<html><body>Hi Jeff As far as I can see, your command looks ok (though I don't know what your dn should look like). Did you run the "kinit admin" command before? When I was doing the Samba + FreeIPA integration I found using an LDAP browser (Apache Directory Studio) very useful to visualise the LDAP "tree" (and even if required to manually edit objects ....) Chris <img width="16" height="16" src="cid:1__=8FBBF5E9DFC454208f9e8a93df938690918c8FB@" border="0" alt="Inactive hide details for Jeff Goddard ---18.03.2016 16:43:14---Christopher, Thank you for the response. IT seems my syntax is ">Jeff Goddard ---18.03.2016 16:43:14---Christopher, Thank you for the response. IT seems my syntax is still not correct. HEre From: Jeff Goddard <jgoddard@emerlyn.com> To: Christopher Lamb/Switzerland/IBM@IBMCH Cc: freeipa-users@redhat.com Date: 18.03.2016 16:43 Subject: Re: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount <hr width="100%" size="2" align="left" noshade style="color:#8091A5; "> Christopher, Thank you for the response. IT seems my syntax is still not correct. HEre is the command and output I received: [root@id-management-1 ~]# ldapmodify -Y GSSAPI <<EOF dn: cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com changetype: modify add: ipaUserObjectClasses ipaUserObjectClasses: sambaSAMAccount - add: ipaGroupObjectClasses ipaGroupObjectClasses: sambaGroupMapping EOF SASL/GSSAPI authentication started SASL username: <a href="mailto:admin@INTERNAL.EMERLYN.COM">admin@INTERNAL.EMERLYN.COM</a> SASL SSF: 56 SASL data security layer installed. modifying entry "cn=etc,cn=ipaconfig,dc=internal,dc=emerlyn,dc=com" ldap_modify: No such object (32) Do you have any more pointers? Thanks, Jeff On Fri, Mar 18, 2016 at 11:35 AM, Christopher Lamb <<a href="mailto:christopher.lamb@ch.ibm.com" target="_blank">christopher.lamb@ch.ibm.com</a>> wrote:<ul>Hi Jeff When I last integrated FreeIPA and Samba I used ldapmodify to successfully add sambaSAMAccount and sambaGroupMapping. <tt> ldapmodify -Y GSSAPI <<EOF dn: cn=etc,cn=ipaconfig,dc=my,dc=silly,dc=example,dc=com changetype: modify add: ipaUserObjectClasses ipaUserObjectClasses: sambaSAMAccount - add: ipaGroupObjectClasses ipaGroupObjectClasses: sambaGroupMapping EOF</tt> Note, also there is a notorious spelling mistake under Point 5 of the Fedora instructions you are following <tt> cosAttribute: sambaGrouptType</tt> should be: <tt> cosAttribute: sambaGroupType</tt> i.e. sambaGroupType has only one "T". Chris <img src="cid:1__=8FBBF5E9DFC454208f9e8a93df938690918c8FB@" width="16" height="16" alt="Inactive hide details for Jeff Goddard ---18.03.2016 16:11:10---Hello all, I'm following this guide:">Jeff Goddard ---18.03.2016 16:11:10---Hello all, I'm following this guide: From: Jeff Goddard <<a href="mailto:jgoddard@emerlyn.com" target="_blank">jgoddard@emerlyn.com</a>> To: <a href="mailto:freeipa-users@redhat.com" target="_blank">freeipa-users@redhat.com</a> Date: 18.03.2016 16:11 Subject: [Freeipa-users] Trouble creating userobjectlass sambaSAMAccount Sent by: <a href="mailto:freeipa-users-bounces@redhat.com" target="_blank">freeipa-users-bounces@redhat.com</a> <hr width="100%" size="2" align="left" noshade> Hello all, I'm following this guide: <a href="https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html" target="_blank">https://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/cifs.html</a> in attempts to have a SAMBA server with freeipa as the back-end authentication method. My problem is that the command: ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount fails with the message: ipa: ERROR: objectclass top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount not found. Using the web GUI I was able to add this field but it doesn't dynamically add it to my existing users and so I get errors such as: [2016/03/18 10:20:21.052605, 3] ../source3/lib/smbldap.c:579(smbldap_start_tls) StartTLS issued: using a TLS connection [2016/03/18 10:20:21.052661, 2] ../source3/lib/smbldap.c:794(smbldap_open_connection) smbldap_open_connection: connection opened [2016/03/18 10:20:21.055250, 3] ../source3/lib/smbldap.c:1013(smbldap_connect_system) ldap_connect_system: successful connection to the LDAP server [2016/03/18 10:20:21.056774, 4] ../source3/passdb/pdb_ldap.c:1496(ldapsam_getsampwnam) ldapsam_getsampwnam: Unable to locate user [jgoddard] count=0 [2016/03/18 10:20:21.056856, 3, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/check_samsec.c:400(check_sam_security) check_sam_security: Couldn't find user 'jgoddard' in passdb. [2016/03/18 10:20:21.056890, 5, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:252(auth_check_ntlm_password) check_ntlm_password: sam authentication for user [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER [2016/03/18 10:20:21.056944, 2, pid=9121, effective(0, 0), real(0, 0), class=auth] ../source3/auth/auth.c:315(auth_check_ntlm_password) check_ntlm_password: Authentication for user [jgoddard] -> [jgoddard] FAILED with error NT_STATUS_NO_SUCH_USER [2016/03/18 10:20:21.056972, 2] ../auth/gensec/spnego.c:746(gensec_spnego_server_negTokenTarg) SPNEGO login failed: NT_STATUS_NO_SUCH_USER [2016/03/18 10:20:21.057837, 3] ../source3/smbd/server_exit.c:249(exit_server_common) Server exit (NT_STATUS_CONNECTION_RESET) When trying to authenticate to my share. The search from the samba server: ldapsearch -LLL -x -h <a href="http://id-management-1.internal.emerlyn.com/" target="_blank">id-management-1.internal.emerlyn.com</a> uid=jgoddard does not return a value for sambaSAMAccount either. Can anyone provide me a pointer or documentation on where I'm going wrong? Thanks, Jeff<tt>-- Manage your subscription for the Freeipa-users mailing list:</tt><tt> </tt><a href="https://www.redhat.com/mailman/listinfo/freeipa-users" target="_blank"><tt>https://www.redhat.com/mailman/listinfo/freeipa-users</tt></a><tt> Go to </tt><a href="http://freeipa.org/" target="_blank"><tt>http://freeipa.org</tt></a><tt> for more info on the project</tt> </ul> </body></html>