Setting Up Zimbra and Backup

This document provides instructions for setting up a mail server using Zimbra on CentOS. It involves installing CentOS, enabling required packages, installing Zimbra, configuring split DNS for internal and external mail domains, deploying POSIX and Samba account extensions in Zimbra Admin, and configuring OpenLDAP to support POSIX and Samba schemas. Key steps include disabling firewall/SELinux, installing required packages like bind and perl, creating DNS records for the mail domain, starting named, and deploying Zimbra and extensions following the on-screen prompts.

Uploaded by Collins Emadau
Copyright © Attribution Non-Commercial (BY-NC)

1.0 PROJECT OVERVIEW
Server Setup
- A Zimbra mail server carrying out the functions of receiving mail for organizational users as well as enabling them to send out mail messages.
- A Samba domain set up to add users and authenticate them against credentials stored in the server.
- A central LDAP server to store user information and provide authentication for the above two services and any other services that may require these.

2.0 THE SYSTEM

Installation Requirements
- CentOS 5.1 setup DVD
- Working internet connection
- A server computer or Linux machine
Installing Zimbra
You can use the link below to install CentOS
http://www.howtoforge.com/zimbra-collaboration-suite-open-source-edition-on-centos
or follow the steps below:

Insert your CentOS 5.1 install CD into your system and boot from it. Hit Enter to start the installation.
Accept the default settings until the Network Devices part. Network Devices gives you the opportunity to enter IP address information for your network. Keep in mind that you cannot run an email server using DHCP. Use the Edit button and enter information appropriate for your network. Don't forget to enter your gateway and nameservers as well.
Then follow the remaining steps using the default settings. Enter a root password for the system. You will then be prompted to choose the packages to install. Uncheck all boxes in the upper pane and check the box for the CentOS Extra Packages in the lower pane. Click the radio button for Customize Now and click Next, as shown in the image below.
A box will pop up verifying your IP address information. The next screen allows you to choose packages for your installation. You should select the following packages:
Applications
  - Editors
  - Text-based Internet
Development
  - Development Libraries
  - Development Tools
  - Legacy Software Development
Base System
  - Base
  - Legacy Software Support
and ensure that gcc and perl are installed in addition to all the other packages.
Start the installation and reboot once the installation has ended.
Once the system reboots you are presented with the firstboot screen to put in your necessary details. You will be prompted to enable the firewall and SELinux. You should disable both, since they will bring problems to the Zimbra installation. The machine should therefore sit behind a firewall, otherwise this will cause security issues.
NB: We will enable the firewall later to allow only the specific ports used by Zimbra.
The system will reboot and load the login screen. Once logged in, disable the loading of the iptables, ip6tables and sendmail services:
chkconfig sendmail off
chkconfig ip6tables off
chkconfig iptables off
Update the entire system. This might take some time depending on the internet speed but is necessary in my experience: it ensures that the packages selected above are the latest and corrects some instabilities that are inherent in CentOS 5.1.
We need one more package before we can continue, and perl should be updated:
yum install libtool-ltdl
yum install perl

Next we set up split DNS, which is essential for ZCS.
This part of the installation works off the assumption that you are behind a firewall. If you are not behind a firewall (not recommended) you can skip this part of the installation.

yum install bind bind-chroot bind-libs bind-utils

REMINDER: Be sure to use the ip address and hostname/FQDN that is appropriate for your
installation.

Create the /var/named/chroot/etc/named.conf file:

vim /var/named/chroot/etc/named.conf

options {
    directory "/var/named";
    dump-file "/var/named/data/cache_dump.db";
    statistics-file "/var/named/data/named_stats.txt";
    // every address in a named.conf address list must end with a semicolon
    forwarders { 212.49.70.11; 212.49.70.12; 212.49.70.23; };
};
include "/etc/rndc.key";
// We are the master server for openworld.co.ke
zone "openworld.co.ke" {
    type master;
    file "db.openworld.co.ke";
};

The forwarders addresses should be those of the upstream DNS servers (your ISP's or your existing internal resolvers); named forwards to them every query that is not for the zone it is master for.

Now you need to create your /var/named/chroot/var/named/db.openworld.co.ke file

vim /var/named/chroot/var/named/db.openworld.co.ke

;
; Addresses and other host information.
;
@ IN SOA openworld.co.ke. hostmaster.openworld.co.ke. (
        10118     ; Serial
        43200     ; Refresh
        3600      ; Retry
        3600000   ; Expire
        2592000 ) ; Minimum
; Define the nameservers and the mail servers.
; NS data must be a host name, not an IP address; the A record below maps that name to the server.
  IN NS openworld.co.ke.
  IN A 192.168.111.113
  IN MX 10 openworld.co.ke.

Change your resolv.conf to use your mail server's IP address as its primary DNS.

vim /etc/resolv.conf

search openworld.co.ke
nameserver 192.168.111.113

Start named on your server

/etc/init.d/named start

Enable autostart for named.

chkconfig named on

To verify that it is working do the following:

nslookup openworld.co.ke

It should return something similar to this:

Server: 192.168.111.113
Address: 192.168.111.113#53
Name: openworld.co.ke
Address: 192.168.111.113

Notice that the ip address returned is the same as the local machine. That means success.

Now we can move on to installing ZCS.

Zimbra mail server installation

Move to the folder containing the extracted ZCS files and run the installer:
./install.sh --platform-override
Answer the installation questions appropriately and, when it gets to the part of setting the host, enter the name of the domain you configured with split DNS. If the computer is not behind a firewall, enter the name of the mail domain of the organization. The Zimbra installation will not work without a domain name that is properly resolved, either internally by split DNS or on the internet.
During the installation the important things to set are the Zimbra admin password, the LDAP root password and the domain name. The hostname entered is used by the OpenLDAP bundled with Zimbra to create the base of its record tree, and everything else in the setup depends on that LDAP tree structure.
After setting up Zimbra correctly, go to the Zimbra Admin Interface:
on the local machine: http://localhost:7071/zimbraAdmin/
on a computer on the network: http://Ip_of_zimbra_server:7071/zimbraAdmin/
and log in as user admin using the password set during the installation.
Deploying Zimbra Posix and Samba Admin Extensions
Installing the zimbra_posixaccount and zimbra_samba extensions for Zimbra Admin:
1. Extract the files from /opt/zimbra/zimlets-admin-extra/zimbra_posixaccount.zip to a folder on your desktop computer, open the zimbra_posixaccount folder and edit config_template.xml.
2. Edit the ldapSuffix property in config_template.xml. This property is the path in your LDAP tree where all Linux and Samba user information will be stored. It is the name of the primary email domain written in LDAP syntax, i.e.
dc=openworld,dc=co,dc=ke
3. Edit the uidBase property in config_template.xml. uidBase is the base for creating Linux user IDs for user accounts that will be stored in LDAP. The first account that you create through the Zimbra Admin UI will have user ID = uidBase+1. If you already have user accounts in your current password database (most likely /etc/passwd) it is recommended that you set this value higher than the highest existing user ID.
4. Edit the gidBase property in config_template.xml. gidBase is the base for creating Linux group IDs for groups that will be stored in LDAP. The first group that you create through the Zimbra Admin UI will have group ID = gidBase+1.
5. Zip all the files in the zimbra_posixaccount folder into zimbra_posixaccount.zip together with the modified config_template.xml (make a flat zip file without folders):
cd zimbra_posixaccount
zip zimbra_posixaccount *.*
6. Log in to Zimbra Admin (https://Ip_of_server:7071/zimbraAdmin) as administrator, navigate to Admin Extensions and deploy the zimbra_posixaccount extension using the zimbra_posixaccount.zip file (refer to the ZCS Admin Guide for more information about installing Admin Extensions).
7. Extract the files from /opt/zimbra/zimlets-admin-extra/zimbra_samba.zip to a folder on your desktop computer and open config_template.xml (this file is in the zimbra_samba folder along with the other extension files).
8. Edit the ldapSuffix, uidBase and gidBase properties using the same values as you used for zimbra_posixaccount.zip.
9. Zip all the files in the zimbra_samba folder into zimbra_samba.zip together with the modified config_template.xml, again as a flat ZIP file, and deploy the zimbra_samba Admin Extension.
10. Reload your Zimbra Admin to initialize the extensions. When the extensions are loaded for the first time, they check whether the OUs defined by the ldapMachineSuffix and ldapGroupSuffix properties in the config_template.xml files exist and create them if they do not.

Configure openLDAP
Search for the samba schema of your samba installation and copy it to the Zimbra openldap schema directory:
cp /usr/share/doc/samba-3.0.28/LDAP/samba.schema /opt/zimbra/openldap/etc/openldap/schema/
nis.schema already exists in /opt/zimbra/openldap/etc/openldap/schema/ for ZCS-5.*.
Edit slapd.conf.in [/opt/zimbra/conf/slapd.conf.in] (not slapd.conf: slapd.conf is regenerated from slapd.conf.in when the zimbra server is restarted, so changes made directly to it are lost).
Add these lines where the other schemas are included:
include "/opt/zimbra/openldap/etc/openldap/schema/nis.schema"
include "/opt/zimbra/openldap/etc/openldap/schema/samba.schema"
Add these after all the other indexes:
#indexes for PAM
index uidNumber eq
index gidNumber eq
index memberUID eq

#indexes for Samba
index sambaSID eq
index sambaPrimaryGroupSID eq
index sambaDomainName eq

After copying the schema and editing slapd.conf.in, restart zimbra (zmcontrol stop, then zmcontrol start) and run these commands as user zimbra (su - zimbra):

zmprov mcf +zimbraAccountExtraObjectClass posixAccount
zmprov mcf +zimbraAccountExtraObjectClass sambaSamAccount

Install and configure nss_ldap

This part installs and configures pam_ldap and nss_ldap. As root:
yum install nss_ldap
This package bundles pam_ldap and nss_ldap on CentOS.
Edit the /etc/ldap.conf file with these values:
host openworld.co.ke
base dc=openworld,dc=co,dc=ke
binddn cn=config
bindpw ldapadmin
rootbinddn uid=zimbra,cn=admins,cn=zimbra
port 389
bind_policy soft
The bindpw value (ldapadmin above) is the LDAP root password. To obtain yours, run this command as zimbra:
zmlocalconfig -s ldap_root_password
Note that /etc/ldap.conf must stay readable by every process that does name lookups, so a bindpw placed in it is readable by every local user; keep that in mind when choosing the bind identity.
Important: a file /etc/ldap.secret should exist containing the password for the uid=zimbra,cn=admins,cn=zimbra user, obtained by running this command as zimbra:
zmlocalconfig -s zimbra_ldap_password
Run this command as user root:
authconfig --enableldap --enableldapauth --disablenis --enablecache \
--ldapserver=openworld.co.ke --ldapbasedn=dc=openworld,dc=co,dc=ke --updateall
This configures /etc/nsswitch.conf, /etc/ldap.conf and /etc/pam.d/system-auth (common-auth, common-session, common-account and common-password).
This command comments out the host line (host openworld.co.ke) in /etc/ldap.conf; re-enable it by uncommenting it.
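The two credential files above deserve a check after authconfig has rewritten them: /etc/ldap.conf has to be world-readable for nss_ldap to work, so a bindpw in it is visible to every local user, while /etc/ldap.secret is only safe when it exists and is readable by root alone. The following audit is an added example and not part of the original document; it takes the two paths as parameters so it can be run against copies, and the demo builds a constructed pair of files in a temporary directory.

```python
"""Audit nss_ldap credential files (added example, not from the document).

Findings returned:
  * a bindpw line in ldap.conf while the file is readable by group/other
    (the CentOS default mode 0644), i.e. the bind password is exposed;
  * rootbinddn set without the ldap.secret file it points to;
  * an ldap.secret that is accessible by group or other (expected 0600).
"""
import os
import stat
import tempfile


def audit_ldap_conf(conf_path, secret_path):
    """Return a list of human-readable findings; an empty list means OK."""
    findings = []

    conf_mode = stat.S_IMODE(os.stat(conf_path).st_mode)
    with open(conf_path) as fh:
        keys = {line.split()[0] for line in fh
                if line.strip() and not line.lstrip().startswith("#")}

    if "bindpw" in keys and conf_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("bindpw is set in %s but the file is readable by "
                        "group/other (mode %o)" % (conf_path, conf_mode))

    if "rootbinddn" in keys and not os.path.exists(secret_path):
        findings.append("rootbinddn is set but %s does not exist" % secret_path)

    if os.path.exists(secret_path):
        secret_mode = stat.S_IMODE(os.stat(secret_path).st_mode)
        if secret_mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("%s is accessible by group/other (mode %o); "
                            "expected 0600" % (secret_path, secret_mode))
    return findings


def demo():
    """Audit a constructed ldap.conf/ldap.secret pair before and after fixing the secret's mode."""
    tmp = tempfile.mkdtemp()
    conf = os.path.join(tmp, "ldap.conf")
    secret = os.path.join(tmp, "ldap.secret")

    # Constructed copy of the /etc/ldap.conf values from the text.
    with open(conf, "w") as fh:
        fh.write("host openworld.co.ke\n"
                 "base dc=openworld,dc=co,dc=ke\n"
                 "binddn cn=config\n"
                 "bindpw ldapadmin\n"
                 "rootbinddn uid=zimbra,cn=admins,cn=zimbra\n"
                 "port 389\n"
                 "bind_policy soft\n")
    os.chmod(conf, 0o644)       # CentOS default for /etc/ldap.conf

    with open(secret, "w") as fh:
        fh.write("constructed-zimbra-ldap-password\n")
    os.chmod(secret, 0o644)     # deliberately too open for the first run

    before = audit_ldap_conf(conf, secret)
    os.chmod(secret, 0o600)     # the fix for /etc/ldap.secret
    after = audit_ldap_conf(conf, secret)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", *before, sep="\n  ")
    print("after:", *after, sep="\n  ")
```

The remaining finding after the chmod is the bindpw itself: tightening the mode of /etc/ldap.conf is not an option, because every process doing NSS lookups reads it, so the only real remedy is to bind with a less privileged identity than the LDAP root DN.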
Install and configure Samba
After installing the server component of CentOS and updating the system packages, at the time of doing this server I have Samba 3.0.28 installed; this has LDAP support enabled.
Make a copy of the existing /etc/samba/smb.conf file for future reference.
cp /etc/samba/smb.conf /etc/samba/smb.conf.old
I like making edits to a samba configuration file and then pushing the configs to the main .conf file using testparm, so as to check for any typing/definition errors in the configs.
cp /etc/samba/smb.conf /etc/samba/smb.conf.master
Edit smb.conf.master and then run
testparm -s /etc/samba/smb.conf.master > /etc/samba/smb.conf
which should work fine if you don't have errors or configs that your samba does not understand.
smb.conf
[global]
    workgroup = OPENWORLD
    netbios name = OPENWORLD_SERVER
    server string = Samba Server Version %v
    passdb backend = ldapsam:ldap://openworld.co.ke/
    log file = /var/log/samba/%m.log
    max log size = 50
    add user script = /usr/sbin/useradd -m "%u"
    add machine script = /usr/sbin/useradd -d /var/lib/nobody -g 100 -s /bin/false -M %u
    logon script = %u.bat
    logon home = \\OPENWORLD_SERVER\Homes\%U
    ; logon path = \\OPENWORLD_SERVER\profiles\%U
    domain logons = Yes
    domain master = Yes
    ldap passwd sync = yes
    ldap admin dn = "cn=config"
    ldap group suffix = ou=groups
    ldap machine suffix = ou=machines
    ldap suffix = dc=openworld,dc=co,dc=ke
    ldap user suffix = ou=people
    cups options = raw
[homes]
    comment = Home Directories
    read only = No
    browseable = No
[printers]
    comment = All Printers
    path = /var/spool/samba
    printable = Yes
    browseable = No
[netlogon]
    comment = Network Logon Service
    path = /var/lib/samba/netlogon
    share modes = No
[profiles]
    comment = Profiles Folder
    path = /var/lib/samba/profiles
    read only = no
    profile acls = yes
The logon path here is commented out so as not to allow roaming profiles for network users. If you want to enable them, uncomment this line.
Run this command to store the LDAP admin password for samba:
smbpasswd -w ldapadmin
Restart samba:
/etc/init.d/smb restart

NB: Ensure that zimbraAccountExtraObjectClass lists only three object classes (amavisAccount, posixAccount, sambaSamAccount). If you have a sambaAccount entry, remove it, since it will cause problems when creating a user.
To check the configured object classes: /opt/zimbra/bin/zmprov gacf | grep zimbraAccountExtraObjectClass
To remove the sambaAccount entry: zmprov mcf -zimbraAccountExtraObjectClass sambaAccount
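That check is easy to get wrong by eye when the list is longer than expected, so here is an added example (not the document's own script) that parses the `zmprov gacf | grep zimbraAccountExtraObjectClass` output, compares it with the three expected classes and prints the zmprov commands that would bring the set in line, removing extras first and then adding anything missing. The sample output it works on is constructed.

```python
"""Reconcile zimbraAccountExtraObjectClass with the expected set (added example)."""

# The three object classes the text expects to be configured.
EXPECTED = {"amavisAccount", "posixAccount", "sambaSamAccount"}

# Constructed sample of what `zmprov gacf | grep zimbraAccountExtraObjectClass`
# prints on a server that still carries a stray sambaAccount entry.
SAMPLE_GACF_OUTPUT = """\
zimbraAccountExtraObjectClass: amavisAccount
zimbraAccountExtraObjectClass: posixAccount
zimbraAccountExtraObjectClass: sambaAccount
zimbraAccountExtraObjectClass: sambaSamAccount
"""


def parse_extra_object_classes(text):
    """Return the set of values listed for zimbraAccountExtraObjectClass."""
    classes = set()
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep and key.strip() == "zimbraAccountExtraObjectClass" and value.strip():
            classes.add(value.strip())
    return classes


def fix_commands(current, expected=EXPECTED):
    """zmprov commands (to run as user zimbra) turning `current` into `expected`.

    Extras are removed before missing classes are added, matching the order
    the text uses (remove sambaAccount, then the + commands).
    """
    cmds = []
    for extra in sorted(current - expected):
        cmds.append("zmprov mcf -zimbraAccountExtraObjectClass %s" % extra)
    for missing in sorted(expected - current):
        cmds.append("zmprov mcf +zimbraAccountExtraObjectClass %s" % missing)
    return cmds


if __name__ == "__main__":
    # Pipe real output in with: zmprov gacf | grep zimbraAccountExtraObjectClass | python thisfile.py
    import sys
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_GACF_OUTPUT
    found = parse_extra_object_classes(text)
    print("configured:", ", ".join(sorted(found)))
    for cmd in fix_commands(found) or ["# object classes already as expected"]:
        print(cmd)
```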
3.0 SYSTEM TESTING
Test the Server
Go back to the Zimbra admin UI. Go to Posix Groups, click the tab for Samba and select the Samba domain name from the drop-down menu. Once you have saved the Samba domain in the Posix group, click "New". If you do not know what to type in the group type field, type 2; this is the default value.
To test whether PAM on your Samba server is reading the group information correctly from the Zimbra LDAP, go back to your Samba server shell and run this command as root:
getent group
You should see the group(s) that you just created in the list that is produced.
Back in the Zimbra Admin UI, go to Accounts and hit New, fill in the information on the first screen and follow the wizard to the Posix Account screen. Fill in all the required fields on the Posix Account screen and click Next to go to the Samba Account screen. To test whether PAM on your Samba server is reading the user information correctly from the Zimbra LDAP, go back to your Samba server shell and run this command as root:
getent passwd
You should see the Zimbra accounts that you just created in the list.

Create a home folder for the new Zimbra user and try to switch to the newly created user. In this example I create a user usertest with home folder /home/usertest:

su - usertest

Now test whether Samba authenticates your new user correctly. Go to the shell on your Zimbra server and run this command as root:
smbclient -U usertest //openworld.co.ke/usertest

It should prompt you for the password and then log in to the user's home folder on the Samba server.

Next, log in to Zimbra Admin UI, click on Aliases and remove [email protected] alias. Then run
smbpasswd -a root

and enter the samba root user password.

To add posixAccount attributes to previously established users (created before the LDAP schema change) you can run this command:

zmprov ma [email protected] +objectClass posixAccount uidNumber 10003 gidNumber 10001 homeDirectory /home/admin loginShell /bin/bash

and to add the sambaSamAccount attributes run:

zmprov ma [email protected] +objectClass sambaSamAccount sambaDomainName GREGZIMBRA1 sambaSID S-1-5-21-3745602466-621825477-2613676135-21006 sambaAcctFlags [UX]

Create an "admins" group using the Zimbra Admin UI; on the Samba tab select the special Windows group type "Domain Admins". Then you need to grant privileges to this group. Run the following command as root on your Samba server:

net rpc rights grant "OPENWORLD\Admins" SeAddUsersPrivilege SeMachineAccountPrivilege SePrintOperatorPrivilege

Log in to a Windows desktop as a local administrator and join the Samba domain, using a member of the "Domain Admins" group to join. After you have joined the domain, verify that the machine account was added to the LDAP directory.

4.0 MIGRATION
Samba accounts Migration
Referring to this...

Must be identical:
- domain SID: run the command on your current server
  net getlocalsid
  Copy this value, go to the zimbra samba admin UI and edit the APHRC domain SID value by copying this value there.
- user & machine RIDs: taken care of when joining machines to the domain or transferring the mail accounts.
- machine account password hashes
- logon scripts (drive assignments)

Should be identical (not critical):
- user account password hashes: the password here changes to the email password, so we don't migrate these.
- server & share names: the server name is different.

Can be all different:
- backend: Linux server
- management: the Zimbra admin management UI

Mail migration
Transfer/Create the users
Obtain the list of usernames and passwords from Qmail by going to the server's vqadmin interface
http://IP_of_qmail_server/cgi-bin/vqadmin/vqadmin.cgi
Here you will be prompted for an admin password. For the username, enter the name shown in the prompt. The system/network administrator that set up the server should have this.
Upon successful login you can view the current usernames and passwords in the system, together with the respective names, by specifying a particular domain. Use these to create a list in this fashion:
test:test123:Test Account
amaina:hispsswd:Antony Maina
athithu:herpsswd:Alice Thithu
Give this file a name, e.g. psswd_name.
Go to the Zimbra wiki, to the page with the heading User Migration, and copy the Perl script that creates Zimbra accounts from the above data. Modify it to fit the current scenario's needs. I have included my modified script in the containing folder under the name passwd2zmprov. To run the script with the data from psswd_name, run this command as root:
perl passwd2zmprov -domain aphrc.org < psswd_name > create_users.zmp
The output file create_users.zmp contains commands that zimbra can take in and process, such as:
ca "[email protected]" "hispasswd" uidNumber "10017" gidNumber "10009" givenName "Antony" sn "Maina" cn "amaina" displayName "Antony Maina" loginShell "/bin/bash/" sambaSID "S-1-5-21-2015017091-1876940603-389962325-21034" homeDirectory "/home/amaina" zimbraNotes "Migrated Thu Aug 7 19:57:11 2008" zimbraPasswordMustChange FALSE
To create the zimbra users, run this command as user zimbra:
zmprov < create_users.zmp
Go to the zimbra admin UI, click on Accounts and you should see the list of user accounts created by the above command.
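The conversion step above is worth seeing end to end, because the sample output line encodes two decisions the text does not spell out: how uidNumber values are assigned and how sambaSID is derived from them. The following is an added example written in the spirit of the passwd2zmprov script; it is not that script and not from the Zimbra wiki. Its labelled assumptions are that uidNumber values are handed out sequentially from UID_BASE + 1 (the way the extensions' uidBase setting works), that every migrated user gets one fixed gidNumber, and that sambaSID is the domain SID followed by Samba's algorithmic RID, uid * 2 + 1000 (the default `algorithmic rid base`), which reproduces the sample line above: uidNumber 10017 gives RID 21034. The domain SID and the input list in the block are constructed.

```python
"""Convert a `user:password:Full Name` list into zmprov `ca` commands.

Added example; not the document's passwd2zmprov script.  Pipe the output
into `zmprov` as user zimbra, as the text does with create_users.zmp.
"""
import time

# Constructed domain SID: take the real one from `net getlocalsid` on the old server.
DOMAIN_SID = "S-1-5-21-2015017091-1876940603-389962325"
UID_BASE = 10016      # assumption: the first migrated user receives uidNumber 10017
USERS_GID = 10009     # assumption: gidNumber of the users group created in Zimbra Admin
RID_BASE = 1000       # Samba default `algorithmic rid base`

# Constructed input in the text's `user:password:Full Name` format.
SAMPLE_LIST = """\
test:test123:Test Account
amaina:hispsswd:Antony Maina
athithu:herpsswd:Alice Thithu
"""


def user_rid(uid_number, rid_base=RID_BASE):
    """Samba's algorithmic uid -> RID mapping (group RIDs use gid*2 + rid_base + 1)."""
    return uid_number * 2 + rid_base


def split_name(full_name):
    """Split 'First Middle Last' into (givenName, sn); a lone name is used for both."""
    parts = full_name.split()
    if not parts:
        return "", ""
    if len(parts) == 1:
        return parts[0], parts[0]
    return " ".join(parts[:-1]), parts[-1]


def q(value):
    """Double-quote a value for a zmprov batch file, escaping embedded quotes."""
    return '"%s"' % value.replace("\\", "\\\\").replace('"', '\\"')


def passwd_to_zmprov(text, domain, domain_sid=DOMAIN_SID, uid_base=UID_BASE,
                     gid=USERS_GID, stamp=None):
    """Return one `ca` line per well-formed input line; blank/malformed lines are skipped."""
    stamp = stamp or time.strftime("%a %b %d %H:%M:%S %Y")
    commands = []
    uid = uid_base
    for raw in text.splitlines():
        fields = raw.split(":", 2)          # password may not contain ':' here
        if len(fields) != 3 or not fields[0].strip():
            continue
        login, password, full_name = (f.strip() for f in fields)
        uid += 1
        given, sn = split_name(full_name)
        attrs = [
            ("uidNumber", str(uid)),
            ("gidNumber", str(gid)),
            ("givenName", given),
            ("sn", sn),
            ("cn", login),
            ("displayName", full_name),
            ("loginShell", "/bin/bash"),
            ("sambaSID", "%s-%d" % (domain_sid, user_rid(uid))),
            ("homeDirectory", "/home/%s" % login),
            ("zimbraNotes", "Migrated %s" % stamp),
            ("zimbraPasswordMustChange", "FALSE"),
        ]
        line = "ca %s %s " % (q("%s@%s" % (login, domain)), q(password))
        line += " ".join("%s %s" % (name, q(val)) for name, val in attrs)
        commands.append(line)
    return commands


if __name__ == "__main__":
    # Equivalent of `perl passwd2zmprov -domain aphrc.org < psswd_name > create_users.zmp`.
    for cmd in passwd_to_zmprov(SAMPLE_LIST, "aphrc.org"):
        print(cmd)
```

Because the RID is a pure function of the uidNumber, the same uidBase must be used on the Zimbra side as on any other server that still derives RIDs algorithmically from the same accounts, otherwise the SIDs in LDAP and the SIDs Windows clients already hold for those users will not agree.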
Transfer the mail
To migrate the email contents, copy a batch-migrate script from the above-mentioned source and modify it to suit the current scenario. Find the perl script that I used in the containing folder: batch_process. This file requires as input a userlist.txt file that contains mail account usernames and passwords in this fashion:
user1:password1
user2:password2
Run as root
perl batch_process
This should transfer mail from the current server to the new one.

Mail Transfer
Install imapsync using the following script:
#!/bin/bash
#CopyLeft 2006 Steve Fink
#stevef-at-ublug.org
#This script will get all of the necessary packages to build imapsync 1.219 except OpenSSL.
#OpenSSL & its development libraries are required; OpenSSL is usually installed already, so check and get the matching libraries.
#You have to run this script as root or under sudo so it can do all the installs. I don't recommend doing the extended tests; they mostly fail anyway but imapsync still works.
mkdir imapsync
cd imapsync

wget http://search.cpan.org/CPAN/authors/id/D/DC/DCONWAY/Parse-RecDescent-1.94.tar.gz
tar xvfpz Parse-RecDescent-1.94.tar.gz
rm Parse-RecDescent-1.94.tar.gz
cd Parse-RecDescent-1.94/
perl Makefile.PL
make
make install
#
cd ..
wget http://search.cpan.org/CPAN/authors/id/G/GA/GAAS/Digest-MD5-2.33.tar.gz
tar xvfpz Digest-MD5-2.33.tar.gz
rm Digest-MD5-2.33.tar.gz
cd Digest-MD5-2.33/
perl Makefile.PL
make
make install
#
cd ..
wget http://search.cpan.org/CPAN/authors/id/J/JS/JSTOWE/TermReadKey-2.30.tar.gz
tar xvfpz TermReadKey-2.30.tar.gz
rm TermReadKey-2.30.tar.gz
cd TermReadKey-2.30/
perl Makefile.PL
make
make install
#
cd ..
wget http://search.cpan.org/CPAN/authors/id/A/AS/ASPA/IO-Socket-SSL-0.81.tar.gz
tar xvfpz IO-Socket-SSL-0.81.tar.gz
rm IO-Socket-SSL-0.81.tar.gz
cd IO-Socket-SSL-0.81/
perl Makefile.PL
make
make install
#
cd ..
wget http://search.cpan.org/CPAN/authors/id/F/FL/FLORA/Net_SSLeay.pm-1.30.tar.gz
tar xvfpz Net_SSLeay.pm-1.30.tar.gz
rm Net_SSLeay.pm-1.30.tar.gz
cd Net_SSLeay.pm-1.30/
./Makefile.PL -t
make install
#
cd ..
wget http://search.cpan.org/CPAN/authors/id/D/DJ/DJKERNEN/Mail-IMAPClient-2.2.9.tar.gz
tar xvfpz Mail-IMAPClient-2.2.9.tar.gz
rm Mail-IMAPClient-2.2.9.tar.gz
cd Mail-IMAPClient-2.2.9/
perl Makefile.PL
make
make test
make install
#
cd ..
wget http://www.linux-france.org/prj/imapsync/dist/imapsync-1.219.tgz
tar xvfpz imapsync-1.219.tgz
rm imapsync-1.219.tgz
cd imapsync-1.219/
perl -c imapsync
make install
#
cd ..
cd ..
rm -Rf imapsync/
Then run the following command after installation to synchronize mail between the two servers:
imapsync --host1 mail.itura.net --user1 [email protected] --password1 kevin --host2 linuxbox.bimsoft.co.ke --user2 [email protected] --password2 daddida24 --noauthmd5

5.0 SYSTEM EVALUATION

The system is functional and provides the required services.
The LDAP server will be extended to provide a password back end for other network applications such as the Plone website.
A way to migrate machine accounts from one LDAP database to another is being explored.
