User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE/SLES

Note: This is part one of a two-part article. I decided to split the tutorial to make it easier to read (and to write 🙂).

This tutorial describes how to configure Zimbra Mail Server & Collaboration Suite and Samba so that Samba acts as a primary domain controller (PDC) that uses Zimbra LDAP (Lightweight Directory Access Protocol) as the central password database for authenticating users on Linux and Windows desktops. The integration makes it easier for administrators to manage Zimbra Mail Server and Samba PDC / Active Directory accounts because both use the same LDAP database. In corporate environments or institutions that have been using Windows Server, this guide can be used to set up Linux servers to replace the Windows Active Directory Server and Microsoft Exchange Server.
The setup described in this document is not the only possible way to make Samba and Zimbra use the same user database for authentication. You may also use Zimbra External Authentication with Samba PDC. External authentication is a little easier to set up, but the mailbox profile must still be managed in Zimbra, and it doesn’t seamlessly integrate Zimbra into Samba PDC+OpenLDAP. It is highly recommended to get familiar with Zimbra, Samba, LDAP and PAM before you start the installation.
This tutorial is based on the Zimbra wiki article UNIX and Windows Accounts in Zimbra LDAP and Zimbra Admin UI 6.0, but has been tuned to work on an openSUSE/SLES environment. The original wiki article uses an Ubuntu/RedHat environment, which doesn’t automatically fit the openSUSE/SLES configuration.
I’m using Zimbra Mail Server 6.0.5 64 bit with the following configuration:
Domain & Hostname

Domain   : vavai.co.id
Hostname : zcspdc.vavai.co.id

IP Address

IP Address    : 192.168.10.1
Name Server 1 : 192.168.10.1
Name Server 2 : 8.8.8.8  (Google public DNS Server)
Name Server 3 : 208.67.222.222 (OpenDNS public DNS Server)
Router        : 192.168.10.254 (ADSL Modem)

File /etc/hosts

127.0.0.1       localhost
192.168.10.1    zcspdc.vavai.co.id zcspdc

ZIMBRA INSTALLATION

Please use the following article to install Zimbra on SLES 11: Installing Zimbra 6.0.5 64 bit on SUSE Linux Enterprise Server (SLES) 11 64 bit. For Zimbra on openSUSE, use this tutorial instead: Installing Zimbra 6.0.4 on openSUSE 11.1 64 bit.

ZIMBRA LDAP CONFIGURATION

The following script will automatically configure Zimbra LDAP as follows:

  • Add the Samba schema to Zimbra LDAP
  • Add the proper indexes to the Zimbra LDAP schema
  • Add 2 users (zmposix and zmposixroot) as Zimbra LDAP administrative accounts with the default password: rahasia
  • Adjust the Zimbra LDAP ACL to allow the administrative tasks needed for Samba-Zimbra integration
  • Add the Zimbra Posix Account and Zimbra Samba admin extensions

Thanks to Peracchi and Lithorus, in the following thread on the Zimbra Forum, for the idea and a great script.
To run the automated script, run the following commands on a console/terminal:
[code language=’cpp’]
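# become root, then download and unpack the script bundle
su
cd /srv
wget -c http://vavai.com/wp-content/uploads/zcs-samba.tar.gz
tar -zxvf zcs-samba.tar.gz
# switch to the zimbra user and run the script
su - zimbra
cd /srv/zcs-samba
./zcs-samba.sh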
[/code]
NOTE: The script automatically uses ‘rahasia’ (an Indonesian word meaning ‘secret’ 😛) as the default password for both zmposixroot and zmposix. Please modify the script to use your own password by changing the following code in /srv/zcs-samba/zcs-samba.sh:
[code language=’cpp’]
# set password for the posix ldap accounts
ZMPOSIX_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s rahasia`
ZMPOSIXROOT_LDAP_PASSWORD=`/opt/zimbra/openldap/sbin/slappasswd -s rahasia`
echo "Domain : $DOMAIN"
echo "Hostname : $HOSTNAME"
echo "Zimbra LDAP Password : $ZIMBRA_LDAP_PASSWORD"
echo "LDAP Prefix : $LDAP_PREFIX"
echo "ZMPOSIX_LDAP_PASSWORD : rahasia"
[/code]
Replace ‘rahasia’ in the lines above with your own password.

SAMBA INSTALLATION

  • Open YAST | Network Service | Samba Server. YAST will automatically add the Samba package if you have never installed it.
  • On the first wizard page, fill in the workgroup/domain name. I’m using vavai.co.id as my domain name, as shown at the top of the tutorial. Click Next.
  • On Samba Server Type, choose Primary Domain Controller (PDC) and then click Next.
  • On Start-Up, choose Service Start During Boot so Samba will automatically be activated during boot. Don’t forget to open your Firewall port.
  • Move to the LDAP Setting tab.
  • Click on the Use LDAP Password Back-End option.
  • Change the LDAP Server URL from the default entry ldap://127.0.0.1 to ldap://192.168.10.1 (remember my IP address configuration above). Use the same address for IdMap Back-End.
  • Change Search Base DN to the Zimbra LDAP DN; mine is dc=vavai,dc=co,dc=id
  • Fill in the Administrator DN (uid=zmposixroot,cn=appaccts,cn=zimbra) and its password. Click Test Connection to test the connection between the Zimbra and Samba machines.
  • Click Advanced Setting | Expert LDAP Setting
  • Change the user suffix to ou=people
  • Change the group suffix to ou=groups
  • Change the machine suffix to ou=machines
  • Click OK to close the Expert LDAP Setting window
  • Click OK to close the Samba Server wizard. Fill in the password for the Samba root / Administrator account. To avoid confusion, I’m using the same password for zmposixroot, zmposix and the Samba root account 😛

SAMBA CONFIGURATION

  • Open /etc/samba/smb.conf with your preferred text editor (vi, gedit, kate or kwrite)
  • Comment out the following line with a # (comment mark) if you do not use DHCP in your Samba configuration:

[code language=’cpp’]
include = /etc/samba/dhcp.conf
[/code]

  • Save the configuration

LDAP CLIENT CONFIGURATION

  • Click YAST | Network Services | LDAP Client
  • Click Use LDAP on User Authentication
  • Change Address to use Zimbra IP (192.168.10.1)
  • Fill in LDAP Base DN (dc=vavai,dc=co,dc=id)
  • Leave others as is
  • Click Advanced Configuration
  • Change Password Change Protocol to MD5
  • Leave Group Member Attribute = Member setting
  • Click on Administration Setting tab
  • Fill in uid=zmposixroot,cn=appaccts,cn=zimbra in the Administrator DN text box. Leave the Append Base DN setting unchecked
  • Leave Create Default Configuration Objects setting unchecked
  • Click OK
  • Click OK

NSS-LDAP & PAM-LDAP CONFIGURATION

  • Open the file /etc/ldap.conf with your preferred text editor and change the following lines (remove the # mark where a line is commented out):

[code language=’cpp’]
host 192.168.10.1
base dc=vavai,dc=co,dc=id
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw rahasia
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
port 389
bind_policy soft
nss_reconnect_tries 2
uri ldap://192.168.10.1/
ssl start_tls
tls_cacertdir /opt/zimbra/conf/ca
tls_checkpeer no
pam_password md5
nss_base_passwd ou=people,dc=vavai,dc=co,dc=id?one
nss_base_shadow ou=people,dc=vavai,dc=co,dc=id?one
nss_base_group ou=groups,dc=vavai,dc=co,dc=id?one
nss_base_hosts ou=machines,dc=vavai,dc=co,dc=id?one
[/code]

  • Save the configuration
  • Edit /etc/nsswitch.conf and change the following lines:

[code language=’cpp’]
passwd: compat
group: compat
[/code]
with
[code language=’cpp’]
passwd: files ldap
group: files ldap
[/code]

  • Edit /etc/pam.d/common-account and change the configuration as below :

[code language=’cpp’]
account sufficient pam_unix.so
account sufficient pam_ldap.so
[/code]

  • Edit /etc/pam.d/common-auth and change the configuration as below :

[code language=’cpp’]
auth sufficient pam_ldap.so
auth sufficient pam_unix.so
[/code]

  • Edit /etc/pam.d/common-password and change the configuration as below :

[code language=’cpp’]
password sufficient pam_unix.so
password sufficient pam_ldap.so
[/code]

  • Edit /etc/pam.d/common-session and change the configuration as below :

[code language=’cpp’]
session sufficient pam_unix.so
session sufficient pam_ldap.so
[/code]
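
An audit of the client settings configured above, as an added example that is not part of the original tutorial or of the zcs-samba script: the shell function below reads a file in /etc/ldap.conf format and reports settings that weaken the LDAP bind, such as tls_checkpeer no, the default bindpw rahasia, and a bindpw readable by every local user. The function names, the finding codes and the comparison against /etc/ldap.secret (the file in which nss_ldap/pam_ldap keep the rootbinddn password) are assumptions of this example; the sample file is constructed from the values shown above.

```shell
#!/bin/sh
# Added example (not from the tutorial): audit a file in /etc/ldap.conf format.
# conf_get FILE KEY: print the value of KEY (comment lines never match a key).
conf_get() {
    awk -v k="$2" 'tolower($1) == k { $1 = ""; sub(/^[ \t]+/, ""); v = $0 } END { print v }' "$1"
}

# audit_ldap_conf CONF [SECRET]: print one finding code per line (names are hypothetical).
audit_ldap_conf() {
    conf=$1 secret=${2:-}
    ssl=$(conf_get "$conf" ssl)
    uri=$(conf_get "$conf" uri)
    bindpw=$(conf_get "$conf" bindpw)
    # Neither "ssl start_tls"/"ssl on" nor an ldaps:// URI: binds travel in cleartext.
    case "$ssl:$uri" in
        start_tls:*|on:*|*:ldaps://*) ;;
        *) echo CLEARTEXT_LDAP ;;
    esac
    # The server certificate is not verified, so TLS does not authenticate the server.
    [ "$(conf_get "$conf" tls_checkpeer)" = no ] && echo TLS_PEER_NOT_VERIFIED
    if [ -n "$bindpw" ]; then
        # 'rahasia' is the default password set by the tutorial's script.
        [ "$bindpw" = rahasia ] && echo DEFAULT_BINDPW
        # The file is readable by all local users, and so is bindpw.
        [ -n "$(find "$conf" -perm -004)" ] && echo BINDPW_WORLD_READABLE
        # Assumption: SECRET holds the rootbinddn password (/etc/ldap.secret).
        [ -r "$secret" ] && [ "$bindpw" = "$(cat "$secret")" ] && echo ROOT_SECRET_REUSED
    fi
    return 0
}

# Constructed sample: the tutorial's client settings, written to the path in $1.
write_sample() {
    cat > "$1" <<'EOF'
binddn uid=zmposix,cn=appaccts,cn=zimbra
bindpw rahasia
rootbinddn uid=zmposixroot,cn=appaccts,cn=zimbra
uri ldap://192.168.10.1/
ssl start_tls
tls_checkpeer no
EOF
    chmod 644 "$1"
}

tmp=$(mktemp -d)
write_sample "$tmp/ldap.conf"
printf 'rahasia\n' > "$tmp/ldap.secret"   # constructed: same password reused
audit_ldap_conf "$tmp/ldap.conf" "$tmp/ldap.secret"
rm -rf "$tmp"
```

On a real host the call would be `audit_ldap_conf /etc/ldap.conf /etc/ldap.secret`, run as root so the secret file can be read.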
The tutorial continues in part 2 of User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE / SLES.

3 thoughts on “User Account Integration between Samba PDC & Zimbra Mail Server on openSUSE/SLES”

  1. Help!! Samba and pam install/configuration
    I installed suse 11.1 (net install) and zimbra 6.06.
    Should I allow yast to install Yast-ldap once I accept the settings for samba installation?
    What are your actual configuration files for:
    /etc/nsswitch.conf
    /etc/pam.d/common-account
    /etc/pam.d/common-auth
    ……
    …….
    /etc/pam.d/common-session
    My files contain pam_unix2.so
    I get insufficient permission error when I get on to the last stage to add a windows xp machine by granting rights to the ‘Domain Admins’ group:
    net grant…… …..
    I ‘su’, but no luck in granting the group the rights.
    Thanks in advance.
