Talk:UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI

Introduction

This link seems to be dead. So I guess another nice how-to about authenticating with LDAP should be found.


LDAP: error code 65 - attribute 'gidNumber' not allowed

Any ideas? I thought I followed the instructions rather well. The following appears when trying to add posix details to a user.

Message: invalid request: LDAP schema violation: [LDAP: error code 65 - attribute 'gidNumber' not allowed] Error code: service.INVALID_REQUEST Method: ZmCsfeCommand.prototype.invoke Details:soap:Sender

Linux password & Zimbra password do not match

Please, can anyone help me? I followed this document. I ran a Samba server on Fedora Core 5 up to "Creating Linux and Samba users using Zimbra Admin UI". After I created a user "chan", I ran this command as root on the Samba server.

 [root@samba ~]# getent group
 root:x:0:root
 !
 !
 .
 .
 t2:x:10003:
 zimbra:x:10004:
 test:*:10001:20001

And

 [root@samba ~]# getent passwd
 root:x:0:0:root:/root:/bin/bash
 !
 !
 .
 t2:x:10002:10003::/home/t2:/bin/bash
 zimbra:x:10003:10004::/home/zimbra:/bin/bash
 test:*:10001:10001:s:/home/test:/bin/bash
 chan:*:10002:10001:chan chan:/home/chan:/bin/bash

Everything is fine. But when I create a home folder and try to switch to the newly created user:

    [root@samba ~]# su - test
    su: incorrect password
    [root@samba ~]#

And when I try to switch to a local user, it is the same:

   [root@samba ~]# useradd local
   [root@samba ~]# passwd local
   Changing password for user local.
   New UNIX password:
   BAD PASSWORD: it is too simplistic/systematic
   Retype new UNIX password:
   passwd: all authentication tokens updated successfully.
   [root@samba ~]# su - local
   su: incorrect password
   [root@samba ~]#

It means I can't join the domain. Can anyone help me, please?

Few issues

First - thank you immensely for creating this page/plugins/capability - this is EXCELLENT! - a great single sign on solution!

Have run across a number of issues using this capability...

- when creating new users, and selecting a primary Posix group - it does not seem to add them to the group - at least when you view the Posix groups in the Zimbra administrator interface, the members don't show up

- each time you upgrade Zimbra to a new version, you have to redo all of the parts of this process on the Zimbra server as the uninstall old/install new process appears to wipe out most of the changes

- updating properties on existing users doesn't work - if you complete the process after you already have users, when you go to the Posix and Samba tabs you can not complete them - seems to hang on the login shell parameter

- for those not as familiar with the Samba parameters, there are some other critical ones to get the samba part to work

Suggestions for future work - really need a better way of adding users to groups... drag and drop???

/usr/sbin/adduser for Centos5

If installing onto Red Hat-like distros, you should use the following in smb.conf:

 add user script = /usr/sbin/adduser -c "" %u
 add machine script = /usr/sbin/adduser --shell /bin/false -c "machine account" %u

adduser on Red Hat is different from Debian (or Debian-like) systems.

Regarding security issue in part 2 of config

In part 2 of the configuration, another alternative is to create a new 'user' - for example 'ldapbind' with home /dev/null and shell /bin/false - and use this user as the binddn in the ldap.conf file on the client machine; the lines in /opt/zimbra/conf/slapd.conf.in then become

  access to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"
      by ldapbind read
  access to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"
      by ldapbind read

Thanks and a few questions

Thanks so much for this guide, it's excellent. I've followed the guide and have things running, but still have a few questions. I saw this question posed earlier, but is there a way to add posix and samba account details to existing accounts? That seems to be a feature that would be incredibly beneficial to us admins.

Second question is with the final net rpc command. When I run

   net rpc rights grant "MYDOMAIN\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege

I get the error message:

   Could not connect to server 127.0.0.1
   The username or password was not correct.
   Connection failed: NT_STATUS_LOGON_FAILURE

Is there something I'm missing? I'm running the command as root on my samba server system.

And finally, which password is used when I create a new account and assign posix and samba details? The password from the initial account creation form?

Thanks again

Once an account is created in the Zimbra web interface... and the user changes their password via the interface... how do you sync or set the samba password? When the user changes their Zimbra password - it changes it in LDAP and anything that points to the LDAP server sees the new password. However, the samba password does not appear to be changed or updated to keep it in sync with the LDAP password. This is a huge problem since the configuration does not allow the user to change their password from the windoze side.

What mechanism or process is recommended to keep the LDAP and Samba passwords in sync?

Thanks!


06:40, 17 November 2007 (PST) Answer found: well, it worked for me anyway... Ubuntu Server 7.04

Found the issue with inability to add privileges in Samba, I had in /etc/samba/smb.conf the following enabled:

Existing:

 ;   guest account = nobody
 invalid users = root

Change to:

 ;   guest account = nobody
 ;   invalid users = root

Restart samba (/etc/init.d/samba restart)

I disabled this and was able to add the privileges.

Now able to add machines to domain!


11:10, 12 May 2009 (CST) Answer Found: This worked for me (TT) CentOS 5.3 x86_64

I'll admit I'm very junior at this stuff but what worked for me was dropping the assumption that when you make the move to ldap backend you stop authenticating (in any way) with your passdb.tdb file. This does not appear to be the case.

Once I added the root user I was able to grant rights to Domain Admins.

 # smbpasswd -a root
 New SMB password: <enter root password>
 Retype new SMB password: <enter root password>

Then, I hit the up arrow a few times, so that I would run the same exact "net rpc rights grant" command, and that did it. I hope this helps someone.

Cannot run zmprov in 4.5.0.RC2

Nice document. But I have the following problem

      [zimbra@mailserver ~]$ zmprov mcf +zimbraAccountExtraObjectClass posixAccount
      ERROR: account.INVALID_ATTR_NAME (invalid attr name: [LDAP: error code 17 - zimbraAccountExtraObjectClass: attribute type undefined])


I am running

        zcs-4.5.0_RC2_566.FC5.tgz


From what I can understand of the message, I maybe just need to add an attribute to the Zimbra schema. Where can I find the definitions for this attribute? Is there any solution to get this working on the same server without upgrading?

Adding resources with LDAP causes an error

When I try to add a resource with the zimbra ldap-addon installed (zimbra v5.0.0 RC2), I get this error:

Message: invalid request: createAccount invalid schema change: [LDAP: error code 65 - object class 'posixAccount' requires attribute 'uidNumber'] Error code: service.INVALID_REQUEST Method: ZmCsfeCommand.prototype.invoke Details:soap:Sender

Everything else works like a charm, so this was a showstopper. Anyone got a solution?


Adding users with zimbra_posixaccount zimlet causes a similar error

 $ zmprov ca nobody1@ptest.us password
 ERROR: service.INVALID_REQUEST (invalid request: createAccount invalid schema change: [LDAP: error code 65 - object class 'posixAccount' requires attribute 'uidNumber'])

Are there any support docs that go into this depth of detail?

Error of calculation for attribute sambaSID in groups

I think there is an error in the calculation of the sambaSID attribute for posix groups. The sambaSID is actually calculated as: SID_of_server-(2xGIDnumber+1001). If your GID is 1005, obviously the sambaSID is ...-3011. The sambaSID is always odd for groups. The calculation of the sambaSID for a user is SID_of_server-(2xUIDnumber+1000); if your UID is 1005, the sambaSID is ...-3010. The sambaSID is always even for users.

So you cannot have the same SID for a user and a group, and it is not actually the case that sambaSID=...-3010 for the user and the group when UID=GID.

You can verify with smbldap-tools or the official Samba HOWTO.
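A worked check of the RID formulas quoted in the post above, written as an added example (it is not code from the Zimbra wiki or from the ldap-addon); the domain SID is a constructed placeholder and the audited entries are constructed samples, one of which reproduces the user/group collision the post describes.

```python
"""Audit sambaSID values against the smbldap-tools RID convention."""

# Constructed placeholder; a real deployment uses `net getlocalsid` output.
DOMAIN_SID = "S-1-5-21-111111111-222222222-333333333"

def user_sid(uid_number: int, domain_sid: str = DOMAIN_SID) -> str:
    """sambaSID for a posixAccount: RID = 2*uidNumber + 1000 (always even)."""
    return f"{domain_sid}-{2 * uid_number + 1000}"

def group_sid(gid_number: int, domain_sid: str = DOMAIN_SID) -> str:
    """sambaSID for a posixGroup: RID = 2*gidNumber + 1001 (always odd)."""
    return f"{domain_sid}-{2 * gid_number + 1001}"

def rid_of(sid: str) -> int:
    """Trailing RID component of a SID string."""
    return int(sid.rsplit("-", 1)[1])

def audit_entry(kind: str, id_number: int, stored_sid: str):
    """Return (ok, expected_sid) for one "user" or "group" entry; user RIDs
    are even and group RIDs odd, so an even group RID is a miscalculation."""
    if kind == "user":
        expected = user_sid(id_number)
    elif kind == "group":
        expected = group_sid(id_number)
    else:
        raise ValueError(f"unknown entry kind: {kind}")
    return stored_sid == expected, expected

# Constructed sample entries: (kind, uidNumber or gidNumber, stored sambaSID).
SAMPLE_ENTRIES = [
    ("user", 1005, DOMAIN_SID + "-3010"),   # correct: 2*1005 + 1000
    ("group", 1005, DOMAIN_SID + "-3011"),  # correct: 2*1005 + 1001
    ("group", 1005, DOMAIN_SID + "-3010"),  # wrong: same RID as the user
]

def find_bad_sids(entries=SAMPLE_ENTRIES):
    """List (kind, id_number, stored, expected) for every mismatching entry."""
    bad = []
    for kind, num, stored in entries:
        ok, expected = audit_entry(kind, num, stored)
        if not ok:
            bad.append((kind, num, stored, expected))
    return bad

if __name__ == "__main__":
    for row in find_bad_sids():
        print("bad sambaSID:", row)
```

Feeding it the sambaSID, uidNumber and gidNumber values exported from the Zimbra LDAP (for example via ldapsearch) flags every group entry that was given a user-style even RID.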

Unconfigure steps

There should be uninstall/unconfigure steps listed as well.

Managing Users of the posix group membership created not working?

This apparently is supposed to be fixed in 6.0.

To get it working in 5.0.x, apply the patches described in the bug report (http://bugzilla.zimbra.com/show_bug.cgi?id=26423).


admin <==> root

Is there anyone that can tell me if the root account for Linux and Samba can all be tied together with the Admin account in Zimbra? First off, everything is up and running great. This is the only problem I have left and it's minor, but I would like the administrative accounts to all be bound together. I've already run zmprov against the default Zimbra accounts to give them posix and samba attributes in LDAP. I've also experimented with giving the admin account a uid of zero and logging into the domain - no love. I'm a bit green where LDAP is concerned. I would appreciate the how's and why's of its possibility or impossibility. Thanks, TT