[Freeipa-users] Trouble creating userobjectlass sambaSAMAccount

Sumit Bose sbose at redhat.com
Fri Mar 18 16:53:23 UTC 2016


On Fri, Mar 18, 2016 at 12:08:04PM -0400, Jeff Goddard wrote:
> Found the syntax error. Apparently the DN is:
> dn:cn=ipaconfig,cn=etc,dc=internal,dc=emerlyn,dc=com rather than
> dn:cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com
> 
> 
> 
> On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb <
> christopher.lamb at ch.ibm.com> wrote:
> 
> > Hi Jeff
> >
> > When I last integrated FreeIPA and Samba I used ldapmodify to successfully
> > add sambaSAMAccount and sambaGroupMapping.
> >
> >
> > ldapmodify -Y GSSAPI <<EOF
> > dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com
> > changetype: modify
> > add: ipaUserObjectClasses
> > ipaUserObjectClasses: sambaSAMAccount
> > -
> > add: ipaGroupObjectClasses
> > ipaGroupObjectClasses: sambaGroupMapping
> > EOF
> >
> > Note, also there is a notorious spelling mistake under Point 5 of the
> > Fedora instructions you are following
> >
> > cosAttribute: sambaGrouptType
> >
> > should be:
> >
> > cosAttribute: sambaGroupType
> >
> > i.e. sambaGroupType has only one "T".
> >
> > Chris
> >
> > From: Jeff Goddard <jgoddard at emerlyn.com>
> > To: freeipa-users at redhat.com
> > Date: 18.03.2016 16:11
> > Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount
> > Sent by: freeipa-users-bounces at redhat.com
> > ------------------------------
> >
> >
> >
> >
> > Hello all,
> >
> > I'm following this guide:
> > https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html
> > in attempts to have a SAMBA server with freeipa as the back-end
> > authentication method. My problem is that the command: ipa config-mod
> > --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount


--userobjectclasses only expects one argument, but the option can be used
multiple times. If you use bash you can use the brace expansion to make
this easier:

ipa config-mod --userobjectclasses={top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount}

(please note no spaces are allowed between the braces)

As a general remark, you can find out about the real attribute names and
the DN by using the --all and --raw options:

ipa config-show --all --raw

HTH

bye,
Sumit

> > fails with the message: ipa: ERROR: objectclass
> > top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
> > not found.
> >
> > Using the web GUI I was able to add this field but it doesn't dynamically
> > add it to my existing users and so I get errors such as:
> >
> > [2016/03/18 10:20:21.052605,  3]
> > ../source3/lib/smbldap.c:579(smbldap_start_tls)
> >   StartTLS issued: using a TLS connection
> > [2016/03/18 10:20:21.052661,  2]
> > ../source3/lib/smbldap.c:794(smbldap_open_connection)
> >   smbldap_open_connection: connection opened
> > [2016/03/18 10:20:21.055250,  3]
> > ../source3/lib/smbldap.c:1013(smbldap_connect_system)
> >   ldap_connect_system: successful connection to the LDAP server
> > [2016/03/18 10:20:21.056774,  4]
> > ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam)
> >   ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0
> > [2016/03/18 10:20:21.056856,  3, pid=9121, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/check_samsec.c:400(check_sam_security)
> >   check_sam_security: Couldn't find user 'jgoddard' in passdb.
> > [2016/03/18 10:20:21.056890,  5, pid=9121, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password)
> >   check_ntlm_password: sam authentication for user [jgoddard] FAILED with
> > error NT_STATUS_NO_SUCH_USER
> > [2016/03/18 10:20:21.056944,  2, pid=9121, effective(0, 0), real(0, 0),
> > class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password)
> >   check_ntlm_password:  Authentication for user [jgoddard] -> [jgoddard]
> > FAILED with error NT_STATUS_NO_SUCH_USER
> > [2016/03/18 10:20:21.056972,  2]
> > ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg)
> >   SPNEGO login failed: NT_STATUS_NO_SUCH_USER
> > [2016/03/18 10:20:21.057837,  3]
> > ../source3/smbd/server_exit.c:249(exit_server_common)
> >   Server exit (NT_STATUS_CONNECTION_RESET)
> >
> > When trying to authenticate to my share.
> >
> > The search from the samba server: ldapsearch -LLL -x -h
> > id-management-1.internal.emerlyn.com uid=jgoddard
> > does not return a value for sambaSAMAccount either. Can anyone provide me
> > a pointer or documentation on where I'm going wrong?
> >
> > Thanks,
> >
> > Jeff
> > --
> > Manage your subscription for the Freeipa-users mailing list:
> > https://www.redhat.com/mailman/listinfo/freeipa-users
> > Go to http://freeipa.org for more info on the project
> >
> >
> >
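
The advice above (repeat --userobjectclasses once per class, then confirm the result with ipa config-show --all --raw), as an added example that is not part of the original thread. It is written for POSIX sh because bash brace expansion does not apply to a list held in a variable; the function names, the lowercase raw attribute name and the sample output are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example, not code from the thread or from the FreeIPA project.

# Turn "a,b,c" into one --userobjectclasses=<class> option per line.
# Intended use (class names contain no spaces or glob characters):
#   ipa config-mod $(objclass_opts "$WANT")
objclass_opts() {
    old_ifs=$IFS; IFS=,
    set -f                              # no globbing while splitting
    for c in $1; do
        if [ -n "$c" ]; then
            printf '%s\n' "--userobjectclasses=$c"
        fi
    done
    set +f; IFS=$old_ifs
}

# Read `ipa config-show --all --raw` output on stdin and print every class
# from the comma list in $1 that is NOT among the configured user classes.
# Matching is case-insensitive, as objectclass names are in LDAP.
missing_objclasses() {
    have=$(awk -F': *' 'tolower($1) ~ /^ *ipauserobjectclasses$/ {
               sub(/[ \t\r]+$/, "", $2); print tolower($2) }')
    old_ifs=$IFS; IFS=,
    set -f
    for c in $1; do
        lc=$(printf '%s' "$c" | tr 'A-Z' 'a-z')
        printf '%s\n' "$have" | grep -qxF "$lc" || printf '%s\n' "$c"
    done
    set +f; IFS=$old_ifs
}

# Constructed sample output (placeholder suffix, not real data).
SAMPLE_CONFIG='  dn: cn=ipaConfig,cn=etc,dc=example,dc=test
  ipauserobjectclasses: top
  ipauserobjectclasses: person
  ipauserobjectclasses: posixaccount
  ipagroupobjectclasses: top'

WANT='top,person,posixaccount,sambaSAMAccount'

objclass_opts "$WANT"                                        # options to pass
printf '%s\n' "$SAMPLE_CONFIG" | missing_objclasses "$WANT"  # still missing
```
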






