On Wed, 16 Jun 2010 21:41:08 +0200
Stjepan Gros sg...@zemris.fer.hr wrote:
Hi all,
I'm trying to integrate Samba 3 into FreeIPA domain. After following
the instructions given in this mailing list
(http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html)
I'm unable to add new users. The ipa-adduser command complains with
the following error message:
A database error occurred: Object class violation: missing attribute
sambaSID required by object class sambaSamAccount
It seems as if ipa-dna plugin isn't working, i.e. isn't adding
sambaSID attribute.
Here are the relevant entries from LDAP (with mangled domains):
dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: nsSlapdPlugin
objectClass: extensibleObject
objectClass: nsContainer
cn: Distributed Numeric Assignment Plugin
nsslapd-pluginInitfunc: dna_init
nsslapd-pluginType: preoperation
nsslapd-pluginEnabled: on
nsslapd-pluginPath: libdna-plugin
nsslapd-plugin-depends-on-type: database
nsslapd-pluginId: Distributed Numeric Assignment
nsslapd-pluginVersion: 1.2.5
nsslapd-pluginVendor: 389 Project
nsslapd-pluginDescription: Distributed Numeric Assignment plugin
# sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
cn: sambaGroupType
dnatype: sambaGroupType
dnainterval: 0
dnamagicregen: ASSIGN
dnafilter: (objectClass=sambaGroupMapping)
dnanextvalue: 2
# SambaSid, Distributed Numeric Assignment Plugin, plugins, config
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
objectClass: top
objectClass: extensibleObject
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
cn: SambaSid
dnanextvalue: 15277
Can someone shed light on what's going on, or how to debug these
problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
is nothing useful.
SG
P.S. dnaprefix has to end with hyphen, but I don't believe it's the
problem.
It is not, the instructions in that thread are wrong.
We already debugged them with another user, and there are quite a few
things that need to be changed.
First of all, sambaGroupType is a fixed value, not a counter, so the
DNA configuration for it just needs to be removed.
Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so
the DNs in that configuration are incorrect for v1.2.2; the DN to be
used IIRC is cn=ipa-dna,cn=plugins,cn=config
There may be something else we found I am missing, but these 2 are
pretty fundamental things.
Simo.
--
Simo Sorce * Red Hat, Inc * New York
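
The two points in the reply above, written as a check over an LDIF dump of the plugin configuration (an added example, not code from the thread or from FreeIPA). It assumes DNA range entries sit directly beneath the DN named in the reply; the sample LDIF is constructed from the entries quoted in the thread, and parse_ldif and lint_dna are hypothetical helper names.

```python
import re

# From the reply ("IIRC"), for IPA v1.2.2 with the embedded DNA plugin.
# Assumption: range entries are direct children of this DN.
EXPECTED_PARENT = "cn=ipa-dna,cn=plugins,cn=config"
# Attributes the reply says are fixed values, not counters.
FIXED_VALUE_ATTRS = {"sambagrouptype"}

# Constructed sample, based on the entries quoted in the thread.
SAMPLE_LDIF = """\
# sambaGroupType range entry
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,
 cn=plugins,cn=config
objectClass: extensibleObject
dnatype: sambaGroupType
dnanextvalue: 2

dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,
 cn=plugins,cn=config
objectClass: extensibleObject
dnatype: sambaSID
dnanextvalue: 15277
"""

def parse_ldif(text):
    """Parse LDIF into dicts of lower-cased attribute -> list of values.
    Handles folded lines and comments; base64 (::) values are not decoded."""
    entries, cur = [], {}
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    for line in unfolded.splitlines() + [""]:
        if line.startswith("#"):
            continue
        if not line.strip():  # blank line ends the current entry
            if cur:
                entries.append(cur)
            cur = {}
            continue
        attr, _, value = line.partition(":")
        cur.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries

def lint_dna(entries):
    """Return (dn, problem) pairs for DNA range entries that hit either point."""
    findings = []
    for e in (e for e in entries if "dnatype" in e):
        dn = e.get("dn", [""])[0]
        parent = ",".join(p.strip() for p in dn.split(",")[1:]).lower()
        if e["dnatype"][0].lower() in FIXED_VALUE_ATTRS:
            findings.append((dn, "fixed-value attribute, remove this DNA entry"))
        if parent != EXPECTED_PARENT:
            findings.append((dn, "not under " + EXPECTED_PARENT))
    return findings
```

Calling lint_dna(parse_ldif(SAMPLE_LDIF)) reports the sambaGroupType entry twice (fixed value, wrong parent) and the SambaSid entry once (wrong parent).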