Ajcody-Zimlet-Notes

Zimlets

   KB 2565        Last updated on 06/21/2016  




This is Zeta Alliance Certified Documentation. The content has been tested by the Community.


Actual Zimlet Notes Homepage

Please see Ajcody-Zimlet-Notes

Zimlets In ZCS 8+

List Of Supported Zimlets

$ find /opt/zimbra/zimlets -name '*.zip' -print
/opt/zimbra/zimlets/com_zimbra_url.zip
/opt/zimbra/zimlets/com_zimbra_tooltip.zip
/opt/zimbra/zimlets/com_zimbra_clientuploader.zip
/opt/zimbra/zimlets/com_zimbra_srchhighlighter.zip
/opt/zimbra/zimlets/com_zimbra_viewmail.zip
/opt/zimbra/zimlets/com_zimbra_ymemoticons.zip
/opt/zimbra/zimlets/com_zimbra_date.zip
/opt/zimbra/zimlets/com_zimbra_email.zip
/opt/zimbra/zimlets/com_zimbra_adminversioncheck.zip
/opt/zimbra/zimlets/com_zimbra_bulkprovision.zip
/opt/zimbra/zimlets/com_zimbra_attachmail.zip
/opt/zimbra/zimlets/com_zimbra_cert_manager.zip
/opt/zimbra/zimlets/com_zimbra_webex.zip
/opt/zimbra/zimlets/com_zimbra_phone.zip
/opt/zimbra/zimlets/com_zimbra_attachcontacts.zip
/opt/zimbra/zimlets/com_zimbra_proxy_config.zip


$ find /opt/zimbra/zimlets-network -name '*.zip' -print
/opt/zimbra/zimlets-network/com_zimbra_backuprestore.zip
/opt/zimbra/zimlets-network/com_zimbra_archive.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_mitel.zip
/opt/zimbra/zimlets-network/com_zimbra_voiceprefs.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_cisco.zip
/opt/zimbra/zimlets-network/com_zimbra_smime_cert_admin.zip
/opt/zimbra/zimlets-network/com_zimbra_convertd.zip
/opt/zimbra/zimlets-network/com_zimbra_smime.zip
/opt/zimbra/zimlets-network/com_zimbra_license.zip
/opt/zimbra/zimlets-network/com_zimbra_delegatedadmin.zip
/opt/zimbra/zimlets-network/com_zimbra_mobilesync.zip
/opt/zimbra/zimlets-network/com_zimbra_xmbxsearch.zip
/opt/zimbra/zimlets-network/com_zimbra_cluster.zip
/opt/zimbra/zimlets-network/com_zimbra_hsm.zip
/opt/zimbra/zimlets-network/com_zimbra_ucconfig.zip

Undeploy All Zimlets And Redeploy Supported Zimlets

Let's flush the cache in regards to zimlets before we start:

zmprov fc zimlet

Create a text file of your currently deployed zimlets. Note: save this for future reference so you can recall what was removed.

/opt/zimbra/bin/zmzimletctl listZimlets

and

ls /opt/zimbra/zimlets-deployed 

Add the zimlets to a file - This Is An Example Below - Be Sure Your Text File Lists YOUR Zimlets:

vi /tmp/list
com_zimbra_adminversioncheck
com_zimbra_apptsummary
com_zimbra_attachcontacts
com_zimbra_attachmail
com_zimbra_backuprestore
com_zimbra_bulkprovision
com_zimbra_cert_manager
com_zimbra_coloredemails
com_zimbra_contactcleaner
com_zimbra_contactorganizer
com_zimbra_convertd
com_zimbra_date
com_zimbra_delegatedadmin
com_zimbra_dnd
com_zimbra_email
com_zimbra_emailreminder
com_zimbra_emailtemplates
com_zimbra_hsm
com_zimbra_license
com_zimbra_linkedin
com_zimbra_local
com_zimbra_meebo
com_zimbra_mobilesync
com_zimbra_smime
com_zimbra_social
com_zimbra_srchhighlighter
com_zimbra_stickynotes
com_zimbra_tracking
com_zimbra_url
com_zimbra_webex
com_zimbra_xmbxsearch
com_zimbra_ycurrency
com_zimbra_yfinance
com_zimbra_ymaps
com_zimbra_ymemoticons

Use the file to undeploy:

  for i in $(cat /tmp/list); do zmzimletctl undeploy "$i"; done

To deploy the basic supported zimlets:

vi /tmp/install-list
/opt/zimbra/zimlets/com_zimbra_url.zip
/opt/zimbra/zimlets/com_zimbra_tooltip.zip
/opt/zimbra/zimlets/com_zimbra_clientuploader.zip
/opt/zimbra/zimlets/com_zimbra_srchhighlighter.zip
/opt/zimbra/zimlets/com_zimbra_viewmail.zip
/opt/zimbra/zimlets/com_zimbra_ymemoticons.zip
/opt/zimbra/zimlets/com_zimbra_date.zip
/opt/zimbra/zimlets/com_zimbra_email.zip
/opt/zimbra/zimlets/com_zimbra_adminversioncheck.zip
/opt/zimbra/zimlets/com_zimbra_bulkprovision.zip
/opt/zimbra/zimlets/com_zimbra_attachmail.zip
/opt/zimbra/zimlets/com_zimbra_cert_manager.zip
/opt/zimbra/zimlets/com_zimbra_webex.zip
/opt/zimbra/zimlets/com_zimbra_phone.zip
/opt/zimbra/zimlets/com_zimbra_attachcontacts.zip
/opt/zimbra/zimlets/com_zimbra_proxy_config.zip
/opt/zimbra/zimlets-network/com_zimbra_backuprestore.zip
/opt/zimbra/zimlets-network/com_zimbra_smime_cert_admin.zip
/opt/zimbra/zimlets-network/com_zimbra_convertd.zip
/opt/zimbra/zimlets-network/com_zimbra_smime.zip
/opt/zimbra/zimlets-network/com_zimbra_license.zip
/opt/zimbra/zimlets-network/com_zimbra_delegatedadmin.zip
/opt/zimbra/zimlets-network/com_zimbra_mobilesync.zip
/opt/zimbra/zimlets-network/com_zimbra_xmbxsearch.zip
/opt/zimbra/zimlets-network/com_zimbra_hsm.zip

Those that are absent from the above list from /opt/zimbra/zimlets & /opt/zimbra/zimlets-network are:

/opt/zimbra/zimlets-network/com_zimbra_archive.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_mitel.zip
/opt/zimbra/zimlets-network/com_zimbra_voiceprefs.zip
/opt/zimbra/zimlets-network/com_zimbra_click2call_cisco.zip
/opt/zimbra/zimlets-network/com_zimbra_cluster.zip
/opt/zimbra/zimlets-network/com_zimbra_ucconfig.zip

To deploy the zimlets from /tmp/install-list :

   for i in $(cat /tmp/install-list); do zmzimletctl deploy "$i"; done

Or to deploy ALL supported zimlets:

  cd /opt/zimbra/zimlets
  for i in *.zip ; do zmzimletctl deploy "$i" ; done
  cd /opt/zimbra/zimlets-network
  for i in *.zip ; do zmzimletctl deploy "$i" ; done

Flush the cache again in regards to zimlets:

zmprov fc zimlet

Depending on the issue, or if problems persist, you might want to restart the mailboxd service:

zmmailboxdctl restart

Do a current listing of your installed zimlets and confirm it's what you expect:

/opt/zimbra/bin/zmzimletctl listZimlets

Zimlet Changes In ZCS 6

New Directory Path For Deployed Zimlets

From ZCS 5, it was:

zmlocalconfig zimlet_directory
zimlet_directory = ${mailboxd_directory}/webapps/service/zimlet
**where mailboxd was /opt/zimbra/jetty/**

Under ZCS 6:

zimlet_directory = /opt/zimbra/zimlets-deployed

The related bug/rfe:

Can't Deploy Zimlets - Admin Or Others

This variable & directory seem to have been dropped with 6.0.5+.

If you can't deploy zimlets and mailbox.log is logging an error about being unable to locate a file, check that the following exists:

drwxr-xr-x   17 zimbra  zimbra  578 Nov  4 13:55 /opt/zimbra/zimlets-properties
zmlocalconfig zimlet_properties_directory
zimlet_properties_directory = /opt/zimbra/zimlets-properties

Location Of Zimlets

Zimlets should be already located on the zimbra server in one of these directories:

/opt/zimbra/zimlets/
/opt/zimbra/zimlets-admin-extra/
/opt/zimbra/zimlets-extra/
/opt/zimbra/zimlets-experimental/
/opt/zimbra/zimlets-network/

How To List Currently Installed Zimlets

Do the following:

zmzimletctl listZimlets

You can also see them in the admin console.

Configuration > Zimlets

Configuration > Admin Extensions

How To Deploy Zimlets

To deploy a zimlet, simply cd to the directory where the zimlet is located and issue this command:

/opt/zimbra/bin/zmzimletctl deploy <zimlet_name>

Something like:

zmzimletctl deploy /opt/zimbra/zimlets-extra/com_zimbra_ycurrency.zip

You can also deploy them via the admin console.

Configuration > Zimlets

Configuration > Admin Extensions

How To Undeploy / Uninstall Zimlets

See how the zimlet is named:

zmzimletctl listZimlets

Now run the following with the naming convention used from the above output:

zmzimletctl undeploy com_zimbra_ycurrency

You can also undeploy them via the admin console.

Configuration > Zimlets

Configuration > Admin Extensions

Samba & Posix Zimlet - ZCS 6x

Main Samba & Posix How-To Reference

Please see:

Important Bugs-RFE's Related To Samba Posix Issues

Please see:

Samba & Posix Zimlet - ZCS 5x

Main Samba & Posix How-To Reference

Please see:

Important Bugs-RFE's Related To Samba Posix Issues

Please see:

  • Other Issues
    • "Have the Unix Windows LDAP Samba extensions installed and configured by default"
    • "Suggestions to improve Posix and Samba Zimlets"
      • Items requested:
        • a) Add an option to expire the Samba password to force them change the password.
        • b) In the memberuid option under Posix Groups: Could you add an option to allow the users to select a single or multiple zimbra users to fill them up quickly?
        • c) Add an additional button to display all users that belongs to this particular Posix Group.
        • d) Add an additional button in the user profile screen that displays all the groups that he/she belongs to.
      • http://bugzilla.zimbra.com/show_bug.cgi?id=18141

Samba - LDAP - Overlays

We don't [officially] support running additional overlays with OpenLDAP.

SLAPO-RWM OVERLAY RWM

slapo-rwm is known to be buggy in OpenLDAP 2.3.43 and continues to be buggy to this day in OpenLDAP 2.4. It certainly won't work with ZCS 5.0.16.

We would advise customers to avoid using it until it stabilizes, though they need to understand it's still going to be unsupported by us.

Where one places "overlay rwm" in the slapd.conf file has been known to cause issues as well. RWM has problems in the order in which it is loaded. There are at least 2 open bugs currently in the OpenLDAP ITS tracker.

Can't Manage Users After Removing Samba & Posix Zimlet

This is after you have removed the samba & posix zimlets and now can't see or manage old accounts in the admin ui. You might need to remove the samba/posix references in each user account. You'll need the nis.schema and samba.schema configured for ldap for this to work.

Untested comment, 3 things needed for this.

1. deployed samba/posix zimlet

2. add/have the samba/nis schema

3. add/have the extra oc's

zmprov mcf +zimbraAccountExtraObjectClass posixAccount 
zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount

If you do this on one of the old accounts:

zmprov ga user@domain.com

And you see:

objectClass: posixAccount
objectClass: sambaSamAccount

These steps might need to be done.

Create a file called mod.ldif . Modify the dn line - dn: uid=posix1,ou=people,dc=testdomain,dc=com - for your server and user.

# posix1, people, testdomain.com
dn: uid=posix1,ou=people,dc=testdomain,dc=com
changetype: modify
delete: objectClass
objectClass: posixAccount
-
delete: objectClass
objectClass: sambaSamAccount
-
delete: uidNumber
-
delete: gidNumber
-
delete: loginShell
-
delete: sambaAcctFlags
-
delete: sambaSID
-
delete: homeDirectory
-
delete: sambaNTPassword

# posix2, people, testdomain.com
dn: uid=posix2,ou=people,dc=testdomain,dc=com
changetype: modify
delete: objectClass
objectClass: posixAccount
-
delete: objectClass
objectClass: sambaSamAccount
-
delete: uidNumber
-
delete: gidNumber
-
delete: loginShell
-
delete: sambaSID
-
delete: homeDirectory
-
delete: sambaNTPassword

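Then run a command similar to this, modified for your environment (with -W in place of -w PassWord, ldapmodify prompts for the bind password instead of taking it on the command line):

ldapmodify -D uid=zimbra,cn=admins,cn=zimbra -w PassWord -H ldap://ldapmaster.hostname.com:389 -x -f /tmp/mod.ldif

Problems With The Above Steps?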

Please see :

http://wiki.zimbra.com/index.php?title=King0770-Notes#LDAP_-_Export_.26_Reimport

It should be possible to modify the dump and then re-import it. This has not been tested yet, though.

Steps done in one test. Please note, you'll still need to visually review the ldap file to see what lines need to be removed; this can't be scripted out.

-as zimbra-
zimbra$ libexec/zmslapcat /tmp/ldap
zimbra$ cd /tmp/ldap
zimbra$ egrep -iv 'sambaSamAccount|posixAccount|uidNumber|gidNumber|loginShell|sambaAcctFlags|sambaSID|homeDirectory|sambaNTPassword' ldap.bak > ldap.bak2
zimbra$ egrep -i 'samba|posix' ldap.bak2
zimbra$ vi ldap.bak2
zimbra$ egrep -i 'loginshell|HOMEDIRECTORY|MEMBERUID' ldap.bak2
zimbra$ vi ldap.bak2
zimbra$ zmcontrol stop
zimbra$ ps aux | grep slapd

6) su - root
7) mv /opt/zimbra/openldap-data /opt/zimbra/openldap-data.OLD
8) mkdir -p /opt/zimbra/openldap-data/logs
9) chown -R zimbra:zimbra /opt/zimbra/openldap-data/
10) su - zimbra

zimbra$ cd /opt/zimbra/openldap-data.OLD
zimbra$ cp DB_CONFIG ../openldap-data/
zimbra$ cd
zimbra$ /opt/zimbra/openldap/sbin/slapadd -f /opt/zimbra/conf/slapd.conf -l /tmp/ldap/ldap.bak2 
The first database does not allow slapadd; using the first available one (2)
is_entry_objectclass("cn=IT,ou=groups,dc=XXXXX,dc=com", "2.16.840.1.113730.3.2.6") no objectClass attribute
slapadd: dn="cn=IT,ou=groups,dc=XXXXX,dc=com" (line=11179): no objectClass attribute
zimbra$ zmcontrol start

### Output ###
assigned-72-29-183-240:~ zimbra$ libexec/zmslapcat /tmp/ldap2/
UNKNOWN attributeDescription "LOGINSHELL" inserted.
UNKNOWN attributeDescription "HOMEDIRECTORY" inserted.
UNKNOWN attributeDescription "SAMBAACCTFLAGS" inserted.
UNKNOWN attributeDescription "SAMBASID" inserted.
UNKNOWN attributeDescription "SAMBADOMAINNAME" inserted.
UNKNOWN attributeDescription "SAMBANTPASSWORD" inserted.
UNKNOWN attributeDescription "SAMBAALGORITHMICRIDBASE" inserted.
UNKNOWN attributeDescription "SAMBANEXTUSERRID" inserted.
UNKNOWN attributeDescription "SAMBAMINPWDLENGTH" inserted.
UNKNOWN attributeDescription "SAMBALOGONTOCHGPWD" inserted.
UNKNOWN attributeDescription "SAMBAMAXPWDAGE" inserted.
UNKNOWN attributeDescription "SAMBAMINPWDAGE" inserted.
UNKNOWN attributeDescription "SAMBALOCKOUTDURATION" inserted.
UNKNOWN attributeDescription "SAMBALOCKOUTOBSERVATIONWINDOW" inserted.
UNKNOWN attributeDescription "SAMBALOCKOUTTHRESHOLD" inserted.
UNKNOWN attributeDescription "SAMBAFORCELOGOFF" inserted.
UNKNOWN attributeDescription "SAMBAREFUSEMACHINEPWDCHANGE" inserted.
UNKNOWN attributeDescription "SAMBAPWDHISTORYLENGTH" inserted.
UNKNOWN attributeDescription "SAMBAGROUPTYPE" inserted.
UNKNOWN attributeDescription "MEMBERUID" inserted.
UNKNOWN attributeDescription "SAMBAPASSWORDHISTORY" inserted.
UNKNOWN attributeDescription "SAMBAPWDLASTSET" inserted.

I Lost My Users After An Upgrade - Samba Posix Zimlet

This is from a case I saw and how a customer fixed it.

In order to fix this we did:

1. Replace slapd.conf.in
2. Restarted zimbra (not sure if this is necessary, but it's what we did.)
3. zmprov mcf +zimbraAccountExtraObjectClass posixAccount
4. zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount
5. ldap stop && ldap start && ldap stop && ldap start

The odd thing is, I looked in the zmprov gcf originally and posixAccount and sambaSamAccount had already been added?

Upgrade Or Installation Of New Package On Zimbra Broken Samba - Another Situation

The customer was kind enough to write up a summary of our session when troubleshooting this. We believe it will be of use for others.

Brief overview of your configuration/setup

The Zimbra server is used as the LDAP master server. It's easy to maintain and it's very easy to manage hybrid Zimbra/Posix/Samba user accounts. It provides LDAP service for Samba 3.0.24 and PAM on Debian Etch 4.0 servers and desktops. Additionally, I've got a few LDAP replica servers which use the syncrepl mechanism to get the required Posix and Samba data from the Zimbra server. As Posix and Samba objects are in use it's very important to keep the tweaked /opt/zimbra/conf/slapd.conf.in file the same after upgrade/re-installation.

System spec:

  • OS is Ubuntu 7.10 with all latest patches
  • Zimbra 5.0.11
  • LDAP 2.3.43.5z (/opt/zimbra/conf/slapd.conf configuration file)
  • Zimbra zimlets-admin-extra: zimbra_posixaccount, zimbra_samba
  • native packages Samba 3.0.24 on Debian 4.0 Etch with PAM and libnss-ldap, pam-ldap
  • smbldap-tools 0.9.5 from tar file

The symptoms and what you did to confirm the issue

Operations that failed at end-user & admin

Because of the other issue with Zimbra server we had to install convertd on the box. To avoid any other unknown problems we were advised to re-run installation script from the zcs-NETWORK-5.0.11_GA_2695.UBUNTU6.20081117023813 folder on local file system.

During the process we confirmed installation of 'convertd'. So, from this point in time it's installed. The Zimbra installer restarted the slapd service a few times. I'm not sure but I believe that during this process it dumps all LDAP objects and clears them in the directory. Then it loads them back into the directory.

The odd thing is that THE INSTALLER RE-GENERATES the '/opt/zimbra/conf/slapd.conf.in' file to the standard one from the new package.

This is the real source of the problem for objects other than Zimbra's own, i.e. Posix and Samba.

After I restored the changes required for Posix and Samba in the '/opt/zimbra/conf/slapd.conf.in' file as described on the Zimbra Wiki, it seems that Samba and Posix attributes were inaccessible on all clients. ( UNIX_and_Windows_Accounts_in_Zimbra_LDAP_and_Zimbra_Admin_UI )

Symptoms

[ Documentation substituted 'my_corp.net' for real domain name ]


1. "Samba can't join any new box to domain MY_CORP" but this is just tip of the iceberg.

# grep machine /etc/samba/smb.conf
  ldap machine suffix = ou=machines
  add machine script = /usr/sbin/smbldap-useradd -t 0 -W "%u"

Firstly, I tried to test an existing object I know is in the LDAP directory via ldapsearch, and it fails, giving zero results.

1A.
zimbra# ldapsearch -x -D cn=config -W -h <name-of-zimbra-server> -b ou=machines,dc=my_corp,dc=net uid=my-pc$

When I query the object itself, it works, which means that all attributes are in the directory.

1B.
zimbra# ldapsearch -x -D cn=config -W  -h <name-of-zimbra-server> -b uid=my-pc$,ou=machines,dc=my_corp,dc=net
  # extended LDIF
  #
  # LDAPv3
  # base <uid=my-pc$,ou=machines,dc=my_corp,dc=net> with scope subtree
  # filter: (objectclass=*)
  # requesting: ALL
  #
  # my-pc$, machines, my_corp.net
  dn: uid=my-pc$,ou=machines,dc=my_corp,dc=net
  cn: my-pc$
  uid: my-pc$
  uidNumber: 1001
  gidNumber: 515
  loginShell: /bin/false
  description: Computer
  gecos: Computer
  objectClass: posixAccount
  objectClass: account
  objectClass: sambaSamAccount
  displayName: my-pc$
  sambaDomainName: MY_CORP
  sambaSID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002

1C. One more test to be sure and no results as well:

zimbra# ldapsearch -x -D cn=config -W  -h <name-of-zimbra-server> -b dc=my_corp,dc=net uid=my-pc$

1D. Then tests on Samba side.

pdc# pdbedit -Lv my-pc$

  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
  smbldap_open_connection: connection opened
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
  smbldap_open_connection: connection opened
  init_sam_from_ldap: Entry found for user: my-pc$
  Unix username:        my-pc$
  NT username:          my-pc$
  Account Flags:        [W          ]
  User SID:             S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002
  pdb_get_group_sid: Failed to find Unix account for my-pc$    
 *Primary Group SID:    (NULL SID)                               # THIS FAILS as well
  Full Name:            my-pc$
  Home Directory:       \\pdc\my-pc_
  HomeDir Drive:        F:
  Logon Script:         logon.cmd
  Profile Path:
  Domain:               MY_CORP
  Account desc:         Computer
  Workstations:
  Munged dial:
  Logon time:          
  Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
  Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
  Password last set:    Mon, 05 Jan 2009 04:20:59 GMT
  Password can change:  
  Password must change: Tue, 19 Jan 2038 03:14:07 GMT
  Last bad password   :
  Bad password count  :
  Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

So Samba finds the object but can't link it to the Posix account via PAM query.

1E. Let's check also Posix attribute on Samba server.

pdc# getent passwd my-pc$

Nothing.

After I switched the log level to 5 in Samba I could see the communication with LDAP in the log.my-pc file on the Samba server.

pdc# grep "log level" /etc/samba/smb.conf
  log level = 5

pdc# grep -v "\[200" /var/log/samba/log.my-pc|less

It turns out that Samba's search base for machines does not work (see the 1A and 1C tests above).

I checked also other objects in other branches and situation was similar for ou=people ,ou=machines, ou=groups. No sambaSID or uidNumber/gidNumber attributes were visible for Samba in 'dc=my_corp,dc=net' search base.

Steps To Fix Issue

To fix this problem it is necessary to 're-fresh' affected attributes.

In our case:

  • ou=people branch - "sambaSID"
  • ou=machines branch - "sambaSID,uidNumber,gidNumber"
  • ou=groups branch - "sambaSID,gidNumber"
  • ( basedn - root for above branches is dc=my_corp,dc=net)

For ou=people

For ou=people it seems very easy to fix as there is zmprov command you can use to do it.

The syntax should be like this:

zimbra# zmprov ma <full-name>@my_corp.net sambaSID <Samba-SID>

To avoid a manual method (mistype), it's possible to use ldapsearch to create a ready zmprov command list. It requires egrep, awk and sed - standard posix tools present in every Linux system.

As the 'zimbra' user on the Zimbra server I'm sending the output to /tmp/sambaSID-refresh.sh file:

zimbra# ldapsearch -x -h <zimbra-server> -D "cn=config" -W -b ou=people,dc=my_corp,dc=net 'sambaSID=*' uid sambaSID | egrep -v "(^#|^dn)" | awk '/uid:/ {print "zmprov ma "$2"@my_corp.net"}; /sambaSID/ {print "sambaSID " $2}' | sed '/net$/N;s/\n */ /' > /tmp/user-sambaSID-refresh.sh

It gives the possibility to edit the file before you apply it and remove some entries if not relevant.

To apply the changes simply run the file with bash.

zimbra# bash /tmp/user-sambaSID-refresh.sh

Depending on the number of users it can take a while. For ~300 users it takes approximately 5-10 min. on a busy server.

For ou=machines

For ou=machines it's not as easy and requires using the ldapmodify tool and an ldif file to be created and imported.

According to the ldapmodify manual we need to create a file with multiple entries like the one below:

dn: uid=my-pc$,ou=machines,dc=my_corp,dc=net
changetype: modify
replace: uidNumber
uidNumber: 1001
-
replace: sambaSID
sambaSID: S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002

dn: (.....)

Make sure there is an empty line before the next 'dn:'.

This task can also be automated with the ldap tools. The command below will create ldif output that we can redirect to the /tmp/machine-posix-smb-fix.ldif file.

zimbra# ldapsearch -x -h <zimbra-server-name> -D "cn=config" -W -b ou=machines,dc=my_corp,dc=net sambaSID=* uidNumber sambaSID|egrep -v "(^#)"|awk '/dn:/ {print "\n"$0"\nchangetype: modify"}; /uidNumber:/ {print "replace: uidNumber\nuidNumber: "$2"\n-"};/sambaSID:/ {print "replace: sambaSID\nsambaSID: "$2};' > /tmp/machine-posix-smb-fix.ldif

Please review the /tmp/machine-posix-smb-fix.ldif file as this example assumes the uidNumber attribute comes first then sambaSID one.

Then using ldapmodify we can replace the existing attributes from our file. Change command if necessary.

zimbra# ldapmodify -x -h <zimbra-server-name> -D cn=config -W -f /tmp/machine-posix-smb-fix.ldif

For ou=groups

For ou=groups it is possible to use the Zimbra Admin web interface (RECOMMENDED).

If you don't have too many Posix groups you can easily go to the Zimbra Admin web interface and click on "Posix Groups" in the menu. Then double-click on the required group and edit the 'gidNumber' and 'sambaSID', adding one extra digit, and save. Then open it again, return to the previous value and save again.

But as I mentioned before it's very easy to mistype/remove something important. We can use ldapsearch and create the appropriate ldif file as in ou=machines case above.

zimbra# ldapsearch -x -h <zimbra-server-name> -D "cn=config" -W -b ou=groups,dc=my_corp,dc=net sambaSID=* gidNumber sambaSID|egrep -v "(^#)"|awk '/dn:/ {print "\n"$0"\nchangetype: modify"}; /gidNumber:/ {print "replace: gidNumber\ngidNumber: "$2"\n-"};/sambaSID:/ {print "replace: sambaSID\nsambaSID: "$2"\n"};' > /tmp/groups-posix-smb-fix.ldif

Please review the /tmp/groups-posix-smb-fix.ldif file as this example assumes the gidNumber attribute comes first then sambaSID one. Change this command if necessary.
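
The awk one-liners above for ou=machines and ou=groups only produce valid LDIF when uidNumber or gidNumber is returned before sambaSID. The shell function below is an added example, not part of the customer's write-up or of Zimbra's tooling: it builds the same "replace" LDIF whatever the attribute order and unfolds wrapped LDIF lines. The names make_refresh_ldif and sample_ldapsearch_output and the sample entries are constructed for illustration.

```shell
#!/bin/sh
# make_refresh_ldif ATTR...
# Reads ldapsearch LDIF on stdin and writes an ldapmodify "replace" LDIF on
# stdout, with operations emitted in the order the attributes are named here.
make_refresh_ldif() {
    awk -v attrs="$*" '
    BEGIN {
        n = split(attrs, order, " ")
        for (i = 1; i <= n; i++) wanted[tolower(order[i])] = 1
    }
    # Emit one modify record for the entry collected so far, then reset.
    function emit(   i, k, ops) {
        ops = 0
        if (dn != "") {
            for (i = 1; i <= n; i++) {
                k = tolower(order[i])
                if (!(k in vals)) continue
                if (ops == 0) {
                    if (records++) print ""   # blank line between records
                    print dn
                    print "changetype: modify"
                } else {
                    print "-"                 # separator between operations
                }
                print "replace: " order[i]
                printf "%s", vals[k]          # the "attr: value" line(s)
                ops++
            }
        }
        dn = ""
        split("", vals)                       # portable way to clear the array
    }
    # Process one logical (already unfolded) LDIF line.
    function handle(line,   p, k) {
        if (line == "")       { emit(); return }
        if (line ~ /^#/)      return
        if (line ~ /^dn::? /) { emit(); dn = line; return }
        if (dn == "")         return          # trailer: "search: 2", "result: ..."
        p = index(line, ":")
        if (p == 0) return
        k = tolower(substr(line, 1, p - 1))
        if (k in wanted) vals[k] = vals[k] line "\n"
    }
    # LDIF folds long lines; a continuation line starts with a single space.
    /^ / { if (have) cur = cur substr($0, 2); next }
         { if (have) handle(cur); cur = $0; have = 1 }
    END  { if (have) handle(cur); emit() }
    '
}

# Constructed sample of ldapsearch output (not real data): the first entry
# returns sambaSID before uidNumber, the second has a folded sambaSID line.
sample_ldapsearch_output() {
    cat <<'EOF'
# extended LDIF
dn: uid=my-pc$,ou=machines,dc=my_corp,dc=net
sambaSID: S-1-5-21-1111-2222-3333-3002
uidNumber: 1001

dn: uid=my-pc2$,ou=machines,dc=my_corp,dc=net
uidNumber: 1002
sambaSID: S-1-5-21-1111-2222-
 3333-3004

# search result
search: 2
result: 0 Success
EOF
}

# Demo on the constructed sample.
sample_ldapsearch_output | make_refresh_ldif uidNumber sambaSID
```

With a live directory, pipe the ldapsearch output from the commands above into `make_refresh_ldif uidNumber sambaSID` (machines) or `make_refresh_ldif gidNumber sambaSID` (groups), review the file, then apply it with ldapmodify -f as shown.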

Admin/End-User test that were performed to confirm complete resolution

Last step is to test previously failed searches on Zimbra server. (Step Symptoms 1C from above)

zimbra# ldapsearch -x -h <name-of-zimbra-server> -b dc=my_corp,dc=net uid=my-pc$

This time it gives full list of attributes for my-pc$

Then on Samba server

  pdc# pdbedit -Lv my-pc$

  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
  smbldap_open_connection: connection opened
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
  smbldap_open_connection: connection opened
  init_sam_from_ldap: Entry found for user: my-pc$
  Unix username:        my-pc$
  NT username:          my-pc$
  Account Flags:        [W          ]
  User SID:             S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3002
  init_group_from_ldap: Entry found for group: 515
  init_group_from_ldap: Entry found for group: 515
  Primary Group SID:    S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-515
  Full Name:            my-pc$
  Home Directory:       \\pdc\my-pc_
  HomeDir Drive:        F:
  Logon Script:         logon.cmd
  Profile Path:
  Domain:               MY_CORP
  Account desc:         Computer
  Workstations:
  Munged dial:
  Logon time:          
  Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
  Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
  Password last set:    Mon, 05 Jan 2009 04:20:59 GMT
  Password can change:  
  Password must change: Tue, 19 Jan 2038 03:14:07 GMT
  Last bad password   :
  Bad password count  :
  Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Let's check also Posix attribute on Samba server. (Step Symptoms 1E from above)

  pdc# getent passwd my-pc$
  my-pc$:*:1001:515:Computer::/bin/false

Great, it works.

Now let's see if we can join a new box to the domain.

  pdc# /usr/sbin/smbldap-useradd -t 0 -W my-pc2

  pdc# pdbedit -Lv my-pc2$

  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
  smbldap_open_connection: connection opened
  smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MY_CORP))]
  smbldap_open_connection: connection opened
  init_sam_from_ldap: Entry found for user: my-pc2$
  Unix username:        my-pc2$
  NT username:          my-pc2$
  Account Flags:        [W          ]
  User SID:             S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-3004
  init_group_from_ldap: Entry found for group: 515
  init_group_from_ldap: Entry found for group: 515
  Primary Group SID:    S-1-5-21-XXXXXXX-XXXXXXXXXX-XXXXX-515
  Full Name:            my-pc2$
  Home Directory:       \\pdc\my-pc2_
  HomeDir Drive:        F:
  Logon Script:         logon.cmd
  Profile Path:
  Domain:               MY_CORP
  Account desc:         Computer
  Workstations:
  Munged dial:
  Logon time:          
  Logoff time:          Tue, 19 Jan 2038 03:14:07 GMT
  Kickoff time:         Tue, 19 Jan 2038 03:14:07 GMT
  Password last set:    Mon, 05 Jan 2009 04:20:59 GMT
  Password can change:  
  Password must change: Tue, 19 Jan 2038 03:14:07 GMT
  Last bad password   :
  Bad password count  :
  Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

  pdc# getent passwd my-pc2$
  my-pc2$:*:1002:515:Computer::/bin/false

Yes, everything seems to be back up and running.

Conclusions (Of Customer)

In my personal opinion the Zimbra installer should prevent changes to the /opt/zimbra/conf/slapd.conf.in file. Or, if not to the whole file, then just to the 'include /<path>/*.schema' directives.

So, "include /<path>/samba.schema" and "include /<path>/nis.schema" should be populated in the re-generated file. Any other changes seem unimportant, as we can apply them after installation. This is required to ensure that the server recognizes these attributes and won't break the integrity of the data.

Additionally, I'm not sure if there is any better solution. Maybe there is, but this one seems to be the quickest in terms of my knowledge about Zimbra installer behavior.

RFE To Address

Please see:


