[Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!)

Dmitri Pal dpal at redhat.com
Tue Aug 16 20:50:56 UTC 2011


On 08/16/2011 03:50 PM, Ryan Thomson wrote:
> Hello,
>
> I'm trying to follow various steps and instructions I've found online for extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have mostly gone well but I've hit a roadblock that I can't quite figure out.
>
> Basically, I'm trying to get every new group added to FreeIPA (either via CLI or Web UI) to automagically become a valid samba group with sambaGroupMapping (and thus sambaSid and sambaGroupType).
>
> Here's what I've done thus far:
>
> 1. Added an ipaUserObjectClasses attribute with value sambaSAMAccount to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected for generating Samba hashes for users on password changes.
>
> 2. Configured the DNA plugin to automatically add a sambaSid attribute to every user with a sambaSAMAccount objectClass and group with sambaGroupMapping objectClass:
>
> # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-3180075094-3347106287-3821849995-
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> dnascope: dc=fmri,dc=ubc,dc=ca
> cn: SambaSid
> dnanextvalue: 15289
>
> This works as expected.
>
> 3. Added an ipaGroupObjectClasses attribute with value sambaGroupMapping to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected, adding the objectClass sambaGroupMapping to every new group (and thus requiring sambaSid and sambaGroupType attributes).
>
> 4. Extended the schema (correct terminology?) using ipaCustomFields with (unquoted) value "Samba Group Type,sambagrouptype,true".
>
> 5. Extended the CLI in group.py (.../site-packages/ipalib/plugins/group.py) like so:
>
> --- group.py.orig	2011-08-15 14:59:48.570715207 -0700
> +++ group.py	2011-08-16 12:43:43.493236507 -0700
> @@ -118,6 +118,13 @@
>              label=_('GID'),
>              doc=_('GID (use this option to set it manually)'),
>          ),
> +        Int('sambagrouptype',
> +            cli_name='sgt',
> +            label=_('Samba Group Type'),
> +            doc=_('Samba Group Type (default is 4)'),
> +            default=4,
> +            autofill=True,
> +        ),
>      )
>  
>  api.register(group)
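
Review bot: the new Int('sambagrouptype', ...) entry documents its value only as "default is 4" and sets no bounds, so the --sgt help text does not say what 4 means and any integer is accepted. State in doc what the value represents and bound the parameter (ipalib's Int takes minvalue and maxvalue) to the values this deployment uses. With autofill=True the 4 is filled in on every group-add that omits the option, which deserves a comment at the default=4 line since every new group gets that type without the caller asking for it.
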
>
>
> However, when I try to add a group with 'ipa group-add groupname --desc="Group desc"' I get the following output:
>
> ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>
> and if I turn on the debugging, I see the following lines:
>
> ipa: DEBUG: raw: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
> ipa: DEBUG: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
>
> Which looks like my edit of group.py is doing what I expected it to do... but the IPA server is still returning the missing attribute error.
>
> However, if I use --addattr="sambagrouptype=4" as an argument to ipa group-add, it works fine and the attribute is added and the group is created.
>
> What am I missing?
>
> Thank you,
>

Should we open a ticket and have a way to just turn this integration on?
Something like an ipa-server-install install flag, --samba-integration. Then
it will translate into enabling all of the above at install time or
after.

-- 
Thank you,
Dmitri Pal

Sr. Engineering Manager IPA project,
Red Hat Inc.
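
An offline audit for the state the procedure quoted above is meant to produce, added here as an example and not part of the original thread or of FreeIPA: it parses an LDIF export and flags groups that carry sambaGroupMapping without the sambaSID and sambaGroupType attributes the post says it requires, or whose sambaSID falls outside the dnaprefix from the post. The function names, the dc=example,dc=test suffix and the sample entries are constructed, and the parser assumes plain LDIF without folded or base64 lines.

```python
# Added example (not from the thread); the LDIF below is constructed sample data.
REQUIRED = {"sambagroupmapping": ("sambasid", "sambagrouptype")}  # per the post
SID_PREFIX = "S-1-5-21-3180075094-3347106287-3821849995-"  # dnaprefix from the post

SAMPLE_LDIF = """\
dn: cn=admins,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: admins
sambaSID: S-1-5-21-3180075094-3347106287-3821849995-15289
sambaGroupType: 4

dn: cn=groupname,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
cn: groupname
sambaSID: S-1-5-21-3180075094-3347106287-3821849995-15290

dn: cn=plain,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
cn: plain
"""

def parse_ldif(text):
    """Parse simple (unfolded, non-base64) LDIF into [(dn, {attr: [values]})]."""
    entries = []
    for block in text.strip().split("\n\n"):
        attrs = {}
        for line in block.splitlines():
            name, _, value = line.partition(":")
            attrs.setdefault(name.strip().lower(), []).append(value.strip())
        if "dn" in attrs:
            entries.append((attrs.pop("dn")[0], attrs))
    return entries

def audit(entries):
    """Return {dn: [problems]} for entries missing required Samba attributes."""
    findings = {}
    for dn, attrs in entries:
        classes = {c.lower() for c in attrs.get("objectclass", [])}
        problems = [f"missing {a} required by {oc}" for oc, needed in REQUIRED.items()
                    if oc in classes for a in needed if a not in attrs]
        problems += [f"sambaSID {sid} outside DNA prefix"
                     for sid in attrs.get("sambasid", []) if not sid.startswith(SID_PREFIX)]
        if problems:
            findings[dn] = problems
    return findings

if __name__ == "__main__":
    print(audit(parse_ldif(SAMPLE_LDIF)))
```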

