
Thread: samba/ldap/zimbra - smb.conf

  1. #1

    Default samba/ldap/zimbra - smb.conf

    I'm having second thoughts about how EXACTLY the smb.conf global section should look for other servers on the network that are looking to the zimbra server for authentication.

    Currently this is my smb.conf:
    # Samba configuration for a domain logon server ("domain logons" / "domain master")
    # whose accounts live in the Zimbra LDAP directory via the ldapsam backend.
    # Lines marked NOTE(review) are reviewer annotations; every parameter line is unchanged.
    [global]
    name resolve order = wins bcast hosts
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    # With "no", PAM account and session restrictions are not applied to Samba logons.
    obey pam restrictions = no
    enable privileges = yes
    passwd program = /usr/bin/passwd %u
    netbios name = emailserver

    ldap passwd sync = yes


    workgroup = WorkSpace
    server string = emailserver

    os level = 60
    syslog only = no

    # Passwords are checked against this server's own passdb backend (ldapsam, below).
    security = user

    max log size = 1000
    # NOTE(review): level 3 is verbose; the per-client files under /var/log/samba will
    # carry detailed session and authentication activity — confirm who can read them.
    log level = 3
    log file = /var/log/samba/log.%m

    socket options = TCP_NODELAY

    encrypt passwords = yes

    logon home = \\mail.domain.com\%U

    local master = yes
    wins support = yes
    domain logons = yes
    domain master = yes

    # NOTE(review): a plain ldap:// URI together with "ldap ssl = no" (further down) means
    # the LDAP bind and the account attributes Samba reads — including the Samba password
    # hashes held in the directory — cross the network unencrypted. Prefer
    # "ldap ssl = start tls" or an ldaps:// URI once the directory presents a certificate.
    passdb backend = ldapsam:ldap://mail.domain.com/
    # NOTE(review): Samba binds with this DN for every lookup and update, and its password
    # is kept in Samba's secrets.tdb. cn=config looks like the directory's administrative
    # identity — presumably far more privilege than Samba needs. Consider a dedicated
    # account limited to the people/groups/machines subtrees; verify against the LDAP ACLs.
    ldap admin dn = "cn=config"
    ldap suffix = dc=domain,dc=com
    ldap user suffix = ou=people
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines

    # NOTE(review): "password server" belongs to the domain/server security modes; with
    # "security = user" above it has no effect on where passwords are checked.
    password server = 192.168.1.248 emailserver

    wins server = 192.168.1.248

    logon path =
    logon script =
    add user script = /usr/sbin/useradd "%u" -n -g users
    add group script = /usr/sbin/groupadd "%g"
    add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
    delete user script = /usr/sbin/userdel "%u"
    # NOTE(review): this calls userdel, the same tool as "delete user script". The parameter
    # is meant to remove %u from group %g, not to delete the account — looks like a
    # copy-paste slip. Use the platform's group-membership tool instead
    # (e.g. gpasswd -d "%u" "%g") after testing.
    delete user from group script = /usr/sbin/userdel "%u" "%g"
    delete group script = /usr/sbin/groupdel "%g"

    syslog = 0

    # NOTE(review): disables TLS on the connection to the LDAP server; see the note on
    # "passdb backend" above.
    ldap ssl = no

    # NOTE(review): the three lines below are commented out, so the installed Samba
    # version's defaults apply. The two auth lines are client-side settings; the
    # server-side counterparts are "lanman auth" and "ntlm auth" — confirm that LANMAN
    # and NTLMv1 logons are refused.
    # realm = mail.domain.com
    # client lanman auth = no
    # client ntlmv2 auth = yes


    # NOTE(review): unlike every other parameter, this line has no "=". Samba is likely to
    # treat it as malformed and ignore it, leaving no host restriction in force — check the
    # effective value with testparm.
    hosts allow 192.168.1 192.168.2 192.168.3 192.168.4 192.168.5 192.168.10
    # hosts deny

    [netlogon]
    browseable = no
    comment = Network Logon Service
    locking = no
    # "public" is a synonym for "guest ok": guest (password-less) connections to this share
    # are permitted — confirm that is intended.
    public = yes
    path = /etc/samba/netlogon
    available = yes
    [profiles]
    browseable = no
    comment = Users profiles
    # NOTE(review): writable, with no "valid users", "create mask" or "directory mask" set,
    # so separation between users' profiles rests on filesystem permissions under the
    # path — verify. Keeping user-writable data under /etc/samba, next to the
    # configuration, is also worth reconsidering.
    writable = yes
    path = /etc/samba/profiles
    available = yes
    [profdata]
    profile acls = Yes
    browseable = no
    comment = Profile Data Share
    # NOTE(review): same considerations as [profiles]: writable, no per-user restriction
    # in the share definition, and located under /etc/samba.
    writable = yes
    path = /etc/samba/profdata
    available = yes
    now...according to this:
    [Chapter 6] 6.3 Authentication Security
    it says:
    You can configure Samba to use a separate password server under server-level security with the use of the password server global configuration option, as follows:

    # Quoted example of server-level security: password checks are handed off to the
    # listed SMB servers instead of being done against Samba's own account database.
    # NOTE(review): the Samba documentation discourages this mode and later releases
    # deprecate it; treat the example as historical.
    [global]
    security = server
    password server = PHOENIX120 HYDRA134

    Note that you can specify more than one machine as the target of the password server ; Samba will move down the list of servers in the event that its first choice is unreachable. The servers identified by the password server option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection will automatically fail - Samba will not attempt another server.
    ...based on that security should be SERVER and the password server should not be an IP address...though on my conf I use USER and an IP address...What exactly is the correct setting...?

    I ask because sometimes authentication from the server to the zimbra server fails, and can't find the authentication server....but after restarting samba a million times, it'll eventually find it...I feel it's a setting in the global section that's causing this....hence the needed clarification...

    Thanks!

  2. #2

    27 views, but no takers!?! wow...stumped yall!?! LOL

    *bump*

  3. #3

    Try reading up on what "server" security actually is here: Chapter 3. Server Types and Security Modes.

    Basically... don't use it. User level security is what you want, and the password server option is meaningless to this security level so I am not entirely sure why you have it in there.

    When authentication fails do you have any messages in the logs? (Zimbra or Samba)
