Thread: Zimbra6.0.1 + Samba PDC and user not found

  1. #1

    Hi there,

    I'm setting up a primary domain controller with Samba that must authenticate users against Zimbra LDAP.
    Found and followed this guide with success (I hope); everything is working fine on Zimbra, but my Samba PDC cannot find users and groups.

    After I configured Samba and restarted the daemon, it created the Samba domain in Zimbra, but if I create a user via the admin console and assign it to the Samba domain, it seems that Samba doesn't find the user (nor the groups I've created), either via getent [user|group] or via smbclient (with the logon_failure exit error).

    I can authenticate on Samba only if I create a local Unix account via "adduser".

    My conf files:

    Code:
    # /etc/samba/smb.conf
    [global]
    workgroup = MYDOMAIN.IT
    netbios name = samba
    os level = 33
    preferred master = yes
    enable privileges = yes
    server string = %h server (Samba, Ubuntu)
    wins support = yes
    dns proxy = no
    name resolve order = wins bcast hosts
    log file = /var/log/samba/log.%m
    log level = 3
    max log size = 1000
    syslog only = no
    syslog = 0
    panic action = /usr/share/samba/panic-action %d
    security = user
    encrypt passwords = true
    ldap passwd sync = yes
    passdb backend = ldapsam:ldap://192.168.0.208/
    ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
    ldap suffix = dc=mydomain,dc=it
    ldap group suffix = ou=groups
    ldap user suffix = ou=people
    ldap machine suffix = ou=machines
    obey pam restrictions = no
    passwd program = /usr/bin/passwd %u
    passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
    domain logons = yes
    logon path =
    logon home =
    logon script = logon.cmd
    add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
    add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
    socket options = TCP_NODELAY
    domain master = yes
    local master = yes
    [homes]
    comment = Home Directories
    browseable = yes
    read only = No
    valid users = %S
    [netlogon]
    comment = Network Logon Service
    path = /home/netlogon
    guest ok = yes
    locking = no
    [profiles]
    comment = Users profiles
    path = /home/profiles
    read only = No
    [profdata]
    comment = Profile Data Share
    path = /var/lib/samba/profdata
    read only = No
    profile acls = Yes
    [printers]
    comment = All Printers
    browseable = no
    path = /tmp
    printable = yes
    public = no
    writable = no
    create mode = 0700
    [print$]
    comment = Printer Drivers
    path = /var/lib/samba/printers
    browseable = yes
    read only = yes
    guest ok = no
    Code:
    #
    # /etc/pam.d/common-account - authorization settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authorization modules that define
    # the central access policy for use on the system.  The default is to
    # only deny service to users whose accounts are expired in /etc/shadow.
    #
    account sufficient pam_unix.so
    account sufficient pam_ldap.so
    Code:
    #
    # /etc/pam.d/common-auth - authentication settings common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of the authentication modules that define
    # the central authentication scheme for use on the system
    # (e.g., /etc/shadow, LDAP, Kerberos, etc.).  The default is to use the
    # traditional Unix authentication mechanisms.
    #
    auth sufficient pam_ldap.so
    auth sufficient pam_unix.so
    Code:
    #
    # /etc/pam.d/common-password - password-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define the services to be
    # used to change user passwords.  The default is pam_unix.
    
    # Explanation of pam_unix options:
    #
    # The "nullok" option allows users to change an empty password, else
    # empty passwords are treated as locked accounts.
    #
    # The "md5" option enables MD5 passwords.  Without this option, the
    # default is Unix crypt.
    #
    # The "obscure" option replaces the old `OBSCURE_CHECKS_ENAB' option in
    # login.defs.
    #
    # You can also use the "min" option to enforce the length of the new
    # password.
    #
    # See the pam_unix manpage for other options.
    
    password sufficient pam_unix.so
    password sufficient pam_ldap.so
    Code:
    #
    # /etc/pam.d/common-session - session-related modules common to all services
    #
    # This file is included from other service-specific PAM config files,
    # and should contain a list of modules that define tasks to be performed
    # at the start and end of sessions of *any* kind (both interactive and
    # non-interactive).  The default is pam_unix.
    #
    
    session required pam_mkhomedir.so skel=/etc/skel umask=0077
    session sufficient pam_unix.so
    session sufficient pam_ldap.so
    Code:
     
    #/etc/nsswitch.conf
    #
    # Example configuration of GNU Name Service Switch functionality.
    # If you have the `glibc-doc-reference' and `info' packages installed, try:
    # `info libc "Name Service Switch"' for information about this file.
    
    passwd:         files ldap
    group:          files ldap
    shadow:         compat
    
    hosts:          files dns
    networks:       files
    
    protocols:      db files
    services:       db files
    ethers:         db files
    rpc:            db files
    
    netgroup:       nis

    With "getent user/group" I see only the users/groups of the local Samba machine.
    Last edited by sgnaus; 04-19-2010 at 07:11 AM.

  2. #2

    OK, a little step forward: I now see users and groups via getent, and the auth via smbclient goes fine.

    But I cannot create a group for domain administrators via webadmin because I'm missing the "samba" tab under the posix group zimlet...

    Any help would be appreciated...

  3. #3
    Been there...

    Quote, originally posted by sgnaus:
    OK, a little step forward: I now see users and groups via getent, and the auth via smbclient goes fine.

    But I cannot create a group for domain administrators via webadmin because I'm missing the "samba" tab under the posix group zimlet...

    Any help would be appreciated...
    Hey, I had the same issue. I found that I had to remove and re-install the posix extension. When editing the config_template.xml I just used dc=domain,dc=com and not dc=host,dc=domain,dc=com. This seemed to not create the Samba Group Tab. Removing and installing with the actual hostname seemed to work.

    Once I installed and got the samba group I removed the zimlet and re-deployed with just dc=domain,dc=com

    Seemed to fix it for me.
    Last edited by chimaster; 07-12-2010 at 08:46 PM. Reason: learn to preview.
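
Added example, not written by any poster in this thread: a small checker that derives the LDAP search bases Samba's ldapsam backend builds from the suffix settings posted above, confirms that nsswitch.conf consults ldap for passwd and group, and tests whether a given user DN falls under the user base. The user name "mario", the sample DNs and the trimmed config excerpts are constructed for illustration; it assumes user entries live under ou=people below the domain suffix.

```python
# Constructed excerpts of the files posted in this thread (not the full files).
SMB_CONF = """[global]
passdb backend = ldapsam:ldap://192.168.0.208/
ldap suffix = dc=mydomain,dc=it
ldap group suffix = ou=groups
ldap user suffix = ou=people
"""
NSSWITCH = "passwd: files ldap\ngroup: files ldap\nshadow: compat\n"

def parse_smb_global(text):
    """Return the [global] parameters of an smb.conf as a dict."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip().strip('"')
    return params

def search_bases(params):
    """ldapsam prepends each partial suffix to 'ldap suffix'; unset means the bare suffix."""
    base = params.get("ldap suffix", "")
    return {kind: ",".join(filter(None, [params.get(f"ldap {kind} suffix", ""), base]))
            for kind in ("user", "group", "machine")}

def nss_sources(text):
    """Map each nsswitch.conf database to its ordered list of sources."""
    pairs = (l.split("#", 1)[0].split(":", 1) for l in text.splitlines())
    return {p[0].strip(): p[1].split() for p in pairs if len(p) == 2}

def dn_under(dn, base):
    """True if dn lies below base (naive comma split, no escaped commas)."""
    d, b = ([p.strip().lower() for p in s.split(",")] for s in (dn, base))
    return len(d) > len(b) and d[-len(b):] == b

def diagnose(smb_text, nss_text, user_dn):
    """List reasons why Samba or NSS would not see the given LDAP entry."""
    params, nss, problems = parse_smb_global(smb_text), nss_sources(nss_text), []
    if not params.get("passdb backend", "").startswith("ldapsam:"):
        problems.append("passdb backend is not ldapsam")
    problems += [f"nsswitch '{db}' does not consult ldap"
                 for db in ("passwd", "group") if "ldap" not in nss.get(db, [])]
    user_base = search_bases(params)["user"]
    if not dn_under(user_dn, user_base):
        problems.append(f"{user_dn} is outside the user base {user_base}")
    return problems

if __name__ == "__main__":
    print(diagnose(SMB_CONF, NSSWITCH, "uid=mario,ou=people,dc=mail,dc=mydomain,dc=it"))
```

An entry created under a host-qualified suffix is reported as outside the user base, which is the same kind of suffix mismatch the last reply describes for the zimlet template.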
