[Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!)

Sumit Bose sbose at redhat.com
Wed Aug 17 07:54:15 UTC 2011


On Tue, Aug 16, 2011 at 04:50:56PM -0400, Dmitri Pal wrote:
> On 08/16/2011 03:50 PM, Ryan Thomson wrote:
> > Hello,
> >
> > I'm trying to follow various steps and instructions I've found online for extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have mostly gone well but I've hit a road block that I can't quite figure out.
> >
> > Basically, I'm trying to get every new group added to FreeIPA (either via CLI or Web UI) to automagically become a valid samba group with sambaGroupMapping (and thus sambaSid and sambaGroupType).
> >
> > Here's what I've done this far:
> >
> > 1. Added an ipaUserObjectClasses attribute with value sambaSAMAccount to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected for generating Samba hashes for users on password changes.
> >
> > 2. Configured the DNA plugin to automatically add a sambaSid attribute to every user with a sambaSAMAccount objectClass and group with sambaGroupMapping objectClass:
> >
> > # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > dnatype: sambaSID
> > dnaprefix: S-1-5-21-3180075094-3347106287-3821849995-
> > dnainterval: 1
> > dnamagicregen: assign
> > dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> > dnascope: dc=fmri,dc=ubc,dc=ca
> > cn: SambaSid
> > dnanextvalue: 15289
> >
> > This works as expected.
> >
> > 3. Added an ipaGroupObjectClasses attribute with value sambaGroupMapping to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected, adding the objectClass sambaGroupMapping to every new group (and thus requiring sambaSid and sambaGroupType attributes).
> >
> > 4. Extended the schema (correct terminology?) using ipaCustomFields with (unquoted) value "Samba Group Type,sambagrouptype,true".
> >
> > 5. Extended the CLI in group.py (.../site-packages/ipalib/plugins/group.py) like so:
> >
> > --- group.py.orig	2011-08-15 14:59:48.570715207 -0700
> > +++ group.py	2011-08-16 12:43:43.493236507 -0700
> > @@ -118,6 +118,13 @@
> >              label=_('GID'),
> >              doc=_('GID (use this option to set it manually)'),
> >          ),
> > +        Int('sambagrouptype',
> > +            cli_name='sgt',
> > +            label=_('Samba Group Type'),
> > +            doc=_('Samba Group Type (default is 4)'),
> > +            default=4,
> > +            autofill=True,
> > +        ),
> >      )
> >  
> >  api.register(group)
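Review bot: this hunk only changes the parameter definition on the side where `ipa group-add` is run, and the debug lines later in the message show the option leaving the client as `sambagrouptype=4` while the `missing attribute "sambaGroupType"` error comes back from the server; the server's own copy of `ipalib/plugins/group.py` (loaded under httpd) needs the same `Int('sambagrouptype', ...)` block and httpd needs a restart before the value is written to the group entry, which would also explain why `--addattr`, which adds the attribute directly, succeeds. A style point: `cli_name='sgt'` is very terse for an option users will see in `ipa group-add --help`; a descriptive `cli_name` would be easier to discover.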
> >
> >
> > However, when I try to add a group with "ipa group-add groupname --desc='Group desc'" I get the following output:
> >
> > ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
> >
> > and if I turn on the debugging, I see the following lines:
> >
> > ipa: DEBUG: raw: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
> > ipa: DEBUG: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
> >
> > This looks like my edit of group.py is doing what I expected it to do... but the IPA server is still returning the missing attribute error.
> >
> > However, if I use --addattr="sambagrouptype=4" as an argument to ipa group-add, it works fine and the attribute is added and the group is created.
> >
> > What am I missing?
> >
> > Thank you,
> >
> 
> Should we open a ticket and have a way to just turn this integration on?
> Something like ipa-server-install install flag --samba-integration. Then
> it will translate into enabling all of the above at the install time or
> after.

There are already tickets:

- https://fedorahosted.org/freeipa/ticket/1614 to enhance the DNA plugin
  to handle SIDs
- https://fedorahosted.org/freeipa/ticket/1619 to create a utility which
  prepares FreeIPA for AD trust and general Samba usage

Ryan, please feel free to add comments to the tickets if you think we
have missed features which you would like to see in here.

bye,
Sumit

> 
> -- 
> Thank you,
> Dmitri Pal
> 
> Sr. Engineering Manager IPA project,
> Red Hat Inc.
> 
> 
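An offline consistency check for the kind of entries Ryan's setup produces, added here as an illustration and not code from the thread or from FreeIPA. It parses a few constructed LDIF entries and flags the two conditions behind the error he hit: a sambaGroupMapping group with no sambaGroupType, and a sambaSID that the DNA range in his configuration (the dnaprefix quoted above) would not have issued.

```python
# Added example, not FreeIPA code: offline check of Samba-mapped LDAP entries.
# SID_PREFIX is the dnaprefix quoted in the thread; SAMPLE_LDIF is constructed.
SID_PREFIX = "S-1-5-21-3180075094-3347106287-3821849995-"
SAMBA_CLASSES = {"sambasamaccount", "sambagroupmapping"}  # the DNA filter's classes

# Constructed sample: a clean group, a group missing sambaGroupType (the
# thread's error), and a user whose SID was not issued under the domain prefix.
SAMPLE_LDIF = """\
dn: cn=devs,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3180075094-3347106287-3821849995-15289
sambaGroupType: 4

dn: cn=ops,cn=groups,cn=accounts,dc=example,dc=test
objectClass: posixGroup
objectClass: sambaGroupMapping
sambaSID: S-1-5-21-3180075094-3347106287-3821849995-15290

dn: uid=alice,cn=users,cn=accounts,dc=example,dc=test
objectClass: posixAccount
objectClass: sambaSAMAccount
sambaSID: S-1-5-21-1-2-3-1001
"""

def parse_ldif(text):
    # Minimal LDIF reader: entries are separated by a blank line, names lowercased.
    entries = []
    for block in text.strip().split("\n\n"):
        entry = {}
        for line in block.splitlines():
            attr, _, value = line.partition(":")
            entry.setdefault(attr.strip().lower(), []).append(value.strip())
        entries.append(entry)
    return entries

def check_entry(entry):
    """Problems for an entry the DNA filter would match; [] if clean or unmatched."""
    classes = {oc.lower() for oc in entry.get("objectclass", [])}
    if not classes & SAMBA_CLASSES:
        return []
    problems = []
    sid = entry.get("sambasid", [""])[0]
    if not sid:
        problems.append("missing sambaSID")
    elif not (sid.startswith(SID_PREFIX) and sid[len(SID_PREFIX):].isdigit()):
        problems.append("sambaSID not issued under the domain prefix")
    if "sambagroupmapping" in classes and "sambagrouptype" not in entry:
        problems.append("missing sambaGroupType required by sambaGroupMapping")
    return problems

def check_ldif(text):  # problem report keyed by DN, only entries with problems
    return {e["dn"][0]: p for e in parse_ldif(text) if (p := check_entry(e))}
```

Run `check_ldif` over an `ldapsearch -LLL` dump of the groups and users subtrees to spot entries that will fail the schema check or carry a SID from outside the configured range.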