Prologue
This article describes how to configure ZCS (Zimbra Collaboration Server) and Samba as a PDC (Primary Domain Controller) server that uses LDAP (Lightweight Directory Access Protocol) as the centralized user database for authenticating both Linux and Windows users. This is achieved by configuring Zimbra's LDAP to serve as the centralized user database for PAM (Pluggable Authentication Modules), NSS (Name Service Switch) and the Samba ldapsam password backend. The Linux server runs CentOS 5.4, installed following the guide "Instalasi Server Linux CLI dengan CentOS 5.4" (CLI Linux Server Installation with CentOS 5.4).
This integration makes it easier for admins to manage Zimbra Mail Server and Samba PDC/Active Directory accounts, because the two are integrated directly. In a company, institution or agency that has so far been running Windows Server, this guide can be used to prepare a Linux server to replace the Windows Active Directory Server and Microsoft Exchange Server.
Preparation
This guide uses Zimbra Mail Server 6.0.12 32-bit installed on CentOS 5.4 (VirtualBox).
Domain : centos.org
Hostname : vbox-server.centos.org
Zimbra(*) : server.centos.org
(*) This is the name of the Zimbra server that will be installed on the Linux server.
IP configuration:
IP Address: 192.168.87.103
Gateway : 192.168.87.97
Requirements
zcs-6.0.12_GA_2883.RHEL5.20110306010832.tgz
sysstat
zcs-samba.zip
zimbraSambaPassword.zip
12. No sendmail service may be running. Run the command below as the root user to stop the sendmail service.
16. No httpd service may be listening on TCP port 80. Run the command below as the root user to stop the httpd service.
22. mkdir /media/CentOS
23. mount /dev/dvd /media/CentOS
24. yum --disablerepo=\* --enablerepo=c5-media install sysstat
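Steps 12 and 16 exist because the Zimbra installer refuses to proceed when another daemon already holds a port its own services need (it reports this in the "Checking for port conflicts" step shown later). The following pre-flight check is an added example, not part of the original guide: it reads "netstat -tlnp"-style output and reports every listening port that Zimbra's MTA, web server, IMAP/POP, LDAP and spell services would later bind to, so the offending services can be stopped before install.sh is run. The sample netstat output, the PIDs and the program names are constructed for the example; the port list is an assumption based on the ports configured during installation below.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight check for the ports
# that Zimbra's own services bind to. Generalises steps 12 (sendmail on 25)
# and 16 (httpd on 80) to the full list of listeners the installer objects to.

# Ports taken by the services configured later in this guide (assumed list).
ZIMBRA_PORTS="25 80 443 110 143 993 995 389 7780"

# Reads "netstat -tlnp"-style lines on stdin and prints one line per conflict:
# "<port> <pid/program>". Only sockets in LISTEN state are considered.
port_conflicts() {
    awk -v wanted="$ZIMBRA_PORTS" '
        BEGIN { n = split(wanted, w, " "); for (i = 1; i <= n; i++) want[w[i]] = 1 }
        $6 == "LISTEN" {
            # local address is column 4, e.g. 0.0.0.0:25 or :::80
            port = $4; sub(/.*:/, "", port)
            proc = ($7 == "" ? "-" : $7)
            if ((port in want) && !(port in seen)) { seen[port] = 1; print port, proc }
        }'
}

# Constructed sample in the format of "netstat -tlnp" on CentOS 5
# (PIDs and program names are made up for the example).
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address               Foreign Address             State       PID/Program name
tcp        0      0 127.0.0.1:25                0.0.0.0:*                   LISTEN      2201/sendmail
tcp        0      0 0.0.0.0:22                  0.0.0.0:*                   LISTEN      1980/sshd
tcp        0      0 :::80                       :::*                        LISTEN      2310/httpd
tcp        0      0 0.0.0.0:111                 0.0.0.0:*                   LISTEN      1800/portmap'

# Number of conflicting ports found in the given netstat text.
count_conflicts() {
    printf '%s\n' "$1" | port_conflicts | wc -l | tr -d ' '
}

# Prints the findings; returns non-zero when install.sh would hit a conflict.
preflight() {
    conflicts=$(printf '%s\n' "$1" | port_conflicts)
    if [ -n "$conflicts" ]; then
        echo "port conflicts found (stop these services before running install.sh):"
        echo "$conflicts"
        return 1
    fi
    echo "no port conflicts"
    return 0
}

# Live usage on the server would be:  netstat -tlnp | port_conflicts
preflight "$SAMPLE_NETSTAT" || true
```

On the sample input the check reports sendmail on port 25 and httpd on port 80 and leaves sshd and portmap alone, which is exactly the situation steps 12 and 16 ask you to clear.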
Installing Zimbra
1. Extract the file zcs-6.0.12_GA_2883.RHEL5.20110306010832.tgz (assuming the source file is in the /usr/local/src directory).
2. cd /usr/local/src
3. tar zxf zcs-6.0.12_GA_2883.RHEL5.20110306010832.tgz
4. Set up Zimbra. The input you have to type is shown in bold.
5. cd zcs-6.0.12_GA_2883.RHEL5.20110306010832
6. ./install.sh --platform-override
Found zimbra-core
Found zimbra-ldap
Found zimbra-logger
Found zimbra-mta
Found zimbra-snmp
Found zimbra-store
Found zimbra-apache
Found zimbra-spell
Found zimbra-memcached
Found zimbra-proxy
Installing:
zimbra-core
zimbra-ldap
zimbra-logger
zimbra-mta
zimbra-snmp
zimbra-store
zimbra-apache
zimbra-spell
You appear to be installing packages on a platform different
than the platform for which they were built.
Using packages for a platform in which they were not designed for
may result in an installation that is NOT usable. Your support
options may be limited if you choose to continue.
Removing /opt/zimbra
Removing zimbra crontab entry...done.
done.
Cleaning up zimbra init scripts...done.
Cleaning up /etc/ld.so.conf...done.
Cleaning up /etc/prelink.conf...done.
Cleaning up /etc/security/limits.conf...done.
Installing packages
zimbra-core......zimbra-core-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-ldap......zimbra-ldap-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-logger......zimbra-logger-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-mta......zimbra-mta-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-snmp......zimbra-snmp-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-store......zimbra-store-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-apache......zimbra-apache-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
zimbra-spell......zimbra-spell-6.0.12_GA_2883.RHEL5-20110306010832.i386.rpm...done
Operations logged to /tmp/zmsetup.02082013-150930.log
Installing LDAP configuration database...done.
Interface: 192.168.87.103
Interface: 127.0.0.1
Interface: 192.168.87.103
Interface: 127.0.0.1
done.
Checking for port conflicts
Next comes setting the password for the Zimbra admin, disabling the version update checks and the spell check server, applying the config, the system modifications, and so on, until Zimbra restarts.
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
+Create Admin User: yes
+Admin user to create: admin@centos.org
******* +Admin Password UNSET
+Enable automated spam training: yes
+Spam training user: spam.cu_ulydp@centos.org
+Non-spam(Ham) training user: ham.l4vdnhgf7b@centos.org
+Global Documents Account: wiki@centos.org
+SMTP host: server.centos.org
+Web server HTTP port: 80
+Web server HTTPS port: 443
+Web server mode: http
+IMAP server port: 143
+IMAP server SSL port: 993
+POP server port: 110
+POP server SSL port: 995
+Use spell check server: yes
+Spell server URL:
http://server.centos.org:7780/aspell.php
+Configure for use with mail proxy: FALSE
+Configure for use with web proxy: FALSE
+Enable version update checks: TRUE
+Enable version update notifications: TRUE
+Version update notification email: admin@vbox-server.centos.org
+Version update source email: admin@vbox-server.centos.org
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@centos.org
** 4) Admin Password UNSET
5) Enable automated spam training: yes
6) Spam training user: spam.cu_ulydp@centos.org
7) Non-spam(Ham) training user: ham.l4vdnhgf7b@centos.org
8) Global Documents Account: wiki@centos.org
9) SMTP host: server.centos.org
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: http
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL:
http://server.centos.org:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@vbox-server.centos.org
24) Version update source email: admin@vbox-server.centos.org
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@centos.org
4) Admin Password set
5) Enable automated spam training: yes
6) Spam training user: spam.cu_ulydp@centos.org
7) Non-spam(Ham) training user: ham.l4vdnhgf7b@centos.org
8) Global Documents Account: wiki@centos.org
9) SMTP host: server.centos.org
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: http
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL:
http://server.centos.org:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: TRUE
22) Enable version update notifications: TRUE
23) Version update notification email: admin@vbox-server.centos.org
24) Version update source email: admin@vbox-server.centos.org
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@centos.org
4) Admin Password set
5) Enable automated spam training: yes
6) Spam training user: spam.cu_ulydp@centos.org
7) Non-spam(Ham) training user: ham.l4vdnhgf7b@centos.org
8) Global Documents Account: wiki@centos.org
9) SMTP host: server.centos.org
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: http
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: yes
18) Spell server URL:
http://server.centos.org:7780/aspell.php
19) Configure for use with mail proxy: FALSE
20) Configure for use with web proxy: FALSE
21) Enable version update checks: FALSE
Store configuration
1) Status: Enabled
2) Create Admin User: yes
3) Admin user to create: admin@centos.org
4) Admin Password set
5) Enable automated spam training: yes
6) Spam training user: spam.cu_ulydp@centos.org
7) Non-spam(Ham) training user: ham.l4vdnhgf7b@centos.org
8) Global Documents Account: wiki@centos.org
9) SMTP host: server.centos.org
10) Web server HTTP port: 80
11) Web server HTTPS port: 443
12) Web server mode: http
13) IMAP server port: 143
14) IMAP server SSL port: 993
15) POP server port: 110
16) POP server SSL port: 995
17) Use spell check server: no
18) Configure for use with mail proxy: FALSE
19) Configure for use with web proxy: FALSE
20) Enable version update checks: FALSE
Main menu
1) Common Configuration:
2) zimbra-ldap: Enabled
3) zimbra-store: Enabled
4) zimbra-mta: Enabled
5) zimbra-snmp: Enabled
6) zimbra-logger: Enabled
7) zimbra-spell: Enabled
8) Default Class of Service Configuration:
r) Start servers after configuration yes
s) Save config to file
x) Expand menu
q) Quit
8. su - zimbra
9. zmcontrol status
Host server.centos.org
antispam Running
antivirus Running
ldap Running
logger Running
mailbox Running
mta Running
snmp Running
spell Running
stats Running
10. Next is tuning Zimbra. We will turn off the services that are not really needed: snmp, spell and logger.
11. zmprov ms server.centos.org -zimbraServiceEnabled snmp
12. zmprov ms server.centos.org -zimbraServiceEnabled spell
13. zmprov ms server.centos.org -zimbraServiceEnabled logger
14. zmcontrol restart
Host server.centos.org
Stopping stats...Done.
Stopping mta...Done.
Stopping spell...Done.
Stopping snmp...Done.
Stopping archiving...Done.
Stopping antivirus...Done.
Stopping antispam...Done.
Stopping imapproxy...Done.
Stopping memcached...Done.
Stopping mailbox...Done.
Stopping logger...Done.
Stopping ldap...Done.
Host server.centos.org
Starting ldap...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting mta...Done.
Starting stats...Done.
Adding the Zimbra Posix Account and Zimbra Samba admin extensions
The steps are as follows:
2. mkdir /tmp/zcs-samba
3. Extract the file zcs-samba.zip. Save the files to /tmp/zcs-samba, except zcs-samba-auto.sh, which goes to /tmp.
4. cp zcs-samba-auto.sh /tmp
5. cp samba-schema.tar.gz /tmp/zcs-samba
6. cp posixusers.ldif /tmp/zcs-samba
7. cp indexes.ldif /tmp/zcs-samba
8. chown -R zimbra. /tmp/zcs-samba
Edit the parameters at the top of /tmp/zcs-samba-auto.sh. The relevant part of the script:
...
# PARAMETER
# Change this password
PASSWD="password"
# GID & UID
gidBase=12000
uidBase=11000
# change this default home path
homePath='/home/%u'
# samba schema (adjust the schema file to the Samba version installed)
# If using the Samba shipped with CentOS 5.4
SMBSCHEMA='/usr/share/doc/samba-3.0.33/LDAP/samba.schema'
# If using Samba installed from version 3.4.8
# SMBSCHEMA='/usr/share/doc/samba-doc-3.4.8/LDAP/samba.schema'
...
24. Convert /tmp/zcs-samba-auto.sh to Unix line endings and set its file mode to 755.
25. cd /tmp
26. dos2unix zcs-samba-auto.sh
27. chmod 755 zcs-samba-auto.sh
28. Run it!
The values to edit are workgroup = and netbios name =. The complete Samba configuration used:
[global]
workgroup = DOMAIN4
netbios name = Server
os level = 33
preferred master = yes
enable privileges = yes
server string = %h Server (SAMBA)
wins support =yes
dns proxy = no
name resolve order = wins bcast hosts
log file = /var/log/samba/log.%m
log level = 3
max log size = 1000
syslog only = no
syslog = 0
panic action = /usr/share/samba/panic-action %d
security = user
encrypt passwords = true
ldap passwd sync = yes
passdb backend = ldapsam:ldap://server.centos.org/
ldap admin dn = "cn=config"
ldap suffix = dc=centos,dc=org
ldap group suffix = ou=groups
ldap user suffix = ou=people
ldap machine suffix = ou=machines
obey pam restrictions = no
passwd program = /usr/bin/passwd %u
passwd chat = *Enter\snew\sUNIX\spassword:* %n\n *Retype\snew\sUNIX\spassword:* %n\n *password\supdated\ssuccessfully* .
domain logons = yes
# the logon path below is for roaming profiles
# logon path = \\192.168.87.103\%U\profile
logon path =
ldap ssl = no
logon drive = P:
logon home = \\192.168.87.103\%U
logon script = logon.cmd
add user script = /usr/sbin/useradd "%u" -n -g users
add group script = /usr/sbin/groupadd "%g"
add machine script = /usr/sbin/useradd -n -c "Workstation (%u)" -M -d /nohome -s /bin/false "%u"
delete user script = /usr/sbin/userdel "%u"
delete user from group script = /usr/sbin/userdel "%u" "%g"
delete group script = /usr/sbin/groupdel "%g"
socket options = TCP_NODELAY
domain master = yes
local master = yes
[homes]
comment = Home Directories
browseable =no
read only = No
valid users = %S
[netlogon]
comment = Network Logon Service
path = /var/lib/samba/netlogon
guest ok = yes
locking = no
[profiles]
comment = Users profiles
path = /var/lib/samba/profiles
read only = No
store dos attributes = Yes
create mask = 0600
directory mask = 0700
browseable = no
guest ok = no
printable = no
[profdata]
comment = Profile Data Share
path = /var/lib/samba/profdata
read only = No
profile acls = Yes
[printers]
comment = All Printers
browseable = no
path = /tmp
printable = yes
public = no
writable = no
create mode = 0700
[print$]
comment = Printer Drivers
path = /var/lib/samba/printers
browseable = yes
read only = yes
guest ok = no
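Three settings in the configuration above deserve a second look once Samba authenticates against Zimbra's LDAP: ldap ssl = no (the ldapsam backend then sends its bind password and reads sambaNTPassword hashes in cleartext, which is tolerable only because the LDAP server is on the same host), ldap admin dn = "cn=config" (a directory-wide administrative DN, so the password Samba stores with smbpasswd -w grants full write access to the tree), and guest ok = yes on shares other than [netlogon]. The audit below is an added example, not part of the original guide or of Samba: it flattens an smb.conf into section/key/value triples and prints one finding per weak setting. The embedded configuration is a constructed excerpt of the smb.conf above; the function names are the example's own.

```shell
#!/bin/sh
# Added example (not from the original guide): audit of smb.conf settings that
# matter for an LDAP-backed PDC. Reports only; changes nothing.

# Constructed excerpt of the smb.conf shown in the guide.
SAMPLE_SMB_CONF='[global]
   workgroup = DOMAIN4
   security = user
   passdb backend = ldapsam:ldap://server.centos.org/
   ldap admin dn = "cn=config"
   ldap suffix = dc=centos,dc=org
   ldap ssl = no
[homes]
   browseable =no
   read only = No
   valid users = %S
[netlogon]
   path = /var/lib/samba/netlogon
   guest ok = yes
[profiles]
   path = /var/lib/samba/profiles
   read only = No
   guest ok = no
[printers]
   path = /tmp
   printable = yes
   public = no
   writable = no'

# Emits "section|key|value" per setting, keys and values lower-cased, so that
# "Read Only = No" and "read only = no" compare equal. Comments are skipped.
smb_conf_flatten() {
    awk '
        /^[ \t]*[;#]/ || /^[ \t]*$/ { next }
        /^[ \t]*\[/ { s = $0; sub(/^[ \t]*\[/, "", s); sub(/\].*$/, "", s); section = s; next }
        index($0, "=") > 0 {
            k = substr($0, 1, index($0, "=") - 1); v = substr($0, index($0, "=") + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k); gsub(/^[ \t]+|[ \t]+$/, "", v)
            print section "|" tolower(k) "|" tolower(v)
        }'
}

# Reads smb.conf text on stdin and prints one finding per line.
smb_conf_audit() {
    smb_conf_flatten | awk -F'|' '
        { val[$1 "|" $2] = $3; if (!($1 in seen)) { seen[$1] = 1; order[++n] = $1 } }
        END {
            if (val["global|ldap ssl"] == "no")
                print "global: ldap ssl = no -> bind password and password hashes travel unencrypted; acceptable only when the LDAP server is on the same host"
            if (val["global|ldap admin dn"] ~ /cn=config/)
                print "global: ldap admin dn is a directory-wide administrative DN -> the password stored by smbpasswd -w grants full write access to the tree"
            for (i = 1; i <= n; i++) {
                s = order[i]; if (s == "global") continue
                guest = (val[s "|guest ok"] == "yes" || val[s "|public"] == "yes")
                writable = (val[s "|read only"] == "no" || val[s "|writable"] == "yes" || val[s "|writeable"] == "yes")
                if (guest && writable) print s ": guest-accessible AND writable share"
                else if (guest) print s ": guest-accessible share (normal for [netlogon]; review any other share)"
            }
        }'
}

# Number of findings for the given smb.conf text.
smb_conf_finding_count() {
    printf '%s\n' "$1" | smb_conf_audit | wc -l | tr -d ' '
}

# Live usage on the server:  smb_conf_audit < /etc/samba/smb.conf
printf '%s\n' "$SAMPLE_SMB_CONF" | smb_conf_audit
```

Run against the sample, the audit yields three findings: the two global settings and the guest-readable [netlogon] share; [profiles] and [printers] are clean because they are not guest-accessible. Enabling ldap ssl would only matter if the passdb backend pointed at a remote LDAP host.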
Configuring the Linux server to use Zimbra LDAP as the centralized database
1. As the root user, check which resources are used for system authentication with the command authconfig --test.
62. cp /etc/nsswitch.conf /etc/nsswitch.conf.default
63. cp /etc/pam.d/system-auth-ac /etc/pam.d/system-auth-ac.default
64. Before running the authconfig command as root to reconfigure the system's authentication sources, first obtain the Zimbra LDAP password.
65. sudo -u zimbra /opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_password
66. zimbra_ldap_password = U0Csv8Ve
67. Check again which resources are used for system authentication with authconfig --test.
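Whether step 67 succeeded is visible in /etc/nsswitch.conf: the passwd, shadow and group databases must list ldap as a source, and files should stay first so that root still resolves locally if the LDAP server is down. The check below is an added example, not part of the original guide or of authconfig: it parses nsswitch.conf text and prints the databases that do not consult LDAP. Both embedded files are constructed, one representing the CentOS 5 default and one the state after LDAP has been enabled.

```shell
#!/bin/sh
# Added example (not from the original guide): verifies that nsswitch.conf
# routes passwd, shadow and group through LDAP, which is what the authconfig
# step is meant to achieve. Compare with the backup taken in step 62.

# Constructed "before" file, as CentOS 5 ships it.
NSS_BEFORE='passwd:     files
shadow:     files
group:      files
hosts:      files dns'

# Constructed "after" file, with the source that authconfig adds for LDAP.
NSS_AFTER='passwd:     files ldap
shadow:     files ldap
group:      files ldap
hosts:      files dns'

# Reads nsswitch.conf text on stdin; prints each of passwd/shadow/group that
# does NOT list ldap (or is missing entirely). Empty output means all three use LDAP.
nss_missing_ldap() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        {
            db = $1; sub(/:$/, "", db)
            if (db != "passwd" && db != "shadow" && db != "group") next
            seen[db] = 1
            has = 0
            for (i = 2; i <= NF; i++) if ($i == "ldap") has = 1
            if (!has) print db
        }
        END {
            split("passwd shadow group", want, " ")
            for (i = 1; i <= 3; i++) if (!(want[i] in seen)) print want[i]
        }'
}

# Returns 0 when passwd, shadow and group all consult LDAP.
nss_uses_ldap() {
    [ -z "$(printf '%s\n' "$1" | nss_missing_ldap)" ]
}

# Live usage on the server, after authconfig has run:
#   nss_missing_ldap < /etc/nsswitch.conf
#   diff /etc/nsswitch.conf.default /etc/nsswitch.conf
printf '%s\n' "$NSS_BEFORE" | nss_missing_ldap
```

The diff against the backup from step 62 is the quickest way to confirm that authconfig touched only the expected lines.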
135. Set up Samba's connection to Zimbra LDAP using the LDAP root password, which in this case is the Zimbra LDAP password.
136. PASSLDAP=`sudo -u zimbra /opt/zimbra/bin/zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
137. smbpasswd -w $PASSLDAP
In addition, add the root user to the local smbpasswd file. Use the same password root uses to log in to the server.
smbpasswd -a root
Hmm, Samba is still giving an error? Don't worry, this problem will be solved shortly :).
Adding Linux and Samba users & groups with the ldapadd utility
In this stage we do not use the Zimbra Admin user interface to add Linux and Samba users & groups; we use ldapadd instead.
[root@vbox-server ~]# /usr/bin/net GETLOCALSID |cut -f6 -d' '
S-1-5-21-1508648254-3288735373-2858972520
Create an LDIF (LDAP Data Interchange Format) file with vi or nano. We name the file sambaDomainName.ldif and save it in the /tmp folder. Edit the domain name and SID (shown in bold) to match your own.
dn: sambaDomainName=DOMAIN4,dc=centos,dc=org
sambaDomainName: DOMAIN4
sambaSID: S-1-5-21-1508648254-3288735373-2858972520
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaNextRid: 1252
Next, add the LDIF data to Zimbra LDAP with the ldapadd command. Log in as the zimbra user for this.
su - zimbra
PASSLDAP=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
ldapadd -v -H ldap://server.centos.org/ -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/sambaDomainName.ldif
ldap_initialize( ldap://server.centos.org:389/??base )
add sambaDomainName:
DOMAIN4
add sambaSID:
S-1-5-21-1508648254-3288735373-2858972520
add sambaAlgorithmicRidBase:
1000
add objectClass:
sambaDomain
add sambaNextUserRid:
1000
add sambaMinPwdLength:
5
add sambaLogonToChgPwd:
0
add sambaMaxPwdAge:
-1
add sambaLockoutDuration:
30
add sambaLockoutObservationWindow:
30
add sambaLockoutThreshold:
0
add sambaForceLogoff:
-1
add sambaRefuseMachinePwdChange:
0
add sambaMinPwdAge:
0
add sambaPwdHistoryLength:
0
add sambaNextRid:
1252
adding new entry "sambaDomainName=DOMAIN4,dc=centos,dc=org"
modify complete
/tmp/groups.ldif
dn: ou=groups,dc=centos,dc=org
cn: groups
objectClass: organizationalRole
ou: groups
/tmp/machines.ldif
dn: ou=machines,dc=centos,dc=org
cn: machines
objectClass: organizationalRole
ou: machines
/tmp/DomainAdmins.ldif
/tmp/DomainUsers.ldif
Next, add the four LDIF files to Zimbra LDAP with the ldapadd command.
ldap_initialize( ldap://server.centos.org:389/??base )
add cn:
groups
add objectClass:
organizationalRole
add ou:
groups
adding new entry "ou=groups,dc=centos,dc=org"
modify complete
PASSLDAP=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
ldapadd -v -H ldap://server.centos.org/ -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/machines.ldif
ldap_initialize( ldap://server.centos.org:389/??base )
add cn:
machines
add objectClass:
organizationalRole
add ou:
machines
adding new entry "ou=machines,dc=centos,dc=org"
modify complete
PASSLDAP=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
ldapadd -v -H ldap://server.centos.org/ -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/DomainAdmins.ldif
ldap_initialize( ldap://server.centos.org:389/??base )
add cn:
Domain Admins
add description:
Domain Admins
add gidNumber:
12001
add memberUid:
1
add objectClass:
posixGroup
sambaGroupMapping
add sambaGroupType:
2
add sambaSID:
S-1-5-21-1508648254-3288735373-2858972520-512
adding new entry "cn=Domain Admins,ou=groups,dc=centos,dc=org"
modify complete
PASSLDAP=`zmlocalconfig -s zimbra_ldap_password | awk '{print $3}'`
ldapadd -v -H ldap://server.centos.org/ -x -w $PASSLDAP -c -D "uid=zimbra,cn=admins,cn=zimbra" -f /tmp/DomainUsers.ldif
ldap_initialize( ldap://server.centos.org:389/??base )
add cn:
Domain Users
add description:
Domain Users
add displayName:
Domain Users
add gidNumber:
12002
add memberUid:
2
add objectClass:
posixGroup
sambaGroupMapping
add sambaGroupType:
2
add sambaSID:
S-1-5-21-1508648254-3288735373-2858972520-513
adding new entry "cn=Domain Users,ou=groups,dc=centos,dc=org"
modify complete
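The sambaDomainName entry and the Domain Admins / Domain Users groups above all embed the domain SID returned by net GETLOCALSID, and a single mistyped digit produces an entry that Samba silently ignores. The script below is an added example, not part of the original guide or of the zcs-samba package: it generates those LDIF entries from the SID and base DN after validating the SID's format, using the same attribute values and defaults as the guide's files (RIDs 512 and 513 are the standard Domain Admins and Domain Users RIDs the guide uses; memberUid is left out so that members can be added once the users exist). The function names are the example's own, and the SID, domain name and base DN are the guide's values.

```shell
#!/bin/sh
# Added example (not from the original guide): builds the sambaDomainName and
# group LDIF entries from the domain SID instead of editing them by hand.

# A domain SID has the form S-1-5-21-<n>-<n>-<n>; returns 0 when $1 matches.
sid_is_valid() {
    printf '%s' "$1" | grep -Eq '^S-1-5-21-[0-9]+-[0-9]+-[0-9]+$'
}

# Prints the sambaDomainName entry with the guide's defaults.
# Args: domain name, domain SID, base DN.
domain_ldif() {
    sid_is_valid "$2" || { echo "invalid domain SID: $2" >&2; return 1; }
    cat <<EOF
dn: sambaDomainName=$1,$3
sambaDomainName: $1
sambaSID: $2
sambaAlgorithmicRidBase: 1000
objectClass: sambaDomain
sambaNextUserRid: 1000
sambaMinPwdLength: 5
sambaLogonToChgPwd: 0
sambaMaxPwdAge: -1
sambaLockoutDuration: 30
sambaLockoutObservationWindow: 30
sambaLockoutThreshold: 0
sambaForceLogoff: -1
sambaRefuseMachinePwdChange: 0
sambaMinPwdAge: 0
sambaPwdHistoryLength: 0
sambaNextRid: 1252
EOF
}

# Prints a posixGroup + sambaGroupMapping entry under ou=groups.
# Args: group name, gidNumber, RID, domain SID, base DN.
group_ldif() {
    sid_is_valid "$4" || { echo "invalid domain SID: $4" >&2; return 1; }
    cat <<EOF
dn: cn=$1,ou=groups,$5
cn: $1
description: $1
displayName: $1
gidNumber: $2
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaGroupType: 2
sambaSID: $4-$3
EOF
}

# The sambaSID line of a generated group entry (same arguments as group_ldif).
group_sid_of() {
    group_ldif "$@" | sed -n 's/^sambaSID: //p'
}

# Values from the guide. On the live server the SID would come from:
#   DOMAIN_SID=$(/usr/bin/net GETLOCALSID | cut -f6 -d' ')
DOMAIN=DOMAIN4
BASE_DN=dc=centos,dc=org
DOMAIN_SID=S-1-5-21-1508648254-3288735373-2858972520

# Writing the files the guide feeds to ldapadd would be, for example:
#   domain_ldif "$DOMAIN" "$DOMAIN_SID" "$BASE_DN" > /tmp/sambaDomainName.ldif
#   group_ldif "Domain Admins" 12001 512 "$DOMAIN_SID" "$BASE_DN" > /tmp/DomainAdmins.ldif
#   group_ldif "Domain Users"  12002 513 "$DOMAIN_SID" "$BASE_DN" > /tmp/DomainUsers.ldif
group_ldif "Domain Admins" 12001 512 "$DOMAIN_SID" "$BASE_DN"
```

Because every entry is derived from one validated SID, the group SIDs are guaranteed to share the domain prefix with the sambaDomainName entry, which is what Samba checks when it maps a group.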
Restart Samba.
After that, run the command below with root privileges to grant rights to the Domain Admins group. Use the root password and replace the domain name centos.org with your own:
whoami
root
/usr/bin/net GETLOCALSID |cut -f6 -d' '
S-1-5-21-1508648254-3288735373-2858972520
su - zimbra
zmprov ma admin@centos.org +objectClass posixAccount uidNumber 11000 gidNumber 12001 homeDirectory /home/admin loginShell /bin/false
zmprov ma admin@centos.org +objectClass sambaSamAccount sambaDomainName DOMAIN4 sambaSID "S-1-5-21-1508648254-3288735373-2858972520-23000" sambaAcctFlags [UX]
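The sambaSID given to admin@centos.org above is not arbitrary: with sambaAlgorithmicRidBase set to 1000 in the sambaDomainName entry, Samba's algorithmic mapping assigns user RID = 2 * uidNumber + 1000, so uidNumber 11000 yields RID 23000, which is the suffix the guide uses. The script below is an added example, not part of the original guide or of Zimbra: it derives the SID from the uidNumber, checks an existing uidNumber/sambaSID pair for consistency, and prints the two zmprov commands with the computed SID filled in. Function names are the example's own; the account, uid, gid and domain values are the guide's.

```shell
#!/bin/sh
# Added example (not from the original guide): derives a user's sambaSID from
# its uidNumber using Samba's algorithmic RID mapping and emits the zmprov
# commands shown in the guide with that SID filled in.

# sambaAlgorithmicRidBase from the sambaDomainName entry.
RID_BASE=1000

# Prints the RID for a POSIX uid: 2 * uid + base.
user_rid() {
    echo $(( 2 * $1 + RID_BASE ))
}

# Prints the full user SID: <domain SID>-<rid>.
user_sid() {
    echo "$1-$(user_rid "$2")"
}

# Returns 0 when the sambaSID matches the uidNumber under the mapping.
# Args: domain SID, uidNumber, sambaSID to check.
sid_matches_uid() {
    [ "$(user_sid "$1" "$2")" = "$3" ]
}

# Prints the two zmprov commands that make a Zimbra account a posixAccount and
# a sambaSamAccount. Args: account, uidNumber, gidNumber, home, domain, domain SID.
zmprov_samba_cmds() {
    printf 'zmprov ma %s +objectClass posixAccount uidNumber %s gidNumber %s homeDirectory %s loginShell /bin/false\n' \
        "$1" "$2" "$3" "$4"
    printf 'zmprov ma %s +objectClass sambaSamAccount sambaDomainName %s sambaSID "%s" sambaAcctFlags [UX]\n' \
        "$1" "$5" "$(user_sid "$6" "$2")"
}

# Values from the guide; nothing is changed in the directory, the commands are only printed.
DOMAIN_SID=S-1-5-21-1508648254-3288735373-2858972520
zmprov_samba_cmds admin@centos.org 11000 12001 /home/admin DOMAIN4 "$DOMAIN_SID"
```

Review the printed commands and run them as the zimbra user. The consistency check is the one to run over accounts that were provisioned by hand: a sambaSID that does not match the uidNumber under the mapping points at a copy-paste error.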
Installing zimbraSambaPassword
This is needed if we want the Samba password kept in sync with the user's Zimbra password. By default, when a user changes their password through the Zimbra webmail, the Samba password (that is, the domain logon password) is not changed.
Download zimbraSambaPassword.zip
Extract zimbraSambaPassword.zip
-h|--help Usage
-i|--install Install extension
-u|--uninstall Uninstall extension
Starting up Zimbra
Host server.centos.org
Starting ldap...Done.
Starting mailbox...Done.
Starting antispam...Done.
Starting antivirus...Done.
Starting mta...Done.
Starting stats...Done.
Screenshot