On Thu, 2009-12-03 at 10:14 -0600, Michael Wisniewski wrote:
> Hi,
> I've discovered that back in September, a user was attempting to use
> FreeIPA as a password backend to Samba.  I've followed the
> instructions from Loris, but ran into a problem.  Whenever I create a
> new group, I get the following error through the web interface...
> Group add failed: A database error occurred
> Object class violation. missing attribute "sambaGroupType" required by
> object class "sambaGroupMapping"
> If I use the command line 'ipa-addgroup', I get a similar error.

It looks like sambaGroupType is a required attribute for the
sambaGroupMapping objectclass and it is not being added.

You need to make sure to add a custom sambaGroupType attribute when you
create the group.

> However, if I use a ldif and set everything, it works...
> # ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
> # cat /tmp/s1.ldif
> dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
> objectClass: top
> objectClass: groupofnames
> objectClass: posixGroup
> cn: Cyber
> description: Cyber Security Group
> gidNumber: 1005
> Now the strange thing.  While I did add the "sambaGroupMapping", I
> don't see it when I do a ldapsearch and view the group.  Also, if I
> add my user to the newly created group and run "id", it doesn't show
> up that I belong to that group.

That may be due to nscd caching; make sure to reload/restart nscd when
you change group memberships if you need to see the result immediately.
The default group cache timeout can even be 1h on some systems.

> If anybody can help me with this, that would be great.  Since I'm just
> starting, if somebody says FreeIPA v2 has this already, I don't mind
> switching to it.

v2 is a bit experimental at the moment. It is great if you want to see
what's going on and help testing but it is not production ready.


Simo Sorce * Red Hat, Inc * New York
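
Added example, not part of the original thread or of FreeIPA's own code: a small Python pre-flight check that reports which MUST attributes an LDIF entry lacks for posixGroup and sambaGroupMapping, the condition behind the "Object class violation" error quoted above. The MUST lists are assumed to match the RFC 2307 and Samba 3 schemas loaded in the directory; the function names, the sambaSID and the sambaGroupType value are constructed for illustration.

```python
# MUST attributes per objectClass (assumed: RFC 2307 posixGroup, Samba 3
# sambaGroupMapping). Object classes not listed here are not checked.
REQUIRED = {
    "posixgroup": {"cn", "gidnumber"},
    "sambagroupmapping": {"gidnumber", "sambasid", "sambagrouptype"},
}

def parse_entry(ldif_text):
    """Parse a single LDIF entry into {attr_lowercase: [values]} (no base64 values)."""
    attrs, last = {}, None
    for line in ldif_text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        if line.startswith(" ") and last:      # folded continuation line
            attrs[last][-1] += line[1:]
            continue
        name, _, value = line.partition(":")
        last = name.strip().lower()
        attrs.setdefault(last, []).append(value.strip())
    return attrs

def missing_required(ldif_text):
    """Return {objectClass: sorted missing MUST attrs} for classes on the entry."""
    attrs = parse_entry(ldif_text)
    present = set(attrs) - {"dn", "objectclass"}
    report = {}
    for oc in attrs.get("objectclass", []):
        lacking = REQUIRED.get(oc.lower(), set()) - present
        if lacking:
            report[oc] = sorted(lacking)
    return report

# The entry as quoted in the thread: it carries no sambaGroupMapping objectClass.
POSTED = """\
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
"""
# Constructed variants: objectClass added alone, then with its MUST attributes.
WITH_MAPPING = POSTED + "objectClass: sambaGroupMapping\n"
COMPLETE = WITH_MAPPING + ("sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3011\n"
                           "sambaGroupType: 2\n")  # constructed sample values

if __name__ == "__main__":
    for label, ldif in (("posted", POSTED), ("with mapping", WITH_MAPPING), ("complete", COMPLETE)):
        print(label, missing_required(ldif) or "ok")
```
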

Freeipa-users mailing list
