
Thread: [SOLVED] Problems with pam_ldap,nss_ldap and zimbra integration

  1. #1

    [SOLVED] Problems with pam_ldap,nss_ldap and zimbra integration

    Hi everyone,

    I'm trying to auth using nss_ldap (1.265_4) and pam_ldap (1.8.5) against zimbra openldap. I'm using zcs 6.0.6 on FreeBSD 8.1-RELEASE. ldap.conf is the same for pam_ldap and nss_ldap. pam_ldap throws this error:
    Code:
     pam_ldap: ldap_starttls_s: Can't contact LDAP server
    nss_ldap throws this:
    Code:
    nss_ldap: failed to bind to LDAP server ldap://myhost.net: Invalid credentials
    here is the config of ldap:
    Code:
    base dc=myhost,dc=net
    host myhost.net
    binddn uid=zmposix,cn=appaccts,cn=zimbra
    bindpw mypw
    rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
    uri ldap://myhost.com
    bind_policy soft
    ssl start_tls
    tls_cacertdir /opt/zimbra/conf/ca
    tls_checkpeer no
    pam_password md5
    nss_base_passwd ou=people,dc=dc=myhost,dc=net?one
    nss_base_shadow ou=people,dc=dc=myhost,dc=net?one
    nss_base_group ou=groups,dc=myhost,dc=net?one
    nss_base_hosts ou=machines,dc=myhost,dc=net?one
    The bindpw is set to the password that was provided by zmlocalconfig (and the root and ldap passwords are the same). I spent a good two days trying to resolve these issues. Samba seems to connect to the openldap server with no problems at all but is unable to auth users. The relevant parts of the log are probably these:

    Code:
    ntlm_password_check: NO NT password stored for user ciny.
    ntlm_password_check: Lanman passwords NOT PERMITTED for user ciny
    check_ntlm_password:  Authentication for user [ciny] -> [ciny] FAILED with erro NT_STATUS_WRONG_PASSWORD
    error packet at smbd/sesssetup.c(122) cmd=115 (SMBsesssetupX) NT_STATUS_LOGON_FILURE
    I'm getting desperate here; if anyone has any suggestions I would be glad.
    Thanks

    EDIT1:
    when I try
    Code:
    ldapsearch -H ldap://myhost.net:389 -w ldaprootpass -D uid=zimbra,cn=admins,cn=zimbra -x 'objectclass=*'
    everything works but when I try
    Code:
    ldapsearch -H ldap://172.24.1.15:389 -w myuserpass -D uid=ciny,ou=people,dc=myhost,dc=net -x 'objectclass=*'
    I get

    Code:
    ldap_sasl_bind(SIMPLE): Can't contact LDAP server (-1)
    Am I missing something crucial?
    Last edited by ciny; 10-29-2010 at 08:12 AM. Reason: update in progress

  2. #2

    I finally figured it out. I will write up a summary later in the evening.

  3. #3

    and the write-up?

    B/c I just saw this today.....

    thanking you in advance
    Last edited by gnyce; 11-18-2010 at 08:57 AM. Reason: typo

  4. #4

    Sorry, I got swamped with a lot of other work so I didn't have time. Unfortunately I don't exactly remember, but I will paste here all the relevant config and try to write down some notes on some problems I have run into and how I solved them:
    /usr/local/etc/ldap.conf (mind that I'm using FreeBSD so on linux it will probably be /etc/ldap.conf)
    Code:
    base dc=example,dc=net
    host email.example.net
    binddn uid=zimbra,cn=admins,cn=zimbra
    bindpw # you will get this password by running zmlocalconfig -s ldap_root_password
    rootbinddn uid=zimbra,cn=admins,cn=zimbra
    uri ldap://email.example.com
    bind_policy soft
    ssl start_tls
    tls_cacertdir /opt/zimbra/conf/ca
    tls_checkpeer no
    pam_login_attribute uid
    pam_password md5
    
    nss_base_passwd ou=people,dc=example,dc=net?one
    nss_base_shadow ou=people,dc=example,dc=net?one
    nss_base_group ou=groups,dc=example,dc=net?one
    nss_base_hosts ou=machines,dc=example,dc=net?one
    I use the same config for ldap.conf nss_ldap.conf and pam_ldap.conf (actually both nss_ldap.conf and pam_ldap.conf are symlinks for ldap.conf on my system).
    here is my smb.conf:
    Code:
      [global]
      workgroup = EXAMPLE
      netbios name = EXAMPLE.NET
      os level = 33
      preferred master = yes
      enable privileges = yes
      server string = %h server (running FreeBSD 8.1 with ZFS)
      wins support =yes
      dns proxy = no
      name resolve order = wins bcast hosts
      log file = /var/log/samba/log.%m
      log level = 3
      max log size = 1000
      syslog only = no
      syslog = 0
      panic action = /usr/share/samba/panic-action %d
      security = user
      encrypt passwords = true
      ldap passwd sync = yes
      passdb backend = ldapsam:ldap://email.example.net/
      ldap admin dn = "cn=config"
      ldap suffix = "dc=example,dc=net"
      ldap group suffix = ou=groups
      ldap user suffix = ou=people
      ldap machine suffix = ou=machines
      obey pam restrictions = no
      passwd program = /usr/bin/passwd %u
      passwd chat = *blah blah blah blah* .
      inherit acls = no
      nt acl support = yes
      case sensitive = No
    
    [homes]
            comment = Home Directories
            browseable = yes
            read only = no
            write list = %S
            vfs objects = zfsacl
            nfs4:mode = special
            nfs4:acedup = merge
            nfs4:chown = yes
    [studio]
            comment = Studio Share
            browseable = yes
            read only = no
            path = /home/shares/studio
            acl check permissions = True
            vfs objects = zfsacl
            nfs4:mode = special
            nfs4:acedup = merge
            nfs4:chown = yes
    
    [www]
            path = /usr/local/www
            comment = www share
            browseable = yes
            read only = no
            acl check permissions = True
            vfs objects = zfsacl
            nfs4:mode = special
            nfs4:acedup = merge
            nfs4:chown = yes
    Nothing really special there; I highlighted the relevant part for auth against your LDAP. Now you start your samba, then
    Code:
    smbpasswd -w ldap_root_password
    then you can set up groups and user accounts. If you already have some existing zimbra accounts (created before the implementation of zimlets into admin console) you have to do three things:
    as zimbra user
    Code:
    zmprov ma user@example.net +objectClass posixAccount uidNumber 10031 gidNumber 10001 homeDirectory /home/shares/user loginShell /sbin/nologin
    zmprov ma user@example.net +objectClass sambaSamAccount sambaDomainName example.net sambaSID (you can find it with net getlocalsid) sambaAcctFlags [UX]
    smbpasswd -a user - I couldn't get passwords synchronised for accounts existing before samba integration - the user has to enter his password here
    Now everything should be up and running. To connect to your samba share from Windows go to \\example.net (or let Windows scan the whole network). As username enter EXAMPLE.NET\user and the user's password, and you should hopefully be relieved that it finally works. I also strongly suggest reading through the ACL documentation for fine grained control.
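As an added example (not part of this thread or of Zimbra), a small lint for the ldap.conf format used by nss_ldap and pam_ldap above. It parses the file and flags what a reviewer would catch in the first post's config: a repeated RDN attribute in an nss_base_* search base (dc=dc=), host and uri lines naming different servers, tls_checkpeer no (StartTLS without certificate verification), and a bindpw stored in the config file itself. The sample config is constructed to mirror the first post; the parsing and checks are my own, not anything from the nss_ldap project.

```python
import re

# Constructed sample mirroring the first post's ldap.conf (not copied from any live host).
SAMPLE_CONF = """\
base dc=myhost,dc=net
host myhost.net
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw mypw
uri ldap://myhost.com
bind_policy soft
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
tls_checkpeer no
nss_base_passwd ou=people,dc=dc=myhost,dc=net?one
nss_base_group ou=groups,dc=myhost,dc=net?one
"""


def parse_ldap_conf(text):
    """Return {key: value} for 'key value' lines; '#' comments and blank lines are skipped."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        conf[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return conf


def hostname_from_uri(uri):
    """'ldap://host:389/' -> 'host' (scheme, port and path stripped)."""
    return re.sub(r"^ldaps?://", "", uri).split("/")[0].split(":")[0]


def lint_ldap_conf(conf):
    """Return a list of human-readable findings; an empty list means nothing suspicious."""
    findings = []
    for key, value in conf.items():
        # A repeated RDN attribute such as 'dc=dc=' yields a search base that matches nothing.
        if key.startswith("nss_base_") and re.search(r"\b(\w+)=\1=", value):
            findings.append(f"{key}: repeated RDN attribute in '{value}'")
    host, uri = conf.get("host"), conf.get("uri")
    if host and uri and hostname_from_uri(uri) != host:
        # Both keys should agree; otherwise one of them points the bind at the wrong server.
        findings.append(f"host '{host}' and uri '{uri}' name different servers")
    if conf.get("tls_checkpeer", "").lower() in ("no", "off", "false"):
        # Without peer verification StartTLS encrypts the session but does not authenticate the server.
        findings.append("tls_checkpeer no: server certificate is never verified")
    if conf.get("bindpw"):
        # ldap.conf is normally world-readable; a password belongs in the root-only secret file read via rootbinddn.
        findings.append("bindpw stored in ldap.conf: readable by every local user")
    return findings
```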
