Re: [Freeipa-users] Problem with FreeIPA and Samba 3...
On Wed, 2010-06-16 at 17:06 -0400, Simo Sorce wrote:
> On Wed, 16 Jun 2010 21:41:08 +0200 Stjepan Gros sg...@zemris.fer.hr wrote:
> > Hi all,
> >
> > I'm trying to integrate Samba 3 into a FreeIPA domain. After following
> > the instructions given in this mailing list
> > (http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html)
> > I'm unable to add new users. The ipa-adduser command complains with
> > the following error message:
> >
> > A database error occurred: Object class violation: missing attribute sambaSID required by object class sambaSamAccount
> >
> > It seems as if the ipa-dna plugin isn't working, i.e. isn't adding the
> > sambaSID attribute. Here are the relevant entries from LDAP (with
> > mangled domains):
> >
> > dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > objectClass: nsContainer
> > cn: Distributed Numeric Assignment Plugin
> > nsslapd-pluginInitfunc: dna_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-pluginPath: libdna-plugin
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginId: Distributed Numeric Assignment
> > nsslapd-pluginVersion: 1.2.5
> > nsslapd-pluginVendor: 389 Project
> > nsslapd-pluginDescription: Distributed Numeric Assignment plugin
> >
> > # sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > cn: sambaGroupType
> > dnatype: sambaGroupType
> > dnainterval: 0
> > dnamagicregen: ASSIGN
> > dnafilter: (objectClass=sambaGroupMapping)
> > dnanextvalue: 2
> >
> > # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > dnatype: sambaSID
> > dnaprefix: S-1-5-21-2932961863-1130097162-856551529
> > dnainterval: 1
> > dnamagicregen: assign
> > dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
> > dnascope: dc=example,dc=com
> > cn: SambaSid
> > dnanextvalue: 15277
> >
> > Can someone shed light on what's going on, or how to debug these
> > problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
> > is nothing useful.
> >
> > SG
> >
> > P.S. dnaprefix has to end with a hyphen, but I don't believe it's the
> > problem.
>
> It is not, the instructions in that thread are wrong.
> We already debugged them with another user, and there are quite a few
> things that need to be changed.
>
> First of all, sambaGroupType is a fixed value, not a counter, so the DNA
> configuration for it just needs to be removed.
>
> Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so the
> DNs in that configuration are incorrect for v1.2.2; the DN to be used
> IIRC is
> cn=ipa-dna,cn=plugins,cn=config
>
> There may be something else we found I am missing, but these 2 are
> pretty fundamental things.

First, thank you for your help. It saves me a lot of time. And I hope that I'll document the whole procedure for the others.

One important general question. Are there any changes in FreeIPA 2 that will invalidate all this procedure?

Back to the main problem, I removed the entries for DNA that were in the wrong place, and after adding the DNA configuration for sambaSID in cn=ipa-dna,cn=plugins,cn=config I can now add users. All the Samba-related attributes are added to a new user after I set the initial password. But I cannot log in using smbclient because Samba thinks that the password is expired. Either I have to set X in the Samba flags (password never expires) or I have to properly initialize the password-related fields for Samba. Setting the password fields would be preferable; is it possible, and how?

An easier way (and necessary in the case of groups) is to set a fixed value when creating new users and groups. The question is, is it possible to configure the DNA plugin to set a fixed value, or is there a specialized (or more appropriate) plugin for that?

SG

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users

[Freeipa-users] Problem with FreeIPA and Samba 3...
Hi all,

I'm trying to integrate Samba 3 into a FreeIPA domain. After following the instructions given in this mailing list (http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html) I'm unable to add new users. The ipa-adduser command complains with the following error message:

A database error occurred: Object class violation: missing attribute sambaSID required by object class sambaSamAccount

It seems as if the ipa-dna plugin isn't working, i.e. isn't adding the sambaSID attribute. Here are the relevant entries from LDAP (with mangled domains):

dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 1.2.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin

# sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 0
dnamagicregen: ASSIGN
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2

# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
cn: SambaSid
dnanextvalue: 15277

Can someone shed light on what's going on, or how to debug these problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there is nothing useful.

SG

P.S. dnaprefix has to end with a hyphen, but I don't believe it's the problem.

Re: [Freeipa-users] Problem with FreeIPA and Samba 3...
On Wed, 16 Jun 2010 21:41:08 +0200 Stjepan Gros sg...@zemris.fer.hr wrote:
> Hi all,
>
> I'm trying to integrate Samba 3 into a FreeIPA domain. After following
> the instructions given in this mailing list
> (http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html)
> I'm unable to add new users. The ipa-adduser command complains with
> the following error message:
>
> A database error occurred: Object class violation: missing attribute sambaSID required by object class sambaSamAccount
>
> It seems as if the ipa-dna plugin isn't working, i.e. isn't adding the
> sambaSID attribute. Here are the relevant entries from LDAP (with
> mangled domains):
>
> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: nsContainer
> cn: Distributed Numeric Assignment Plugin
> nsslapd-pluginInitfunc: dna_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginPath: libdna-plugin
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginId: Distributed Numeric Assignment
> nsslapd-pluginVersion: 1.2.5
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: Distributed Numeric Assignment plugin
>
> # sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: sambaGroupType
> dnatype: sambaGroupType
> dnainterval: 0
> dnamagicregen: ASSIGN
> dnafilter: (objectClass=sambaGroupMapping)
> dnanextvalue: 2
>
> # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-2932961863-1130097162-856551529
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
> dnascope: dc=example,dc=com
> cn: SambaSid
> dnanextvalue: 15277
>
> Can someone shed light on what's going on, or how to debug these
> problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
> is nothing useful.
>
> SG
>
> P.S. dnaprefix has to end with a hyphen, but I don't believe it's the
> problem.

It is not, the instructions in that thread are wrong.
We already debugged them with another user, and there are quite a few things that need to be changed.

First of all, sambaGroupType is a fixed value, not a counter, so the DNA configuration for it just needs to be removed.

Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so the DNs in that configuration are incorrect for v1.2.2; the DN to be used IIRC is
cn=ipa-dna,cn=plugins,cn=config

There may be something else we found I am missing, but these 2 are pretty fundamental things.

Simo.

--
Simo Sorce * Red Hat, Inc * New York
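
The points raised in this thread (wrong parent DN for IPA v1.2.2, a counter configured for sambaGroupType, and a dnaprefix without a trailing hyphen) can be checked mechanically; the following is an added example, not code from the thread or from FreeIPA. It assumes the DNA plugin prepends dnaprefix to the generated number unchanged, and takes the parent DN from the reply above; `lint_dna` and `parse_entries` are hypothetical helper names.

```python
import re

# Constructed sample: the two DNA entries from the thread, trimmed to the relevant attributes.
SAMPLE_LDIF = """\
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnatype: sambaGroupType
dnanextvalue: 2

dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnanextvalue: 15277
"""

EXPECTED_PARENT = "cn=ipa-dna,cn=plugins,cn=config"  # per the reply, for IPA v1.2.2
SID_RE = re.compile(r"^S-1-5-21(-\d{1,10}){3}-\d{1,10}$")  # domain SID followed by a RID


def parse_entries(ldif):
    """Split unfolded LDIF into entries; keys lowercased, last value wins."""
    entries = []
    for block in re.split(r"\n\s*\n", ldif.strip()):
        entry = {}
        for line in block.splitlines():
            if line.startswith("#") or ":" not in line:
                continue
            key, _, value = line.partition(":")
            entry[key.strip().lower()] = value.strip()
        if "dn" in entry:
            entries.append(entry)
    return entries


def lint_dna(ldif):
    """Return (dn, problem) pairs for the issues raised in the thread."""
    findings = []
    for e in parse_entries(ldif):
        dn, dnatype = e["dn"], e.get("dnatype", "").lower()
        if not dn.lower().endswith("," + EXPECTED_PARENT):
            findings.append((dn, "not under " + EXPECTED_PARENT))
        if dnatype == "sambagrouptype":
            findings.append((dn, "sambaGroupType is a fixed value, not a counter"))
        if dnatype == "sambasid":
            sid = e.get("dnaprefix", "") + e.get("dnanextvalue", "")
            if not SID_RE.match(sid):
                findings.append((dn, "prefix + value is not a domain SID + RID: " + sid))
    return findings
```

On the sample, the missing hyphen shows up as the RID being fused into the last sub-authority of the domain SID, so the generated value would name a different domain rather than a user in this one.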