Arief Yudhawarman

Still learning how to blog

Installing Zimbra 7.2.5 + Samba 3.6.9 PDC on CentOS 6.5


Prologue

Unlike the Zimbra + Samba PDC installation for the previous version (version 6), installing Zimbra 7.2.5 with a Samba PDC requires a technique of its own. The author arrived at this technique after several attempts. In principle the installation resembles the one in Installing Zimbra+Samba PDC to Replace Windows Active Directory+MS Exchange Server, but a root user is additionally added to LDAP with ldapadd so that Samba can synchronise with Zimbra LDAP.

For the basics of installing Zimbra and CentOS, readers can open the links below:

  1. Installing a Linux CLI Server with CentOS 5.4
  2. Configuring DNS with Bind
  3. Installing Zimbra+Samba PDC to Replace Windows Active Directory+MS Exchange Server


Domain & Hostname Configuration

  • Domain : domain.org
  • Hostname : server.domain.org
  • Zimbra Hostname : mail.domain.org

Make sure the domain name and the Zimbra hostname are correctly configured in DNS.

File /etc/hosts

192.168.87.99   server.domain.org       server
127.0.0.1       localhost.localdomain   localhost
::1             localhost6.localdomain6 localhost6


File /etc/resolv.conf

search domain.org
nameserver 127.0.0.1


Then check the DNS configuration with dig.

[root@server ~]# dig +short -t ns domain.org
ns1.domain.org.
[root@server ~]# dig +short -t mx domain.org
10 mail.domain.org.
[root@server ~]# dig +short mail.domain.org
192.168.87.99


Installing Zimbra ZCS 7.2.5

  1. Download the Zimbra ZCS 7.2.5 64-bit source for the Red Hat Enterprise Linux 6 platform.
  2. Before installing Zimbra, stop the sendmail and httpd services:

    /etc/init.d/sendmail stop
    /etc/init.d/httpd stop
    chkconfig --del httpd
    chkconfig --del sendmail

    Then install Zimbra following reference number 3 above.

  3. After the installation finishes, check whether Zimbra is running.
    [root@server ~]#  su - zimbra
    
    [zimbra@server ~]$ zmcontrol -v
    Release 7.2.5_GA_2906.RHEL6_64_20130911101145 CentOS6_64 FOSS edition.
    
    [zimbra@server ~]$ zmcontrol status
    Host mail.domain.org
            antispam                Running
            antivirus               Running
            ldap                    Running
            logger                  Running
            mailbox                 Running
            mta                     Running
            snmp                    Running
            spell                   Running
            stats                   Running
            zmconfigd               Running
    


Zimbra LDAP Configuration

  1. At this stage we need the file zcs-7.2.5-posix-samba.zip. Extracting the zip file yields:
    • indexes.ldif
    • posixusers.ldif
    • samba-schema.tar.gz
    • script create-file-ldif.sh
    • script zcs-7.2.5-posix-samba.sh
    • zimlet zimbra_posixaccount.zip
    • zimlet zimbra_samba.zip
    • zimbraSambaPassword.zip

    Save these files in the /tmp directory.

  2. Still as the zimbra user, run the following commands:

    cd /tmp
    mv zimbra_posixaccount.zip /opt/zimbra/zimlets-extra/
    mv zimbra_samba.zip /opt/zimbra/zimlets-extra/
    mkdir zcs-samba
    mv samba-schema.tar.gz zcs-samba/
    mv posixusers.ldif zcs-samba/
    mv indexes.ldif zcs-samba/
    chmod 755 create-file-ldif.sh
    chmod 755 zcs-7.2.5-posix-samba.sh

  3. If the zcs-7.2.5-posix-samba.sh script is run without arguments, SMBSCHEMA uses the default file /usr/share/doc/samba-3.6.9/LDAP/samba.schema.
    [zimbra@server tmp]$ ./zcs-7.2.5-posix-samba.sh
    File samba schema [/usr/share/doc/samba-3.6.9/LDAP/samba.schema]? 
    
    Press any key to continue.
    
    

  4. Output of running the zcs-7.2.5-posix-samba.sh script.
    ==> Getting Zimbra parameter...
    Domain : domain.org
    Hostname : server.domain.org
    LDAP Root Password : zu__p2AShI
    LDAP Prefix : dc=domain,dc=org
    
    ==> Configuring NIS Schema...
    Killing slapd with pid 624 done.
    Started slapd: pid 5621
    
    ==> Configuring Samba Schema...
    ./
    ./cn=config.ldif
    ./test.conf
    ./schema/
    ./schema/samba.schema
    ./cn=config/
    ./cn=config/olcDatabase={-1}frontend.ldif
    ./cn=config/olcDatabase={0}config.ldif
    ./cn=config/cn=schema/
    ./cn=config/cn=schema/cn={11}samba.ldif
    ./cn=config/cn=schema/cn={1}cosine.ldif
    ./cn=config/cn=schema/cn={2}inetorgperson.ldif
    ./cn=config/cn=schema/cn={0}core.ldif
    ./cn=config/cn=schema.ldif
    Killing slapd with pid 5621 done.
    Started slapd: pid 6026
    
    ==> Add indexes for PAM & Samba...
    modifying entry "olcDatabase={2}hdb,cn=config"
    
    ==> Create user for local posix and Samba...
    adding new entry "uid=zmposix,cn=appaccts,cn=zimbra"
    adding new entry "uid=zmposixroot,cn=appaccts,cn=zimbra"
    
    ==> Adjust LDAP ACL...
    modifying entry "olcDatabase={2}hdb,cn=config"
    modifying entry "olcDatabase={2}hdb,cn=config"
    
    ==> Configuring posixAccount and sambaSamAccount...
    Deleting root alias.....
    
    Proceed to Installing zimbra_posixaccount and zimbra_samba extensions for Zimbra Admin
    [] INFO: Deploying on mail.domain.org
    [] INFO: Deploy initiated.  Check the server's mailbox.log for the status.
    [] INFO: Deploying on mail.domain.org
    [] INFO: Deploy initiated.  Check the server's mailbox.log for the status.
    [] INFO: Configure zimlet on mail.domain.org
    [] INFO: Configure initiated.  (check the servers mailbox.log for the status)
    [] INFO: Configure zimlet on mail.domain.org
    [] INFO: Configure initiated.  (check the servers mailbox.log for the status)
    
    Zimbra LDAP configuration has been setup successfully...
    


Configuring the Samba Server to use Zimbra LDAP as the Centralized Database and Primary Domain Controller

Edit the Samba configuration file /etc/samba/smb.conf. Save the previous configuration file as /etc/samba/smb.conf.orig.
Contents of /etc/samba/smb.conf:

[global]
  workgroup = DOMAIN
  netbios name = MAIL
  os level = 33
  preferred master = yes
  # enable privileges = yes
  server string = %h Server (SAMBA)
  wins support = yes
  dns proxy = no
  name resolve order = wins bcast hosts
  log file = /var/log/samba/log.%m
  log level = 3
  max log size = 1000
  syslog only = no
  syslog = 0
  panic action = /usr/share/samba/panic-action %d
  security = user
  encrypt passwords = true
  ldap passwd sync = yes
  passdb backend = ldapsam:ldap://mail.domain.org/
  ldap admin dn = "cn=config"
  ldap suffix = dc=domain,dc=org
  ldap group suffix = ou=groups
  ldap user suffix = ou=people
  ldap machine suffix = ou=machines
  obey pam restrictions = no
  passwd program = /usr/bin/passwd %u
  passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
  domain logons = yes
  # the logon path settings below are for roaming profiles
  #logon path = \\%L\profiles\%U
  #logon home = \\%L\%U
  #logon drive = P:
  logon path =
  ldap ssl = no
  logon home = 
  logon script = logon.cmd
  add user script = /usr/sbin/useradd "%u" -n -g users
  add group script = /usr/sbin/groupadd "%g"
  add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
  delete user script = /usr/sbin/userdel "%u"
  delete user from group script = /usr/sbin/userdel "%u" "%g"
  delete group script = /usr/sbin/groupdel "%g"
  socket options = TCP_NODELAY
  domain master = yes
  local master = yes
  ldap debug level = 1
  #username map = /etc/samba/smbusers
[homes]
  comment = Home Directories
  browseable = no
  read only = No
  valid users = %S
[netlogon]
  comment = Network Logon Service
  path = /var/lib/samba/netlogon
  guest ok = yes
  locking = no
[profiles]
  comment = Users profiles
  path = /var/lib/samba/profiles
  read only = No
# Additional settings
  store dos attributes = Yes
  create mask = 0600
  directory mask = 0700
  browseable = no
  guest ok = no
  printable = no 

[profdata]
  comment = Profile Data Share
  path = /var/lib/samba/profdata
  read only = No
  profile acls = Yes
[printers]
  comment = All Printers
  browseable = no
  path = /tmp
  printable = yes
  public = no
  writable = no
  create mode = 0700
[print$]
  comment = Printer Drivers
  path = /var/lib/samba/printers
  browseable = yes
  read only = yes
  guest ok = no
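As an added example (not code from the original post), the bash functions below read a parameter from a section of an smb.conf-style file and cross-check the [global] ldap suffix against the LDAP prefix derived from the mail domain, the same dc=domain,dc=org form that zcs-7.2.5-posix-samba.sh reports as "LDAP Prefix" and that the account script later builds with ${DOMAIN//\./,dc=}. The sample configuration is a constructed, trimmed copy of the [global] and [homes] sections above; smb_get, ldap_prefix_from_domain and check_ldap_suffix are names chosen here. For Samba's own syntax check of the real file, run testparm -s.

```shell
#!/bin/bash
# Added example, not from the original post: look up smb.conf parameters by
# section and verify the ldap suffix matches the domain-derived LDAP prefix.

# Constructed sample, trimmed from the smb.conf shown in the post.
SAMPLE_SMB_CONF='[global]
  workgroup = DOMAIN
  netbios name = MAIL
  # enable privileges = yes
  passdb backend = ldapsam:ldap://mail.domain.org/
  ldap admin dn = "cn=config"
  ldap suffix = dc=domain,dc=org
  ldap user suffix = ou=people
  ldap ssl = no
[homes]
  comment = Home Directories
  browseable =no
'

# smb_get CONF_TEXT SECTION KEY: print the value of KEY inside [SECTION].
# Comment lines (# or ;) are skipped; whitespace around '=' is tolerated and
# the key must match exactly, so "ldap suffix" never picks up "ldap user suffix".
smb_get() {
  printf '%s\n' "$1" | awk -v want="$2" -v key="$3" '
    /^[ \t]*[#;]/ { next }
    /^[ \t]*\[/ { sec = $0; sub(/^[ \t]*\[/, "", sec); sub(/].*$/, "", sec); next }
    sec == want && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1)
      v = substr($0, index($0, "=") + 1)
      gsub(/^[ \t]+|[ \t]+$/, "", k)
      gsub(/^[ \t]+|[ \t]+$/, "", v)
      if (k == key) { print v; exit }
    }'
}

# ldap_prefix_from_domain DOMAIN: domain.org -> dc=domain,dc=org
ldap_prefix_from_domain() {
  local d="$1"
  printf 'dc=%s\n' "${d//./,dc=}"
}

# check_ldap_suffix CONF_TEXT DOMAIN: 0 when the [global] ldap suffix equals
# the prefix derived from DOMAIN, 1 otherwise.
check_ldap_suffix() {
  local have want
  have=$(smb_get "$1" global "ldap suffix")
  want=$(ldap_prefix_from_domain "$2")
  [ "$have" = "$want" ]
}

# On the server from the post:
#   check_ldap_suffix "$(cat /etc/samba/smb.conf)" domain.org && echo "ldap suffix ok"
```

The ldap admin dn of cn=config is the identity whose password smbpasswd -w later stores in secrets.tdb, and it is the same value that zmlocalconfig -s zimbra_ldap_password prints, so a mismatch between ldap suffix and the real LDAP prefix would fail only at bind time; the check above catches it before Samba is started.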


Configuring the Linux Server to use Zimbra LDAP as the Centralized Database

  1. As the root user, look at the resources used for system authentication with the command authconfig --test.
    caching is disabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is disabled
     LDAP+TLS is disabled
     LDAP server = "ldap://127.0.0.1/"
     LDAP base DN = "dc=example,dc=com"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = "DOMAIN"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap range = "16777216-33554431"
    nss_sss is disabled by default
    nss_wins is disabled
    nss_mdns4_minimal is disabled
    DNS preference over NSS or WINS is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     password hashing algorithm is sha512
    pam_krb5 is disabled
     krb5 realm = "EXAMPLE.COM"
     krb5 realm via dns is disabled
     krb5 kdc = "kerberos.example.com"
     krb5 kdc via dns is disabled
     krb5 admin server = "kerberos.example.com"
    pam_ldap is disabled
     LDAP+TLS is disabled
     LDAP server = "ldap://127.0.0.1/"
     LDAP base DN = "dc=example,dc=com"
     LDAP schema = "rfc2307"
    pam_pkcs11 is disabled
     use only smartcard for login is disabled
     smartcard module = ""
     smartcard removal action = ""
    pam_fprintd is disabled
    pam_winbind is disabled
     SMB workgroup = "DOMAIN"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_sss is disabled by default
     credential caching in SSSD is enabled
     SSSD use instead of legacy services if possible is enabled
    IPAv2 is disabled
    IPAv2 domain was not joined
     IPAv2 server = "None"
     IPAv2 realm = "None"
     IPAv2 domain = "None"
    pam_cracklib is enabled (try_first_pass retry=3 type=)
    pam_passwdqc is disabled ()
    pam_access is disabled ()
    pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
    Always authorize local users is enabled ()
    Authenticate system accounts against network services is disabled
    

  2. The next authconfig command modifies /etc/nsswitch.conf and /etc/pam.d/system-auth-ac so that LDAP is used as the authentication resource.
    [root@server ~]# authconfig --enableldap --enableldapauth --disablenis --enablecache --ldapserver=mail.domain.org --ldapbasedn=dc=domain,dc=org --updateall
    Starting nslcd:                                            [  OK  ]
    Starting nscd:                                             [  OK  ]
    

  3. Look again at the resources used for system authentication with the command authconfig --test.
    caching is enabled
    nss_files is always enabled
    nss_compat is disabled
    nss_db is disabled
    nss_hesiod is disabled
     hesiod LHS = ""
     hesiod RHS = ""
    nss_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://mail.domain.org/"
     LDAP base DN = "dc=domain,dc=org"
    nss_nis is disabled
     NIS server = ""
     NIS domain = ""
    nss_nisplus is disabled
    nss_winbind is disabled
     SMB workgroup = "DOMAIN"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
     Winbind template shell = "/bin/false"
     SMB idmap range = "16777216-33554431"
    nss_sss is disabled by default
    nss_wins is disabled
    nss_mdns4_minimal is disabled
    DNS preference over NSS or WINS is disabled
    pam_unix is always enabled
     shadow passwords are enabled
     password hashing algorithm is sha512
    pam_krb5 is disabled
     krb5 realm = "EXAMPLE.COM"
     krb5 realm via dns is disabled
     krb5 kdc = "kerberos.example.com"
     krb5 kdc via dns is disabled
     krb5 admin server = "kerberos.example.com"
    pam_ldap is enabled
     LDAP+TLS is disabled
     LDAP server = "ldap://mail.domain.org/"
     LDAP base DN = "dc=domain,dc=org"
     LDAP schema = "rfc2307"
    pam_pkcs11 is disabled
     use only smartcard for login is disabled
     smartcard module = ""
     smartcard removal action = ""
    pam_fprintd is disabled
    pam_winbind is disabled
     SMB workgroup = "DOMAIN"
     SMB servers = ""
     SMB security = "user"
     SMB realm = ""
    pam_sss is disabled by default
     credential caching in SSSD is enabled
     SSSD use instead of legacy services if possible is enabled
    IPAv2 is disabled
    IPAv2 domain was not joined
     IPAv2 server = ""
     IPAv2 realm = ""
     IPAv2 domain = ""
    pam_cracklib is enabled (try_first_pass retry=3 type=)
    pam_passwdqc is disabled ()
    pam_access is disabled ()
    pam_mkhomedir or pam_oddjob_mkhomedir is disabled ()
    Always authorize local users is enabled ()
    Authenticate system accounts against network services is disabled
    

  4. Next, obtain the Zimbra LDAP password.
    [root@server ~]# sudo -u zimbra /opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_password
    zimbra_ldap_password = zu__p2AShI
    

  5. Set up the Samba connection to Zimbra LDAP using the LDAP root password, which in this case is the Zimbra LDAP password.
    [root@server ~]# smbpasswd -w  zu__p2AShI
    Setting stored password for "cn=config" in secrets.tdb
    
    [root@server ~]# tdbdump /var/lib/samba/private/secrets.tdb 
    {
    key(30) = "SECRETS/LDAP_BIND_PW/cn=config"
    data(10) = "zu__p2AShI"
    }
    

    At this point we do not yet add the root user with smbpasswd -a root.

  6. Then edit the file /etc/nslcd.conf by hand, using the Zimbra LDAP password obtained in the previous step.
    binddn cn=config
    bindpw zu__p2AShI
    uri ldap://mail.domain.org/
    base dc=domain,dc=org
    ssl no
    tls_cacertdir /etc/openldap/cacerts
    timelimit 120
    bind_timelimit 120
    
  7. Restart nscd and nslcd.

    /etc/init.d/nscd restart
    /etc/init.d/nslcd restart
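Added example, not part of the original post. The bindpw in /etc/nslcd.conf and the SECRETS/LDAP_BIND_PW entry that smbpasswd -w writes into secrets.tdb both hold the cn=config password in clear text, and that password is the one zmlocalconfig -s zimbra_ldap_password prints (the "LDAP Root Password" in the setup script's output above). The functions below check that such a file is readable by its owner only, and flag an nslcd.conf whose bindpw would be sent over plain ldap:// without STARTTLS, which is how the file above (uri ldap://, ssl no) is configured. The sample configuration is constructed from the one above with a placeholder password; private_file, report_exposed, nslcd_get and cleartext_bind are names chosen here.

```shell
#!/bin/bash
# Added example (not from the original post): checks on the files and
# settings that carry the cn=config bind password.

# Constructed sample: the nslcd.conf from the post with a placeholder password.
SAMPLE_NSLCD='binddn cn=config
bindpw <zimbra_ldap_password>
uri ldap://mail.domain.org/
base dc=domain,dc=org
ssl no
tls_cacertdir /etc/openldap/cacerts
timelimit 120
bind_timelimit 120'

# Constructed variant that wraps the bind in STARTTLS ("ssl start_tls" is a
# valid nslcd.conf value alongside on/off).
SAMPLE_NSLCD_TLS=$(printf '%s\n' "$SAMPLE_NSLCD" | sed 's/^ssl no$/ssl start_tls/')

# private_file PATH: 0 when neither group nor other has any permission bit,
# 1 when the file is wider open, 2 when it does not exist.
private_file() {
  local bits
  [ -e "$1" ] || return 2
  bits=$(ls -ld -- "$1" | cut -c5-10)   # group and other rwx fields of ls -l
  [ "$bits" = "------" ]
}

# report_exposed PATH...: print every path that is not private; 0 if none.
report_exposed() {
  local p rc=0
  for p in "$@"; do
    if ! private_file "$p"; then
      echo "not private: $p"
      rc=1
    fi
  done
  return "$rc"
}

# nslcd_get CONF_TEXT KEY: value of the first non-comment line whose first
# word is KEY (nslcd.conf is "key value" per line).
nslcd_get() {
  printf '%s\n' "$1" | awk -v key="$2" '
    /^[ \t]*#/ { next }
    $1 == key { $1 = ""; sub(/^[ \t]+/, ""); print; exit }'
}

# cleartext_bind CONF_TEXT: 0 when a bindpw is configured but the connection
# is neither ldaps:// nor STARTTLS, i.e. the password crosses the network in
# clear; 1 otherwise.
cleartext_bind() {
  local pw uri ssl
  pw=$(nslcd_get "$1" bindpw)
  uri=$(nslcd_get "$1" uri)
  ssl=$(nslcd_get "$1" ssl)
  [ -n "$pw" ] || return 1
  case "$uri" in ldaps://*) return 1 ;; esac
  [ "$ssl" != "start_tls" ]
}

# On the server from the post this would be run as root:
#   report_exposed /etc/nslcd.conf /var/lib/samba/private/secrets.tdb
#   cleartext_bind "$(cat /etc/nslcd.conf)" && echo "bindpw is sent in clear"
```

The same consideration applies to the Samba side: smb.conf above sets ldap ssl = no and points passdb backend at ldap://mail.domain.org/, so the cn=config password stored by smbpasswd -w is sent in the same way; the check only inspects nslcd.conf because that is the file edited in this step.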


Adding Linux and Samba users & groups and the root entry using the ldapadd utility

  1. Get the Samba SID (Security Identifier).
    [root@server ~]# /usr/bin/net GETLOCALSID |cut -f6 -d' '
    S-1-5-21-2200292274-1775603229-3162050125
    
    [root@server ~]# /usr/bin/net GETLOCALSID MAIL |cut -f6 -d' '
    S-1-5-21-2200292274-1775603229-3162050125
    

  2. Still as the root user, install zimbraSambaPassword.

    cd /tmp/
    unzip zimbraSambaPassword.zip
    chmod 755 install.sh
    ./install.sh -i

  3. As the zimbra user, create the following ldif files:
    • sambaDomainName.ldif
    • groups.ldif
    • machines.ldif
    • DomainAdmins.ldif
    • DomainUsers.ldif
    • root.ldif

    To create the ldif files listed above, run the create-file-ldif.sh script.

  4. Run the script with the Samba domain as the first argument and the root password as the second.
    [zimbra@server ~]$ cd /tmp
    [zimbra@server tmp]$ ./create-file-ldif.sh DOMAIN password1
    

  5. As the zimbra user, use the ldapadd command to add the ldif files to Zimbra LDAP.

    PASSLDAP=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
    ldapadd -v -h `zmhostname` -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/sambaDomainName.ldif
    ldapadd -v -h `zmhostname` -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/groups.ldif
    ldapadd -v -h `zmhostname` -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/machines.ldif
    ldapadd -v -h `zmhostname` -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/DomainAdmins.ldif
    ldapadd -v -h `zmhostname` -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/DomainUsers.ldif
    ldapadd -v -h `zmhostname` -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/root.ldif

  6. As the root user, restart Samba.
    [root@server ~]# /etc/init.d/smb start
    Starting SMB services:                                     [  OK  ]
    [root@server ~]# /etc/init.d/nmb start
    Starting NMB services:                                     [  OK  ]
    

  7. Add the root user with smbpasswd. The password is the same one root uses to log in to the server, namely password1.
    [root@server ~]# smbpasswd -a root
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MAIL))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    New SMB password:
    Retype new SMB password:
    init_sam_from_ldap: Entry found for user: root
    Forcing Primary Group to 'Domain Users' for root
    init_ldap_from_sam: Setting entry for user: root
    ldapsam_modify_entry: LDAP Password changed for user root
    ldapsam_update_sam_account: successfully modified uid = root in the LDAP database
    

    What happens if we run smbpasswd -a root without first adding the root.ldif entry with ldapadd as shown above?

    [root@server ~]# smbpasswd -a root
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MAIL))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    smbldap_search_domain_info: Got no domain info entries for domain
    add_new_domain_info: Adding new domain
    add_new_domain_info: added: domain = MAIL in the LDAP database
    add_new_domain_account_policies: Adding new account policies for domain
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MAIL))]
    New SMB password:
    Retype new SMB password:
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MAIL))]
    init_ldap_from_sam: Setting entry for user: root
    ldapsam_create_user: Creating new posix user
    ldapsam_create_user: Unable to get the Domain Users gid: bailing out!
    Failed to add entry for user root.
    

  8. Run the command below to grant rights to the Domain Admins group. Use the root password.
    [root@server ~]# net rpc rights grant "domain.org\Domain Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege
    Enter root's password:
    Successfully granted rights.
    

  9. As the zimbra user, update the admin user's profile.

    zmprov ma admin@domain.org +objectClass posixAccount uidNumber 11000 gidNumber 12001 homeDirectory /home/admin loginShell /bin/false
    zmprov ma admin@domain.org +objectClass sambaSamAccount sambaDomainName MAIL sambaSID "S-1-5-21-2200292274-1775603229-3162050125-23000" sambaAcctFlags [UX]

  10. Test with getent and pdbedit.
    [zimbra@server ~]$ getent passwd|tail
    tcpdump:x:72:72::/:/sbin/nologin
    nscd:x:28:28:NSCD Daemon:/:/sbin/nologin
    rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
    nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
    nslcd:x:65:55:LDAP Client User:/:/sbin/nologin
    zimbra:x:500:500::/opt/zimbra:/bin/bash
    postfix:x:501:501::/opt/zimbra/postfix:/bin/bash
    vm1-winxpsp3$:x:11002:100:Workstation (vm1-winxpsp3$):/nohome:/bin/false
    admin:*:11000:12001:admin:/home/admin:/bin/false
    root:*:1000:12002:root:/root:
    
    [zimbra@server ~]$ getent group|tail
    nscd:x:28:
    slocate:x:21:
    rpcuser:x:29:
    nfsnobody:x:65534:
    ldap:x:55:
    zimbra:x:500:
    postfix:x:501:zimbra
    postdrop:x:502:
    Domain Admins:*:12001:1
    Domain Users:*:12002:2
    

    [root@server ~]# pdbedit -Lv admin
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MAIL))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    init_sam_from_ldap: Entry found for user: admin
    init_group_from_ldap: Entry found for group: 12001
    init_group_from_ldap: Entry found for group: 12001
    Unix username:        admin
    NT username:          admin
    Account Flags:        [UX         ]
    User SID:             S-1-5-21-2200292274-1775603229-3162050125-23000
    Primary Group SID:    S-1-5-21-2200292274-1775603229-3162050125-512
    Full Name:            admin
    Home Directory:       \\mail\admin
    HomeDir Drive:        P:
    Logon Script:         logon.cmd
    Profile Path:         
    Domain:               MAIL
    Account desc:         Administrative Account
    Workstations:         
    Munged dial:          
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    0
    Password can change:  0
    Password must change: 0
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    
    [root@server ~]# pdbedit -Lv root 
    smbldap_search_domain_info: Searching for:[(&(objectClass=sambaDomain)(sambaDomainName=MAIL))]
    smbldap_open_connection: connection opened
    ldap_connect_system: successful connection to the LDAP server
    init_sam_from_ldap: Entry found for user: root
    Forcing Primary Group to 'Domain Users' for root
    Unix username:        root
    NT username:          root
    Account Flags:        [U          ]
    User SID:             S-1-5-21-2200292274-1775603229-3162050125-1000
    Primary Group SID:    S-1-5-21-2200292274-1775603229-3162050125-513
    Full Name:            root
    Home Directory:       \\mail\root
    HomeDir Drive:        P:
    Logon Script:         logon.cmd
    Profile Path:         
    Domain:               MAIL
    Account desc:         
    Workstations:         
    Munged dial:          
    Logon time:           0
    Logoff time:          never
    Kickoff time:         never
    Password last set:    Fri, 22 Aug 2014 13:22:35 WIB
    Password can change:  Fri, 22 Aug 2014 13:22:35 WIB
    Password must change: never
    Last bad password   : 0
    Bad password count  : 0
    Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
    


Creating a script to add Zimbra accounts, and logging in to the domain from a Windows computer

  1. As the root user, create the script /usr/local/bin/add-account-zimbra-ldap.sh to add a Zimbra + LDAP account.
    #!/bin/bash
    #
    # /usr/local/bin/add-account-zimbra-ldap.sh
    #
    # Creates a Zimbra account that also carries posixAccount and
    # sambaSamAccount attributes, so one LDAP entry serves mail, Linux
    # login (through nslcd) and the Samba domain.
    # bash rather than sh: the ${DOMAIN//\./,dc=} substitution below is a bashism.
     
    if [ "$USER" != "zimbra" ]
    then
      echo "You need to be user zimbra to run this script"
      exit 1
    fi
    
    if [ "$#" -ne 2 ]
    then
      echo ""
      echo "Usage: $0 USER NAME"
      echo "Note:"
      echo "* Password akan dibuat otomatis oleh system."
      echo "* Argumen pertama harus 1 kata tanpa spasi."
      echo "* Argumen kedua jika mengandung spasi harus diapit tanda kutip tunggal '"
      echo "Eg. user1 'User 1'"
      echo ""
      exit 0
    fi
     
    #
    # DYNAMIC VARIABLES
    #
    DOMAIN=`zmprov getAllDomains`          # assumes a single Zimbra domain
    HOSTNAME=`zmhostname`
    GROUP="Domain Users"
    LDAP_PREFIX="dc="${DOMAIN//\./,dc=}    # domain.org -> dc=domain,dc=org
    BINDDN="uid=zimbra,cn=admins,cn=zimbra"
    LDAPPASS=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
    
    # Arguments
    ACCOUNT=$1
    PASSWD=`/usr/local/bin/randpass.sh 6 0`
    NAME=$2    # display name, the second argument
     
    #
    # Posix account
    #
    # gidNumber of the default group (Domain Users), read from LDAP
    GIDUSR=`ldapsearch -x -LLL -h $HOSTNAME -b "cn=$GROUP,ou=groups,$LDAP_PREFIX" -D "$BINDDN" \
      -w $LDAPPASS |grep 'gidNumber'|awk '{print $2}'`
     
    # login shell
    SHELL='/bin/false'
    # home directory
    HOMEDIR='/home'
    #
    # Samba account
    #
    # Samba Domain (the workgroup from smb.conf)
    SMBDOMNM=`egrep -e "[\s]*workgroup" /etc/samba/smb.conf | awk '{print $3}'`
    # Samba SID (needs the sudo rule for /usr/bin/net shown below)
    SMBSID=`sudo /usr/bin/net GETLOCALSID $SMBDOMNM|cut -f6 -d' '`
    #
    # Get last uid: the second-highest uid, so that nfsnobody (65534) is skipped
    LUID=`getent passwd|cut -f3 -d':'|sort -n| tail -n 2|head -n 1`
    # new uid
    LUID=$((LUID+1))
    # RID = uid*2 + 1000 (Samba's algorithmic mapping for users), appended to the domain SID
    SMBSID="$SMBSID-$(($LUID*2+1000))"
     
    # check if the name already exists
    if getent passwd | grep -q "^${ACCOUNT}:"
    then
       STAT=`ldapsearch -x -LLL -h $HOSTNAME -b "ou=people,$LDAP_PREFIX" -D "$BINDDN" -w $LDAPPASS \
         "(zimbraMailDeliveryAddress=${ACCOUNT}@${DOMAIN})"|grep '^zimbraAccountStatus:'|awk '{print $2}'`
       STAT=`echo $STAT | tr '[a-z]' '[A-Z]'`
       echo ""
       echo "The account $ACCOUNT already exist and have status $STAT."
       echo "Exit."
       echo ""
       sleep 1
       exit 1
    fi
     
    # check if uid already exists (match the uid field only, so that 1000 is
    # not mistaken for a substring of 11000 or of a gid)
    if getent passwd | grep -q "^[^:]*:[^:]*:${LUID}:"
    then
       echo "The uid $LUID already exist."
       echo "Exit."
       echo ""
       sleep 1
       exit 1
    else
       # just wait one second
       sleep 1
    fi
     
    # NT hash of the generated password for sambaNTPassword
    SMBMD4=`mkntpwd -N $PASSWD`
    # add account posix and samba
    echo ""
    echo "Creating account ..."
    echo "zmprov ca ${ACCOUNT}@${DOMAIN} $PASSWD displayName \"$NAME\" \
    uidNumber $LUID gidNumber $GIDUSR homeDirectory ${HOMEDIR}/${ACCOUNT} \
    loginShell $SHELL sambaDomainName $SMBDOMNM sambaSID $SMBSID \
    sambaAcctFlags [UX] sambaNTPassword $SMBMD4"
     
    # execute it
    zmprov ca ${ACCOUNT}@${DOMAIN} $PASSWD displayName "$NAME" \
      uidNumber $LUID gidNumber $GIDUSR homeDirectory ${HOMEDIR}/${ACCOUNT} \
      loginShell $SHELL sambaDomainName $SMBDOMNM sambaSID $SMBSID \
      sambaAcctFlags [UX] sambaNTPassword $SMBMD4
     
    if [ $? -eq 0 ]
    then
      echo ""
      echo "Add account successful."
      echo "User    : $ACCOUNT"
      echo "Password: $PASSWD"
      echo ""
    else
      echo "Add account failed."
      echo ""
    fi
    

    Use visudo to give the zimbra user permission to run /usr/bin/net.

    %zimbra ALL=NOPASSWD:/usr/bin/net
    
  2. As the root user, create the script /usr/local/bin/randpass.sh to generate passwords automatically.
    #!/bin/bash
    
    # /usr/local/bin/randpass.sh
    # Usage: randpass.sh [LENGTH] [0]
    #   LENGTH defaults to 32. A second argument of 0 restricts the characters
    #   to letters and digits; otherwise any printable non-space character is used.
    
    [ "$2" == "0" ] && CHAR="[:alnum:]" || CHAR="[:graph:]"
    tr -cd "$CHAR" < /dev/urandom | head -c "${1:-32}"
    echo
    
  3. Once both scripts have been created and their permissions changed to 755, switch to the zimbra user and run add-account-zimbra-ldap.sh to add a user with the default group Domain Users.
    [zimbra@server ~]$ add-account-zimbra-ldap.sh 
    
    Usage: /usr/local/bin/add-account-zimbra-ldap.sh USER NAME
    Note:
    * Password akan dibuat otomatis oleh system.
    * Argumen pertama harus 1 kata tanpa spasi.
    * Argumen kedua boleh lebih dari 1 kata (mengandung spasi) namun harus diapit tanda kutip tunggal '
    Eg. user1 'User 1'
    
    [zimbra@server ~]$ add-account-zimbra-ldap.sh arief 'Arief Y'
    
    Creating account ...
    zmprov ca arief@domain.org t3hbee displayName "" uidNumber 11004 gidNumber 12002 homeDirectory /home/arief loginShell /bin/false sambaDomainName MAIL sambaSID S-1-5-21-2200292274-1775603229-3162050125-23008 sambaAcctFlags [UX] sambaNTPassword F01CC8BA9A881156D01118A99A39372E
    156a5502-849c-41ec-8622-4c72e9154b64
    
    Add account successful.
    User    : arief
    Password: t3hbee
    

  4. The next step is to create a user with domain admin privileges, that is, a member of Domain Admins. For this, create the user it.admin. The steps are the same as for creating an ordinary user above. Then put the newly created user into the Domain Admins group with zmprov.


    zmprov ma it.admin@domain.org gidNumber 12001

  5. Next, join the domain from a computer, for example vm1-winxpsp3, using the username it.admin and its password to authenticate the domain join. After a successful join the computer asks for a reboot. After the reboot, log in to the MAIL domain as user arief.
  6. To check whether the computer name has been entered into the system /etc/passwd and into Zimbra LDAP:
    [zimbra@server ~]$ grep vm1-winxpsp3 /etc/passwd
    vm1-winxpsp3$:x:11002:100:Workstation (vm1-winxpsp3$):/nohome:/bin/false
    [zimbra@server ~]$ LDAPPASS=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
    [zimbra@server ~]$ DC="dc=domain,dc=org"
    [zimbra@server ~]$ BINDDN="uid=zimbra,cn=admins,cn=zimbra"
    [zimbra@server ~]$ ldapsearch -x -LLL -h `hostname` -b "ou=machines,$DC" -D "$BINDDN" -w $LDAPPASS "(uid=vm1-winxpsp3$)"
    dn: uid=VM1-WINXPSP3$,ou=machines,dc=domain,dc=org
    uid: VM1-WINXPSP3$
    sambaSID: S-1-5-21-2200292274-1775603229-3162050125-1002
    objectClass: sambaSamAccount
    objectClass: account
    displayName: VM1-WINXPSP3$
    sambaNTPassword: 75DF64BB1A43F64A8EFD5FAE0CB69A85
    sambaPwdLastSet: 1408933296
    sambaAcctFlags: [W          ]
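As an added example, not part of the original post, the uid selection and SID arithmetic that add-account-zimbra-ldap.sh performs are pulled out below into functions that work on passwd-style text, so they can be checked against the values in this post without a live directory: admin with uidNumber 11000 gets RID 23000 and arief with uidNumber 11004 gets RID 23008, as in the zmprov lines above. The sample listing is constructed from the post's getent passwd output; next_uid, uid_to_rid, user_sid, account_exists, uid_exists and plan_account are names chosen here. uid_exists matches the uid field only, so a lookup for 1000 is not satisfied by the 11000 entry.

```shell
#!/bin/bash
# Added example (not from the original post): the account script's uid and
# SID arithmetic as functions over passwd-style text.

# Constructed sample in getent passwd format (entries taken from the post's
# output; nfsnobody is the 65534 entry the script steps over).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
zimbra:x:500:500::/opt/zimbra:/bin/bash
postfix:x:501:501::/opt/zimbra/postfix:/bin/bash
nfsnobody:x:65534:65534:Anonymous NFS User:/var/lib/nfs:/sbin/nologin
vm1-winxpsp3$:x:11002:100:Workstation (vm1-winxpsp3$):/nohome:/bin/false
admin:*:11000:12001:admin:/home/admin:/bin/false'

# next_uid PASSWD_TEXT: the script takes the second-highest uid (so that
# nfsnobody's 65534 is skipped) and adds one.
next_uid() {
  local last
  last=$(printf '%s\n' "$1" | cut -f3 -d':' | sort -n | tail -n 2 | head -n 1)
  echo $((last + 1))
}

# uid_to_rid UID: RID = uid*2 + 1000, the script's rule (and Samba's
# algorithmic user mapping with the default algorithmic rid base of 1000).
uid_to_rid() {
  echo $(($1 * 2 + 1000))
}

# user_sid DOMAIN_SID UID: the full sambaSID for a user.
user_sid() {
  printf '%s-%s\n' "$1" "$(uid_to_rid "$2")"
}

# account_exists PASSWD_TEXT NAME: 0 when NAME is the login field of a line.
account_exists() {
  printf '%s\n' "$1" | grep -q "^${2}:"
}

# uid_exists PASSWD_TEXT UID: 0 when UID is the third field of a line.
# Anchoring to the field matters: a bare "1000:" pattern would also match
# the 11000 entry and any gid of 1000.
uid_exists() {
  printf '%s\n' "$1" | grep -q "^[^:]*:[^:]*:${2}:"
}

# plan_account PASSWD_TEXT DOMAIN_SID NAME: print "uid sid" for a new
# account, or fail when the name or the chosen uid is already taken.
plan_account() {
  local uid
  account_exists "$1" "$3" && return 1
  uid=$(next_uid "$1")
  uid_exists "$1" "$uid" && return 1
  printf '%s %s\n' "$uid" "$(user_sid "$2" "$uid")"
}

# On the server from the post, with the SID from net GETLOCALSID:
#   plan_account "$(getent passwd)" S-1-5-21-2200292274-1775603229-3162050125 arief
```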
    


Zimbra Admin Console Screenshots

Zimbra Admin Console
Zimbra Server Status
Zimbra Admin Extensions
Zimbra Posix Groups
Zimbra Samba Domains
Zimbra List Accounts


Domain Login Screenshots

System Properties -> Computer Name
Set Member of DOMAIN Domain
Join into DOMAIN Domain with username it.admin
Welcome to DOMAIN Domain
Log On to Windows using logon domain




Last update: 2014-11-03 20:00 +07:00

Written by awarmanf

August 27, 2014 at 3:08 pm

Posted in centos, Linux, samba, zimbra


4 Responses


  1. A question, mas: suppose we want to see each user's groups, we use the id command, for example:
    id taufik
    uid=10255(komp02$) gid=10010(IT) groups=10255(komp02$)

    Now, suppose we want to see the groups of all users, what is the command?

    Taufik

    March 4, 2015 at 2:26 am

    • Oh, I also checked passwd, shadow and group; the user and group lists are already different, maybe the Samba PDC settings don't point there..

      Taufik

      March 4, 2015 at 2:30 am

  2. hello, a question.. what should be entered here?
    I tried with the root password and it doesn't work
    [zimbra@mx2 tmp]$ ./create-file-ldif.sh GROUPKU passwordku

    We trust you have received the usual lecture from the local System
    Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

    [sudo] password for zimbra:

    mafatahna

    May 13, 2016 at 3:50 am

    • it's fixed now. only when I run this command getent group|tail
      the group hasn't been added.. any suggestions?

      mafatahna

      May 13, 2016 at 7:11 am

