[Freeipa-users] FreeIPA as a password backend to Samba

Michael Wisniewski wiz561 at gmail.com
Mon Dec 7 16:06:44 UTC 2009


On Sat, Dec 5, 2009 at 5:20 PM, Simo Sorce <ssorce at redhat.com> wrote:
> On Thu, 2009-12-03 at 10:14 -0600, Michael Wisniewski wrote:
>> Hi,
>>
>> I've discovered that back in September, a user was attempting to use
>> FreeIPA as a password backend to Samba.  I've followed the
>> instructions from Loris, but ran into a problem.  Whenever I create a
>> new group, I get the following error through the web interface...
>>
>>
>> Group add failed: A database error occurred
>> Object class violation. missing attribute "sambaGroupType" required by
>> object class "sambaGroupMapping"
>>
>> If I use the command line 'ipa-addgroup', I get a similar error.
>
> It looks like sambaGroupType is a required attribute for the
> sambaGroupMapping objectclass and it is not being added.
>
> You need to make sure to add a custom sambaGroupType attribute when you
> create the group.
>

You are correct, this did the trick.  I'm not sure why this is
required yet...I'm still working on it.

>> However, if I use a ldif and set everything, it works...
>>
>> # ldif2ldap "cn=Directory manager" <password> /tmp/s1.ldif
>> # cat /tmp/s1.ldif
>> dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
>> objectClass: top
>> objectClass: groupofnames
>> objectClass: posixGroup
>> cn: Cyber
>> description: Cyber Security Group
>> gidNumber: 1005
>>
>> Now the strange thing.  While I did add the "sambaGroupMapping", I
>> don't see it when I do a ldapsearch and view the group.  Also, if I
>> add my user to the newly created group and run "id", it doesn't show
>> up that I belong to that group.
>
> That may be due to nscd caching, make sure to reload/restart nscd when
> you change group memberships if you need to see the result immediately.
> The default group cache timeout can even be 1h on some systems.
>

What happened is that on the freeipa server, it seemed to
automatically fix itself the next day.  I'm guessing that if I
restarted nscd, as you suggested, it would have been fine.

The other issue I was running into was on the remote system that I
have configured for ldap authentication, it wasn't seeing the new
group.  It showed the 'ipauser' group for myself, but not the new one.
This was something I forgot to do; add the nss_base_group to the
ldap.conf on the remote system.  After I did this, everything is fine.

Thanks!
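Added example (not from the thread or from FreeIPA/Samba): the "Object class violation" above is the directory server enforcing the MUST attribute list of each objectClass at add time. The script below performs that same check client-side on an LDIF before it is loaded, using the Samba 3 schema's MUST list for sambaGroupMapping (gidNumber, sambaSID, sambaGroupType) and the posixGroup/groupOfNames lists as 389-ds applies them (the thread's working LDIF has groupofnames without a member attribute, so member is not treated as required). The LDIF entries, the group name and gidNumber are taken from the thread; the sambaSID value and the sambaGroupType value 2 (domain group) are constructed sample values for illustration.

```python
"""Pre-flight check of LDIF group entries against per-objectClass MUST lists.

Added example; not part of the original mailing-list thread.  It mimics the
server-side object-class check that produced the thread's error
("missing attribute sambaGroupType required by object class sambaGroupMapping")
so that the LDIF can be corrected before ldif2ldap/ldapadd is run.
"""
import re

# MUST attribute lists, keyed by lower-cased objectClass name.
# posixGroup: RFC 2307.  groupOfNames: 'member' left out because 389-ds (as
# used by FreeIPA) accepts groupofnames entries without it, which the thread's
# working LDIF shows.  sambaGroupMapping: Samba 3 schema.
REQUIRED = {
    "posixgroup": {"cn", "gidnumber"},
    "groupofnames": {"cn"},
    "sambagroupmapping": {"gidnumber", "sambasid", "sambagrouptype"},
}


def parse_ldif(text):
    """Minimal LDIF parser: one {attr: [values]} dict per entry.

    Handles '#' comments and folded continuation lines (leading space).
    Base64 ('::') values and change records are not needed for the thread's
    LDIF and are not handled.  Attribute names are lower-cased, since LDAP
    attribute names are case-insensitive.
    """
    entries = []
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = []
        for line in block.splitlines():
            if line.startswith("#"):
                continue
            if line.startswith(" ") and lines:      # folded line: append to previous
                lines[-1] += line[1:]
            else:
                lines.append(line)
        entry = {}
        for line in lines:
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries


def missing_attributes(entry):
    """Return {objectClass: [missing attrs]} for every known objectClass the
    entry lists; an empty dict means the entry would pass this check."""
    present = set(entry) - {"dn"}
    problems = {}
    for oc in entry.get("objectclass", []):
        need = REQUIRED.get(oc.lower())
        if need is None:                 # unknown class (e.g. 'top'): nothing enforced here
            continue
        missing = need - present
        if missing:
            problems[oc] = sorted(missing)
    return problems


# The thread's LDIF with sambaGroupMapping added but nothing else: this is the
# shape that triggers the server's object class violation.
BROKEN_LDIF = """
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
"""

# Same entry with the two attributes sambaGroupMapping requires.  The SID is a
# constructed sample value; a real one is the domain SID plus a RID.
FIXED_LDIF = """
dn: cn=Cyber,cn=groups,cn=accounts,dc=test,dc=org
objectClass: top
objectClass: groupofnames
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: Cyber
description: Cyber Security Group
gidNumber: 1005
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-3011
sambaGroupType: 2
"""


def check_ldif(text):
    """Report per-entry problems; returns the list of (dn, problems) pairs."""
    report = []
    for entry in parse_ldif(text):
        dn = entry.get("dn", ["<no dn>"])[0]
        report.append((dn, missing_attributes(entry)))
    return report


if __name__ == "__main__":
    for label, ldif in (("broken", BROKEN_LDIF), ("fixed", FIXED_LDIF)):
        for dn, problems in check_ldif(ldif):
            if problems:
                for oc, attrs in problems.items():
                    print(f"{label}: {dn}: objectClass {oc} is missing {', '.join(attrs)}")
            else:
                print(f"{label}: {dn}: ok")
```

Running the script prints the sambaGroupMapping shortfall for the first entry and "ok" for the second; the same parse_ldif/missing_attributes pair can be pointed at any LDIF about to be fed to ldif2ldap.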
