Thread: UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI – Problem

  1. #1
    Join Date
    Feb 2007
    Location
    Jacksonville, FL
    Posts
    12
    Rep Power
    8

    UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI – Problem

    We were very excited to try out Greg's extensions but I hit a bit of a snag. I believe that I followed the directions correctly, but...

    When adding a user with posix or samba attributes or editing an existing user, I get error messages such as these:


    Message: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'gidNumber' not allowed]
    Error code: service.INVALID_REQUEST
    Method: ZmCsfeCommand.prototype.invoke
    Details:soap:Sender


    Message: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'loginShell' not allowed]
    Error code: service.INVALID_REQUEST
    Method: ZmCsfeCommand.prototype.invoke
    Details:soap:Sender


    Any ideas?


    Also, some food for thought, we would purchase a commercial version of Zimbra if this was an officially supported add-on/capability, the documents had versioning and other cms features and assignable task type items existed.
    ----
    Matt Walston
    Entire IT Department
    Air Control Systems

  2. #2
    dijichi2 is offline OpenSource Builder & Moderator
    Join Date
    Oct 2005
    Posts
    1,176
    Rep Power
    12

    Sounds like you're missing the posix schema. Reread the instructions and make sure you're including all the .schema files in slapd.conf.

  3. #3
    Join Date
    Apr 2006
    Posts
    22
    Rep Power
    9

    If these are accounts that existed before you installed the new schemas, they don't have the additional objectclasses (posixAccount and sambaSamAccount). You've got to manually add these objectclasses to the LDAP entry, then add the related attributes. I had to use an external LDAP administration tool to get the objectclasses loaded.

  4. #4
    Join Date
    Feb 2007
    Location
    Jacksonville, FL
    Posts
    12
    Rep Power
    8

    Schema Files

    They are definitely included in the config, are accessible, and the perms are right. I will see what happens for a new account.
    ----
    Matt Walston
    Entire IT Department
    Air Control Systems

  5. #5
    Join Date
    Feb 2007
    Location
    Jacksonville, FL
    Posts
    12
    Rep Power
    8

    Same error

    Same error on new account.
    ----
    Matt Walston
    Entire IT Department
    Air Control Systems

  6. #6
    Join Date
    Sep 2005
    Location
    Tucson - San Francisco - Moscow
    Posts
    127
    Rep Power
    10

    Make sure you edited slapd.conf.in, not the slapd.conf file, because slapd.conf gets overwritten every time you restart Zimbra services. The error that you are describing certainly looks like you are missing the samba schema.
    Bugzilla - Wiki - Downloads - Before posting... Search!
    P.S.: don't forget to vote on this bug
    add Samba LDAP entries to Exchange Migration Tool

  7. #7
    Join Date
    Mar 2007
    Location
    Small village in the center of Italy
    Posts
    350
    Rep Power
    8

    Quote Originally Posted by bersrker View Post
    If these are accounts that existed before you installed the new schemas, they don't have the additional objectclasses (posixAccount and sambaSamAccount). You've got to manually add these objectclasses to the LDAP entry, then add the related attributes. I had to use an external LDAP administration tool to get the objectclasses loaded.
    Interesting, very interesting
    Which external LDAP administration tool have you used?
    I have 150 accounts and I am terribly disappointed to migrate 1O1 using your tool; how can I do it massively?
    TIA for suggestion

  8. #8
    Join Date
    Jul 2007
    Posts
    98
    Rep Power
    8

    Bad news
    Although adding an additional uidMember to a Posix Group is successfully shown in getent group, when the client actually connects to the shares, only his primary group is honored by Samba.

    Well, it's not the end of the world. I believe we can work around this using creative user grouping and ACLs in the shared directories.

    For example, I set a directory called w2kfinance 770.
    In smb.conf:
    Code:
    [w2kfinance]
            comment = for salesjauh1 and userjauh1
            path = /var/lib/samba/shares/w2kfinance
            write list = @w2kfinance
    I want manager group to be able to "explore" inside the directory. I use ACL for this:
    Code:
    setfacl -m u:managerjauh1:rwx w2kfinance/
    It works

  9. #9
    Join Date
    Oct 2006
    Posts
    45
    Rep Power
    9

    Quote Originally Posted by bersrker View Post
    If these are accounts that existed before you installed the new schemas, they don't have the additional objectclasses (posixAccount and sambaSamAccount). You've got to manually add these objectclasses to the LDAP entry, then add the related attributes. I had to use an external LDAP administration tool to get the objectclasses loaded.
    Being new to LDAP, it took me a little time to work out how to do this. I used ldapmodify with the following input file to add the posixAccount objectclass and attributes (haven't started playing with Samba yet):

    dn: uid=<USER>,ou=people,dc=MY,dc=DOMAIN
    changetype: modify
    add: objectClass
    objectClass: posixAccount
    -
    add: homeDirectory
    homeDirectory: /home/<USER>
    -
    add: loginShell
    loginShell: /bin/bash
    -
    add: uidNumber
    uidNumber: <UID NUMBER>
    -
    add: gidNumber
    gidNumber: <GID NUMBER>

    Hope that helps. These then appear in the Posix Account section of the Admin UI for the specified user as expected.

    Cheers,
    David
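
Added example (not part of davidh's post or of the Zimbra extensions): for the bulk case asked about in post #7, this sketch generates the same ldapmodify input as the file above for many users at once. It rejects usernames that could inject extra LDIF lines or DN components, duplicate uidNumbers, and reserved IDs; the name pattern, the `MIN_UID` threshold and the sample accounts are assumptions.

```python
import re

# Base DN copied from the post above; MY and DOMAIN are the poster's placeholders.
BASE_DN = "ou=people,dc=MY,dc=DOMAIN"
# Conservative login-name pattern (assumption). Used with fullmatch() so that a
# trailing newline cannot slip through and start a new LDIF line.
USER_RE = re.compile(r"[a-z_][a-z0-9_-]{0,31}")
MIN_UID = 1000  # assumption: lower uidNumbers belong to local system accounts


def build_ldif(users, shell="/bin/bash"):
    """users: iterable of (uid, uidNumber, gidNumber) -> LDIF text for ldapmodify."""
    seen_names, seen_ids, records = set(), set(), []
    for uid, uid_number, gid_number in users:
        if not USER_RE.fullmatch(uid):
            raise ValueError(f"invalid or unsafe uid: {uid!r}")
        # Two accounts sharing a uidNumber would own each other's files.
        if uid in seen_names or uid_number in seen_ids:
            raise ValueError(f"duplicate uid or uidNumber: {uid} / {uid_number}")
        # uidNumber 0 is root; gidNumber 0 is the root group.
        if uid_number < MIN_UID or gid_number <= 0:
            raise ValueError(f"reserved uidNumber/gidNumber for {uid}")
        seen_names.add(uid)
        seen_ids.add(uid_number)
        records.append("\n".join([
            f"dn: uid={uid},{BASE_DN}",
            "changetype: modify",
            "add: objectClass",
            "objectClass: posixAccount",
            "-",
            "add: homeDirectory",
            f"homeDirectory: /home/{uid}",
            "-",
            "add: loginShell",
            f"loginShell: {shell}",
            "-",
            "add: uidNumber",
            f"uidNumber: {uid_number}",
            "-",
            "add: gidNumber",
            f"gidNumber: {gid_number}",
        ]))
    # LDIF change records are separated by one blank line.
    return "\n\n".join(records) + "\n"


if __name__ == "__main__":
    # Constructed sample accounts, not taken from the thread.
    print(build_ldif([("alice", 10001, 10001), ("bob", 10002, 10001)]), end="")
```

The output is used as the ldapmodify input file in the same way as the single-user file in the post above.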

  10. #10
    Join Date
    Jul 2007
    Location
    Ohio
    Posts
    33
    Rep Power
    8

    Thanks to davidh, I have one of my old users and one new test user successfully configured with Posix and Samba information. Both are showing up when I do a getent passwd, but I can not log in with either SSH or Samba.

    I get this in syslog as well, even though pam_mkhomedir is installed.

    Code:
    Sep 10 06:40:50 diablo sudo: PAM unable to dlopen(/lib/security/pam_mkhomedir)
    Sep 10 06:40:50 diablo sudo: PAM [dlerror: /lib/security/pam_mkhomedir: cannot open shared object file: No such file or directory]
    Sep 10 06:40:50 diablo sudo: PAM adding faulty module: /lib/security/pam_mkhomedir
    Zimbra server is ZCS NE on Ubuntu, server I'm trying to join to it is Debian Etch.

    edit: fixed that one. In the Wiki guide we're told to add the following to /etc/pam.d/common-session

    Code:
    session required pam_mkhomedir skel=/etc/skel umask=0077
    it should be

    Code:
    session required pam_mkhomedir.so skel=/etc/skel umask=0077

    edit2: after rebooting Diablo, I can now log in via SSH. Samba still didn't work for my existing users until I did a "sudo smbpasswd -a <user>" which added the proper password information to LDAP. As of right now the only thing which isn't working is the above mkhomedir functionality, it's not throwing any errors but the home directories are not being created properly.
    Last edited by wolrah; 09-11-2007 at 02:20 PM.
