[Freeipa-users] FreeIPA as a password backend to Samba
Michael Wisniewski
2009-12-03 16:14:44 UTC
Hi,

I've discovered that back in September, a user was attempting to use
FreeIPA as a password backend to Samba. I've followed the
instructions from Loris, but ran into a problem. Whenever I create a
new group, I get the following error through the web interface...


Group add failed: A database error occurred
Object class violation. missing attribute "sambaGroupType" required by
object class "sambaGroupMapping"

If I use the command line 'ipa-addgroup', I get a similar error.
However, if I use an LDIF and set everything, it works...

# ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
# cat /tmp/s1.ldif
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
cn: Cyber
description: Cyber Security Group
gidNumber: 1005

Now the strange thing. While I did add the "sambaGroupMapping", I
don't see it when I do a ldapsearch and view the group. Also, if I
add my user to the newly created group and run "id", it doesn't show
up that I belong to that group.

If anybody can help me with this, that would be great. Since I'm just
starting, if somebody says FreeIPA v2 has this already, I don't mind
switching to it.


Thanks,
Mike
Simo Sorce
2009-12-05 23:20:45 UTC
Post by Michael Wisniewski
Hi,
I've discovered that back in September, a user was attempting to use
FreeIPA as a password backend to Samba. I've followed the
instructions from Loris, but ran into a problem. Whenever I create a
new group, I get the following error through the web interface...
Group add failed: A database error occurred
Object class violation. missing attribute "sambaGroupType" required by
object class "sambaGroupMapping"
If I use the command line 'ipa-addgroup', I get a similar error.
It looks like sambaGroupType is a required attribute for the
sambaGroupMapping objectclass and it is not being added.

You need to make sure to add a custom sambaGroupType attribute when you
create the group.
Post by Michael Wisniewski
However, if I use an LDIF and set everything, it works...
# ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
# cat /tmp/s1.ldif
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
Now the strange thing. While I did add the "sambaGroupMapping", I
don't see it when I do a ldapsearch and view the group. Also, if I
add my user to the newly created group and run "id", it doesn't show
up that I belong to that group.
That may be due to nscd caching; make sure to reload/restart nscd when
you change group memberships if you need to see the result immediately.
The default group cache timeout can even be 1h on some systems.
Post by Michael Wisniewski
If anybody can help me with this, that would be great. Since I'm just
starting, if somebody says FreeIPA v2 has this already, I don't mind
switching to it.
v2 is a bit experimental at the moment. It is great if you want to see
what's going on and help testing but it is not production ready.

Simo.
--
Simo Sorce * Red Hat, Inc * New York
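To make Simo's point concrete, here is an added example (my code, not from the thread or from FreeIPA/Samba) that checks an LDIF entry against the MUST attributes of its objectClasses before the entry is ever sent to the directory. The schema table is a hand-written subset: sambaGroupMapping requiring gidNumber, sambaSID and sambaGroupType is from my recollection of Samba's samba.schema (the thread only mentions sambaGroupType), and a real check should read the server's cn=schema instead. The sambaSID value in the fixed entry is a placeholder. Note that the LDIF as posted in the thread lists no sambaGroupMapping objectClass at all, which is consistent with the attribute not showing up in ldapsearch.

```python
"""Validate an LDIF group entry for attributes its objectClasses require.

Added example, not code from the mailing-list thread. The schema subset
below is constructed by hand; consult the server's cn=schema for the
authoritative MUST/MAY lists.
"""
from typing import Dict, List

# Constructed subset of MUST attributes per objectClass (lower-cased).
# sambaGroupMapping per Samba's samba.schema (assumption, not from the thread).
MUST_ATTRS: Dict[str, List[str]] = {
    "top": ["objectclass"],
    "groupofnames": ["cn"],            # RFC 4519 also lists member; 389 DS relaxes it
    "posixgroup": ["cn", "gidnumber"],
    "sambagroupmapping": ["gidnumber", "sambasid", "sambagrouptype"],
}

# The entry from the thread, plus the Samba auxiliary class but none of
# its attributes: this is the shape that triggers the schema violation.
BROKEN_LDIF = """\
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
"""

# Same entry with the mandatory Samba attributes supplied.
# sambaGroupType 2 is Samba's "domain group"; the SID is a constructed placeholder.
FIXED_LDIF = BROKEN_LDIF + """\
sambaGroupType: 2
sambaSID: S-1-5-21-PLACEHOLDER-1005
"""


def parse_ldif(text: str) -> Dict[str, List[str]]:
    """Parse one LDIF entry into {lower-cased attribute: [values]}.

    Handles folded continuation lines (leading space) and '#' comments.
    Base64 ('::') and URL (':<') values are out of scope for this example.
    """
    lines: List[str] = []
    for raw in text.splitlines():
        if raw.startswith(" ") and lines:
            lines[-1] += raw[1:]          # unfold a continuation line
        elif raw and not raw.startswith("#"):
            lines.append(raw)
    entry: Dict[str, List[str]] = {}
    for line in lines:
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip().lower(), []).append(value.strip())
    return entry


def missing_required(entry: Dict[str, List[str]]) -> List[str]:
    """Return sorted '<objectClass>: <attr>' for every MUST attribute absent
    from the entry, mirroring the server's 'Object class violation' check."""
    missing = []
    for oc in entry.get("objectclass", []):
        for attr in MUST_ATTRS.get(oc.lower(), []):
            if attr not in entry:
                missing.append(f"{oc}: {attr}")
    return sorted(missing)


if __name__ == "__main__":
    for label, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        problems = missing_required(parse_ldif(ldif))
        print(label, "->", problems or "OK")
```

Running the broken entry reports both Samba attributes as missing, while the fixed one passes; the directory server stops at the first violation it finds, which is why the web interface only named sambaGroupType.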
Michael Wisniewski
2009-12-07 16:06:44 UTC
Post by Simo Sorce
Post by Michael Wisniewski
Hi,
I've discovered that back in September, a user was attempting to use
FreeIPA as a password backend to Samba.  I've followed the
instructions from Loris, but ran into a problem.  Whenever I create a
new group, I get the following error through the web interface...
Group add failed: A database error occurred
Object class violation. missing attribute "sambaGroupType" required by
object class "sambaGroupMapping"
If I use the command line 'ipa-addgroup', I get a similar error.
It looks like sambaGroupType is a required attribute for the
sambaGroupMapping objectclass and it is not being added.
You need to make sure to add a custom sambaGroupType attribute when you
create the group.
You are correct, this did the trick. I'm not sure why this is
required yet...I'm still working on it.
Post by Simo Sorce
Post by Michael Wisniewski
However, if I use an LDIF and set everything, it works...
# ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
# cat /tmp/s1.ldif
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
Now the strange thing.  While I did add the "sambaGroupMapping", I
don't see it when I do a ldapsearch and view the group.  Also, if I
add my user to the newly created group and run "id", it doesn't show
up that I belong to that group.
That may be due to nscd caching; make sure to reload/restart nscd when
you change group memberships if you need to see the result immediately.
The default group cache timeout can even be 1h on some systems.
What happened is that on the freeipa server, it seemed to
automatically fix itself the next day. I'm guessing that if I
restarted nscd, as you suggested, it would have been fine.

The other issue I was running into was on the remote system that I
have configured for ldap authentication, it wasn't seeing the new
group. It showed the 'ipauser' group for myself, but not the new one.
This was something I forgot to do: add the nss_base_group to the
ldap.conf on the remote system. After I did this, everything is fine.

Thanks!
