I'm trying to follow various steps and instructions I've found online for 
extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have 
mostly gone well but I've hit a roadblock that I can't quite figure out.

Basically, I'm trying to get every new group added to FreeIPA (either via CLI 
or Web UI) to automagically become a valid samba group with sambaGroupMapping 
(and thus sambaSid and sambaGroupType).

Here's what I've done thus far:

1. Added an ipaUserObjectClasses attribute with value sambaSAMAccount to 
cn=ipaConfig,cn=etc,$SUFFIX. This works as expected for generating Samba hashes 
for users on password changes.

2. Configured the DNA plugin to automatically add a sambaSid attribute to every 
user with a sambaSAMAccount objectClass and group with sambaGroupMapping:

# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-3180075094-3347106287-3821849995-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=fmri,dc=ubc,dc=ca
cn: SambaSid
dnanextvalue: 15289

This works as expected.

3. Added an ipaGroupObjectClasses attribute with value sambaGroupMapping to 
cn=ipaConfig,cn=etc,$SUFFIX. This works as expected, adding the objectClass 
sambaGroupMapping to every new group (and thus requiring sambaSid and 
sambaGroupType attributes).

4. Extended the schema (correct terminology?) using ipaCustomFields with 
(unquoted) value "Samba Group Type,sambagrouptype,true".

5. Extended the CLI in group.py (.../site-packages/ipalib/plugins/group.py) 
like so:

--- group.py.orig       2011-08-15 14:59:48.570715207 -0700
+++ group.py    2011-08-16 12:43:43.493236507 -0700
@@ -118,6 +118,13 @@
             doc=_('GID (use this option to set it manually)'),
+        Int('sambagrouptype',
+            cli_name='sgt',
+            label=_('Samba Group Type'),
+            doc=_('Samba Group Type (default is 4)'),
+            default=4,
+            autofill=True,
+        ),
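
Review bot: the doc string on the new Int('sambagrouptype', ...) parameter says only "Samba Group Type (default is 4)" and nothing on the parameter limits the value, so the CLI help does not tell an admin what 4 selects and any integer would be accepted. Suggest stating the meaning of the value in doc=, bounding the accepted range on the parameter, and using a more descriptive cli_name than 'sgt'. The change is also made in place to group.py under site-packages, so a package update would silently drop it; carrying it as a tracked patch against the packaged file would make that loss visible.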

However, when I try to add a group with 'ipa group-add groupname --desc="Group 
desc"', I get the following output:

ipa: ERROR: missing attribute "sambaGroupType" required by object class 

and if I turn on the debugging, I see the following lines:

ipa: DEBUG: raw: group_add(u'groupname', description=u'Group desc', 
sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
ipa: DEBUG: group_add(u'groupname', description=u'Group desc', 
sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')

Which looks like my edit of group.py is doing what I expected it to do... but 
the IPA server is still returning the missing attribute error.

However, if I use --addattr="sambagrouptype=4" as an argument to ipa group-add, 
it works fine and the attribute is added and the group is created.

What am I missing?

Thank you,

Ryan Thomson
Systems Administrator, UBC PET

