Difference between revisions of "UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0"

This document describes how you can configure Zimbra Collaboration Server (ZCS) and Samba to act as a primary domain controller (PDC) that uses LDAP (Lightweight Directory Access Protocol) as a central password database for authenticating users on Linux and Windows desktops. The motivation behind this document is the need to seamlessly integrate ZCS into a corporate network environment based entirely on Open Source server software. This is achieved by configuring Zimbra LDAP to act as a central user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch) and Samba's ldapsam password backend. The document also describes the Zimbra Admin Extensions that allow managing OS and Samba accounts, groups and domains through the Zimbra Admin UI.
The setup described in this document is not the only way to make Samba and Zimbra share one user database for authentication. There are several other ways to achieve similar functionality, and it is recommended that you explore the Zimbra wiki at [http://wiki.zimbra.com/ http://wiki.zimbra.com] to see whether another solution fits your needs better. However, this solution is the only one that allows network administrators to manage Windows user accounts and groups through the Zimbra Admin UI. It is also highly recommended that you get familiar with Zimbra, Samba, LDAP and PAM before you start the installation. The following sources of information are particularly helpful:
* LDAP Authentication HOWTO http://ldots.org/ldap/
* Authenticating with LDAP http://imaginator.com/~simon/ldap/
* pam.d(5) man page (explains syntax of pam.d configuration files which you will have to edit during the installation) http://www.die.net/doc/linux/man/man5/pam.d.5.html
* PAM FAQ http://www.kernel.org/pub/linux/libs/pam/FAQ
* The Official Samba-3 HOWTO and Reference Guide http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/
* Zimbra Documentation http://www.zimbra.com/products/documentation.html
* LDAP-Samba PDC (for Linux and Windows) https://help.ubuntu.com/community/LDAP-Samba_PDC_(for_Linux_and_Windows)
==Intended audience==
This document is intended mainly for network administrators who are faced with the task of integrating multiple OpenSource software packages to support a corporate network. The author assumes that the reader has basic knowledge of Linux/Unix OS, is capable of using a text editor and is at least vaguely familiar with Zimbra, Samba, LDAP and PAM. If these four words sound foreign to you, please take some time to look at the aforementioned sources of helpful information, or even better – have them open in separate tabs in Firefox on your second monitor while you are following the directions in this document ;)
* Write AJAX SMB client Zimlet to mail UI, http://freshmeat.net/projects/davenport/ sounds like a good option.
* Add hooks to Zimbra Server to allow calling extensions when an account's password is changed and write an extension that will change Samba password hashes in LDAP (Solved by zimbraSambaPassword Extension - http://gallery.zimbra.com/gallery.php?act=viewProd&productId=71)
* Make zimbra's password change update the NT password. (Solved by zimbraSambaPassword Extension - http://gallery.zimbra.com/gallery.php?act=viewProd&productId=71)
* Fix creation of resources from the admin UI to work with the uidNumber attribute (you can provision them manually using zmprov as a workaround)
* During new account creation, don't allow clicking the Finish button until the user has filled out all required fields, including the POSIX and Samba ones. Or maybe put in some reasonable default values so the Finish button does not raise an error.
* UBUNTU: you will hit this bug after installing the ldap libraries for pam and nss [http://bugzilla.zimbra.com/show_bug.cgi?id=27848] (Fixed in 5.0.7_GA_2444.UBUNTU6)
* The use of memberUid in POSIX Groups doesn't work (version 5.0.9). It requests an integer but it should contain the username [http://bugzilla.zimbra.com/show_bug.cgi?id=26423]. ldapadd and ldapmodify can be used until this is fixed.
==How this guide is organized:==
'''Part 1 '''describes how to configure Zimbra LDAP and Zimbra Admin to store information required by Linux password backend and allow managing Samba and Posix accounts via Zimbra Admin.
'''Part 2 '''describes what software you need to download and install.
'''Part 3 '''describes how to configure the Samba server to use Zimbra LDAP as a source of user information and to act as a Primary Domain Controller.
'''Part 4 '''describes how to configure a Linux server to use Zimbra LDAP as a central source of user information.
==Part 1==
====Installing Zimbra====
# First, install Zimbra Collaboration Suite (either the Open Source or the Network Edition) following the Zimbra installation guides that you can download from the Zimbra website (http://www.zimbra.com/products/documentation.html). Make a note of the root LDAP password selected during the installation; you will need it to modify your LDAP configuration.
# If you have an existing, functioning ZCS server, you can use it instead of a new one, but make sure that you back up all your data and that you know your LDAP root password (this password was created during the ZCS installation and can be found by running the command '''zmlocalconfig -s zimbra_ldap_password''' as the zimbra user). This setup works with single-server as well as multi-server Zimbra setups.
====Configuring Zimbra LDAP====
Before you can configure Zimbra LDAP you need to have the nis.ldif and samba.schema files.
* The nis.ldif file already exists in /opt/zimbra/openldap/etc/openldap/schema/ on your LDAP server. Instructions for installing it follow below.
* The samba.schema file depends on the version of Samba that you will be installing. Therefore, I recommend downloading the Samba source package for the latest stable version of Samba available for your server's OS and taking samba.schema from the examples/LDAP folder in the source package. In this document I am using Samba 3.3.4.
Log in to the shell on your Zimbra LDAP server and become the zimbra user. If you have a multi-server setup, this is the machine (or machines) where the ldap service is running. You will need to install the nis.ldif file and the converted samba.ldif following the instructions in [[Installing_custom_ldap_schema_6.0]] on every LDAP server you have installed.
You may also want to add the following indexes.  See [[Adding_ldap_indices_6.0]] for how to do this.  They cannot be added until after the schema files are in place.
  #indexes for PAM
  olcDbIndex: uidNumber eq
  olcDbIndex: gidNumber eq
  olcDbIndex: memberUid eq
  
  #indexes for Samba
  olcDbIndex: sambaSID eq
  olcDbIndex: sambaPrimaryGroupSID eq
  olcDbIndex: sambaDomainName eq
Note: For these indices to take effect in an existing database that already has values for these attributes, you should run slapindex with the updated indexing configuration. slapd must be stopped (via '''ldap stop''') before running slapindex. This is only an issue for databases where these attributes existed but were not previously indexed.
After you have installed the new schema, restart Zimbra services and make sure that they started successfully.
Now you need to create two new users that the local POSIX and Samba processes will use to read information from the LDAP server. Each user needs its own unique password. You can generate the password hash for the LDAP entry with the '''/opt/zimbra/openldap/sbin/slappasswd''' command. For example, if I wanted to use the passwords "zimbra" and "zimbratoo", I would run:
  /opt/zimbra/openldap/sbin/slappasswd -s zimbra
  /opt/zimbra/openldap/sbin/slappasswd -s zimbratoo
This will return the SSHA hash I need for the user entries.  Create a text file called /tmp/posixusers.ldif that looks similar to the following.  You will need to use one password for the uid=zmposix user, and the other password for the uid=zmposixroot user.  Write down which password is for what user, as you will need this information later to configure Samba and posix access.
  dn: uid=zmposix,cn=appaccts,cn=zimbra
  uid: zmposix
  objectClass: zimbraAccount
  objectClass: organizationalPerson
  cn: zmposix
  sn: zmposix
  zimbraAccountStatus: active
  zimbraIsSystemResource: TRUE
  zimbraId: 59BC2282-98CC-11DE-9492-C023E3CEB16B
  description: The zimbra posix account
  # replace with the hash slappasswd printed for the zmposix password
  userPassword: {SSHA}QWkRtX5CQPDVzzhJKH9kDoLE5rP/hBu8
  
  dn: uid=zmposixroot,cn=appaccts,cn=zimbra
  uid: zmposixroot
  objectClass: zimbraAccount
  objectClass: organizationalPerson
  cn: zmposixroot
  sn: zmposixroot
  zimbraAccountStatus: active
  zimbraIsSystemResource: TRUE
  zimbraId: 6ED47B38-98CC-11DE-AAC1-9F159BA35B33
  description: The zimbra posix root account
  # replace with the hash slappasswd printed for the zmposixroot password (it must differ from the one above)
  userPassword: {SSHA}QWkRtX5CQPDVzzhJKH9kDoLE5rP/hBu8
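To show what the two slappasswd commands produce and how the userPassword values above are checked, here is an added example (not code from the wiki page or from Zimbra). It builds {SSHA} values in the format slappasswd emits (base64 of SHA-1 over password plus salt, followed by the salt), verifies a cleartext password against one, and renders the two appaccts entries with a distinct hash each. The zimbraId values are fresh UUIDs generated by the example and the description strings are the example's own; the sample hash constant is copied from the LDIF above.

```python
"""Generate and verify {SSHA} userPassword values for the appaccts entries.

Added example, not part of the Zimbra wiki page. {SSHA} as produced by
slappasswd is "{SSHA}" + base64(sha1(password + salt) + salt); slappasswd
uses a 4-byte salt by default and so does this code.
"""
import base64
import hashlib
import hmac
import os
import uuid
from typing import Dict, List, Optional, Tuple

SHA1_LEN = 20  # bytes; everything after the digest in the decoded blob is the salt
PAGE_SAMPLE_HASH = "{SSHA}QWkRtX5CQPDVzzhJKH9kDoLE5rP/hBu8"  # copied from the LDIF above


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Return an RFC 2307 style {SSHA} value; random 4-byte salt unless one is given."""
    if salt is None:
        salt = os.urandom(4)
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_parts(stored: str) -> Tuple[bytes, bytes]:
    """Split a stored {SSHA} value into (digest, salt)."""
    if not stored.startswith("{SSHA}"):
        raise ValueError("not an {SSHA} value")
    blob = base64.b64decode(stored[len("{SSHA}"):])
    return blob[:SHA1_LEN], blob[SHA1_LEN:]


def ssha_verify(password: str, stored: str) -> bool:
    """Constant-time check of a cleartext password against a stored {SSHA} value."""
    digest, salt = ssha_parts(stored)
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def posix_service_entries(passwords: Dict[str, str]) -> List[Dict[str, str]]:
    """Build the attributes of uid=<name>,cn=appaccts,cn=zimbra entries.

    The page requires a unique password per service account, so identical
    passwords are rejected here instead of silently producing the same hash.
    """
    if len(set(passwords.values())) != len(passwords):
        raise ValueError("each service account needs its own password")
    entries = []
    for name, password in passwords.items():
        entries.append({
            "dn": f"uid={name},cn=appaccts,cn=zimbra",
            "uid": name,
            "cn": name,
            "sn": name,
            "zimbraAccountStatus": "active",
            "zimbraIsSystemResource": "TRUE",
            "zimbraId": str(uuid.uuid4()).upper(),  # constructed: any unique id works
            "description": f"The zimbra {name} service account",
            "userPassword": ssha_hash(password),
        })
    return entries


def to_ldif(entries: List[Dict[str, str]]) -> str:
    """Render entries as LDIF for ldapadd; records are separated by one blank line."""
    blocks = []
    for entry in entries:
        lines = [f"dn: {entry['dn']}", f"uid: {entry['uid']}",
                 "objectClass: zimbraAccount", "objectClass: organizationalPerson"]
        lines += [f"{k}: {v}" for k, v in entry.items() if k not in ("dn", "uid")]
        blocks.append("\n".join(lines))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(to_ldif(posix_service_entries({"zmposix": "zimbra", "zmposixroot": "zimbratoo"})))
```

Run it with the two passwords you chose and paste the output into /tmp/posixusers.ldif; the blank line between the records is what lets ldapadd treat them as two entries.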
Now add these two new users on the LDAP master. If you have multiple LDAP servers, the entries will be replicated to them. You will be prompted for a password; use the password from '''zmlocalconfig -s ldap_root_password'''.
  ldapadd -f /tmp/posixusers.ldif -x -H ldapi:/// -D cn=config -W
Now you need to adjust the LDAP ACLs so that these new users can read the data they need from the LDAP server. This has to be done on each LDAP server you have. Create a file called /tmp/acl.ldif with the following contents. If this is a master with replicas, change the olcDatabase line to olcDatabase={3}hdb,cn=config in both sections.
In this example I use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my ldapSuffix is dc=gregzimbra1,dc=zimbra,dc=com. Be sure to replace '''dc=gregzimbra1,dc=zimbra,dc=com''' with your actual domain.
  dn: olcDatabase={2}hdb,cn=config
  changetype: modify
  delete: olcAccess
  olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by * read
  -
  add: olcAccess
  olcAccess: {9}to attrs=entry  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by * read
  
  dn: olcDatabase={2}hdb,cn=config
  changetype: modify
  add: olcAccess
  olcAccess: {10}to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
  olcAccess: {11}to dn.subtree="ou=machines,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
  olcAccess: {12}to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
  olcAccess: {13}to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none
Now apply this ACL modification to the LDAP server:
  ldapmodify -f /tmp/acl.ldif -x -H ldapi:/// -D cn=config -W
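The order of the olcAccess values matters: slapd uses the first <code>to</code> clause that matches the entry and, within it, the first <code>by</code> clause that matches the bound identity; a matching <code>to</code> clause with no matching <code>by</code> clause denies. The following added example (not from the wiki page or from OpenLDAP) models that evaluation for rules {10} to {13} above and checks the least-privilege outcome: zmposix gets read, zmposixroot gets write, and an anonymous bind gets nothing. It handles only dn.subtree targets and dn.exact, dn.children and * subjects; the {9} attrs=entry rule and Zimbra's own earlier rules are not modelled, an entry that no rule matches is reported as None rather than guessing slapd's fallback policy, and the test DN uid=ubuntu2,ou=people,... is a constructed sample.

```python
"""Model slapd's olcAccess evaluation for the rules added in acl.ldif.

Added example, not part of the wiki page or of OpenLDAP. Simplified model:
first matching 'to' clause wins, then the first matching 'by' clause; a 'to'
match without a 'by' match denies. Only dn.subtree targets and dn.exact /
dn.children / '*' subjects are supported.
"""
import re
from typing import List, Optional, Tuple

# Rules {10}-{13} copied from acl.ldif above (the {9} attrs=entry rule is not modelled).
OLC_ACCESS = [
    '{10}to dn.subtree="dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none',
    '{11}to dn.subtree="ou=machines,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none',
    '{12}to dn.subtree="ou=groups,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none',
    '{13}to dn.subtree="ou=people,dc=gregzimbra1,dc=zimbra,dc=com"  by dn.children="cn=admins,cn=zimbra" write  by dn.exact="uid=zmposixroot,cn=appaccts,cn=zimbra" write  by dn.exact="uid=zmposix,cn=appaccts,cn=zimbra" read  by * none',
]

LEVELS = ("none", "disclose", "auth", "compare", "search", "read", "write", "manage")
Rule = Tuple[str, List[Tuple[str, str]]]  # (target subtree, [(who, level), ...])


def norm_dn(dn: str) -> str:
    """Lower-case and strip spaces around RDN separators so DNs compare cleanly."""
    return ",".join(part.strip().lower() for part in dn.split(","))


def parse_rule(value: str) -> Rule:
    """Split one olcAccess value into its target subtree and ordered by-clauses."""
    body = re.sub(r"^\{\d+\}", "", value).strip()
    head, *by_parts = re.split(r"\s+by\s+", body)
    match = re.fullmatch(r'to\s+dn\.subtree="([^"]+)"', head.strip())
    if not match:
        raise ValueError(f"unsupported target clause: {head!r}")
    clauses = []
    for part in by_parts:
        who, level = part.strip().rsplit(None, 1)
        if level not in LEVELS:
            raise ValueError(f"unknown access level {level!r}")
        clauses.append((who, level))
    return norm_dn(match.group(1)), clauses


def who_matches(who: str, bind_dn: str) -> bool:
    """An empty bind_dn is an anonymous bind, which only '*' matches."""
    if who == "*":
        return True
    match = re.fullmatch(r'dn\.(exact|children|subtree)="([^"]+)"', who)
    if not match:
        raise ValueError(f"unsupported who clause: {who!r}")
    kind, base, dn = match.group(1), norm_dn(match.group(2)), norm_dn(bind_dn)
    if kind == "exact":
        return dn == base
    is_child = dn.endswith("," + base)
    return is_child if kind == "children" else (dn == base or is_child)


def access_level(rules: List[Rule], bind_dn: str, target_dn: str) -> Optional[str]:
    """Level granted by the first matching rule, or None if no 'to' clause matched."""
    target = norm_dn(target_dn)
    for subtree, clauses in rules:
        if target == subtree or target.endswith("," + subtree):
            for who, level in clauses:
                if who_matches(who, bind_dn):
                    return level
            return "none"  # 'to' matched but no 'by' did: slapd denies
    return None


RULES = [parse_rule(value) for value in OLC_ACCESS]


def audit(target_dn: str = "uid=ubuntu2,ou=people,dc=gregzimbra1,dc=zimbra,dc=com"):
    """What each identity may do with one (constructed) user entry."""
    return {
        "zmposix": access_level(RULES, "uid=zmposix,cn=appaccts,cn=zimbra", target_dn),
        "zmposixroot": access_level(RULES, "uid=zmposixroot,cn=appaccts,cn=zimbra", target_dn),
        "zimbra admin": access_level(RULES, "uid=zimbra,cn=admins,cn=zimbra", target_dn),
        "anonymous": access_level(RULES, "", target_dn),
        "self": access_level(RULES, target_dn, target_dn),
    }


if __name__ == "__main__":
    for identity, level in audit().items():
        print(f"{identity:>12}: {level}")
```

Because rule {10} already covers the whole dc=gregzimbra1,dc=zimbra,dc=com subtree, the model shows that rules {11} to {13} are never consulted for entries under it; they only matter if you later narrow rule {10}. The "self" row is none here only because Zimbra's own earlier rules, which govern what a user may do with their own entry, are outside the model.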
Now run the following zmprov commands as the zimbra user:
  zmprov mcf +zimbraAccountExtraObjectClass posixAccount
  zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount
==Part 2==
====Installing zimbra_posixaccount and zimbra_samba extensions for Zimbra Admin====
'''Important''': If you are upgrading you may need to redeploy these zimlets because the settings in config_template.xml are not remembered.
# Extract the files from /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip to a folder on your desktop computer, open the zimbra_posixaccount folder and edit config_template.xml.
# Edit the <code>ldapSuffix</code> property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. It can be the name of your primary email domain written in LDAP syntax, e.g. if your domain is mycompany.com, then <code>ldapSuffix</code> will be <code>dc=mycompany,dc=com</code>.
#: In this example I will use the domain gregzimbra1.zimbra.com, which is the name of my Ubuntu Linux machine running inside a VMWare instance, hence my <code>ldapSuffix</code> is <code>dc=gregzimbra1,dc=zimbra,dc=com</code>.
# Edit the <code>uidBase</code> property in config_template.xml. <code>uidBase</code> is the base for the Linux user IDs of accounts stored in LDAP. The first account that you create through the Zimbra Admin UI will get user ID = <code>uidBase</code>+1. If you already have user accounts in your current password database (most likely /etc/passwd), set this value higher than the highest existing user ID.
# Edit the <code>gidBase</code> property in config_template.xml. <code>gidBase</code> is the base for the Linux group IDs of groups stored in LDAP. The first group that you create through the Zimbra Admin UI will get group ID = <code>gidBase</code>+1. It is recommended to make gidBase much bigger than uidBase to avoid ID conflicts with the SIDs of users and groups (e.g. gidBase=uidBase+10000).
# Zip all the files in the zimbra_posixaccount folder, including the modified config_template.xml, into zimbra_posixaccount.zip (make a flat zip file without folders):
#: <code>cd zimbra_posixaccount</code>
#: <code>zip zimbra_posixaccount *.*</code>
# Log in to Zimbra Admin (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as administrator, navigate to Admin Extensions and deploy the zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to the ZCS Admin Guide for more information about installing Admin Extensions).
# Extract the files from /opt/zimbra/zimlets-admin-extra/zimbra_samba.zip to a folder on your desktop computer and open config_template.xml (this file is in the zimbra_samba folder along with the other extension files).
# Edit the <code>ldapSuffix</code>, <code>uidBase</code> and <code>gidBase</code> properties using the same values as you used for zimbra_posixaccount.zip.
# Zip all the files in the zimbra_samba folder, including the modified config_template.xml, into a flat zimbra_samba.zip file and deploy the zimbra_samba Admin Extension.
# Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they check whether the OUs defined by the <code>ldapMachineSuffix</code> and <code>ldapGroupSuffix</code> properties in the config_template.xml files exist and create them if they do not.
'''Important''': Once the Zimbra schema is extended with the Samba integration, any previous backups are invalid. After completing the integration, start a full backup of your ZCS server.
====Installing Samba====
Install Samba 3 on a Linux/Unix box. I used Samba-3.0.28, which I built from sources on an Ubuntu 6.06 server running inside VMWare. If you are building Samba from sources, make sure to enable LDAP support. I do not recommend installing Samba on the same machine where you installed Zimbra; it is better to use a separate machine. I built it with the minimum options. Before you build, install the needed libraries:
  root@gregzimbra2:/home/ubuntu/samba-3.0.28# apt-get install libldap2-dev gcc build-essential libpam0g-dev
  root@gregzimbra2:/home/ubuntu/samba-3.0.28# ./configure --with-pam --with-ldap
  root@gregzimbra2:/home/ubuntu/samba-3.0.28# make
  root@gregzimbra2:/home/ubuntu/samba-3.0.28# make install
You may choose the options depending on your needs.
====Installing pam_ldap and nss_ldap====
You need to install and configure PAM and NSS on the machine where you installed Samba. You can also install it on any Linux desktop that should use Zimbra LDAP as a user database, e.g. Linux desktops where you want to be able to log in using the same username/password that is used for Zimbra Mail.
You need to download and install pam_ldap and nss_ldap modules for your OS. I used Ubuntu Linux which has these modules available as Debian packages through Synaptic Package Manager. If you are using Synaptic Package Manager, make sure to enable community maintained repositories (see Settings->Repositories) and search for libpam-ldap and libnss-ldap packages. If you are using a different Linux, you might need to build these modules from the sources. You can find the Sources for pam_ldap and nss_ldap on [http://www.padl.com/ http://www.padl.com].
I built and installed both pam_ldap and nss_ldap from the sources downloaded from [http://www.padl.com/ http://www.padl.com]. It takes about 5 minutes to download and build. If you are building from the sources, you need to edit the LDAP configuration file (ldap.conf) first. This file is in the source folder of both pam_ldap and nss_ldap. These are the contents of my ldap.conf file for both modules:
  host gregzimbra1.zimbra.com
  base dc=gregzimbra1,dc=zimbra,dc=com
  binddn uid=zmposix,cn=appaccts,cn=zimbra
  bindpw zimbra
  rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
  port 389
  bind_policy soft
  nss_reconnect_tries 2
  uri ldap://gregzimbra1.zimbra.com/
  ssl start_tls
  tls_cacertdir /opt/zimbra/conf/ca
  # do not verify the server certificate (weakens STARTTLS; acceptable for testing only)
  tls_checkpeer no
  # optional
  pam_password md5
  # where nss finds the information
  nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
  nss_base_shadow ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
  nss_base_group ou=groups,dc=gregzimbra1,dc=zimbra,dc=com?one
  nss_base_hosts ou=machines,dc=gregzimbra1,dc=zimbra,dc=com?one
After editing ldap.conf file, create /etc/ldap.secret file and put the password for uid=zmposixroot,cn=appaccts,cn=zimbra user there.
Build pam_ldap with the following options:
  root@gregzimbra2:/home/ubuntu/pam_ldap-184# ./configure --with-ldap-conf=./ldap.conf --with-ldap-secret=/etc/ldap.secret
  root@gregzimbra2:/home/ubuntu/pam_ldap-184# make
  root@gregzimbra2:/home/ubuntu/pam_ldap-184# make install
Build nss_ldap with the same options:
  root@gregzimbra2:/home/ubuntu/nss_ldap-259# ./configure --with-ldap-conf=./ldap.conf --with-ldap-secret=/etc/ldap.secret
  root@gregzimbra2:/home/ubuntu/nss_ldap-259# make
  root@gregzimbra2:/home/ubuntu/nss_ldap-259# make install
If you are using Synaptic Package Manager to install libnss_ldap, you will be prompted for the following information:
* LDAP server Uniform Resource Identifier – enter the LDAP URL of your Zimbra LDAP server, i.e. <code>ldap://zimbra.mydomain.com/</code> (in my case <code>ldap://gregzimbra1.zimbra.com/</code>)
* LDAP search base – enter the same value that you used for the <code>ldapSuffix</code> property in the zimbra_posixaccount and zimbra_samba extensions, i.e. dc=yourdomain,dc=com (in my case <code>dc=gregzimbra1,dc=zimbra,dc=com</code>)
* LDAP account for root – enter <code>uid=zmposixroot,cn=appaccts,cn=zimbra</code>
* LDAP root account password – enter the password that you chose for the zmposixroot user back in part 1.
If you are using Synaptic Package Manager to install libpam_ldap, you will be prompted for the following information:
* LDAP Server – enter the hostname or IP address of your Zimbra LDAP server
* root login account – enter <code>uid=zmposix,cn=appaccts,cn=zimbra</code>
* root login password – enter the password that you chose for the zmposix user back in part 1.
'''Ubuntu''' uses 4 files
* /etc/pam_ldap.conf
* /etc/pam_ldap.secret
* /etc/nss_ldap.conf
* /etc/nss_ldap.secret
Just create a symlink from each of these files to /etc/ldap/ldap.conf or /etc/ldap/ldap.secret respectively, so you have only 2 files to configure. Make sure /etc/ldap/ldap.secret is readable by root only (mode 0400, shown as r-------- by ls).
In '''RHEL5/CentOS5''' both the <code>nss_ldap</code> and <code>pam_ldap</code> modules are included in a single <code>nss_ldap</code> rpm package which is part of the base install. They can be configured using the <code>authconfig</code> command line utility. (See <b>Configuring pam_ldap and nss_ldap.</b>)
==Part 3==
====Configuring Samba====
There are many ways to configure Samba depending on what your needs are. In this example I will configure Samba to use Zimbra LDAP as the password backend, to act as a primary domain controller for the domain GREGZIMBRA1 and as a WINS server for my network. This configuration allows Windows NT/XP/2000 workstations to join the GREGZIMBRA1 domain as if it were an NT domain. Below is the /etc/samba/smb.conf file used in this example.
  [global]
  workgroup = GREGZIMBRA1
  netbios name = gregzimbra2
  os level = 33
  preferred master = yes
  enable privileges = yes
  server string = %h server (Samba, Ubuntu)
  wins support = yes
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/
  ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
  ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain logons = yes
  logon path = \\gregzimbra2.zimbra.com\%U\profile
  logon home = \\gregzimbra2.zimbra.com\%U
  logon script = logon.cmd
  add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
  add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
  socket options = TCP_NODELAY
  domain master = yes
  local master = yes
  
  [homes]
  comment = Home Directories
  browseable = yes
  read only = No
  valid users = %S
  
  [netlogon]
  comment = Network Logon Service
  path = /var/lib/samba/netlogon
  guest ok = yes
  locking = no
  
  [profiles]
  comment = Users profiles
  path = /var/lib/samba/profiles
  read only = No
  
  [profdata]
  comment = Profile Data Share
  path = /var/lib/samba/profdata
  read only = No
  profile acls = Yes
  
  [printers]
  comment = All Printers
  browseable = no
  path = /tmp
  printable = yes
  public = no
  writable = no
  create mode = 0700
  
  [print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no
I will not attempt to explain every line in this file; if you are interested, read the official Samba HOWTO. The key elements that are important for this example are these lines:
  passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/
  ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
  ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
* <code>passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/</code> - tells Samba to use LDAP as the password backend and to contact the Zimbra LDAP server at ldap://gregzimbra1.zimbra.com/.
* <code>ldap admin dn</code> - the LDAP DN of the user that Samba will use to bind to Zimbra LDAP. If you change this value later, don't forget to rerun the <code>smbpasswd -w</code> command, which tells Samba the password to use for binding to LDAP.
* <code>ldap suffix</code> - the name of your Zimbra domain; it is the same value as the <code>ldapSuffix</code> property in the config_template.xml files.
* <code>ldap group suffix</code> - the same value as <code>ldapGroupSuffix</code> in the config_template.xml files.
* <code>ldap machine suffix</code> - the same value as <code>ldapMachineSuffix</code> in the config_template.xml files.
* the value of <code>ldap user suffix</code> must be <code>ou=people</code>, because this is where Zimbra account records are stored in LDAP.
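As an added example (not part of the wiki page or of Samba) of checking such a file before restarting smbd, the script below parses a constructed, shortened copy of the smb.conf above with configparser and reports on the settings the text calls key (passdb backend, ldap admin dn, ldap user suffix, ldap passwd sync), on whether the LDAP connection that carries the admin dn bind is protected (Samba's standard <code>ldap ssl = start tls</code> option, which the sample file above does not set, or an ldaps:// URL) and on which shares allow guest access.

```python
"""Audit the LDAP- and share-related settings of an smb.conf.

Added example, not part of the wiki page or of the Samba project.
SAMPLE_SMB_CONF is a constructed, shortened version of the page's file.
"""
import configparser
from typing import Dict, List

SAMPLE_SMB_CONF = r"""
[global]
  workgroup = GREGZIMBRA1
  netbios name = gregzimbra2
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://gregzimbra1.zimbra.com/
  ldap admin dn = "uid=zmposixroot,cn=appaccts,cn=zimbra"
  ldap suffix = dc=gregzimbra1,dc=zimbra,dc=com
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  domain logons = yes
  logon path = \\gregzimbra2.zimbra.com\%U\profile

[homes]
  comment = Home Directories
  read only = No
  valid users = %S

[netlogon]
  comment = Network Logon Service
  path = /var/lib/samba/netlogon
  guest ok = yes

[printers]
  comment = All Printers
  path = /tmp
  printable = yes
  public = no
  writable = no
"""


def parse_smb_conf(text: str) -> configparser.ConfigParser:
    """smb.conf is INI-like; '=' is the only delimiter and %-macros must not be interpolated."""
    parser = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    # indentation is stripped so configparser does not treat lines as continuations
    parser.read_string("\n".join(line.strip() for line in text.splitlines()))
    return parser


def samba_bool(value: str) -> bool:
    """Samba accepts yes/true/1 (case-insensitive) for boolean parameters."""
    return value.strip().strip('"').lower() in ("yes", "true", "1")


def audit_smb_conf(text: str) -> Dict[str, object]:
    parser = parse_smb_conf(text)
    glob = parser["global"]
    findings: List[str] = []
    backend = glob.get("passdb backend", "").strip()
    admin_dn = glob.get("ldap admin dn", "").strip().strip('"')
    if not backend.startswith("ldapsam:"):
        findings.append("passdb backend is not ldapsam, Samba will not read accounts from Zimbra LDAP")
    if not admin_dn:
        findings.append("ldap admin dn is missing, Samba cannot bind to LDAP")
    if glob.get("ldap user suffix", "").strip() != "ou=people":
        findings.append("ldap user suffix must be ou=people, where Zimbra keeps its account records")
    if not samba_bool(glob.get("ldap passwd sync", "no")):
        findings.append("ldap passwd sync is off, Samba and Zimbra password changes will not stay in step")
    protected = (backend.startswith("ldapsam:ldaps://")
                 or glob.get("ldap ssl", "off").strip().lower() == "start tls")
    if not protected:
        findings.append("LDAP connection is unencrypted; set 'ldap ssl = start tls' or use an "
                        "ldaps:// URL so the admin dn bind is not sent in the clear")
    guest_shares = [s for s in parser.sections() if s != "global" and (
        samba_bool(parser[s].get("guest ok", "no")) or samba_bool(parser[s].get("public", "no")))]
    for share in guest_shares:
        # 'writable' is the inverse synonym of 'read only', whose default is yes
        writable = (samba_bool(parser[share].get("writable", "no"))
                    or not samba_bool(parser[share].get("read only", "yes")))
        findings.append(f"share [{share}] allows guest access" + (" and is writable" if writable else ""))
    return {"backend": backend, "admin_dn": admin_dn, "ldap_protected": protected,
            "guest_shares": guest_shares, "findings": findings}


if __name__ == "__main__":
    for finding in audit_smb_conf(SAMPLE_SMB_CONF)["findings"]:
        print("-", finding)
```

Point the script at your real /etc/samba/smb.conf by reading the file into <code>audit_smb_conf</code>; the guest finding on [netlogon] is expected for a domain controller, the missing STARTTLS finding is the one worth fixing.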
After you have edited smb.conf, you need to tell Samba the password for the LDAP admin DN. On your Samba server, restart the Samba services (/usr/sbin/smbd and /usr/sbin/nmbd) and run the following command (replace <code>test123</code> with your password for uid=zmposixroot,cn=appaccts,cn=zimbra):
  smbpasswd -w test123
You can use http://sourceforge.net/projects/ldapscripts to manage POSIX accounts (users, groups, machines) in an LDAP directory.
====Creating Samba domain using Zimbra Admin UI====
Restart Samba. Then, log in to Zimbra Admin and click on Samba Domains. You should see a domain entry in the list. When Samba started up with the new smb.conf file it should have looked up the domain entry in LDAP and created it if it could not find the entry.
==Part 4==
====Configuring pam_ldap and nss_ldap====
Edit the /etc/nsswitch.conf file. Replace these two lines:
  passwd: compat
  group: compat
with these lines:
  passwd: files ldap
  group: files ldap
This change tells nsswitch to use LDAP when it looks up uids and gids. It will first look at /etc/passwd and then at LDAP. You may want to change these lines differently if you know what you are doing ;)
Edit /etc/pam.d/common-account. It should look like the following:
  account sufficient pam_unix.so
  account sufficient pam_ldap.so
Edit /etc/pam.d/common-auth. It should look like the following:
  auth sufficient pam_ldap.so
  auth sufficient pam_unix.so
Edit /etc/pam.d/common-password. It should look like the following:
  password sufficient pam_unix.so
  password sufficient pam_ldap.so
Edit /etc/pam.d/common-session. It should look like the following:
  session sufficient pam_unix.so
  session sufficient pam_ldap.so
You may also want to first add the following line to the session section, so that a home directory is created automatically when a user logs in for the first time:
  session required pam_mkhomedir.so skel=/etc/skel umask=0077
Now you need to test whether pam_ldap and nssswitch are working correctly. Log in to Zimbra Admin UI (<nowiki>https://yourserver.com:7071/zimbraAdmin</nowiki>) as Administrator and create a couple of new user accounts. On the New Account Wizard you should see two additional steps (after “Advanced” step): Posix Account and Samba Account
<b>Configuring on RHEL5/CentOS5/Fedora7 using <code>authconfig</code></b>
As root run <code>authconfig --test</code>. It will display the current settings for both <code>nss_ldap</code> and <code>pam_ldap</code>. In most cases the following command will do the job (although some manual editing will still be needed):
  authconfig --enableldap --enableldapauth --disablenis --enablecache \
    --ldapserver=gregzimbra1.zimbra.com --ldapbasedn=dc=gregzimbra1,dc=zimbra,dc=com \
The last parameter will update the <code>/etc/ldap.conf</code>, <code>/etc/nsswitch.conf</code> and <code>/etc/pam.d/system-auth</code> configuration files. The only file which requires manual editing is <code>/etc/ldap.conf</code>.
The <code>base</code> line should already be there; it is inserted by <code>authconfig</code>. You should also see a <code>uri</code> line with the address of your LDAP server. The <code>host</code>, <code>binddn</code>, <code>bindpw</code> and <code>rootbinddn</code> lines should be added as explained above, and the <code>/etc/ldap.secret</code> file should exist and contain the password.
The issue with a single <code>/etc/ldap.conf</code> configuration file for both <code>nss_ldap</code> and <code>pam_ldap</code> is that <code>host</code> and <code>uri</code> can work together in the Zimbra-specific configuration only if we also add the <code>bind_policy soft</code> option. The modified <code>/etc/ldap.conf</code> should look like this:
  base dc=gregzimbra1,dc=zimbra,dc=com
  host gregzimbra1.zimbra.com
  binddn uid=zmposix,cn=appaccts,cn=zimbra
  bindpw test123
  rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
  uri ldap://gregzimbra1.zimbra.com
  bind_policy soft
  nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
  nss_base_shadow ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
  # Replace the two lines above with
  # nss_base_passwd dc=gregzimbra1,dc=zimbra,dc=com?sub
  # nss_base_shadow dc=gregzimbra1,dc=zimbra,dc=com?sub
  # if you want to store Windows computer accounts in LDAP
  nss_base_group ou=groups,dc=gregzimbra1,dc=zimbra,dc=com?one
  nss_base_hosts ou=machines,dc=gregzimbra1,dc=zimbra,dc=com?one
The last four lines are optional and are added to make the Zimbra <code>nss_ldap</code> setup compatible with Webmin's <i>LDAP Client</i> and <i>LDAP Users and Groups</i> modules. (The latter module would allow you to add secondary groups to your Zimbra/Samba accounts etc.)
Any additional lines added by authconfig will not hurt. However, you will have to re-check <code>/etc/ldap.conf</code> every time you run <code>authconfig</code> with the <code>--update</code> or <code>--updateall</code> switch. If it sees the <code>host</code> line, the command disables it and moves the host address value to the <code>uri</code> line. This breaks <code>pam_ldap</code>, and Zimbra might even fail to start.
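The ldap.conf shown in Part 2 and the authconfig pitfall just described both come down to a handful of lines that are easy to lose. The following added example (not from the wiki page, the PADL modules or authconfig) parses the <code>key value</code> format of ldap.conf and reports what this page cares about: <code>host</code> and <code>uri</code> both present together with <code>bind_policy soft</code> (noting when <code>host</code> has been commented out, as authconfig --update does), the bind DNs and search bases being set, whether <code>ssl start_tls</code> is on and whether certificate checking was disabled with <code>tls_checkpeer no</code>. It also checks, via os.stat(), that an ldap.secret file has mode 0400 as required above. Both sample configs are constructed from the page's examples; the secret written by the temp-directory check is a made-up value.

```python
"""Validate a pam_ldap/nss_ldap ldap.conf and the ldap.secret file mode.

Added example, not part of the wiki page or of the pam_ldap/nss_ldap sources.
"""
import os
import stat
import tempfile
from typing import Dict, List, Tuple

KNOWN_KEYS = {"host", "uri", "port", "base", "binddn", "bindpw", "rootbinddn",
              "bind_policy", "ssl", "tls_cacertdir", "tls_checkpeer", "pam_password",
              "nss_base_passwd", "nss_base_shadow", "nss_base_group", "nss_base_hosts",
              "nss_reconnect_tries"}

# Constructed from the page's /etc/ldap.conf examples.
GOOD_LDAP_CONF = """\
base dc=gregzimbra1,dc=zimbra,dc=com
host gregzimbra1.zimbra.com
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw test123
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
uri ldap://gregzimbra1.zimbra.com
bind_policy soft
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
nss_base_passwd ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
nss_base_shadow ou=people,dc=gregzimbra1,dc=zimbra,dc=com?one
nss_base_group ou=groups,dc=gregzimbra1,dc=zimbra,dc=com?one
"""

# The same file after 'authconfig --update' commented out host, with STARTTLS
# dropped and certificate checking switched off (constructed worst case).
AFTER_AUTHCONFIG = (GOOD_LDAP_CONF.replace("host gregzimbra1", "#host gregzimbra1")
                    .replace("ssl start_tls\n", "") + "tls_checkpeer no\n")


def parse_ldap_conf(text: str) -> Tuple[Dict[str, str], List[str]]:
    """Return (active settings, known keys that are present but commented out)."""
    active: Dict[str, str] = {}
    commented: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            parts = line.lstrip("# ").split(None, 1)
            if parts and parts[0].lower() in KNOWN_KEYS:
                commented.append(parts[0].lower())
            continue
        parts = line.split(None, 1)
        active[parts[0].lower()] = parts[1].strip() if len(parts) > 1 else ""
    return active, commented


def audit_ldap_conf(text: str) -> List[str]:
    active, commented = parse_ldap_conf(text)
    findings: List[str] = []
    for key in ("base", "binddn", "rootbinddn", "nss_base_passwd", "nss_base_group"):
        if key not in active:
            findings.append(f"{key} is not set")
    if "host" not in active:
        hint = " (commented out, as authconfig --update does)" if "host" in commented else ""
        findings.append("host is not set" + hint + "; pam_ldap needs it next to uri")
    if "host" in active and "uri" in active and active.get("bind_policy") != "soft":
        findings.append("host and uri are both set but bind_policy is not soft")
    if active.get("ssl") != "start_tls" and not active.get("uri", "").startswith("ldaps://"):
        findings.append("no ssl start_tls: bindpw and user passwords cross the network unencrypted")
    if active.get("tls_checkpeer", "yes").lower() == "no":
        findings.append("tls_checkpeer no: the server certificate is not verified")
    return findings


def write_secret(path: str, password: str) -> None:
    """Create an ldap.secret readable by its owner only (mode 0400)."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o400)
    with os.fdopen(fd, "w") as fh:
        fh.write(password + "\n")
    os.chmod(path, 0o400)


def secret_file_ok(path: str) -> bool:
    """True only when the file mode is exactly 0400."""
    return stat.S_IMODE(os.stat(path).st_mode) == 0o400


def check_secret_in_tempdir() -> Tuple[bool, bool]:
    """Write a throwaway secret, check it, loosen it to 0644 and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "ldap.secret")
        write_secret(path, "example-only-password")  # constructed value
        strict = secret_file_ok(path)
        os.chmod(path, 0o644)
        return strict, secret_file_ok(path)


if __name__ == "__main__":
    for name, conf in (("good", GOOD_LDAP_CONF), ("after authconfig", AFTER_AUTHCONFIG)):
        print(name, audit_ldap_conf(conf) or "ok")
    print("secret mode check (strict, loosened):", check_secret_in_tempdir())
```

Run <code>audit_ldap_conf</code> on the contents of /etc/ldap.conf after every authconfig run; an empty list means the lines this page depends on are all still there.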
====Creating Linux and Samba groups using Zimbra Admin UI====
Log in to Zimbra Admin UI (you should still be logged in, because we are not done yet). Go to Posix Groups and click "New". If you do not know what to type in the <font size="2"><font face="Courier New, monospace">group type</font></font> field, type <font size="2"><font face="Courier New, monospace">2</font></font>, which is the default value (Samba group type 2 is a domain group; 4 is a local group and 5 a built-in group).
To test that NSS on your Samba server reads the group information from Zimbra LDAP (<font size="2"><font face="Courier New, monospace">getent</font></font> goes through <font size="2"><font face="Courier New, monospace">nss_ldap</font></font>, not through PAM), go back to your Samba server shell and run this command as root:
  getent group
You should see the group(s) that you just created in the list that is produced.
====Creating Linux and Samba users using Zimbra Admin UI====
Back to the Zimbra Admin UI :). Go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to the Samba Account screen. Fill in the required fields and click Finish. To test that NSS on your Samba server reads the user information from Zimbra LDAP, go back to your Samba server shell and run this command as root:
  getent passwd
You should see the Zimbra accounts that you just created in the list. Create a home folder for the new Zimbra user and then switch to the new user. Root is not asked for a password, but <font size="2"><font face="Courier New, monospace">su</font></font> still runs the PAM account and session stacks and must resolve the home directory and login shell stored in LDAP, so this is the first real test of <font size="2"><font face="Courier New, monospace">pam_ldap</font></font>. In this example, I create a user ubuntu2 with home folder /home/ubuntu2:
  root@gregzimbra2:/home/ubuntu# su - ubuntu2
Now test if Samba authenticates your new user correctly. In this example I went to the shell on my Zimbra server box and ran this command (as root):
  smbclient -U ubuntu2 //gregzimbra2.zimbra.com/ubuntu2
It should prompt you for the password and then log in to ubuntu2's home folder on gregzimbra2 Samba server.
Next, log in to Zimbra Admin UI, click on Aliases and remove the root@.gregzimbra1.zimbra.com alias. Then add root as a Samba user; you will be asked to choose a Samba password for root, which the <font size="2"><font face="Courier New, monospace">net rpc</font></font> command in the next section will prompt for:
  smbpasswd -a root
To add posixAccount attributes to accounts that existed before the LDAP schema change, run:
  zmprov ma admin@gregzimbra2.zimbra.com +objectClass posixAccount uidNumber 10003 gidNumber 10001 homeDirectory /home/admin loginShell /bin/bash
and to add the sambaSamAccount attributes run (quote the <font size="2"><font face="Courier New, monospace">[UX]</font></font> flags so the shell does not treat them as a glob pattern):
  zmprov ma admin@gregzimbra2.zimbra.com +objectClass sambaSamAccount sambaDomainName GREGZIMBRA1 sambaSID S-1-5-21-3745602466-621825477-2613676135-21006 sambaAcctFlags '[UX]'
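Doing this by hand for every pre-existing account is error-prone, mostly because of the sambaSID. The RID in the command above is not arbitrary: 21006 is 2 × 10003 + 1000, Samba's algorithmic RID mapping with the default <font size="2"><font face="Courier New, monospace">algorithmic rid base</font></font> of 1000. The following script is an added example (not code from the page, from Zimbra or from Samba) that generates the two zmprov commands above for every account listed in a file, deriving the user SID from uidNumber with that mapping. It goes slightly beyond the page: it also sets sambaPrimaryGroupSID from gidNumber using the smbldap-tools group convention (2 × gid + 1001), which the page does not show and which is an assumption here, as are the domain name, domain SID, the zmprov path and the account list. By default it only prints the commands (DRY_RUN=1).

```shell
#!/bin/sh
# Added example, not from the original page or from Zimbra/Samba: generate (and
# optionally run) the zmprov commands that add posixAccount and sambaSamAccount
# attributes to accounts created before the schema change. Domain name and SID,
# the zmprov path and the account list are assumptions; with DRY_RUN=1 (the
# default) nothing is changed, the commands are only printed.

ZMPROV="${ZMPROV:-/opt/zimbra/bin/zmprov}"
DRY_RUN="${DRY_RUN:-1}"

# Samba's algorithmic RID mapping ("algorithmic rid base" 1000):
# user RID = 2*uid + 1000 (10003 -> 21006, as on this page);
# group RID = 2*gid + 1001 (smbldap-tools convention; an assumption here,
# the page shows no group SID).
user_rid()  { echo $(( $1 * 2 + 1000 )); }
group_rid() { echo $(( $1 * 2 + 1001 )); }
user_sid()  { echo "$1-$(user_rid "$2")"; }    # user_sid  DOMAIN_SID uidNumber
group_sid() { echo "$1-$(group_rid "$2")"; }   # group_sid DOMAIN_SID gidNumber

# posix_account_cmd ACCOUNT uidNumber gidNumber homeDirectory loginShell
posix_account_cmd() {
    printf '%s ma %s +objectClass posixAccount uidNumber %s gidNumber %s homeDirectory %s loginShell %s\n' \
        "$ZMPROV" "$1" "$2" "$3" "$4" "$5"
}

# samba_account_cmd ACCOUNT DOMAIN_NAME DOMAIN_SID uidNumber gidNumber [sambaAcctFlags]
# sambaAcctFlags is single-quoted in the output so that [UX] is not a shell glob;
# sambaPrimaryGroupSID is set in addition to what the page sets (assumption).
samba_account_cmd() {
    printf "%s ma %s +objectClass sambaSamAccount sambaDomainName %s sambaSID %s sambaPrimaryGroupSID %s sambaAcctFlags '%s'\n" \
        "$ZMPROV" "$1" "$2" "$(user_sid "$3" "$4")" "$(group_sid "$3" "$5")" "${6:-[UX]}"
}

# migrate ACCOUNTS_FILE DOMAIN_NAME DOMAIN_SID
# ACCOUNTS_FILE lines: account uidNumber gidNumber homeDirectory loginShell
# (blank lines and lines starting with '#' are skipped).
migrate() {
    while read -r acct uid gid home shell; do
        case "$acct" in ''|'#'*) continue ;; esac
        posix_account_cmd "$acct" "$uid" "$gid" "$home" "$shell"
        samba_account_cmd "$acct" "$2" "$3" "$uid" "$gid"
    done < "$1" | if [ "$DRY_RUN" = 1 ]; then cat; else sh -e; fi
}

# Stand-alone use: DRY_RUN=0 ./migrate.sh accounts.txt GREGZIMBRA1 S-1-5-21-...
if [ $# -eq 3 ]; then
    migrate "$1" "$2" "$3"
fi
```

Take the domain SID from <font size="2"><font face="Courier New, monospace">net getlocalsid</font></font> on the Samba server, review the printed commands, and only then rerun with DRY_RUN=0 as the zimbra user; uidNumber values must not collide with existing local or LDAP accounts, which <font size="2"><font face="Courier New, monospace">getent passwd</font></font> will show.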
====Creating Windows NT Domain groups====
Next, create a "Domain Admins" group using Zimbra Admin UI; on the Samba tab select the special Windows group type "Domain Admins". Then grant privileges to this group by running the following command as root on your Samba server, putting your domain name instead of GREGZIMBRA1. Without <font size="2"><font face="Courier New, monospace">-U</font></font>, <font size="2"><font face="Courier New, monospace">net</font></font> authenticates as the current Unix user (root) and prompts for the Samba password you set with <font size="2"><font face="Courier New, monospace">smbpasswd -a root</font></font>; SeMachineAccountPrivilege is what lets members of this group join machines to the domain in the next section. More information on this topic is available in the Official Samba HOWTO Reference Guide ([http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/ http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/]).
  net rpc rights grant "GREGZIMBRA1\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege
====Adding Windows NT/2000/XP machines to Samba domain====
Log in to a Windows desktop as a local administrator and join the Samba domain the same way you would join a Windows domain. You might need to point your Windows box at your Samba WINS server, depending on how your DHCP and DNS servers are configured. Use a member of the "Domain Admins" group to join the domain. After you have joined the domain, verify that the machine account was added to the LDAP directory by running the <font size="2"><font face="Courier New, monospace">ldapsearch </font></font>command. For example, if your Windows desktop machine name is gregvmxp2:
  root@gregzimbra1:/home/ubuntu# /opt/zimbra/openldap/bin/ldapsearch -h gregzimbra1 | grep gregvmxp
  <nowiki># gregvmxp2$, machines, gregzimbra1.zimbra.com</nowiki>
  dn: uid=gregvmxp2$,ou=machines,dc=gregzimbra1,dc=zimbra,dc=com
  uid: gregvmxp2$
[[Category: LDAP]]
[[Category: Linux]]
[[Category: Samba]]
[[Category: Windows]]

Latest revision as of 22:39, 24 May 2011
