On Sat, Dec 5, 2009 at 5:20 PM, Simo Sorce <sso...@redhat.com> wrote:
> On Thu, 2009-12-03 at 10:14 -0600, Michael Wisniewski wrote:
>> Hi,
>>
>> I've discovered that back in September, a user was attempting to use
>> FreeIPA as a password backend to Samba. I've followed the
>> instructions from Loris, but ran into a problem. Whenever I create a
>> new group, I get the following error through the web interface...
>>
>>
>> Group add failed: A database error occurred
>> Object class violation. missing attribute "sambaGroupType" required by
>> object class "sambaGroupMapping"
>>
>> If I use the command line 'ipa-addgroup', I get a similar error.
>
> It looks like sambaGroupType is a required attribute for the
> sambaGroupMapping objectclass and it is not being added.
>
> You need to make sure to add a custom sambaGroupType attribute when you
> create the group.
>

You are correct, this did the trick. I'm not sure why this is required
yet... I'm still working on it.

>> However, if I use an ldif and set everything, it works...
>>
>> # ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
>> # cat /tmp/s1.ldif
>> dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: posixGroup
>> cn: Cyber
>> description: Cyber Security Group
>> gidNumber: 1005
>>
>> Now the strange thing. While I did add the "sambaGroupMapping", I
>> don't see it when I do a ldapsearch and view the group. Also, if I
>> add my user to the newly created group and run "id", it doesn't show
>> up that I belong to that group.
>
> That may be due to nscd caching, make sure to reload/restart nscd when
> you change group memberships if you need to see the result immediately.
> The default group cache timeout can even be 1h on some systems.
>

What happened is that on the freeipa server, it seemed to automatically
fix itself the next day. I'm guessing that if I restarted nscd, as you
suggested, it would have been fine.

The other issue I was running into was on the remote system that I have
configured for ldap authentication: it wasn't seeing the new group. It
showed the 'ipauser' group for myself, but not the new one. This was
something I forgot to do: add the nss_base_group to the ldap.conf on the
remote system. After I did this, everything is fine.

Thanks!
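
The object class violation discussed in this thread can be caught before an LDIF is loaded into the directory. The following is an added example, not code from the thread or from FreeIPA: it assumes the stock Samba schema's MUST list for sambaGroupMapping (gidNumber, sambaSID, sambaGroupType) and RFC 2307's for posixGroup, and the sample entry's SID value is constructed.

```python
import base64

# MUST attributes per class (sambaGroupMapping: stock Samba schema, assumed).
REQUIRED = {"sambagroupmapping": ("gidnumber", "sambasid", "sambagrouptype"),
            "posixgroup": ("cn", "gidnumber")}

def parse_ldif(text):
    """Return entries as dicts of lowercased attribute -> list of values."""
    lines = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:   # folded line continues previous
            lines[-1] += raw[1:]
        else:
            lines.append(raw)
    entries, current = [], {}
    for line in lines + [""]:               # trailing "" flushes last entry
        if not line.strip():
            if current:
                entries.append(current)
            current = {}
        elif not line.startswith("#"):
            attr, _, value = line.partition(":")
            if value.startswith(":"):       # "attr:: <base64 value>"
                value = base64.b64decode(value[1:].strip()).decode("utf-8")
            current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def missing_required(text):
    """Map each DN to the (objectClass, attribute) pairs the entry lacks."""
    report = {}
    for entry in parse_ldif(text):
        classes = [v.lower() for v in entry.get("objectclass", [])]
        gaps = [(oc, a) for oc in classes for a in REQUIRED.get(oc, ())
                if a not in entry]
        if gaps:
            report[entry.get("dn", ["<no dn>"])[0]] = gaps
    return report

# Constructed sample: thread's group plus sambaGroupMapping, no sambaGroupType.
SAMPLE = """\
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Cyber
gidNumber: 1005
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3011
"""

if __name__ == "__main__":
    print(missing_required(SAMPLE))
```

An empty result means every entry carries the attributes its listed object classes require; the server's own schema remains the authority if it differs from the assumed lists.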