[Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!)

Ryan Thomson ryan at pet.ubc.ca
Tue Aug 16 19:50:19 UTC 2011


Hello,

I'm trying to follow various steps and instructions I've found online for extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have mostly gone well but I've hit a roadblock that I can't quite figure out.

Basically, I'm trying to get every new group added to FreeIPA (either via CLI or Web UI) to automagically become a valid samba group with sambaGroupMapping (and thus sambaSid and sambaGroupType).

Here's what I've done so far:

1. Added an ipaUserObjectClasses attribute with value sambaSAMAccount to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected for generating Samba hashes for users on password changes.

2. Configured the DNA plugin to automatically add a sambaSid attribute to every user with a sambaSAMAccount objectClass and group with sambaGroupMapping objectClass:

# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-3180075094-3347106287-3821849995-
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
dnascope: dc=fmri,dc=ubc,dc=ca
cn: SambaSid
dnanextvalue: 15289

This works as expected.

3. Added an ipaGroupObjectClasses attribute with value sambaGroupMapping to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected, adding the objectClass sambaGroupMapping to every new group (and thus requiring sambaSid and sambaGroupType attributes).

4. Extended the schema (correct terminology?) using ipaCustomFields with (unquoted) value "Samba Group Type,sambagrouptype,true".

5. Extended the CLI in group.py (.../site-packages/ipalib/plugins/group.py) like so:

--- group.py.orig	2011-08-15 14:59:48.570715207 -0700
+++ group.py	2011-08-16 12:43:43.493236507 -0700
@@ -118,6 +118,13 @@
             label=_('GID'),
             doc=_('GID (use this option to set it manually)'),
         ),
+        Int('sambagrouptype',
+            cli_name='sgt',
+            label=_('Samba Group Type'),
+            doc=_('Samba Group Type (default is 4)'),
+            default=4,
+            autofill=True,
+        ),
     )
 
 api.register(group)
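
Review bot: the new Int('sambagrouptype', ...) param accepts any integer, and with default=4 plus autofill=True it is filled in on every group-add whether or not the caller asked for a Samba mapping. Consider bounding the accepted values (Int takes minvalue/maxvalue) and keeping the "(default is 4)" text in doc tied to the default value so the two cannot drift apart. The edit is also made to the installed site-packages copy of group.py, so a package update will overwrite it.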


However, when I try to add a group with "ipa group-add groupname --desc="Group desc" I get the following output:

ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"

and if I turn on the debugging, I see the following lines:

ipa: DEBUG: raw: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
ipa: DEBUG: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')

Which looks like my edit of group.py is doing what I expected it to do... but the IPA server is still returning the missing attribute error.

However, if I use --addattr="sambagrouptype=4" as an argument to ipa group-add, it works fine and the attribute is added and the group is created.

What am I missing?

Thank you,

-- 
Ryan Thomson
Systems Administrator, UBC PET
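
Added example (not part of the original post, and not FreeIPA or 389 DS code): a pre-flight check over an LDIF export that reports entries the directory server would reject with the "missing attribute ... required by object class" error quoted above. The MUST lists are those of the Samba 3 samba.schema; the function names, the generated parameter and the sample entries are assumptions constructed for illustration.

```python
# MUST attributes from Samba 3's samba.schema for the two classes used above.
REQUIRED = {
    "sambagroupmapping": {"gidnumber", "sambasid", "sambagrouptype"},
    "sambasamaccount": {"uid", "sambasid"},
}

def parse_ldif(text):
    """Parse plain LDIF (no base64; folded lines rejoined) into [(dn, {attr: [values]})]."""
    entries, current = [], None
    for line in text.replace("\n ", "").splitlines() + [""]:
        line = line.rstrip()
        if not line:                      # blank line closes the current entry
            if current:
                entries.append(current)
            current = None
        elif not line.startswith("#"):    # skip comment lines
            attr, _, value = line.partition(":")
            attr, value = attr.strip().lower(), value.strip()
            if attr == "dn":
                current = (value, {})
            elif current is not None:
                current[1].setdefault(attr, []).append(value)
    return entries

def missing_required(entries, generated=()):
    """Map dn -> missing MUST attrs; `generated` (assumption) = attrs a plugin such as DNA fills in."""
    problems = {}
    for dn, attrs in entries:
        classes = {v.lower() for v in attrs.get("objectclass", [])}
        need = set().union(*(REQUIRED[c] for c in classes if c in REQUIRED))
        missing = need - set(attrs) - {g.lower() for g in generated}
        if missing:
            problems[dn] = sorted(missing)
    return problems

# Constructed sample entries, not taken from a real directory.
SAMPLE = """\
dn: cn=groupname,cn=groups,cn=accounts,dc=example,dc=com
objectClass: sambaGroupMapping
gidNumber: 1234

dn: cn=othergroup,cn=groups,cn=accounts,dc=example,dc=com
objectClass: sambaGroupMapping
gidNumber: 1235
sambaGroupType: 4
"""

if __name__ == "__main__":
    print(missing_required(parse_ldif(SAMPLE), generated=["sambaSID"]))
```

With sambaSID listed as generated, only the first sample group is reported, for the missing sambaGroupType.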



