On 08/16/2011 03:50 PM, Ryan Thomson wrote:
> Hello,
>
> I'm trying to follow various steps and instructions I've found online for
> extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have
> mostly gone well but I've hit a road block that I can't quite figure out.
>
> Basically, I'm trying to get every new group added to FreeIPA (either via CLI
> or Web UI) to automagically become a valid samba group with sambaGroupMapping
> (and thus sambaSid and sambaGroupType).
>
> Here's what I've done this far:
>
> 1. Added an ipaUserObjectClasses attribute with value sambaSAMAccount to
> cn=ipaConfig,cn=etc,$SUFFIX. This works as expected for generating Samba
> hashes for users on password changes.
>
> 2. Configured the DNA plugin to automatically add a sambaSid attribute to
> every user with a sambaSAMAccount objectClass and group with
> sambaGroupMapping objectClass:
>
> # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-3180075094-3347106287-3821849995-
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> dnascope: dc=fmri,dc=ubc,dc=ca
> cn: SambaSid
> dnanextvalue: 15289
>
> This works as expected.
>
> 3. Added an ipaGroupObjectClasses attribute with value sambaGroupMapping to
> cn=ipaConfig,cn=etc,$SUFFIX. This works as expected, adding the objectClass
> sambaGroupMapping to every new group (and thus requiring sambaSid and
> sambaGroupType attributes).
>
> 4. Extended the schema (correct terminology?) using ipaCustomFields with
> (unquoted) value "Samba Group Type,sambagrouptype,true".
>
> 5. Extended the CLI in group.py (.../site-packages/ipalib/plugins/group.py)
> like so:
>
> --- group.py.orig 2011-08-15 14:59:48.570715207 -0700 > +++ group.py 2011-08-16 12:43:43.493236507 -0700
> @@ -118,6 +118,13 @@ > label=_('GID'), > doc=_('GID (use this option to set it manually)'), > ), > + Int('sambagrouptype', > + cli_name='sgt', > + label=_('Samba Group Type'), > + doc=_('Samba Group Type (default is 4)'), > + default=4, > + autofill=True, > + ), > ) > > api.register(group)
>
>
> However, when I try to add a group with "ipa group-add groupname
> --desc="Group desc" I get the following output:
>
> ipa: ERROR: missing attribute "sambaGroupType" required by object class
> "sambaGroupMapping"
>
> and if I turn on the debugging, I see the following lines:
>
> ipa: DEBUG: raw: group_add(u'groupname', description=u'Group desc',
> sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
> ipa: DEBUG: group_add(u'groupname', description=u'Group desc',
> sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
>
> Which looks like my edit of group.py is doing what I expected it to do... but
> the IPA server is still returning the missing attribute error.
>
> However, if I use --addattr="sambagrouptype=4" as an argument to ipa
> group-add, it works fine and the attribute is added and the group is created.
>
> What am I missing?
>
> Thank you,
>
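Review bot: the added Int('sambagrouptype', ...) in this hunk accepts any integer, and its doc string says only "default is 4", so nothing stops a meaningless group type from being written into sambaGroupType. Bound the value (for example with minvalue/maxvalue on the Int, or a check against the group types Samba defines) and state in doc what 4 stands for. cli_name='sgt' is also terse; a name closer to the attribute would be easier to find in the command help. Because the target is the installed copy under site-packages, a package update will overwrite the edit, so carry it as a tracked patch or a separate plugin file.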
Should we open a ticket and have a way to just turn this integration on?
Something like ipa-server-install install flag --samba-integration.
Then it will translate into enabling all of the above at the install time or after.

--
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
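An offline check for the setup described in steps 2 and 3 of the quoted message, as an added example that is not code from the thread or from FreeIPA: it reads an LDIF export of group entries and reports any sambaGroupMapping entry that lacks a required attribute or whose sambaSID does not carry the DNA prefix. The MUST list is taken from Samba's samba.schema and is an assumption about the schema the server loads; the function names and the sample LDIF are constructed for illustration.

```python
# Added example. MUST list as in Samba's samba.schema (assumption: server loads it).
SAMBA_GROUP_MUST = ("gidNumber", "sambaSID", "sambaGroupType")
DNA_PREFIX = "S-1-5-21-3180075094-3347106287-3821849995-"  # dnaprefix from the post
# Constructed sample LDIF (not real directory data).
SAMPLE_LDIF = """\
dn: cn=good,cn=groups,cn=accounts,dc=fmri,dc=ubc,dc=ca
objectClass: posixGroup
objectClass: sambaGroupMapping
gidNumber: 5001
sambaSID: S-1-5-21-3180075094-3347106287-3821849995-15289
sambaGroupType: 4

dn: cn=notype,cn=groups,cn=accounts,dc=fmri,dc=ubc,dc=ca
objectClass: posixGroup
objectClass: sambagroupmapping
gidNumber: 5002
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-15290
"""

def parse_ldif(text):
    """Parse simple (unwrapped, non-base64) LDIF into {attr_lower: [values]} dicts."""
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def audit(entries):
    """Return {dn: [problems]} for entries that carry sambaGroupMapping."""
    report = {}
    for e in entries:
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "sambagroupmapping" not in classes:
            continue
        problems = [f"missing {a}" for a in SAMBA_GROUP_MUST if a.lower() not in e]
        for sid in e.get("sambasid", []):
            rid = sid[len(DNA_PREFIX):]
            if not sid.startswith(DNA_PREFIX) or not rid.isdigit():
                problems.append(f"sambaSID {sid} is not {DNA_PREFIX}<RID>")
        if problems:
            report[e["dn"][0]] = problems
    return report

if __name__ == "__main__":
    for dn, problems in audit(parse_ldif(SAMPLE_LDIF)).items():
        print(dn, "->", "; ".join(problems))
```
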