On Sat, Dec 5, 2009 at 5:20 PM, Simo Sorce <sso...@redhat.com> wrote:
> On Thu, 2009-12-03 at 10:14 -0600, Michael Wisniewski wrote:
>> I've discovered that back in September, a user was attempting to use
>> FreeIPA as a password backend to Samba. I've followed the
>> instructions from Loris, but ran into a problem. Whenever I create a
>> new group, I get the following error through the web interface...
>> Group add failed: A database error occurred
>> Object class violation. missing attribute "sambaGroupType" required by
>> object class "sambaGroupMapping"
>> If I use the command line 'ipa-addgroup', I get a similar error.
> It looks like sambaGroupType is a required attribute for the
> sambaGroupMapping objectclass and it is not being added.
> You need to make sure to add a custom sambaGroupType attribute when you
> create the group.
You are correct, this did the trick. I'm not sure why this is
required yet...I'm still working on it.
>> However, if I use a ldif and set everything, it works...
>> # ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
>> # cat /tmp/s1.ldif
>> dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: posixGroup
>> cn: Cyber
>> description: Cyber Security Group
>> gidNumber: 1005
>> Now the strange thing. While I did add the "sambaGroupMapping", I
>> don't see it when I do a ldapsearch and view the group. Also, if I
>> add my user to the newly created group and run "id", it doesn't show
>> up that I belong to that group.
> That may be due to nscd caching; make sure to reload/restart nscd when
> you change group memberships if you need to see the result immediately.
> The default group cache timeout can even be 1h on some systems.
What happened is that on the freeipa server, it seemed to
automatically fix itself the next day. I'm guessing that if I
restarted nscd, as you suggested, it would have been fine.
The other issue I was running into was that the remote system that I
have configured for ldap authentication wasn't seeing the new group.
It showed the 'ipauser' group for myself, but not the new one.
This was something I forgot to do: add the nss_base_group to the
ldap.conf on the remote system. After I did this, everything is fine.
Freeipa-users mailing list
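The object class violation discussed in this thread (sambaGroupMapping rejecting an entry without sambaGroupType) is caught by the server only at add time. The script below is an added example, not code from the thread or from FreeIPA/Samba: it parses a minimal LDIF file and checks each entry's objectClass values against a small table of required attributes before anything is sent to the directory. The REQUIRED_ATTRS table is a simplified subset assumed for this example (the authoritative list is the server's own cn=schema), and the sample entries, including the sambaSID value, are constructed placeholders.

```python
"""Pre-flight check for LDIF entries: parse the LDIF, look up each
objectClass's required (MUST) attributes, and report what is missing
before the entry is submitted to the directory."""
from typing import Dict, List

# Simplified subset of MUST attributes per object class, assumed for this
# example only; verify against your server's cn=schema before relying on it.
REQUIRED_ATTRS: Dict[str, List[str]] = {
    "top": ["objectclass"],
    "groupofnames": ["cn"],
    "posixgroup": ["cn", "gidnumber"],
    "sambagroupmapping": ["gidnumber", "sambasid", "sambagrouptype"],
}


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Parse minimal LDIF (attr: value lines, blank-line separated entries,
    space-folded continuation lines; no base64 '::' values or changetypes).
    Attribute names are lower-cased, values are kept as written."""
    entries: List[Dict[str, List[str]]] = []
    current: Dict[str, List[str]] = {}
    last_attr = None
    for line in text.splitlines():
        if line.startswith("#"):
            continue
        if not line.strip():
            if current:
                entries.append(current)
            current, last_attr = {}, None
            continue
        if line.startswith(" ") and last_attr is not None:
            # LDIF folds long values onto following lines prefixed by one space
            current[last_attr][-1] += line[1:]
            continue
        if ":" not in line:
            raise ValueError(f"malformed LDIF line: {line!r}")
        attr, _, value = line.partition(":")
        attr = attr.strip().lower()
        current.setdefault(attr, []).append(value.strip())
        last_attr = attr
    if current:
        entries.append(current)
    return entries


def missing_required(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {objectClass: [missing attributes]} for every declared class
    whose required attributes are absent; an empty dict means the entry is
    clean with respect to the table above."""
    problems: Dict[str, List[str]] = {}
    for oc in entry.get("objectclass", []):
        required = REQUIRED_ATTRS.get(oc.lower())
        if required is None:
            continue  # class not in our table: nothing to check
        missing = [a for a in required if a not in entry]
        if missing:
            problems[oc] = missing
    return problems


def check_ldif(text: str) -> Dict[str, Dict[str, List[str]]]:
    """Map each entry's dn to its missing-attribute report; entries with no
    problems are omitted, so an empty dict means the whole file passes."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        problems = missing_required(entry)
        if problems:
            report[dn] = problems
    return report


# Constructed sample: the thread's group entry with sambaGroupMapping added
# but the class's required Samba attributes left out.
BROKEN_LDIF = """\
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
"""

# Constructed sample: the same entry with the Samba attributes supplied.
# The SID is a placeholder, not a real domain SID.
FIXED_LDIF = BROKEN_LDIF + """\
sambaSID: S-1-5-21-0-0-0-2005
sambaGroupType: 2
"""

if __name__ == "__main__":
    for name, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        print(name, check_ldif(ldif) or "ok")
```

Running the script reports the sambaGroupMapping class as missing sambaSID and sambaGroupType for the broken entry and nothing for the fixed one; the same check can be run over a whole LDIF file before handing it to ldif2ldap or ldapadd.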