[Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

Christopher Lamb christopher.lamb at ch.ibm.com
Fri Mar 18 16:19:43 UTC 2016


Hi Jeff

As far as I can see, your command looks ok (though I don't know what your
dn should look like).

Did you run the "kinit admin" command before?

When I was doing the Samba + FreeIPA integration I found using an LDAP
browser (Apache Directory Studio) very useful to visualise the LDAP
"tree" (and even if required to manually edit objects ....)

Chris





From:	Jeff Goddard <jgoddard at emerlyn.com>
To:	Christopher Lamb/Switzerland/IBM at IBMCH
Cc:	freeipa-users at redhat.com
Date:	18.03.2016 16:43
Subject:	Re: [Freeipa-users] Trouble creating userobjectlass
            sambaSAMAccount



Christopher,

Thank you for the response. It seems my syntax is still not correct. Here
is the command and output I received:

[root@id-management-1 ~]# ldapmodify -Y GSSAPI <<EOF
dn: cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com
changetype: modify
add: ipaUserObjectClasses
ipaUserObjectClasses: sambaSAMAccount
-
add: ipaGroupObjectClasses
ipaGroupObjectClasses: sambaGroupMapping
EOF
SASL/GSSAPI authentication started

SASL username: admin@INTERNAL.EMERLYN.COM
SASL SSF: 56
SASL data security layer installed.
modifying entry "cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com"
ldap_modify: No such object (32)

Do you have any more pointers?


Thanks,

Jeff


On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb <
christopher.lamb at ch.ibm.com> wrote:
  Hi Jeff

  When I last integrated FreeIPA and Samba I used ldapmodify to
  successfully add sambaSAMAccount and sambaGroupMapping.


  ldapmodify -Y GSSAPI <<EOF
  dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com
  changetype: modify
  add: ipaUserObjectClasses
  ipaUserObjectClasses: sambaSAMAccount
  -
  add: ipaGroupObjectClasses
  ipaGroupObjectClasses: sambaGroupMapping
  EOF

  Note, also there is a notorious spelling mistake under Point 5 of the
  Fedora instructions you are following

  cosAttribute: sambaGrouptType

  should be:

  cosAttribute: sambaGroupType

  i.e. sambaGroupType has only one "T".

  Chris


  From: Jeff Goddard <jgoddard at emerlyn.com>
  To: freeipa-users at redhat.com
  Date: 18.03.2016 16:11
  Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
  Sent by: freeipa-users-bounces at redhat.com




  Hello all,

  I'm following this guide:
  https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
   in attempts to have a SAMBA server with freeipa as the back-end
  authentication method. My problem is that the command: ipa config-mod
  --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
 fails with the message: ipa: ERROR: objectclass
  top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
 not found.

  Using the web GUI I was able to add this field but it doesn't dynamically
  add it to my existing users and so I get errors such as:

  [2016/03/18 10:20:21.052605,  3] ../source3/lib/smbldap.c:579
  (smbldap_start_tls)
    StartTLS issued: using a TLS connection
  [2016/03/18 10:20:21.052661,  2] ../source3/lib/smbldap.c:794
  (smbldap_open_connection)
    smbldap_open_connection: connection opened
  [2016/03/18 10:20:21.055250,  3] ../source3/lib/smbldap.c:1013
  (smbldap_connect_system)
    ldap_connect_system: successful connection to the LDAP server
  [2016/03/18 10:20:21.056774,  4] ../source3/passdb/pdb_ldap.c:1496
  (ldapsam_getsampwnam)
    ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
  [2016/03/18 10:20:21.056856,  3, pid=9121, effective(0, 0), real(0, 0),
  class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
    check_sam_security: Couldn't find user 'jgoddard' in passdb.
  [2016/03/18 10:20:21.056890,  5, pid=9121, effective(0, 0), real(0, 0),
  class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
    check_ntlm_password: sam authentication for user [jgoddard] FAILED with
  error NT_STATUS_NO_SUCH_USER
  [2016/03/18 10:20:21.056944,  2, pid=9121, effective(0, 0), real(0, 0),
  class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
    check_ntlm_password:  Authentication for user [jgoddard] -> [jgoddard]
  FAILED with error NT_STATUS_NO_SUCH_USER
  [2016/03/18 10:20:21.056972,  2] ../auth/gensec/spnego.c:746
  (gensec_spnego_server_negTokenTarg)
    SPNEGO login failed: NT_STATUS_NO_SUCH_USER
  [2016/03/18 10:20:21.057837,  3] ../source3/smbd/server_exit.c:249
  (exit_server_common)
    Server exit (NT_STATUS_CONNECTION_RESET)

  When trying to authenticate to my share.

  The search from the samba server: ldapsearch -LLL -x -h
  id-management-1.internal.emerlyn.com uid=jgoddard
   does not return a value for sambaSAMAccount either. Can anyone provide
  me a pointer or documentation on where I'm going wrong?

  Thanks,

  Jeff--