
Thread: Can't connect to zimbra ldap from different machine

  1. #1

    I'm trying to set up a zimbra samba authentication for a file server that is on the local network, but not the host of the zimbra ldap.

    When I try to connect to a samba share on the file server, the file server can't connect to the zimbra ldap to authenticate. In the samba log files for the desktop that is connecting I get the following

    Code:
    [2009/05/05 17:14:58,  0] lib/smbldap.c:smb_ldap_start_tls(600)
      Failed to issue the StartTLS instruction: Can't contact LDAP server
    [2009/05/05 17:14:58,  1] lib/smbldap.c:another_ldap_try(1175)
      Connection to LDAP server failed for the 1 try!
    log.wb-DOMAIN:
    Code:
      Failed to issue the StartTLS instruction: Can't contact LDAP server
    [2009/05/05 17:17:44,  3] winbindd/winbindd_misc.c:winbindd_dual_list_trusted_domains(367)
      winbindd_dual_list_trusted_domains: trusted_domains returned NT_STATUS_UNSUCCESSFUL
    and log.winbindd-idmap
    Code:
      Failed to issue the StartTLS instruction: Can't contact LDAP server
    [2009/05/05 09:48:48,  1] winbindd/idmap_tdb.c:idmap_tdb_alloc_init(341)
      idmap uid or idmap gid missing
    [2009/05/05 09:48:48,  0] winbindd/idmap.c:idmap_alloc_init(587)
      ERROR: Initialization failed for alloc backend, deferred!
    [2009/05/05 09:48:48,  3] winbindd/idmap.c:idmap_new_mapping(693)
      Could not allocate id: NT_STATUS_UNSUCCESSFUL
    and auth.log
    Code:
    May  5 17:07:15 server1 sshd[19998]: reverse mapping checking getaddrinfo for mhawkins-acer.medalist.com.au [192.168.2.112] failed - POSSIBLE BREAK-IN ATTEMPT!
    May  5 17:07:18 server1 sshd[19998]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    May  5 17:07:18 server1 sshd[19998]: pam_ldap: reconnecting to LDAP server...
    May  5 17:07:18 server1 sshd[19998]: pam_ldap: ldap_simple_bind Can't contact LDAP server
    May  5 17:07:18 server1 sshd[19998]: Accepted password for root from 192.168.2.112 port 37790 ssh2
    May  5 17:07:18 server1 sshd[19998]: pam_unix(sshd:session): session opened for user root by (uid=0)
    What I can't figure out is what to check on the zimbra server side to see what is causing it not to connect, and not even sure which log file would contain the attempted connections.

    The zimbra server is Ubuntu 8.04 and the fileserver is 9.04.

    I've tried stopping apparmor on both servers just in case, but that doesn't seem to be the issue. I haven't changed any of the apparmor profiles or installed new ones, so I don't think it should have any effect.

    I'm also trying to test the connection from a desktop using ldapsearch, but I'm not quite sure of the syntax. Can anyone give a simple syntax to test a connection? Also, what user can I use to connect to the LDAP database? Is it possible to use one of the admin accounts?

    Thanks
    Mark Hawkins

    Medalist

  2. #2

  3. #3

    uboxd

    Thanks so much for the reply. Before I go blindly making changes to the ldap start script as bart did, can I confirm with you that the issue is the same? My zmlocalconfig does not seem to be restricted to localhost:

    Code:
    ldap_bind_url = 
    ldap_master_url = ldap://mail.medalist.com.au:389
    ldap_url = ldap://mail.medalist.com.au:389
    What exactly does Konstantin's iptables setting do?
    Mark Hawkins

    Medalist

  4. #4

    Did you make the CA cert available to your other systems? Generally startTLS failures are because the system can't verify the cert provided by the LDAP server. Does using ldapsearch from the remote system with the -ZZZ option work?
    Quanah Gibson-Mount
    Server Architect
    Zimbra, Inc
    --------------------
    Zimbra :: the leader in open source messaging and collaboration
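Added diagnostic, not code from the thread, from Zimbra or from Samba: it sends the LDAP StartTLS extended request by hand and then attempts the TLS handshake against a given CA file, so the cases that libldap reports with the single line "Can't contact LDAP server" (port unreachable, StartTLS refused by the server, certificate not trusted) come out as distinct results, which is the check Quanah's reply calls for and the connectivity test post #1 asked about. The server name and CA path are placeholders supplied by the caller.

```python
import socket
import ssl

STARTTLS_OID = b"1.3.6.1.4.1.1466.20037"   # RFC 4511 StartTLS extended operation

def _ber_len(n):
    """DER length octets: short form below 128, two-byte long form otherwise."""
    return bytes([n]) if n < 128 else b"\x82" + n.to_bytes(2, "big")

def starttls_request(msg_id=1):
    """LDAPMessage { messageID, ExtendedRequest [APPLICATION 23] { requestName [0] OID } }."""
    name = b"\x80" + _ber_len(len(STARTTLS_OID)) + STARTTLS_OID
    op = b"\x77" + _ber_len(len(name)) + name
    body = b"\x02\x01" + bytes([msg_id]) + op
    return b"\x30" + _ber_len(len(body)) + body

def _content_start(buf, i):   # index of the first content byte of the TLV whose tag is at buf[i]
    ln = buf[i + 1]
    return i + 2 if ln < 0x80 else i + 2 + (ln & 0x7F)

def parse_result_code(resp):
    """Pull resultCode out of the server's ExtendedResponse [APPLICATION 24]."""
    if not resp or resp[0] != 0x30:
        raise ValueError("not an LDAPMessage")
    i = _content_start(resp, 0)
    i = _content_start(resp, i) + resp[i + 1]   # skip messageID, a short INTEGER
    if resp[i] != 0x78:
        raise ValueError("not an ExtendedResponse")
    i = _content_start(resp, i)
    if resp[i] != 0x0A or resp[i + 1] != 1:
        raise ValueError("malformed resultCode")
    return resp[i + 2]

def probe_starttls(host, port=389, cafile=None, timeout=5):
    """'tcp-unreachable:..', 'starttls-refused:<code>', 'tls-failed:<reason>' or 'ok:<tls version>'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as e:
        return f"tcp-unreachable:{e}"
    with sock:
        sock.sendall(starttls_request())
        code = parse_result_code(sock.recv(4096))
        if code != 0:                      # e.g. 52 (unavailable) when slapd has no TLS configured
            return f"starttls-refused:{code}"
        ctx = ssl.create_default_context(cafile=cafile)   # cafile=None -> system trust store
        try:
            with ctx.wrap_socket(sock, server_hostname=host) as tls:
                return "ok:" + tls.version()
        except ssl.SSLError as e:          # CERTIFICATE_VERIFY_FAILED is the thread's suspect
            return f"tls-failed:{getattr(e, 'reason', None) or e}"
```

Run it from the file server as `probe_starttls("mail.example.test", cafile="/path/to/zimbra-ca.pem")`; the equivalent check with the OpenLDAP tools, which post #1 asked for, is `LDAPTLS_CACERT=/path/to/zimbra-ca.pem ldapsearch -x -ZZ -H ldap://mail.example.test:389 -b '' -s base`.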

  5. #5

    I didn't explicitly make the cert available to other systems, so unless it's a default setting then no. I don't know how to make the certificate available, but I'll do some searching to learn more and see if I can find out how.

    I have not fixed my problem yet, but I have come part way there. I have 2 NICs in each machine and to reduce the load on the network and increase the speed between the two servers I connected them directly to each other on the spare NICs. I gave them each an ip on a slightly different subnet and changed the hosts files on each so that each machine would know to use the private subnet address without any other machine on the network trying to use the private network.

    This seemed to work fine for everything else, but not for ldap. I tried changing the ldap_bind_address and also removing the '-h' option as per the other post, but that didn't seem to help, so I ended up removing the private addresses from the hosts file. This did fix it, but of course there's no benefit to the direct connection anymore.

    I still can't get samba on the fileserver to authenticate against the zimbra server, but there are no more ldap errors and getent groups and getent passwds both work properly. I think my problem is with winbind on the fileserver, but I'll need to do some more digging first.
    Mark Hawkins

    Medalist
