Hello again,

Just realised by re-reading this thread that I still needed to create the DNA plugin. I've now done that and I can add users, sorry for being stupid...

Dylan.

On 3 June 2014 14:44, Dylan Evans <[email protected]> wrote:
> Hi Petr & Sumit,
>
> I've been trying to get further with my setup.
>
> 1. Thanks Petr, the groups.js plugin seems to work fine, it shows the
> correct info on the GUI screen and seems to be ok.
>
> 2. Sumit, I'm afraid that I'm having a few more problems after running
> "ipa-adtrust-install --add-sids". I cannot now add any users on the
> server (Fedora 20, ipa-server 3.3.5-1) via the command-line or GUI. I
> get the following error:
>
> GUI:
> IPA Error 4205
> missing attribute: "sambaSID" required by object class "sambaSamAccount"
>
> Command-line:
> ipa user-add test1234 .....
> ipa: ERROR: missing attribute "sambaSID" required by object class
> "sambaSamAccount"
>
> Also, when editing an existing user, there is no sambaSID field
> available to edit.
>
> If you have any ideas, please let me know.
>
> Thanks,
>
> Dylan.
>
>
> On 26 May 2014 11:40, Petr Vobornik <[email protected]> wrote:
>> On 23.5.2014 16:31, Dylan Evans wrote:
>>>
>>> Hi Sumit and Petr,
>>>
>>> Thanks both of you for your replies, I've now got to go and try to
>>> implement all your suggestions but I have some more questions, sorry!
>>> The guide at techslaves was fine, I just got stuck with the changes in
>>> the JavaScript packages and the Samba server questions.
>>>
>>> 1. Petr, I put your samba.js plugin into
>>> /usr/share/ipa/ui/js/plugins/samba but you'll have to pardon my lack
>>> of JS knowledge, anything more than simple Bash scripts tends to leave
>>> me confused! Do I need to do anything else apart from restart the IPA
>>> service? I read your info at
>>> http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins which says the
>>> plugins have to be registered, but I couldn't work out if it's a
>>> manual process or if it's done by /usr/share/ipa/wsgi/plugins.py on
>>> restart? I'll add the relevant bits to /usr/share/ipa/wsgi/plugins.py
>>> for the CLI as well.
>>
>> Should be automatically handled by the plugin.py wsgi handler and related
>> logic in Web UI. Just make sure that the file and the directory have the
>> same names (except the extension in the file's case, of course).
>>
>>> 2. Sumit, thanks for the info on Samba, I'll have to leave that now
>>> and try it next week. BTW, the version of Samba I'm testing against is
>>> 3.6.9-168 on CentOS 6.5.
>>>
>>> Thanks again for your information and patience,
>>>
>>> Dylan.
>>>
>>> On 22 May 2014 14:19, Petr Vobornik <[email protected]> wrote:
>>>> On 22.5.2014 14:19, Sumit Bose wrote:
>>>>> On Tue, May 20, 2014 at 02:00:18PM +0100, Dylan Evans wrote:
>>>>>> Hello,
>>>>>>
>>>>>> I need some help with getting Samba and FreeIPA working together.
>>>>>>
>>>>>> I’ve been following the guide at
>>>>>> http://techslaves.org/2011/08/24/freeipa-and-samba-3-integration but
>>>>>> that seems quite out of date for IPAv3 and I need some help:
>>>>>
>>>>> Yes, it is a bit outdated but still useful. Please note that we are
>>>>> currently working on making the integration of Samba easier. Recently
>>>>> I sent a patch to the samba-technical mailing list with a library which
>>>>> would allow Samba to use SSSD instead of winbind to look up users and
>>>>> SID-to-name mapping. Alexander is planning to go through the ipasam
>>>>> modules to see how to make integration with Samba file-servers easier.
>>>>>
>>>>> But coming back to your questions.
>>>>>
>>>>>> 1. The guide deals with setting a Samba server SID for one Samba
>>>>>> server, but as we have multiple stand-alone Samba3 servers, which SID
>>>>>> do I use to create the DNA plugin? Can I enter more than 1 SID? Can I
>>>>>> have more than 1 plugin (seems unlikely)?
>>>>>
>>>>> 'net getlocalsid' returns the domain SID and since all your Samba
>>>>> file-servers are members of the IPA domain you can use a common SID here.
>>>>>
>>>>> With IPAv3 SID generation for users and groups is even easier because
>>>>> you can get it for free by running ipa-adtrust-install (please use the
>>>>> option --add-sids) if you already have users and groups in your IPA
>>>>> server. This prepares the IPA server to be able to create trust
>>>>> relationships to Active Directory and one requirement here is that all
>>>>> users and groups have a SID.
>>>>>
>>>>> 'ipa-adtrust-install' will also create a domain SID. 'ipa
>>>>> trustconfig-show' will show the domain SID together with the DNS domain
>>>>> name and the NetBIOS domain name. On your Samba server you should set
>>>>> 'workgroup' to the NetBIOS domain name (see 'net conf list' on the IPA
>>>>> server after running ipa-adtrust-install for a config example).
>>>>>
>>>>> Additionally on your Samba servers you have to set the domain SID in
>>>>> /var/lib/samba/private/secrets.tdb with tdbtool. You will need 3
>>>>> keys with the same SID:
>>>>>
>>>>> SECRETS/SID/DOMNETBIOS <- NetBIOS domain name, workgroup in smb.conf
>>>>> SECRETS/SID/DNS.DOMAIN.NAME <- DNS domain name, will match realm in
>>>>> smb.conf
>>>>> SECRETS/SID/CLINETBIOS <- NetBIOS name of the client, 'netbios name' in
>>>>> smb.conf
>>>>>
>>>>> The SID has to be given in a special binary format. The easiest way to
>>>>> get it is to call 'tdbdump /var/lib/samba/private/secrets.tdb' on the
>>>>> IPA server after running ipa-adtrust-install. The domain SID will always
>>>>> start with \01\04\00\00\00\00\00\05\15\... . You can use this sequence
>>>>> as data for the insert command of tdbtool.
>>>>>
>>>>> Now everything should be done with respect to SID handling.
>>>>>
>>>>>> 2. There’s no “/usr/share/ipa/ui/group.js” file to patch in
>>>>>> IPAv3. What do I need to patch instead?
>>>>>>
>>>>>> I’ve seen ticket https://fedorahosted.org/freeipa/ticket/3999 , which
>>>>>> shows the need is there but I could do with getting it working ASAP.
>>>>>
>>>>> group.js is compiled with the other UI files in
>>>>> /usr/share/ipa/ui/js/freeipa/app.js (see
>>>>> install/ui/doc/guides/debugging_web_ui/README.md in the FreeIPA sources
>>>>> for details). For your convenience I copied some section here:
>>>>>
>>>>> "The compiled Web UI layer is located in
>>>>> `/usr/share/ipa/ui/js/freeipa/app.js` file. One can copy files from
>>>>> source git repository in `install/ui/src/freeipa/` directory to the
>>>>> `/usr/share/ipa/ui/js/freeipa/` directory (it will replace the `app.js`
>>>>> file). By doing that, next reload of Web UI will use source files
>>>>> (clearing browser cache may be required). After that all JavaScript
>>>>> errors will contain proper source code name and line number."
>>>>
>>>> A better approach is to create a custom UI plugin which would add those
>>>> fields. Since it's only 3 fields, I created an example which works on
>>>> FreeIPA 4.0 and theoretically it should work on 3.2 as well:
>>>>
>>>> http://pvoborni.fedorapeople.org/plugins/samba/samba.js
>>>>
>>>> Put the file into the `/usr/share/ipa/ui/js/plugins/samba` directory.
>>>>
>>>> I did not test it with backend (no labels + doesn't do anything).
>>>>
>>>> More about plugin development:
>>>> * http://www.freeipa.org/images/5/5b/FreeIPA33-extending-freeipa.pdf
>>>> * http://pvoborni.fedorapeople.org/doc/#!/guide/Plugins
>>>>
>>>> Creating a CLI plugin is IMO also a better approach.
>>>>
>>>>>> I may be missing something obvious but some help would be greatly
>>>>>> appreciated!
>>>>>
>>>>> I hope my comments will help you. Feel free to ask for more help if
>>>>> needed. It would be nice to hear from any success as well.
>>>>>
>>>>> bye,
>>>>> Sumit
>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Dylan.
>>>>>>
>>>>>> Background:
>>>>>>
>>>>>> Brief: Need to expand from the current single-office-ish NIS/YP scheme
>>>>>> to a multi-location/multi-national auth scheme which FreeIPA seems
>>>>>> ideally suited for.
>>>>>>
>>>>>> Requirement: To continue to provide console/SSH and GUI/X logins to
>>>>>> Linux hosts, access to home and project directories via NFS from the
>>>>>> Linux machines using autofs/automount and access to Samba file-shares
>>>>>> from Windows machines but not using AD creds as this is a totally
>>>>>> separate environment. Several locations will each have a FreeIPA
>>>>>> replica server, NFS/Samba fileserver and “application” server.
>>>>>> Currently use 2 passwords for each user – one for NIS, one for Samba –
>>>>>> and need to consolidate to one password for everything.
>>>>>>
>>>>>> Progress: Linux-based NFS stuff working fine – automount of home and
>>>>>> project directories all OK. Currently using Fedora 20 & CentOS 6.5 VMs
>>>>>> as a prototyping environment but will probably use RHEL/CentOS 7 when
>>>>>> available for production. FreeIPA versions 3.0.0 on CentOS 6.5 and
>>>>>> 3.3.5 on Fedora 20.
>>>>>>
>>>> --
>>>> Petr Vobornik
>>
>> --
>> Petr Vobornik

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
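The secrets.tdb step Sumit describes in the thread, as an added example that is not part of the mailing list thread or of Samba/FreeIPA itself: it encodes a textual domain SID into the binary dom_sid blob Samba stores, renders it in the escaped form that tdbdump prints and tdbtool's insert accepts, and builds the three insert commands for the key names Sumit lists. It assumes Samba 3's struct dom_sid layout (revision, sub-authority count, 6-byte authority, up to 15 little-endian sub-authorities, padded to 68 bytes); the SID and the three names are constructed placeholders.

```python
import struct

SECRETS_TDB = "/var/lib/samba/private/secrets.tdb"  # path from the thread
DOM_SID_SIZE = 8 + 4 * 15  # struct dom_sid: 8-byte header + 15 sub-auth slots (assumed)

def sid_to_blob(sid):
    """Encode 'S-1-5-21-a-b-c' as the binary dom_sid Samba keeps in secrets.tdb."""
    parts = sid.upper().split("-")
    if len(parts) < 4 or parts[0] != "S" or parts[1] != "1":
        raise ValueError("unsupported SID: %r" % sid)
    subs = [int(p) for p in parts[3:]]
    if not 1 <= len(subs) <= 15:
        raise ValueError("bad sub-authority count in %r" % sid)
    blob = bytes([1, len(subs)]) + int(parts[2]).to_bytes(6, "big")  # rev, count, authority
    blob += b"".join(struct.pack("<I", s) for s in subs)  # sub-authorities, little-endian
    return blob.ljust(DOM_SID_SIZE, b"\0")  # unused slots stay zero

def blob_to_sid(blob):
    """Inverse: turn a dom_sid blob (e.g. unescaped tdbdump output) back into text."""
    count = blob[1]
    subs = struct.unpack("<%dI" % count, blob[8:8 + 4 * count])
    return "S-%d-%d-%s" % (blob[0], int.from_bytes(blob[2:8], "big"),
                           "-".join(str(s) for s in subs))

def tdb_escape(blob):
    """Render bytes as tdbdump prints them: printable ASCII literally, the rest as \\XX."""
    return "".join(chr(b) if 32 <= b < 127 and chr(b) not in '"\\' else "\\%02X" % b
                   for b in blob)

def tdb_unescape(text):
    """Parse a tdbdump/tdbtool data string back into bytes."""
    out, i = bytearray(), 0
    while i < len(text):
        if text[i] == "\\":
            out.append(int(text[i + 1:i + 3], 16))
            i += 3
        else:
            out.append(ord(text[i]))
            i += 1
    return bytes(out)

def tdbtool_commands(sid, netbios_domain, dns_domain, client_netbios):
    """The three inserts from the thread: one SID under the domain NetBIOS name,
    the DNS domain name and the file server's own NetBIOS name."""
    data = tdb_escape(sid_to_blob(sid))
    return ['tdbtool %s insert "SECRETS/SID/%s" "%s"' % (SECRETS_TDB, name.upper(), data)
            for name in (netbios_domain, dns_domain, client_netbios)]

if __name__ == "__main__":  # constructed SID and placeholder names
    for cmd in tdbtool_commands("S-1-5-21-1094795585-2-3", "EXAMPLE", "ipa.example.test", "fs1"):
        print(cmd)
```

Compare the generated data string against the real tdbdump output on the IPA server before inserting anything; the sub-authority 1094795585 is chosen so its bytes render as the printable run "AAAA", which is what tdbdump does with printable bytes.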
