[Freeipa-users] Problem with FreeIPA and Samba 3...

Simo Sorce ssorce at redhat.com
Wed Jun 16 21:06:10 UTC 2010


On Wed, 16 Jun 2010 21:41:08 +0200
Stjepan Gros <sgros at zemris.fer.hr> wrote:

> Hi all,
> 
> I'm trying to integrate Samba 3 into FreeIPA domain. After following
> the instructions given in this mailing list
> (http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html)
> I'm unable to add new users. The ipa-adduser command complains with
> the following error message:
> 
> A database error occurred: Object class violation: missing attribute
> "sambaSID" required by object class "sambaSamAccount"
> 
> It seems as if ipa-dna plugin isn't working, i.e. isn't adding
> sambaSID attribute.
> 
> Here are the relevant entries from LDAP (with mangled domains):
> 
> dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: nsSlapdPlugin
> objectClass: extensibleObject
> objectClass: nsContainer
> cn: Distributed Numeric Assignment Plugin
> nsslapd-pluginInitfunc: dna_init
> nsslapd-pluginType: preoperation
> nsslapd-pluginEnabled: on
> nsslapd-pluginPath: libdna-plugin
> nsslapd-plugin-depends-on-type: database
> nsslapd-pluginId: Distributed Numeric Assignment
> nsslapd-pluginVersion: 1.2.5
> nsslapd-pluginVendor: 389 Project
> nsslapd-pluginDescription: Distributed Numeric Assignment plugin
> 
> # sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> cn: sambaGroupType
> dnatype: sambaGroupType
> dnainterval: 0
> dnamagicregen: ASSIGN
> dnafilter: (objectClass=sambaGroupMapping)
> dnanextvalue: 2
> 
> # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-2932961863-1130097162-856551529
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
> dnascope: dc=example,dc=com
> cn: SambaSid
> dnanextvalue: 15277
> 
> Can someone shed light on what's going on, or how to debug these
> problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
> is nothing useful.
> 
> SG
> 
> P.S. dnaprefix has to end with hyphen, but I don't believe it's the
> problem.

It is not, the instructions in that thread are wrong.

We already debugged them with another user, and there are quite a few
things that need to be changed.

First of all sambaGroupType is a fixed value, not a counter, so the
DNA configuration for it just needs to be removed.

Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so
the DNs in that configuration are incorrect for v1.2.2, the DN to be
used IIRC is cn=ipa-dna,cn=plugins,cn=config

There may be something else we found I am missing, but these 2 are
pretty fundamental things.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



