Ajcody-Zimlet-Notes
Zimlets
You are looking at legacy Zimlet documentation. For Zimbra Modern UI Zimlet development go to: https://wiki.zimbra.com/wiki/DevelopersGuide#Zimlet_Development_Guide.
Actual Zimlet Notes Homepage
Please see Ajcody-Zimlet-Notes
Zimlets In ZCS 8+
List Of Supported Zimlets
$ find /opt/zimbra/zimlets -name '*.zip' -print
/opt/zimbra/zimlets/com_zimbra_url.zip
/opt/zimbra/zimlets/com_zimbra_tooltip.zip
/opt/zimbra/zimlets/com_zimbra_clientuploader.zip
/opt/zimbra/zimlets/com_zimbra_srchhighlighter.zip
/opt/zimbra/zimlets/com_zimbra_viewmail.zip
/opt/zimbra/zimlets/com_zimbra_ymemoticons.zip
/opt/zimbra/zimlets/com_zimbra_date.zip
/opt/zimbra/zimlets/com_zimbra_email.zip
/opt/zimbra/zimlets/com_zimbra_adminversioncheck.zip
/opt/zimbra/zimlets/com_zimbra_bulkprovision.zip
/opt/zimbra/zimlets/com_zimbra_attachmail.zip
/opt/zimbra/zimlets/com_zimbra_cert_manager.zip
/opt/zimbra/zimlets/com_zimbra_webex.zip
/opt/zimbra/zimlets/com_zimbra_phone.zip
/opt/zimbra/zimlets/com_zimbra_attachcontacts.zip
/opt/zimbra/zimlets/com_zimbra_proxy_config.zip

$ find /opt/zimbra/zimlets-network -name '*.zip' -print
/opt/zimbra/zimlets-network/com_zimbra_backuprestore.zip
/opt/zimbra/zimlets-network/com_zimbra_archive.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_mitel.zip
/opt/zimbra/zimlets-network/com_zimbra_voiceprefs.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_cisco.zip
/opt/zimbra/zimlets-network/com_zimbra_smime_cert_admin.zip
/opt/zimbra/zimlets-network/com_zimbra_convertd.zip
/opt/zimbra/zimlets-network/com_zimbra_smime.zip
/opt/zimbra/zimlets-network/com_zimbra_license.zip
/opt/zimbra/zimlets-network/com_zimbra_delegatedadmin.zip
/opt/zimbra/zimlets-network/com_zimbra_mobilesync.zip
/opt/zimbra/zimlets-network/com_zimbra_xmbxsearch.zip
/opt/zimbra/zimlets-network/com_zimbra_cluster.zip
/opt/zimbra/zimlets-network/com_zimbra_hsm.zip
/opt/zimbra/zimlets-network/com_zimbra_ucconfig.zip
Undeploy All Zimlets And Redeploy Supported Zimlets
Let's flush the cache in regards to zimlets before we start:
zmprov fc zimlet
Create a text file of your currently deployed zimlets. Note: save this for future reference so you can recall what was removed.
/opt/zimbra/bin/zmzimletctl listZimlets
and
ls /opt/zimbra/zimlets-deployed
Add the zimlets to a file - This Is An Example Below - Be Sure Your Text File Lists YOUR Zimlets:
vi /tmp/list
com_zimbra_adminversioncheck
com_zimbra_apptsummary
com_zimbra_attachcontacts
com_zimbra_attachmail
com_zimbra_backuprestore
com_zimbra_bulkprovision
com_zimbra_cert_manager
com_zimbra_coloredemails
com_zimbra_contactcleaner
com_zimbra_contactorganizer
com_zimbra_convertd
com_zimbra_date
com_zimbra_delegatedadmin
com_zimbra_dnd
com_zimbra_email
com_zimbra_emailreminder
com_zimbra_emailtemplates
com_zimbra_hsm
com_zimbra_license
com_zimbra_linkedin
com_zimbra_local
com_zimbra_meebo
com_zimbra_mobilesync
com_zimbra_smime
com_zimbra_social
com_zimbra_srchhighlighter
com_zimbra_stickynotes
com_zimbra_tracking
com_zimbra_url
com_zimbra_webex
com_zimbra_xmbxsearch
com_zimbra_ycurrency
com_zimbra_yfinance
com_zimbra_ymaps
com_zimbra_ymemoticons
Use the file to undeploy:
for i in $(cat /tmp/list); do zmzimletctl undeploy "$i"; done
To deploy the basic supported zimlets:
vi /tmp/install-list
/opt/zimbra/zimlets/com_zimbra_url.zip
/opt/zimbra/zimlets/com_zimbra_tooltip.zip
/opt/zimbra/zimlets/com_zimbra_clientuploader.zip
/opt/zimbra/zimlets/com_zimbra_srchhighlighter.zip
/opt/zimbra/zimlets/com_zimbra_viewmail.zip
/opt/zimbra/zimlets/com_zimbra_ymemoticons.zip
/opt/zimbra/zimlets/com_zimbra_date.zip
/opt/zimbra/zimlets/com_zimbra_email.zip
/opt/zimbra/zimlets/com_zimbra_adminversioncheck.zip
/opt/zimbra/zimlets/com_zimbra_bulkprovision.zip
/opt/zimbra/zimlets/com_zimbra_attachmail.zip
/opt/zimbra/zimlets/com_zimbra_cert_manager.zip
/opt/zimbra/zimlets/com_zimbra_webex.zip
/opt/zimbra/zimlets/com_zimbra_phone.zip
/opt/zimbra/zimlets/com_zimbra_attachcontacts.zip
/opt/zimbra/zimlets/com_zimbra_proxy_config.zip
/opt/zimbra/zimlets-network/com_zimbra_backuprestore.zip
/opt/zimbra/zimlets-network/com_zimbra_smime_cert_admin.zip
/opt/zimbra/zimlets-network/com_zimbra_convertd.zip
/opt/zimbra/zimlets-network/com_zimbra_smime.zip
/opt/zimbra/zimlets-network/com_zimbra_license.zip
/opt/zimbra/zimlets-network/com_zimbra_delegatedadmin.zip
/opt/zimbra/zimlets-network/com_zimbra_mobilesync.zip
/opt/zimbra/zimlets-network/com_zimbra_xmbxsearch.zip
/opt/zimbra/zimlets-network/com_zimbra_hsm.zip
Those that are absent from the above list from /opt/zimbra/zimlets & /opt/zimbra/zimlets-network are:
/opt/zimbra/zimlets-network/com_zimbra_archive.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_mitel.zip
/opt/zimbra/zimlets-network/com_zimbra_voiceprefs.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_cisco.zip
/opt/zimbra/zimlets-network/com_zimbra_cluster.zip
/opt/zimbra/zimlets-network/com_zimbra_ucconfig.zip
To deploy the zimlets from /tmp/install-list :
for i in $(cat /tmp/install-list); do zmzimletctl deploy "$i"; done
Or to deploy ALL supported zimlets:
cd /opt/zimbra/zimlets
for i in *.zip; do zmzimletctl deploy "$i"; done
cd /opt/zimbra/zimlets-network
for i in *.zip; do zmzimletctl deploy "$i"; done
Flush the cache again in regards to zimlets:
zmprov fc zimlet
Depending on the issue, or if you have further trouble, you might want to restart the mailboxd service:
zmmailboxdctl restart
Do a current listing of your installed zimlets and confirm it's what you expect:
/opt/zimbra/bin/zmzimletctl listZimlets
Zimlet Changes In ZCS 6
New Directory Path For Deployed Zimlets
From ZCS 5, it was:
zmlocalconfig zimlet_directory
zimlet_directory = ${mailboxd_directory}/webapps/service/zimlet
**where mailboxd was /opt/zimbra/jetty/**
Under ZCS 6:
zimlet_directory = /opt/zimbra/zimlets-deployed
The related bug/rfe:
- "move zimlet repository out of service webapp"
Can't Deploy Zimlets - Admin Or Others
This variable and directory seem to have been dropped with 6.0.5+.
If you can't deploy zimlets and mailbox.log is logging an error about being unable to locate a file, check that the following exists:
drwxr-xr-x 17 zimbra zimbra 578 Nov 4 13:55 /opt/zimbra/zimlets-properties
zmlocalconfig zimlet_properties_directory
zimlet_properties_directory = /opt/zimbra/zimlets-properties
Location Of Zimlets
Zimlets should be already located on the zimbra server in one of these directories:
/opt/zimbra/zimlets/
/opt/zimbra/zimlets-admin-extra/
/opt/zimbra/zimlets-extra/
/opt/zimbra/zimlets-experimental/
/opt/zimbra/zimlets-network/
How To List Currently Installed Zimlets
Do the following:
zmzimletctl listZimlets
You can also see them in the admin console.
Configuration > Zimlets
Configuration > Admin Extensions
How To Deploy Zimlets
To deploy a zimlet, simply cd to the directory where the zimlet is located and issue this command:
/opt/zimbra/bin/zmzimletctl deploy <zimlet_name>
Something like:
zmzimletctl deploy /opt/zimbra/zimlets-extra/com_zimbra_ycurrency.zip
You can also deploy them via the admin console.
Configuration > Zimlets
Configuration > Admin Extensions
How To Undeploy / Uninstall Zimlets
See how the zimlet is named:
zmzimletctl listZimlets
Now run the following with the naming convention used from the above output:
zmzimletctl undeploy com_zimbra_ycurrency
You can also undeploy them via the admin console.
Configuration > Zimlets
Configuration > Admin Extensions
Samba & Posix Zimlet - ZCS 6x
Main Samba & Posix How-To Reference
Please see:
Important Bugs-RFE's Related To Samba Posix Issues
Please see:
- Post Upgrade Issues
  - Password sync between ZCS and Windows no longer working after upgrade to 608+
    - "Support change password listeners in provisioning and support Samba change password in the samba admin extension"
      - https://bugzilla.zimbra.com/show_bug.cgi?id=17321
        - See comment 27
    - "zimbraPasswordChangeListener resets to syncListener after zcs restart"
  - "Accounts disappear in Admin-Console after Update"
    - Note with bug from devs
      - "This is because slapd.conf.in is always reset on upgrade. This has been the case for all releases. With the move to cn=config in GnR, it will be possible for people to keep additional schema loaded across upgrades after their first initial move to GnR and adding them back in."
    - http://bugzilla.zimbra.com/show_bug.cgi?id=33628
    - The below bug will probably be marked a dup of 33628
      - "Upgrade for zimbra_posixaccount and zimbra_samba"
Samba & Posix Zimlet - ZCS 5x
Main Samba & Posix How-To Reference
Please see:
Important Bugs-RFE's Related To Samba Posix Issues
Please see:
- Post Upgrade Issues
  - Password sync between ZCS and Windows no longer working after upgrade to 608+
    - "Support change password listeners in provisioning and support Samba change password in the samba admin extension"
      - https://bugzilla.zimbra.com/show_bug.cgi?id=17321
        - See comment 27
    - "zimbraPasswordChangeListener resets to syncListener after zcs restart"
  - "Accounts disappear in Admin-Console after Update"
    - Note with bug from devs
      - "This is because slapd.conf.in is always reset on upgrade. This has been the case for all releases. With the move to cn=config in GnR, it will be possible for people to keep additional schema loaded across upgrades after their first initial move to GnR and adding them back in."
    - http://bugzilla.zimbra.com/show_bug.cgi?id=33628
    - The below bug will probably be marked a dup of 33628
      - "Upgrade for zimbra_posixaccount and zimbra_samba"
  - "BNR fails to restore accounts that were created and backed up prior to Zimbra-Samba integration"
  - "zmrestore fails when posix & samba zimlets are active."
  - "posix extension requires memberUid to contain a uidNumber"
    - This is related to the restore issues as well.
    - http://bugzilla.zimbra.com/show_bug.cgi?id=26423
- Other Issues
  - "Have the Unix Windows LDAP Samba extensions installed and configured by default"
    - Basically a request to have Samba/Posix items be more integrated into the product and include more admin console UI controls.
    - http://bugzilla.zimbra.com/show_bug.cgi?id=22509
  - "Suggestions to improve Posix and Samba Zimlets"
    - Items requested:
      - a) Add an option to expire the Samba password to force them to change the password.
      - b) In the memberuid option under Posix Groups: Could you add an option to allow the users to select a single or multiple zimbra users to fill them up quickly?
      - c) Add an additional button to display all users that belong to this particular Posix Group.
      - d) Add an additional button in the user profile screen that displays all the groups that he/she belongs to.
    - http://bugzilla.zimbra.com/show_bug.cgi?id=18141
Samba - LDAP - Overlays
We don't [officially] support running additional overlays with OpenLDAP.
SLAPO-RWM OVERLAY RWM
slapo-rwm is known to be buggy in OpenLDAP 2.3.43 and continues to be buggy to this day in OpenLDAP 2.4. It certainly won't work with ZCS 5.0.16.
We would advise customers to avoid using it until it stabilizes, though they need to understand it's still going to be unsupported by us.
Where one places "overlay rwm" in the slapd.conf file has been known to cause issues as well. RWM has problems in the order in which it is loaded. There are at least 2 open bugs currently in the OpenLDAP ITS tracker.
Can't Manage Users After Removing Samba & Posix Zimlet
This is after you have removed the samba & posix zimlets and now can't see or manage old accounts in the admin ui. You might need to remove the samba/posix references in each user account. You'll need the nis.schema and samba.schema configured for ldap for this to work.
Untested comment, 3 things needed for this.
1. deployed samba/posix zimlet
2. add/have the samba/nis schema
3. add/have the extra oc's
zmprov mcf +zimbraAccountExtraObjectClass posixAccount
zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount
If you do this on one of the old accounts:
zmprov ga user@domain.com
And you see:
objectClass: posixAccount
objectClass: sambaSamAccount
These steps might need to be done.
Create a file called mod.ldif. Modify the dn line - dn: uid=posix1,ou=people,dc=testdomain,dc=com - for your server and user.
# posix1, people, testdomain.com
dn: uid=posix1,ou=people,dc=testdomain,dc=com
changetype: modify
delete: objectClass
objectClass: posixAccount
-
delete: objectClass
objectClass: sambaSamAccount
-
delete: uidNumber
-
delete: gidNumber
-
delete: loginShell
-
delete: sambaAcctFlags
-
delete: sambaSID
-
delete: homeDirectory
-
delete: sambaNTPassword

# posix2, people, testdomain.com
dn: uid=posix2,ou=people,dc=testdomain,dc=com
changetype: modify
delete: objectClass
objectClass: posixAccount
-
delete: objectClass
objectClass: sambaSamAccount
-
delete: uidNumber
-
delete: gidNumber
-
delete: loginShell
-
delete: sambaSID
-
delete: homeDirectory
-
delete: sambaNTPassword
Then run a command similar to this, modify it for your environment:
ldapmodify -D uid=zimbra,cn=admins,cn=zimbra -w PassWord -H ldap://ldapmaster.hostname.com:389 -x -f /tmp/mod.ldif
Problems With The Above Steps?
Please see:
http://wiki.zimbra.com/index.php?title=King0770-Notes#LDAP_-_Export_.26_Reimport
It should be possible to modify the dump and then re-import it. This has not been tested yet, though.
Steps done in one test. Please note, you'll still need to visually review the ldap file to see what lines need to be removed; this can't be scripted out.
-as zimbra-
zimbra$ libexec/zmslapcat /tmp/ldap
zimbra$ egrep -iv 'sambaSamAccount|posixAccount|uidNumber|gidNumber|loginShell|sambaAcctFlags|sambaSID|homeDirectory|sambaNTPassword' ldap.bak > ldap.bak2
zimbra$ egrep -i 'samba|posix' ldap.bak2
zimbra$ vi ldap.bak2
zimbra$ egrep -i 'loginshell|HOMEDIRECTORY|MEMBERUID' ldap.bak2
zimbra$ vi ldap.bak2
zimbra$ zmcontrol stop
zimbra$ ps -aux | grep slapd
6) su - root
7) mv /opt/zimbra/openldap-data /opt/zimbra/openldap-data.OLD
8) mkdir -p /opt/zimbra/openldap-data/logs
9) chown -R zimbra:zimbra /opt/zimbra/openldap-data/
10) su - zimbra
zimbra$ cd /opt/zimbra/openldap-data.OLD
zimbra$ cp DB_CONFIG ../openldap-data/
zimbra$ cd
zimbra$ /opt/zimbra/openldap/sbin/slapadd -f /opt/zimbra/conf/slapd.conf -l /tmp/ldap/ldap.bak2
The first database does not allow slapadd; using the first available one (2)
is_entry_objectclass("cn=IT,ou=groups,dc=XXXXX,dc=com", "2.16.840.1.113730.3.2.6") no objectClass attribute
slapadd: dn="cn=IT,ou=groups,dc=XXXXX,dc=com" (line=11179): no objectClass attribute
zimbra$ zmcontrol start

### Output ###
assigned-72-29-183-240:~ zimbra$ libexec/zmslapcat /tmp/ldap2/
UNKNOWN attributeDescription "LOGINSHELL" inserted.
UNKNOWN attributeDescription "HOMEDIRECTORY" inserted.
UNKNOWN attributeDescription "SAMBAACCTFLAGS" inserted.
UNKNOWN attributeDescription "SAMBASID" inserted.
UNKNOWN attributeDescription "SAMBADOMAINNAME" inserted.
UNKNOWN attributeDescription "SAMBANTPASSWORD" inserted.
UNKNOWN attributeDescription "SAMBAALGORITHMICRIDBASE" inserted.
UNKNOWN attributeDescription "SAMBANEXTUSERRID" inserted.
UNKNOWN attributeDescription "SAMBAMINPWDLENGTH" inserted.
UNKNOWN attributeDescription "SAMBALOGONTOCHGPWD" inserted.
UNKNOWN attributeDescription "SAMBAMAXPWDAGE" inserted.
UNKNOWN attributeDescription "SAMBAMINPWDAGE" inserted.
UNKNOWN attributeDescription "SAMBALOCKOUTDURATION" inserted.
UNKNOWN attributeDescription "SAMBALOCKOUTOBSERVATIONWINDOW" inserted.
UNKNOWN attributeDescription "SAMBALOCKOUTTHRESHOLD" inserted.
UNKNOWN attributeDescription "SAMBAFORCELOGOFF" inserted.
UNKNOWN attributeDescription "SAMBAREFUSEMACHINEPWDCHANGE" inserted.
UNKNOWN attributeDescription "SAMBAPWDHISTORYLENGTH" inserted.
UNKNOWN attributeDescription "SAMBAGROUPTYPE" inserted.
UNKNOWN attributeDescription "MEMBERUID" inserted.
UNKNOWN attributeDescription "SAMBAPASSWORDHISTORY" inserted.
UNKNOWN attributeDescription "SAMBAPWDLASTSET" inserted.
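Added example, not part of the original notes: a line-by-line egrep cannot see LDIF continuation lines and can leave an entry with no objectClass at all, the same condition slapadd reported for cn=IT above. This sketch filters per entry and lists such entries before the import; the attribute set generalizes the egrep list to every samba* attribute plus memberUid, and the function names and sample LDIF are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not from the original notes. Sample LDIF below is constructed.

# Join LDIF continuation lines (a line starting with one space continues the
# previous line), so a folded value is kept or dropped as a whole.
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { if (NR > 0) print buf }'
}

# Remove Samba/POSIX attributes and objectClass values from LDIF on stdin.
# Assumption: every "samba*" attribute plus the POSIX ones named on this page.
strip_posix_samba() {
  unfold_ldif | awk '
    /^#/ || /^$/ { print; next }
    {
      c = index($0, ":")
      name = tolower(substr($0, 1, c - 1))
      val = tolower(substr($0, c + 1)); sub(/^:? */, "", val)
      if (name == "objectclass" && val ~ /^(samba|posix)/) next
      if (name ~ /^samba/) next
      if (name ~ /^(uidnumber|gidnumber|loginshell|homedirectory|memberuid)$/) next
      print
    }'
}

# Print the dn of every entry with no objectClass left; slapadd rejects these,
# so each one needs a manual decision (drop the entry or give it a class).
entries_without_objectclass() {
  unfold_ldif | awk '
    BEGIN { RS = ""; FS = "\n" }
    {
      dn = ""; oc = 0
      for (i = 1; i <= NF; i++) {
        line = tolower($i)
        if (line ~ /^dn:/) dn = $i
        else if (line ~ /^objectclass:/) oc = 1
      }
      if (dn != "" && !oc) print dn
    }'
}

# Constructed sample: one account with a folded homeDirectory value and one
# group whose only objectClass values are POSIX/Samba ones.
sample_ldif() {
  cat <<'EOF'
dn: uid=posix1,ou=people,dc=testdomain,dc=com
objectClass: inetOrgPerson
objectClass: zimbraAccount
objectClass: posixAccount
objectClass: sambaSamAccount
uid: posix1
uidNumber: 10001
homeDirectory: /home/
 posix1
sambaSID: S-1-5-21-0-0-0-3001

dn: cn=IT,ou=groups,dc=testdomain,dc=com
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: IT
gidNumber: 10005
memberUid: posix1
EOF
}

# Demo: clean the sample, then list what still needs review before slapadd.
cleaned=$(sample_ldif | strip_posix_samba)
printf '%s\n' "$cleaned"
printf '%s\n' "$cleaned" | entries_without_objectclass
```
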
I Lost My Users After An Upgrade - Samba Posix Zimlet
This is from a case I saw and how a customer fixed it.
- In order to fix this we did.
- 1. Replace slapd.conf.in
- 2. restarted zimbra (not sure if this is necessary, but it's what we did.)
- 3. zmprov mcf +zimbraAccountExtraObjectClass posixAccount
- 4. zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount
- 5. ldap stop && ldap start && ldap stop && ldap start
- The odd thing is, I looked in the zmprov gcf originally and posixAccount and sambaSamAccount had already been added?
Upgrade Or Installation Of New Package On Zimbra Broken Samba - Another Situation
The customer was kind enough to write up a summary of our session when troubleshooting this. We believe it will be of use for others.
Brief overview of your configuration/setup
The Zimbra server is used as LDAP master server. It's easy to maintain and it's very easy to manage hybrid Zimbra/Posix/Samba user accounts. It provides LDAP service for Samba 3.0.24 and PAM on Debian Etch 4.0 servers and desktops. Additionally, I've got a few LDAP replica servers which use the syncrepl mechanism to get required Posix and Samba data from the Zimbra server. As Posix and Samba objects are in use it's very important to keep the tweaked /opt/zimbra/conf/slapd.conf.in file the same after upgrade/re-installation.
System spec:
- OS is Ubuntu 7.10 with all latest patches
- Zimbra 5.0.11
- LDAP 2.3.43.5z (/opt/zimbra/conf/slapd.conf configuration file)
- Zimbra zimlets-admin-extra: zimbra_posixaccount, zimbra_samba
- native packages Samba 3.0.24 on Debian 4.0 Etch with PAM and libnss-ldap, pam-ldap
- smbldap-tools 0.9.5 from tar file
The symptoms and what you did to confirm the issue
Operations that failed at end-user & admin
Because of the other issue with Zimbra server we had to install convertd on the box. To avoid any other unknown problems we were advised to re-run installation script from the zcs-NETWORK-5.0.11_GA_2695.UBUNTU6.20081117023813 folder on local file system.
During the process we confirmed installation of 'convertd'. So, from this point of time it's installed. The Zimbra installer restarted the slapd service a few times. I'm not sure but I believe that during this process it dumps whole LDAP objects and clears it in directory. Then it loads them back to directory.
The odd thing is that THE INSTALLER RE-GENERATES the '/opt/zimbra/conf/slapd.conf.in' file to the standard one from the new package.
This is the real source of the problem for other objects than Zimbra's ones. i.e. Posix and Samba
After I restored the changes required for Posix and Samba in the '/opt/zimbra/conf/slapd.conf.in' file as described on Zimbra Wiki it seems that Samba and Posix attributes were inaccessible on all clients. ( UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI )
Symptoms
[ Documentation substituted 'my_corp.net' for real domain name ]
1. "Samba can't join any new box to domain MY_CORP" but this is just tip of the iceberg.
# grep machine /etc/samba/smb.conf
ldap machine suffix = ou=machines
add machine script = /usr/sbin/smbldap-useradd -t 0 -W "%u"
Firstly, I've tried to test an existing object I know in the LDAP directory via ldapsearch and it fails, giving zero results.
1A. zimbra# ldapsearch -x -D cn=config -W -h <name-of-zimbra-server> -b ou=machines,dc=my_corp,dc=net uid=my-pc$
I'm trying to query the object itself and then it works, which means that all attributes are in the directory.
1B. zimbra# ldapsearch -x -D cn=config -W -h <name-of-zimbra-server> -b uid=my-pc$,ou=machines,dc=my_corp,dc=net
# extended LDIF
#
# LDAPv3
# base <uid=my-pc$,ou=machines,dc=my_corp,dc=net> with scope subtree
# filter: (objectclass=*)
# requesting: ALL
#

# my-pc$, machines, my_corp.net
dn: uid=my-pc$,ou=machines,dc=my_corp,dc=net
cn: my-pc$
uid: my-pc$
uidNumber: 1001
gidNumber: 515
loginShell: /bin/false
description: Computer
gecos: Computer
objectClass: posixAccount
objectClass: account
objectClass: sambaSamAccount
displayName: my-pc$
sambaDomainName: MY_CORP
sambaSID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002
1C. One more test to be sure and no results as well:
zimbra# ldapsearch -x -D cn=config -W -h <name-of-zimbra-server> -b dc=my_corp,dc=net uid=my-pc$
1D. Then tests on Samba side.
pdc# pdbedit -Lv my-pc$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: my-pc$
Unix username: my-pc$
NT username: my-pc$
Account Flags: [W ]
User SID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002
pdb_get_group_sid: Failed to find Unix account for my-pc$
*Primary Group SID: (NULL SID) # THIS FAILS as well
Full Name: my-pc$
Home Directory: \\pdc\my-pc_
HomeDir Drive: F:
Logon Script: logon.cmd
Profile Path:
Domain: MY_CORP
Account desc: Computer
Workstations:
Munged dial:
Logon time:
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Mon, 05 Jan 2009 04:20:59 GMT
Password can change:
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password :
Bad password count :
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
So Samba finds the object but can't link it to the Posix account via PAM query.
1E. Let's check also Posix attribute on Samba server.
pdc# getent passwd my-pc$
Nothing.
After I switched the log level to 5 in Samba I'd see the communication with LDAP in log.my-pc file on Samba server.
pdc# grep "log level" /etc/samba/smb.conf
log level = 5
pdc# grep -v "\[200" /var/log/samba/log.my-pc|less
It turns out that the Samba's search base for machines does not work (see 1A,1C tests above).
I checked also other objects in other branches and situation was similar for ou=people ,ou=machines, ou=groups. No sambaSID or uidNumber/gidNumber attributes were visible for Samba in 'dc=my_corp,dc=net' search base.
Steps To Fix Issue
To fix this problem it is necessary to 're-fresh' affected attributes.
In our case:
- ou=people branch - "sambaSID"
- ou=machines branch - "sambaSID,uidNumber,gidNumber"
- ou=groups branch - "sambaSID,gidNumber"
- ( basedn - root for above branches is dc=my_corp,dc=net)
For ou=people
For ou=people it seems very easy to fix as there is zmprov command you can use to do it.
The syntax should be like this:
zimbra# zmprov ma <full-name>@my_corp.net sambaSID <Samba-SID>
To avoid a manual method (mistype), it's possible to use ldapsearch to create a ready zmprov command list. It requires egrep, awk and sed - standard posix tools present in every Linux system.
As the 'zimbra' user on the Zimbra server I'm sending the output to /tmp/sambaSID-refresh.sh file:
zimbra# ldapsearch -x -h <zimbra-server> -D "cn=config" -W -b ou=people,dc=my_corp,dc=net 'sambaSID=*' uid sambaSID |
  egrep -v "(^#|^dn)" |
  awk ' /uid:/ {print "zmprov ma "$2"@my_corp.net"}; /sambaSID/ {print "sambaSID " $2};' |
  sed '/net$/N;s/\n */ /' > /tmp/user-sambaSID-refresh.sh
It gives the possibility to edit the file before you apply it and remove some entries if not relevant.
To apply the changes simply run the file by bash.
zimbra# bash /tmp/user-sambaSID-refresh.sh
Depending on the number of users, it can take a while. For ~300 users it takes approximately 5-10 min. on a busy server.
For ou=machines
For ou=machines it's not as easy and requires using ldapmodify tool and ldif file to be created and imported.
According to the ldapmodify manual we need to create a file with multiple entries like the one below:
dn: uid=my-pc$,ou=machines,dc=my_corp,dc=net
changetype: modify
replace: uidNumber
uidNumber: 1001
-
replace: sambaSID
sambaSID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002

dn: (.....)
Make sure there is an empty line before the next 'dn:'.
So this task could be also automated by ldap-tools. The command below will create ldif output we can forward to the /tmp/machine-posix-smb-fix.ldif file.
zimbra# ldapsearch -x -h <zimbra-server-name> -D "cn=config" -W -b ou=machines,dc=my_corp,dc=net 'sambaSID=*' uidNumber sambaSID |
  egrep -v "(^#)" |
  awk '/dn:/ {print "\n"$0"\nchangetype: modify"}; /uidNumber:/ {print "replace: uidNumber\nuidNumber: "$2"\n-"};/sambaSID:/ {print "replace: sambaSID\nsambaSID: "$2};' > /tmp/machine-posix-smb-fix.ldif
Please review the /tmp/machine-posix-smb-fix.ldif file as this example assumes the uidNumber attribute comes first then sambaSID one.
Then using ldapmodify we can replace the existing attributes from our file. Change command if necessary.
zimbra# ldapmodify -x -h <zimbra-server-name> -D cn=config -W -f /tmp/machine-posix-smb-fix.ldif
For ou=groups
For ou=groups it is possible to use Zimbra Admin web interface(RECOMMENDED).
If you don't have too many Posix groups you can easily go to Zimbra Admin web interface and click on "Posix Groups" in the menu. Then double-click on the required group and edit the 'gidNumber' and 'sambaSID' adding one extra digit and save. Then open again and return to the previous value and save again.
But as I mentioned before it's very easy to mistype/remove something important. We can use ldapsearch and create the appropriate ldif file as in ou=machines case above.
zimbra# ldapsearch -x -h <zimbra-server-name> -D "cn=config" -W -b ou=groups,dc=my_corp,dc=net 'sambaSID=*' gidNumber sambaSID |
  egrep -v "(^#)" |
  awk '/dn:/ {print "\n"$0"\nchangetype: modify"}; /gidNumber:/ {print "replace: gidNumber\ngidNumber: "$2"\n-"};/sambaSID:/ {print "replace: sambaSID\nsambaSID: "$2"\n"};' > /tmp/groups-posix-smb-fix.ldif
Please review the /tmp/groups-posix-smb-fix.ldif file as this example assumes the gidNumber attribute comes first then sambaSID one. Change this command if necessary.
Admin/End-User test that were performed to confirm complete resolution
Last step is to test previously failed searches on Zimbra server. (Step Symptoms 1C from above)
zimbra# ldapsearch -x -h <name-of-zimbra-server> -b dc=my_corp,dc=net uid=my-pc$
This time it gives full list of attributes for my-pc$
Then on Samba server
pdc# pdbedit -Lv my-pc$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: my-pc$
Unix username: my-pc$
NT username: my-pc$
Account Flags: [W ]
User SID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002
init_group_from_ldap: Entry found for group: 515
init_group_from_ldap: Entry found for group: 515
Primary Group SID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-515
Full Name: my-pc$
Home Directory: \\pdc\my-pc_
HomeDir Drive: F:
Logon Script: logon.cmd
Profile Path:
Domain: MY_CORP
Account desc: Computer
Workstations:
Munged dial:
Logon time:
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Mon, 05 Jan 2009 04:20:59 GMT
Password can change:
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password :
Bad password count :
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
Let's check also Posix attribute on Samba server. (Step Symptoms 1E from above)
pdc# getent passwd my-pc$
my-pc$:*:1001:515:Computer::/bin/false
Great it works.
Now Let's see if we can join new box to the Domain
pdc# /usr/sbin/smbldap-useradd -t 0 -W my-pc2
pdc# pdbedit -Lv my-pc2$
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
smbldap_open_connection: connection opened
smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
smbldap_open_connection: connection opened
init_sam_from_ldap: Entry found for user: my-pc2$
Unix username: my-pc2$
NT username: my-pc2$
Account Flags: [W ]
User SID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3004
init_group_from_ldap: Entry found for group: 515
init_group_from_ldap: Entry found for group: 515
Primary Group SID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-515
Full Name: my-pc2$
Home Directory: \\pdc\my-pc2_
HomeDir Drive: F:
Logon Script: logon.cmd
Profile Path:
Domain: MY_CORP
Account desc: Computer
Workstations:
Munged dial:
Logon time:
Logoff time: Tue, 19 Jan 2038 03:14:07 GMT
Kickoff time: Tue, 19 Jan 2038 03:14:07 GMT
Password last set: Mon, 05 Jan 2009 04:20:59 GMT
Password can change:
Password must change: Tue, 19 Jan 2038 03:14:07 GMT
Last bad password :
Bad password count :
Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
pdc# getent passwd my-pc2$
my-pc2$:*:1002:515:Computer::/bin/false
Yes, everything seems to be back up and running.
Conclusions (Of Customer)
In my personal opinion Zimbra installer should prevent changes to the /opt/zimbra/conf/slapd.conf.in file. Or if not to all file then just to the 'include /<path>/*.schema' directives.
So, "include /<path>/samba.schema" and "include /<path>/nis.schema" should be populated in the re-generated file. Any other changes seem not important as we can apply them after installation. This is required to ensure that server recognizes these attributes and won't break integrity of data.
Additionally, I'm not sure if there is any better solution. Maybe there is, but this one seems to be the quickest in terms of my knowledge about Zimbra installer behavior.
RFE To Address
Please see:
- "Accounts disappear in Admin-Console after Update"
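Added example, not part of the customer's write-up or of Zimbra's tooling: the awk pipelines in the ou=people, ou=machines and ou=groups steps above depend on the order in which ldapsearch returns attributes, and the ou=people one writes a file that is then run by bash. This version produces the same kind of output independent of attribute order and only emits a zmprov line when the uid and SID have the expected shape; the function names and sample entries are constructed for illustration.

```bash
#!/usr/bin/env bash
# Added example, not the customer's code. Sample entries are constructed.

# Join LDIF continuation lines (ldapsearch folds long lines by default).
unfold_ldif() {
  awk '/^ / { buf = buf substr($0, 2); next }
       { if (NR > 1) print buf; buf = $0 }
       END { if (NR > 0) print buf }'
}

# make_modify_ldif ATTR... : ldapsearch output on stdin, ldapmodify input on
# stdout. Each "replace" block ends with "-", so attribute order is irrelevant.
make_modify_ldif() {
  unfold_ldif | awk -v attrs="$*" '
    BEGIN { RS = ""; FS = "\n"; n = split(attrs, want, " ") }
    {
      dn = ""
      for (k = 1; k <= n; k++) vals[k] = ""
      for (i = 1; i <= NF; i++) {
        c = index($i, ":")
        name = tolower(substr($i, 1, c - 1))
        if (name == "dn") dn = $i
        for (k = 1; k <= n; k++)
          if (name == tolower(want[k])) vals[k] = vals[k] $i "\n"
      }
      out = ""
      for (k = 1; k <= n; k++)
        if (vals[k] != "") out = out "replace: " want[k] "\n" vals[k] "-\n"
      if (dn != "" && out != "") printf "%s\nchangetype: modify\n%s\n", dn, out
    }'
}

# make_zmprov_refresh DOMAIN : one quoted "zmprov ma" line per user. The file
# is later run by bash, so odd uid/SID values become comments, not commands.
make_zmprov_refresh() {
  unfold_ldif | awk -v domain="$1" '
    BEGIN { RS = ""; FS = "\n" }
    {
      uid = ""; sid = ""
      for (i = 1; i <= NF; i++) {
        if ($i ~ /^uid: /) uid = substr($i, 6)
        else if ($i ~ /^sambaSID: /) sid = substr($i, 11)
      }
      if (uid == "" || sid == "") next
      if (uid ~ /^[A-Za-z0-9._-]+$/ && sid ~ /^S-[0-9]+(-[0-9]+)+$/)
        printf "zmprov ma \047%s@%s\047 sambaSID \047%s\047\n", uid, domain, sid
      else
        print "# skipped, review by hand: uid=" uid
    }'
}

sample_machines() {   # constructed; sambaSID deliberately comes first
  cat <<'EOF'
# extended LDIF
#
# LDAPv3

# my-pc$, machines, my_corp.net
dn: uid=my-pc$,ou=machines,dc=my_c
 orp,dc=net
sambaSID: S-1-5-21-1111-2222-3333-3002
uidNumber: 1001

# search result
search: 2
result: 0 Success
EOF
}

sample_people() {     # constructed; second uid contains a space
  cat <<'EOF'
dn: uid=alice,ou=people,dc=my_corp,dc=net
uid: alice
sambaSID: S-1-5-21-1111-2222-3333-3010

dn: uid=bob smith,ou=people,dc=my_corp,dc=net
uid: bob smith
sambaSID: S-1-5-21-1111-2222-3333-3011
EOF
}

sample_machines | make_modify_ldif uidNumber sambaSID
sample_people | make_zmprov_refresh my_corp.net
```

For ou=groups, pass `gidNumber sambaSID` to `make_modify_ldif` instead; review the generated file before feeding it to ldapmodify or bash, as the write-up advises.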