interface
    [2007/09/02 23:54:22, 3] auth/auth.c:check_ntlm_password(224)
    check_ntlm_password: mapped user is: [domain]\[testuser]@[ZIMBRA]
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:push_sec_ctx(208)
    push_sec_ctx(0, 0) : sec_ctx_stack_ndx = 1
    [2007/09/02 23:54:22, 3] smbd/uid.c:push_conn_ctx(345)
    push_conn_ctx(0) : conn_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:set_sec_ctx(241)
    setting sec ctx (0, 0) - sec_ctx_stack_ndx = 1
    [2007/09/02 23:54:22, 2] lib/smbldap.c:smbldap_open_connection(788)
    smbldap_open_connection: connection opened
    [2007/09/02 23:54:22, 3] lib/smbldap.c:smbldap_connect_system(992)
    ldap_connect_system: succesful connection to the LDAP server
    [2007/09/02 23:54:22, 3] smbd/sec_ctx.c:pop_sec_ctx(339)
    pop_sec_ctx (0, 0) - sec_ctx_stack_ndx = 0
    [2007/09/02 23:54:22, 3] auth/auth_sam.c:check_sam_security(281)
    check_sam_security: Couldn't find user 'testuser' in passdb.
    [2007/09/02 23:54:22, 3] auth/auth_winbind.c:check_winbind_security(80)
    check_winbind_security: Not using winbind, requested domain [domain] was for this SAM.
    [2007/09/02 23:54:22, 2] auth/auth.c:check_ntlm_password(319)
    check_ntlm_password: Authentication for user [testuser] -> [testuser] FAILED with error NT_STATUS_NO_SUCH_USER

    [2007/09/02 23:54:22, 3] smbd/error.c:error_packet(146)
    error packet at smbd/sesssetup.c(99) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FAILURE
    It appears that samba isn't checking against ldap, but I've configured it to do so in /etc/samba/smb.conf:
    [global]
    workgroup = domain
    netbios name = zimbra
    os level = 33
    preferred master = yes
    enable privileges = yes
    server string = %h server (Samba, Centos)
    wins support =yes
    dns proxy = no
    name resolve order = wins bcast hosts
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://zimbra.domain.com/
    ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
    ldap suffix = dc=zimbra,dc=domain,dc=com
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    obey pam restrictions = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    domain logons = yes
    logon path = \\zimbra.domain.com\%U\profile
    logon home = \\zimbra.domain.com\%U
    logon script = logon.cmd
    add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
    socket options = TCP_NODELAY
    domain master = yes
    local master = yes
    add user script = /usr/sbin/adduser -c "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false -c "machine account" %u
    I pretty much copied the smb.conf from the wiki and added a couple lines myself.

  4. #4

    If samba cannot connect to ldap server, you will see lots of errors in /var/log/messages.

    I suspect the mistake could be in the zimlet installation of posix_account and zimbra_samba.

  5. #5

    Originally posted by fajarpri:
        If samba cannot connect to ldap server, you will see lots of errors in /var/log/messages.

        I suspect the mistake could be in the zimlet installation of posix_account and zimbra_samba.

    I reinstalled the zimlets... no change. Upon starting the zimbra services I noticed in /var/log/messages:
    Code:
    "nscd: nss_ldap: could not search LDAP server - Server is unavailable"
    I looked it up via google and found that removing the line in ldap.conf "bind_policy soft" removed that particular error. I don't think I did anything wrong in the installation of the zimlets. Like I said, I can create groups without any problems. The output from getent passwd doesn't show that the users have been created. If I had errors in my logs I would post them, but I'm turning up nothing! There must be something simple that I'm missing here.

  6. #6

    I tried an ldapsearch and got the following error back:
    Code:
    ldapsearch -H ldap://zimbra.domain.com/ -v -x -W -D 'uid=zimbra,ou=people,dc=zimbra,dc=domain,dc=com' -s sub '(objectclass=*)' -LL
    LDAP vendor version mismatch: library 20333, header 20327
    I didn't find anything helpful with regards to troubleshooting that error (warning?) via google. Running the command didn't throw anything into /var/log/messages, either.
    Last edited by bucketoftruth; 09-03-2007 at 12:16 PM.

  7. #7

    Here's the output from authconfig --test in case that helps:
    Code:
    # authconfig --test
    caching is enabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://zimbra.domain.com"
     LDAP base DN = "dc=zimbra,dc=domain,dc=com"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = "domain"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap uid = "16777216-33554431"
     SMB idmap gid = "16777216-33554431"
    nss_wins is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     md5 passwords are enabled
    pam_krb5 is disabled
     krb5 realm = "EXAMPLE.COM"
     krb5 realm via dns is disabled
     krb5 kdc = "kerberos.example.com:88"
     krb5 kdc via dns is disabled
     krb5 admin server = "kerberos.example.com:749"
    pam_ldap is enabled
    
     LDAP+TLS is disabled
     LDAP server = "ldap://zimbra.domain.com"
     LDAP base DN = "dc=zimbra,dc=domain,dc=com"
    pam_pkcs11 is disabled
    
     use only smartcard for login is disabled
     smartcard module = "coolkey"
     smartcard removal action = "Ignore"
    pam_smb_auth is disabled
     SMB workgroup = "domain"
     SMB servers = ""
    pam_winbind is disabled
     SMB workgroup = "domain"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_cracklib is enabled (try_first_pass retry=3)
    pam_passwdqc is disabled ()
    Always authorize local users is disabled ()
    Authenticate system accounts against network services is disabled

  8. #8

    ...And some more results of my testing. I removed the root alias in the Zimbra admin, and ran smbpasswd -a root which produced the following in /var/log/zimbra.log:
    Code:
    zimbra slapd[14560]: Entry (uid=root,ou=people,dc=zimbra,dc=domain,dc=com), attribute 'userPassword' not allowed 
    zimbra slapd[14560]: entry failed schema check: attribute 'userPassword' not allowed

  9. #9

    According to this test samba is talking to ldap.
    Code:
    # pdbedit -L
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: succesful connection to the LDAP server
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=DOMAIN))]
    smbldap_open_connection: connection opened
    ldap_connect_system: succesful connection to the LDAP server
    ldapsam_setsampwent: 1 entries in the base dc=zimbra,dc=domain,dc=com
    init_sam_from_ldap: Entry found for user: root
    root:0:root
    It only sees the root user which I created via smbpasswd -a root. I'm posting all this stuff in the hopes that someone might see something obvious. Any ideas?

  10. #10

    Ugh.... I figured it out. Where I was putting in dc=zimbra,dc=domain,dc=com, I should have been entering dc=domain,dc=com.
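
Added example, not part of the original thread and not code from Samba or Zimbra: the fix in post #10 means Samba's user search base (ldap user suffix joined to ldap suffix) did not contain the Zimbra account entries. This Python check parses the [global] section of an smb.conf and reports which account DNs fall outside that base; the function names, the smb.conf fragments and the account DNs are constructed for illustration, and in practice the DNs would come from an ldapsearch against the directory.

```python
# Added example: the smb.conf fragments and account DNs below are constructed.
BROKEN = """[global]
ldap suffix = dc=zimbra,dc=domain,dc=com
ldap user suffix = ou=people
"""
FIXED = BROKEN.replace("dc=zimbra,dc=domain,dc=com", "dc=domain,dc=com")
ACCOUNT_DNS = ["uid=testuser,ou=people,dc=domain,dc=com",
               "uid=scott,ou=people,dc=domain,dc=com"]

def parse_smb_global(text):
    """Return [global] parameters as a dict; a repeated parameter keeps its last value."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            # Parameter names are case-insensitive; normalise case and inner spacing.
            params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params

def split_dn(dn):
    """Split a DN into lower-cased RDNs (simplified: no escaped commas)."""
    return [rdn.strip().lower() for rdn in dn.split(",") if rdn.strip()]

def outside_base(smb_conf, account_dns):
    """Return (user search base, DNs not under it); an unset suffix reports every DN."""
    p = parse_smb_global(smb_conf)
    # "ldap user suffix" is relative to "ldap suffix", so the two are joined.
    parts = [p.get("ldap user suffix", ""), p.get("ldap suffix", "")]
    base = split_dn(",".join(x for x in parts if x))
    missed = [dn for dn in account_dns if split_dn(dn)[-len(base):] != base]
    return ",".join(base), missed

def common_suffix(account_dns):
    """Longest DN suffix shared by all accounts: a candidate search base."""
    shared = []
    for rdns in zip(*(reversed(split_dn(dn)) for dn in account_dns)):
        if len(set(rdns)) != 1:
            break
        shared.insert(0, rdns[0])
    return ",".join(shared)

if __name__ == "__main__":
    for conf in (BROKEN, FIXED):
        print(outside_base(conf, ACCOUNT_DNS))
    print("accounts share:", common_suffix(ACCOUNT_DNS))
```

With the suffix from post #3, every account DN is reported as outside the search base, which matches the NT_STATUS_NO_SUCH_USER result in the Samba log even though the LDAP connection itself succeeded.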
