[Freeipa-users] Getting Samba to authenticate against FreeIPA

Marc Grimme grimme at atix.de
Mon Mar 25 08:54:12 UTC 2013


On 24.03.2013 18:14, Martin wrote:
> That guide at techslaves.org sounds like a perfect match for our needs,
> unfortunately the map and reality didn't quite match...
>
> Point 4.3 says:
>
>> 4.3. Test the CLI. With an “admin” (or equivalent priv) kerberos
>> ticket, try creating a new group:
>>
>> account at ipaserver:~
>> $ ipa group-add testgrp --desc="Testing the group.py CLI mods"
>> ---------------------
>> Added group "testgrp"
>> ---------------------
>>   Group name: testgrp
>>   Description: Testing the group.py CLI mods
>>   GID: 1234500010
>>   Samba Group Type: 4
> So I did. However, all I get is:
>
>> ipa: ERROR: Unknown option: sambagrouptype
> but I've followed the instructions carefully. There's, however, an added
> complication here and that's that the sambaserver runs on a different
> machine than the IPA-server and since it's not obvious (to me at least)
> which part goes where I ran all the commands on the sambaserver. I bet
> at least some of the steps would have to be run on the IPA-server.
>
> Does anyone have an idea what went wrong? All the commands went through
> without a problem until ipa group-add...
>
> Regards
I'm using this configuration with IPA based on 6.3 and had to patch the
ipa python scripts.
I'm also far from an acceptable solution, but still I've written some
helper scripts that are making pain little worse and operable.

I think you should get a step further with the following:

First change the group.py

diff -Naur
/usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904
/usr/lib/python2.6/site-packages/ipalib/plugins/group.py
--- /usr/lib/python2.6/site-packages/ipalib/plugins/group.py-20120904  
2012-09-04 14:03:33.943724891 +0200
+++ /usr/lib/python2.6/site-packages/ipalib/plugins/group.py   
2012-09-04 14:06:07.240468927 +0200
@@ -121,6 +121,13 @@
             doc=_('GID (use this option to set it manually)'),
             minvalue=1,
         ),
+        Int('sambagrouptype',
+            cli_name='sgt',
+            label=_('Samba Group Type'),
+            doc=_('Samba Group Type (default is 4)'),
+            default=4,
+            autofill=True,
+        ),
     )
 
 api.register(group)
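
Review bot: The new 'sambagrouptype' parameter combines default=4 with autofill=True, so every group created through group-add gets a Samba group type of 4, including groups that are never meant to be visible to Samba; consider making the attribute opt-in so it is written only when --sgt is passed. Unlike the GID parameter directly above it (minvalue=1), the new Int has no bounds or value check, so any integer is accepted. Nothing in this hunk adds an object class that permits the attribute on the group entry, so that has to be configured elsewhere before the add can succeed. The target is an installed file under site-packages, so the change will be overwritten by a package update and should be kept as a tracked patch that is reapplied deliberately.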

My script for getting the next available SID:

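LDAPbase="dc=example,dc=com"
# Collect every sambaSID of users and groups and keep the one with the
# highest RID (the last "-"-separated field of the SID).
lastsid=$({
    ldapsearch -z0 -LLL -b "cn=users,cn=accounts,$LDAPbase" \
        '(objectClass=sambaSAMAccount)' sambaSID 2>/dev/null
    ldapsearch -z0 -LLL -b "cn=groups,cn=accounts,$LDAPbase" \
        '(objectClass=sambaGroupMapping)' sambaSID 2>/dev/null
} | awk '/^sambaSID:/ { print $2 }' | awk -F- '{ print $NF, $0 }' \
  | sort -n | tail -1 | awk '{ print $2 }')

# Print that SID with its RID incremented by one (nothing if no SID was found).
echo "$lastsid" | awk '
BEGIN {
  OFS="-";
  FS="-";
}
NF {
  $NF = $NF + 1;
  print;
}'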

Then create a new group with:

ipa group-add --desc="Testgroup2" testgroup2 --sgt=4 \
    --setattr="sambaSID=$(bash ./ldap-getnext-SID.sh)"

Hope this helps.

Regards Marc.

-- 
Marc Grimme

E-Mail: grimme( at )atix.de
XING: www.xing.com/profile/Marc_Grimme

ATIX - The Linux & Open Source Company

ATIX Informationstechnologie und Consulting AG
Einsteinstraße 10
85716 Unterschleißheim
www.atix.de



