Tuesday, June 8, 2010

Zimbra and Samba Integration Howto

This howto explains how to install the Zimbra Collaboration Suite, which provides a spam- and virus-filtered e-mail service, and how to integrate it with a Samba domain so that the domain is managed through Zimbra. In layman's terms, every user with an e-mail account can use the same username and password to log in to any computer in the domain and reach files that are stored centrally, which eases the administration of such a domain.


Introduction to Zimbra

Zimbra Collaboration Suite (ZCS) 5.0 is a truly modern, innovative messaging and collaboration application. Zimbra is the leading open source solution for enterprise, service provider, education, and government environments; offering administrators and their end-users unmatched benefits. Zimbra is a popular choice for today's growing Mac and Linux email server base.

Ajax based web collaboration is at the heart of ZCS 5.0. The powerful web client integrates email, contacts, shared calendar, VoIP, and online document authoring into a rich browser-based interface. Also, our unique open source Zimlet technology makes it easy to include custom 'mash-ups' in the ZCS web client.

ZCS 5.0 also includes an elegant Ajax based Admin Interface plus full scripting tools to manage the ZCS server. Full support is provided for standards-based APIs (IMAP / POP / iCal / CalDAV) as well as MAPI and iSync, which enable seamless compatibility with other clients like Microsoft Outlook, Apple desktop suite, and Mozilla Thunderbird.

Zimbra also offers Zimbra Mobile, which provides over-the-air "push" synchronization to smartphones as well as a Connector for BlackBerry Enterprise Server.

The Zimbra solution also has a complete high security package including built-in anti-spam and anti-virus scanning.

Zimbra also features Archiving and Discovery, an optional component to save and search email for various compliance issues.

System Requirements for Zimbra Collaboration Suite 5.0

* Intel/AMD CPU 32-bit 2.0 GHZ+. For large deployments (more than 2000 users), 64-bit OS is recommended.
* Minimum - 2 GB RAM, Recommend - 4 GB
* Temp file space for installs and upgrades
* 10 GB free disk space for software and logs (SATA or SCSI for performance, and RAID/Mirroring for redundancy)
* Additional disk space for mail storage

Key End-user Benefits

* Elegant experience. Innovative Ajax-based web client with search, shared calendar and mail that is integrated with contacts and calendar
* Flexibility. Use web client, Microsoft Outlook, or Apple for email, contacts, and calendar
* Stay Connected. Support for mobile smart devices: BlackBerry (via partner solutions), Treo, etc.
* Freedom of choice. Support of Windows, Apple and Linux computers
* Save time. Zimlet "mash-ups" simplify tasks

Key Administrative Benefits

* Better reliability. Faster online move, backup and recovery of individual or a group of mailboxes
* Cost effective. Native hierarchical storage management and clustering
* Easy to maintain. Simple to integrate with Microsoft Active Directory and existing LDAP directories
* Extensibility. Web services integration with existing enterprise applications
* All in one. Integrated anti-spam and anti-virus

Pre-Installation
1. Preparation

Install a standard Debian Etch system and update it. I used a network installation (only standard system)
2. Hostname

You have to map the server's IP address to its hostname in /etc/hosts. It is very important that the FQDN appears before the short hostname on that line and that it is attached to the server's real IP address: Zimbra requires the FQDN to resolve to that address, not to 127.0.0.1 or a Debian-style 127.0.1.1 entry.

vi /etc/hosts

It should look like this:
127.0.0.1 localhost.localdomain localhost
192.168.16.96 samzimbra.baruatest.com samzimbra
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

Afterwards insert the hostname into the hostname file ...

echo samzimbra.baruatest.com > /etc/hostname

... and reboot the system.

reboot

When the system is up again, the output of both commands ...

hostname

and

hostname -f

should be:
samzimbra.baruatest.com
3. DNS

You need a running DNS server in your LAN that contains a valid A & MX record for this server - otherwise Zimbra won't work.

For this scenario I used another server (192.168.16.245) .

Add the nameserver's IP to the resolver configuration:

vi /etc/resolv.conf

The nameserver on your LAN has to be the first entry. It should look like this:
nameserver 192.168.16.245
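The hostname and resolver requirements above are what the installer trips over most often, so here is a small pre-flight script to run before ./install.sh. It is an added example, not part of the original howto or of Zimbra; the function names are invented for this page, the file paths are parameters so the checks can be run on copies, and the constructed sample values in the comments are this page's (samzimbra.baruatest.com, 192.168.16.96, 192.168.16.245).

```sh
#!/bin/sh
# Added example (not from the original howto): pre-install checks for the
# hostname and resolver setup that Zimbra's installer depends on.

# hosts_entry_ok HOSTSFILE FQDN
# Succeeds only if an uncommented IPv4 line maps a non-loopback address to FQDN
# with FQDN as the first name on the line (the order Zimbra needs).
# Good:  192.168.16.96 samzimbra.baruatest.com samzimbra
# Bad:   127.0.1.1 samzimbra.baruatest.com samzimbra   (loopback)
# Bad:   192.168.16.96 samzimbra samzimbra.baruatest.com (short name first)
hosts_entry_ok() {
    awk -v fqdn="$2" '
        $1 ~ /^#/ || NF < 2 { next }
        $1 ~ /^[0-9]+\.[0-9]+\.[0-9]+\.[0-9]+$/ && $2 == fqdn && $1 !~ /^127\./ { ok = 1 }
        END { exit ok ? 0 : 1 }' "$1"
}

# first_nameserver RESOLVCONF -> prints the first nameserver address
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# zimbra_preflight FQDN NAMESERVER [HOSTSFILE] [RESOLVCONF]
# Prints one ok/FAIL line per check; returns 1 if any check failed.
zimbra_preflight() {
    fqdn=$1; ns=$2; hosts=${3:-/etc/hosts}; resolv=${4:-/etc/resolv.conf}
    rc=0
    if hosts_entry_ok "$hosts" "$fqdn"; then
        echo "ok:   $fqdn is the first name after a non-loopback IP in $hosts"
    else
        echo "FAIL: $fqdn must be the first name after the server IP in $hosts"
        echo "      (a 127.x line for the host, or the short name first, breaks the install)"
        rc=1
    fi
    got=$(first_nameserver "$resolv")
    if [ "$got" = "$ns" ]; then
        echo "ok:   first nameserver in $resolv is $ns"
    else
        echo "FAIL: first nameserver in $resolv is '${got:-none}', expected $ns"
        rc=1
    fi
    return $rc
}

# Live checks that need the LAN DNS server reachable; run them on the real
# host once the file checks pass:
#   [ "$(hostname)" = "$(hostname -f)" ]   # both must print the FQDN
#   host samzimbra.baruatest.com           # A record -> 192.168.16.96
#   host -t mx baruatest.com               # an MX record must exist

if [ $# -ge 2 ]; then
    zimbra_preflight "$@"
fi
```

Usage on the server: sh preflight.sh samzimbra.baruatest.com 192.168.16.245. Both FAIL cases it reports are the ones the installer otherwise surfaces only after the packages are unpacked.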
4. Exim

Remove Exim, which is installed by default on most Debian systems, because Zimbra comes with its own mail server (Postfix).

apt-get remove --purge exim4 exim4-base exim4-config exim4-daemon-light

5. Needed packages

We install the dependencies:

apt-get install libc6-i686 sudo libidn11 curl fetchmail libgmp3c2 libexpat1 libgetopt-mixed-perl libxml2 libstdc++6 libpcre3 libltdl3 ssh

6. Get Zimbra

Please take a look at http://www.zimbra.com/community/downloads.html to see which is the latest version. Download and unpack it.

cd /tmp/

wget http://files.zimbra.com/downloads/5.0.2_GA/zcs-5.0.2_GA_1975.DEBIAN4.0.20080130234700.tgz

tar xvfz zcs-5.0.2_GA_1975.DEBIAN4.0.20080130234700.tgz

7. Zimbra Installation
7.1 Start The Installation

Be sure that no other services like sendmail, postfix or mysql or apache are running to avoid a conflict of ports!

cd /tmp/zcs-5.0.2_GA_1975.DEBIAN4.0.20080130234700

./install.sh -l

Read the license agreement and press "Enter" to continue. Zimbra will now check if all prerequisites are installed on the system. The output should look like this:
Checking for prerequisites...
NPTL...FOUND
sudo...FOUND sudo-1.6.8p12-4
libidn11...FOUND libidn11-0.6.5-1
fetchmail...FOUND fetchmail-6.3.6-1etch1
libpcre3...FOUND libpcre3-6.7+7.4-2
libgmp3c2...FOUND libgmp3c2-2:4.2.1+dfsg-4
libxml2...FOUND libxml2-2.6.27.dfsg-2
libstdc++6...FOUND libstdc++6-4.1.1-21
openssl...FOUND openssl-0.9.8c-4etch1
libltdl3...FOUND libltdl3-1.5.22-4
Prerequisite check complete.
Checking for standard system perl...
perl-5.8.8...FOUND standard system perl-5.8.8
7.2 Select The Packages To Install
Install zimbra-ldap [Y] Y
Install zimbra-logger [Y] Y
Install zimbra-mta [Y] Y
Install zimbra-snmp [Y] Y
Install zimbra-store [Y] Y
Install zimbra-apache [Y] Y
Install zimbra-spell [Y] Y
Install zimbra-proxy [N] N

The system will be modified. Continue? [N] Y

Now the packages are being installed - this could take a while.
7.3 Main Menu

After the packages have been installed you'll see the main menu. It should look like this:
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@samzimbra.baruatest.com
******* +Admin Password UNSET
+Enable automated spam training: yes
+Spam training user: spam.m0bqyoayc@samzimbra.baruatest.com
+Non-spam(Ham) training user: ham.ygch0qyz1@samzimbra.baruatest.com
+Global Documents Account: wiki@samzimbra.baruatest.com
+SMTP host: samzimbra.baruatest.com
+Web server HTTP port: 80
+Web server HTTPS port: 443
+Web server mode: http
+IMAP server port: 143
+IMAP server SSL port: 993
+POP server port: 110
+POP server SSL port: 995
+Use spell check server: yes
+Spell server URL: http://samzimbra.baruatest.com:7780/aspell.php

4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

Address unconfigured (**) items (? - help)

Points that are marked with asterisks to their left have to be configured manually. As you can see you have to set the admin password. Enter "3" (without the quotes) and press "Enter" to switch to the corresponding submenu. The output should look like this:
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@samzimbra.baruatest.com
** 4) Admin Password UNSET
5) Enable automated spam training: yes
6) Spam training user: spam.m0bqyoayc@samzimbra.baruatest.com
7) Non-spam(Ham) training user: ham.ygch0qyz1@samzimbra.baruatest.com
8) Global Documents Account: wiki@samzimbra.baruatest.com
9) SMTP host: samzimbra.baruatest.com
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: http
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL: http://samzimbra.baruatest.com:7780/aspell.php

Select, or 'r' for previous menu [r]

Enter "4" (without the quotes) and press "Enter" to modify the admin password. Now you'll be asked for the new password.
Password for admin@samzimbra.baruatest.com (min 6 characters): [TR9Fm7uD]

Enter a desired password and press "Enter".

Afterwards press "Enter" to switch back to the main menu.

The configuration is now complete and the output should look like this:
Main menu

1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit

*** CONFIGURATION COMPLETE - press 'a' to apply

Select from menu, or press 'a' to apply config (? - help)

Enter "a" (without the quotes) and press "Enter" to apply the configuration. You'll be asked a few questions - answer them as follows.
Save configuration data to a file? [Yes] Enter
Save config in file: [/opt/zimbra/config.5422]
Saving config in /opt/zimbra/config.5422...done.
The system will be modified - continue? [No] Y

Now Zimbra configures itself with the given configuration. This could take a while - the output should look like this:
Operations logged to /tmp/zmsetup.02062008-135354.log
Setting local config values...done.
Setting up CA...done.
Creating SSL certificate...done.
Initializing ldap...done.
Setting replication password...done.
Setting Postfix password...done.
Setting amavis password...done.
Deploying CA to /opt/zimbra/conf/ca ...done.
Creating server entry for samzimbra.baruatest.com...done.
Setting spell check URL...done.
Setting service ports on samzimbra.baruatest.com...done.
Adding samzimbra.baruatest.com to zimbraMailHostPool in default COS...done.
Installing skins...
hotrod
lavender
waves
steel
sky
bones
yahoo
sand
lemongrass
beach
bare
done.
Setting zimbraFeatureIMEnabled=FALSE...done.
Setting zimbraFeatureTasksEnabled=TRUE...done.
Setting zimbraFeatureBriefcasesEnabled=TRUE...done.
Setting zimbraFeatureNotebookEnabled=TRUE...done.
Setting MTA auth host...done.
Setting TimeZone Preference...done.
Creating domain samzimbra.baruatest.com...done.
Creating user admin@samzimbra.baruatest.com...done.
Creating postmaster alias...done.
Creating user wiki@samzimbra.baruatest.com...done.
Creating user spam.m0bqyoayc@samzimbra.baruatest.com...done.
Creating user ham.ygch0qyz1@samzimbra.baruatest.com...done.
Setting spam training accounts...done.
Initializing store sql database...done.
Setting zimbraSmtpHostname for samzimbra.baruatest.com...done.
Initializing logger sql database...done.
Initializing mta config...done.
Configuring SNMP...done.
Setting services on samzimbra.baruatest.com...done.
Setting up zimbra crontab...done.
Setting up syslog.conf...done.

Now you'll be asked if you want to notify Zimbra of your installation.

Press "Enter" if you want to do that, or enter "N" (without the quotes) and press "Enter" if you do not.

Afterwards the system will be initialized - it should look like this:
Starting servers...done.
Checking for deprecated zimlets...done.
Installing zimlets...
com_zimbra_date
com_zimbra_url
com_zimbra_cert_manager
com_zimbra_phone
com_zimbra_search
com_zimbra_local
com_zimbra_email
done.
Initializing Documents...done.
Restarting mailboxd...done.

Moving /tmp/zmsetup.02062008-135354.log to /opt/zimbra/log

Press "Enter" to exit. Let's check that all Zimbra services are running properly - switch to the Zimbra account ...

su - zimbra

... and enter the command:

zmcontrol status

The output should look like this:
Host samzimbra.baruatest.com
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running

If one or more services have not been started, enter the command:

zmcontrol start

Switch back to the root account via:

exit

8. Post Installation
8.1 Zimbra Web Interface

The user interface login can be accessed at http://samzimbra.baruatest.com/ . Because the web server mode was left at "http" in step 7.3, user passwords travel in clear text on that URL; outside a lab, switch the mode to https as the zimbra user (zmtlsctl https, then restart Zimbra) so that logins are only accepted over TLS.

Please have a look at the admin guide and the wiki.
8.2 Administration Console

You can access the administration web interface via https://samzimbra.baruatest.com:7071/zimbraAdmin/

Log in with the username "admin" (without the quotes) and the password that you assigned to this account in step 7.3.

Zimbra Samba Integration

It is possible to configure Zimbra Collaboration Server (ZCS) with Samba acting as a primary domain controller (PDC) that uses LDAP (Lightweight Directory Access Protocol) as the central password database for authenticating users on Linux and Windows desktops.

The motivation behind this is the need to seamlessly integrate ZCS into corporate network environment based entirely on Open Source server software. This functionality is achieved by configuring Zimbra LDAP to act as a central user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch), and for Samba's ldapsam password backend.

Basically, we show how to use Zimbra Admin Extensions to manage OS and Samba accounts, groups and domains through the Zimbra Admin UI.
Part 1:
Installing ZimbraPosixAccount and ZimbraSamba extensions for Zimbra Admin

1. Extract files from ZimbraPosixAccount.zip to a folder on your desktop computer, open zimbra_posixaccount folder and edit config_template.xml.

2. Edit ldapSuffix property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. This can be the name of your primary email domain written in the ldap syntax. E.g. if your domain is mycompany.com, then ldapSuffix will be
dc=mycompany,dc=com

I used the domain samzimbra.baruatest.com, which is the name of my Linux machine, hence my ldapSuffix is
dc=samzimbra,dc=baruatest,dc=com

3. Edit uidBase property in config_template.xml. uidBase is the base for creating Linux user IDs for user accounts that will be stored in LDAP. The first account that you will create through Zimbra Admin UI will have user ID = uidBase+1. If you already have user accounts in your current password database (most likely /etc/passwd) it is recommended that you set this value higher than the maximum existing user account.

4. Edit gidBase property in config_template.xml. gidBase is the base for creating Linux group IDs for groups that will be stored in LDAP. The first group that you will create through Zimbra Admin UI will have group ID = gidBase+1.

5. Zip all the files that are in zimbra_posixaccount folder into zimbra_posixaccount.zip together with modified config_template.xml

6. Log in to Zimbra Admin (https://yourserver.com:7071/zimbraAdmin) as administrator, navigate to Admin Extensions and deploy the zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to the ZCS Admin Guide for more information about installing Admin Extensions)

7. Extract files from ZimbraSamba.zip to a folder on your desktop computer and open config_template.xml (this file is in zimbra_samba folder along with other extension files).

8. Edit ldapSuffix, uidBase and gidBase properties using the same values as you used in for zimbra_posixaccount.zip

9. Zip all the files in the zimbra_samba folder into zimbra_samba.zip together with the modified config_template.xml and deploy the zimbra_samba Admin Extension.

10. Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they will check whether the OUs defined by the ldapMachineSuffix and ldapGroupSuffix properties in the config_template.xml files exist and create these OUs if they do not.

Installing Samba

Install Samba 3 on a Linux/Unix box. I installed it by running

apt-get install samba

If you are building Samba from source, make sure to enable LDAP support. Zimbra does not recommend installing Samba or any other application on the machine where you installed Zimbra and suggests a separate machine; I used one machine for both, and it worked.

Installing pam_ldap and nss_ldap

You need to install and configure PAM and NSS on the machine where you installed Samba.

You need to download and install pam_ldap and nss_ldap modules for your OS. I used Debian Linux which has these modules available via apt-get

apt-get install libpam-ldap

apt-get install libnss-ldap

If you are using a different Linux, you might need to build these modules from the sources. You can find the Sources for pam_ldap and nss_ldap on http://www.padl.com

If you are using apt-get to install libnss-ldap, you will be prompted for the following information:

* LDAP server Uniform Resource Identifier – enter the LDAP URL of your Zimbra LDAP server, e.g. ldap://zimbra.mydomain.com/ (in my case ldap://samzimbra.baruatest.com/)
* LDAP search base – enter the same value that you used for the ldapSuffix property in the zimbra_posixaccount and zimbra_samba extensions, e.g. dc=yourdomain,dc=com (in my case dc=samzimbra,dc=baruatest,dc=com)
* LDAP account for root – enter uid=zimbra,cn=admins,cn=zimbra
* LDAP root account password – enter the LDAP root password of your Zimbra installation (the installer generates it; see below for how to read or reset it)



If you don't know the LDAP root password, you can read it from the Zimbra local config as the zimbra user with zmlocalconfig -s ldap_root_password, or change it to a known value like this (as the zimbra user):

zimbra@localhost:~$ zmldappasswd --root newpasswd

If you are using apt-get to install libpam-ldap, you will be prompted for the following information:

* LDAP Server – enter the hostname or IP address of your Zimbra LDAP server
* root login account – enter uid=zimbra,cn=admins,cn=zimbra
* root login password - enter the LDAP root password that you selected during Zimbra installation

Part 2
Configuring Zimbra LDAP

Before you can configure Zimbra LDAP you need to download nis.schema and samba.schema files.

If nis.schema file already exists in /opt/zimbra/openldap/etc/openldap/schema/ - skip this step otherwise you need to download it.

nis.schema file depends on your version of OpenLDAP. Therefore, the best way to get the correct nis.schema file is to download OpenLDAP source code from http://www.openldap.org/software/download/ for your version of OpenLDAP and take the nis.schema file from servers/slapd/schema folder in the source package.

samba.schema file depends on the version of Samba that you will be installing. Therefore, I recommend downloading Samba source package for the latest stable version of Samba available for your server's OS and taking samba.schema from examples/LDAP folder in the source package.

Log in to the shell on your Zimbra LDAP server. If you have a multi-server setup this is the machine where ldap service is running. Copy samba.schema and nis.schema files to /opt/zimbra/openldap/etc/openldap/schema/ (or wherever your OpenLDAP schema files are if you are using a different LDAP server).

Next, edit the /opt/zimbra/conf/slapd.conf.in file. You need to add the following two lines after the last "include" statement at the top of the file:
include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"

You may also want to add these ldap indexes at the end of the file:
#indexes for PAM
index uidNumber eq
index gidNumber eq
index memberUID eq

#indexes for Samba

index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

An example slapd.conf.in file is in ZimbraSamba.zip in the examples/conf folder.

After you edited slapd.conf.in file and copied *.schema files to /opt/zimbra/openldap/etc/openldap/schema/, restart Zimbra services and make sure that they started successfully.
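The slapd.conf.in edit above is easy to get subtly wrong (include lines landing after the database section, or indexes added a second time after an upgrade), so here is an added shell function, not from the original howto or from Zimbra, that makes the change idempotently. The function name is invented for this page; the schema directory and the index list are the ones given above. LDAP attribute names are case-insensitive, so memberUid and memberUID denote the same index.

```sh
#!/bin/sh
# Added example (not from the original howto): insert the nis/samba schema
# includes after the last existing "include" line of a slapd.conf.in and
# append the PAM/Samba indexes. Safe to run twice.

# add_zimbra_schema CONF [SCHEMADIR]
add_zimbra_schema() {
    conf=$1
    dir=${2:-/opt/zimbra/openldap/etc/openldap/schema}

    # Warn (but continue) if the schema files are not where the page puts them;
    # slapd will refuse to start until they are.
    for s in nis.schema samba.schema; do
        [ -f "$dir/$s" ] || echo "warning: $dir/$s not found" >&2
    done

    if grep -q 'samba\.schema' "$conf"; then
        echo "includes already present in $conf"
    else
        # Line number of the last include; the new ones go right after it.
        last=$(grep -n '^include' "$conf" | tail -n 1 | cut -d: -f1)
        if [ -z "$last" ]; then
            echo "error: no include lines in $conf" >&2
            return 1
        fi
        tmp=$(mktemp) || return 1
        awk -v n="$last" -v d="$dir" '
            { print }
            NR == n {
                print "include \"" d "/nis.schema\""
                print "include \"" d "/samba.schema\""
            }' "$conf" > "$tmp" && cat "$tmp" > "$conf"   # cat keeps owner/mode (zimbra)
        rm -f "$tmp"
    fi

    # Append each index only if that exact line is missing (-x: whole line, -F: literal).
    for idx in "index uidNumber eq" "index gidNumber eq" "index memberUid eq" \
               "index sambaSID eq" "index sambaPrimaryGroupSID eq" "index sambaDomainName eq"; do
        grep -qxF "$idx" "$conf" || printf '%s\n' "$idx" >> "$conf"
    done
}

# On the Zimbra host, as root, then restart Zimbra as the zimbra user:
#   add_zimbra_schema /opt/zimbra/conf/slapd.conf.in
#   su - zimbra -c 'zmcontrol restart'
if [ $# -gt 0 ]; then
    add_zimbra_schema "$@"
fi
```

After the restart, zmcontrol status must still show ldap Running; if it does not, /opt/zimbra/log/ names the include or index line slapd rejected.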

Now run the following zmprov commands as user zimbra:

zmprov mcf +zimbraAccountExtraObjectClass posixAccount

zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount

Part 3
Configuring Samba

There are many ways to configure Samba, depending on what your needs are.

In this example I will configure Samba to use Zimbra LDAP as password backend and to act as a primary domain controller for domain SAMZIMBRA1 and as a WINS server for my network.

This configuration will allow Windows NT/XP/2000 workstations to join SAMZIMBRA1 domain as if it was an NT domain.

Below is the /etc/samba/smb.conf file used in this example.
[global]
workgroup = SAMZIMBRA1
netbios name = samzimbra2
os level = 33
preferred master = yes
enable privileges = yes
server string = %h server (Samba, Debian)
wins support =yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://samzimbra.baruatest.com/
ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra"
ldap suffix = dc=samzimbra,dc=baruatest,dc=com
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
logon path = \\samzimbra2.samzimbra.baruatest.com\%U\profile
logon home = \\samzimbra2.samzimbra.baruatest.com\%U
logon script = logon.cmd
add user script = /usr/sbin/adduser --quiet --disabled-password --gecos "" %u
add machine script = /usr/sbin/adduser --shell /bin/false --disabled-password --quiet --gecos "machine account" --force-badname %u
socket options = TCP_NODELAY
domain master = yes
local master = yes

[homes]
comment = Home Directories
browseable =yes
read only = No
valid users = %S

[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
locking = no

[profiles]
comment = Users profiles
path = /var/lib/samba/profiles
read only = No

[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes

[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700

[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no

I will not attempt to explain every line in this file, so if you are interested – read the official Samba HOWTO.

The key elements that are important for this example are these lines:

* passdb backend = ldapsam:ldap://samzimbra.baruatest.com/ tells Samba to use LDAP as its password backend and to contact the Zimbra LDAP server at ldap://samzimbra.baruatest.com/
* ldap admin dn = "uid=zimbra,cn=admins,cn=zimbra" is the same value as the root LDAP account that you entered when you were installing pam_ldap
* ldap suffix = dc=samzimbra,dc=baruatest,dc=com is the name of your Zimbra domain, and it is the same value as the ldapSuffix property in the config_template.xml files
* ldap group suffix = ou=groups is the same value as ldapGroupSuffix in the config_template.xml files
* ldap machine suffix = ou=machines is the same value as ldapMachineSuffix in the config_template.xml files
* ldap user suffix = ou=people must be exactly that, because this is where Zimbra stores its account records in LDAP

After you have edited smb.conf, you need to give Samba the password of the ldap admin dn, i.e. the Zimbra LDAP root password. Samba keeps it in its secrets.tdb, so protect that file as you would the password itself.

On your Samba server, restart the Samba services (/usr/sbin/smbd and /usr/sbin/nmbd) and run the following command (replace test123 with your LDAP root password; note that it will end up in your shell history).

smbpasswd -w test123

Creating Samba domain using Zimbra Admin UI

Log in to Zimbra Admin and click on Samba Domains. You should see a domain entry in the list. When Samba started up with the new smb.conf file it should have looked up the domain entry in LDAP and created it if it could not find the entry.
Part 4
Configuring pam_ldap and nss_ldap

Open file /etc/libnss-ldap.conf, make sure that base is set to the same value that you chose for ldapSuffix.

It should look like this (type your root LDAP password instead of test123):
base dc=samzimbra,dc=baruatest,dc=com
host samzimbra.baruatest.com
binddn uid=zimbra,cn=admins,cn=zimbra
bindpw test123
rootbinddn uid=zimbra,cn=admins,cn=zimbra

Make sure that host points to your Zimbra LDAP server. Two things to be aware of here: uid=zimbra,cn=admins,cn=zimbra is the Zimbra LDAP superuser (it bypasses the directory ACLs, so it can read every attribute, including the Samba password hashes), and Debian installs /etc/libnss-ldap.conf world-readable, so the bindpw line above hands that password to every local user. Keep the password only in the 0600 .secret file that goes with rootbinddn, use an unprivileged (or, where your ACLs allow it, anonymous) binddn without a bindpw for ordinary lookups, and prefer an ldaps:// uri or "ssl start_tls" over plain ldap://, since otherwise the bind password crosses the LAN in clear.

Next, copy /etc/libnss-ldap.conf to /etc/pam_ldap.conf, both modules have compatible syntax, so the same configuration file will work for both pam_ldap and nss_ldap.

Edit /etc/libnss-ldap.secret and make sure it contains your root LDAP password.

Then, copy /etc/libnss-ldap.secret to /etc/pam_ldap.secret

Edit the /etc/nsswitch.conf file. Replace these two lines:
passwd: compat
group: compat

with these lines (the colon after the database name is part of the syntax):
passwd: files ldap
group: files ldap

This change tells the name service switch to consult LDAP when it looks up users and groups (uids and gids).

It will first look at /etc/passwd and /etc/group and then at LDAP. You may want to change these lines differently if you know what you are doing ;)

I got some problems doing the above, since at boot-up udev needs to access LDAP as stated in /etc/nsswitch.conf; however, LDAP starts much later, leading to the server hanging at boot-up (more of waiting for access to LDAP). So I just left the file as it is; however, this means that on the server itself LDAP-authenticated logins will not work, but the rest of the machines will not be affected.

Edit /etc/pam.d/common-account. It should look like the following:
account sufficient pam_unix.so
account sufficient pam_ldap.so

Edit /etc/pam.d/common-auth. It should look like the following (use_first_pass makes pam_unix reuse the password pam_ldap already asked for, so a user who is not in LDAP is not prompted twice; since both entries are "sufficient", access is denied only when neither module succeeds):
auth sufficient pam_ldap.so
auth sufficient pam_unix.so use_first_pass

Edit /etc/pam.d/common-password. It should look like the following:
password sufficient pam_unix.so
password sufficient pam_ldap.so

Edit /etc/pam.d/common-session. It should look like the following:
session sufficient pam_unix.so
session sufficient pam_ldap.so
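Before creating accounts it is worth checking the client-side files from this part, because two of the settings shown are risky: the Zimbra LDAP root DN is used as the everyday bind account with its password in a world-readable file, and the connection is plain ldap://. The following audit is an added example, not from the original howto, nss_ldap or Samba; the function names are invented for this page, the directives it reads (binddn, bindpw, rootbinddn, uri, host, ssl) are the ones nss_ldap and pam_ldap use, and the TLS suggestion assumes your Zimbra LDAP listener has TLS enabled.

```sh
#!/bin/sh
# Added example (not from the original howto): audit /etc/libnss-ldap.conf,
# /etc/pam_ldap.conf and /etc/nsswitch.conf for the problems described above.

# conf_val FILE KEY -> value of the first uncommented "KEY value" line
conf_val() {
    awk -v k="$2" '$1 !~ /^#/ && $1 == k { print $2; exit }' "$1"
}

# audit_ldap_client_conf FILE
# Prints one finding per line (nothing when the file is clean); always exits 0
# so it can be used inside command substitution.
audit_ldap_client_conf() {
    f=$1
    binddn=$(conf_val "$f" binddn)
    bindpw=$(conf_val "$f" bindpw)
    uri=$(conf_val "$f" uri)
    host=$(conf_val "$f" host)
    ssl=$(conf_val "$f" ssl)

    # 1. A bind password in the config, and the DN is the Zimbra LDAP root:
    #    every ordinary lookup then runs as the directory superuser.
    if [ -n "$bindpw" ]; then
        case "$binddn" in
            *cn=admins,cn=zimbra*)
                echo "$f: bindpw for Zimbra root DN '$binddn' in config; use a read-only or anonymous binddn and keep the rootbinddn password only in the .secret file" ;;
            *)
                echo "$f: bindpw stored in config for '$binddn'" ;;
        esac
    fi

    # 2. Cleartext transport: ldap:// without TLS sends the bind password, and
    #    every attribute the root DN can read (it bypasses ACLs, so that includes
    #    sambaNTPassword hashes), across the LAN in clear.
    case "$uri" in
        ldaps://*) ;;
        *)
            if [ "$ssl" != on ] && [ "$ssl" != start_tls ]; then
                echo "$f: plain ldap:// to ${uri:-host $host}; set 'uri ldaps://...' or 'ssl start_tls' (needs TLS on the Zimbra LDAP side)"
            fi ;;
    esac

    # 3. World-readable file that carries a password (Debian ships the .conf 0644).
    if [ -n "$bindpw" ] && [ "$(ls -l "$f" | cut -c8)" = r ]; then
        echo "$f: world-readable but contains bindpw; chmod 600 or drop bindpw"
    fi
    return 0
}

# nsswitch_ok FILE -> fails unless passwd and group are "db: ... ldap" lines.
# The colon matters: "passwd files ldap" is not parsed as the passwd database.
nsswitch_ok() {
    rc=0
    for db in passwd group; do
        line=$(awk -v d="$db:" '$1 == d { print; exit }' "$1")
        case "$line" in
            "$db:"*ldap*) ;;
            *) echo "$1: expected '$db: files ldap', found '${line:-nothing}'"; rc=1 ;;
        esac
    done
    return $rc
}
```

Run it on the Samba server as audit_ldap_client_conf /etc/libnss-ldap.conf, the same for /etc/pam_ldap.conf, and nsswitch_ok /etc/nsswitch.conf. A clean configuration for this setup keeps base, uri ldaps://samzimbra.baruatest.com/ (or host plus ssl start_tls) and rootbinddn, with the root password only in the 0600 .secret files and no bindpw line.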

Now you need to test whether pam_ldap and nsswitch are working correctly.

Log in to Zimbra Admin UI (https://yourserver.com:7071/zimbraAdmin) as Administrator and create a couple of new user accounts.

On the New Account Wizard you should see two additional steps (after “Advanced” step): Posix Account and Samba Account
Creating Linux and Samba groups using Zimbra Admin UI

Log in to Zimbra Admin UI. You should not have logged out of it anyway, because we are not done yet.

Go to Posix Groups and click “New”. If you do not know what to type in group type field – type 2, this is the default value.

To test if PAM on your Samba server is reading the group information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:

getent group

you should see the group(s) that you just created in the list that is produced.
Creating Linux and Samba users using Zimbra Admin UI

Back to the Zimbra Admin UI :). Go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to Samba Account screen.

Fill in the required fields and click Finish. To test if PAM on your Samba server is reading the user password information correctly from Zimbra LDAP, go back to your Samba server shell and run this command as root:

getent passwd

you should see the Zimbra accounts that you just created in the list.

Create a home folder for the new Zimbra user and try to change the current user to the newly created one. In this example, I create a user testbarua, and home folder /home/testbarua

root@samzimbra2:/root# su - testbarua

testbarua@samzimbra2:~$

Now test if Samba authenticates your new user correctly. In this example I went to the shell on my Zimbra server box and ran this command:

root@samzimbra:/home/ubuntu# smbclient -U testbarua //samzimbra2.samzimbra.baruatest.com/testbarua

It should prompt you for the password and then log in to testbarua's home folder on samzimbra2 Samba server.

Next, log in to the Zimbra Admin UI, click on Aliases and remove the root@samzimbra.baruatest.com alias.

Then run

smbpasswd -a root

This creates the Samba password entry for root.

Creating Windows NT Domain groups

Next, create “Domain Admins” group using Zimbra Admin UI, on Samba tab select Special Windows group type “Domain Admins”.

Then you need to grant privileges to this group.

Run the following command as root on your Samba server. Put your domain name instead of SAMZIMBRA1. More information on this topic is available in Official Samba HOWTO Reference Guide (http://us3.samba.org/samba/docs/man/Samba-HOWTO-Collection/).

net rpc rights grant "SAMZIMBRA1\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege

Adding Windows NT/2000/XP machines to Samba domain

Log in to a Windows desktop as a local administrator and join the Samba domain the same way you would join a Windows domain.

You might need to point your Windows box to your Samba WINS server depending on how your DHCP and DNS servers are configured.

Use a member of “Domain Admins” group to join the domain.

After you joined the domain, verify that the machine account was added to ldap directory by running ldapsearch command. I.e. if your windows desktop machine name is samxp2:

root@samzimbra:/home/ubuntu# /opt/zimbra/openldap/bin/ldapsearch -h samzimbra | grep samxp

the output should be
# samxp2$, machines, samzimbra.baruatest.com

dn: uid=samxp2$,ou=machines,dc=samzimbra,dc=baruatest,dc=com

uid: samxp2$

Now by creating an email account on zimbra, a user with the same login details is created on your domain

Incase of any comments or questions ( muhdoladejo@yahoo.com )
