Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-17 Thread Stjepan Gros
On Wed, 2010-06-16 at 17:06 -0400, Simo Sorce wrote:
> On Wed, 16 Jun 2010 21:41:08 +0200
> Stjepan Gros wrote:
> 
> > Hi all,
> > 
> > I'm trying to integrate Samba 3 into FreeIPA domain. After following
> > the instructions given in this mailing list
> > (http://www.mail-archive.com/freeipa-users@redhat.com/msg00111.html)
> > I'm unable to add new users. The ipa-adduser command complains with
> > the following error message:
> > 
> > A database error occurred: Object class violation: missing attribute
> > "sambaSID" required by object class "sambaSamAccount"
> > 
> > It seems as if ipa-dna plugin isn't working, i.e. isn't adding
> > sambaSID attribute.
> > 
> > Here are the relevant entries from LDAP (with mangled domains):
> > 
> > dn: cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: nsSlapdPlugin
> > objectClass: extensibleObject
> > objectClass: nsContainer
> > cn: Distributed Numeric Assignment Plugin
> > nsslapd-pluginInitfunc: dna_init
> > nsslapd-pluginType: preoperation
> > nsslapd-pluginEnabled: on
> > nsslapd-pluginPath: libdna-plugin
> > nsslapd-plugin-depends-on-type: database
> > nsslapd-pluginId: Distributed Numeric Assignment
> > nsslapd-pluginVersion: 1.2.5
> > nsslapd-pluginVendor: 389 Project
> > nsslapd-pluginDescription: Distributed Numeric Assignment plugin
> > 
> > # sambaGroupType, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > cn: sambaGroupType
> > dnatype: sambaGroupType
> > dnainterval: 0
> > dnamagicregen: ASSIGN
> > dnafilter: (objectClass=sambaGroupMapping)
> > dnanextvalue: 2
> > 
> > # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> > dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> > objectClass: top
> > objectClass: extensibleObject
> > dnatype: sambaSID
> > dnaprefix: S-1-5-21-2932961863-1130097162-856551529
> > dnainterval: 1
> > dnamagicregen: assign
> > dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
> > dnascope: dc=example,dc=com
> > cn: SambaSid
> > dnanextvalue: 15277
> > 
> > Can someone shed light on what's going on, or how to debug these
> > problems? In the log files (/var/log/dirsrv/dirsrv-EXAMPLE-COM) there
> > is nothing useful.
> > 
> > SG
> > 
> > P.S. dnaprefix has to end with hyphen, but I don't believe it's the
> > problem.
> 
> It is not, the instructions in that thread are wrong.
> 
> We already debugged them with another user, and there are quite a few
> things that need to be changed.
> 
> First of all sambaGroupType is a fixed value, not a counter, so the
> DNA configuration for it just needs to be removed.
> 
> Second, in IPA v1.2.2 we are still using the embedded DNA plugin, so
> the DNs in that configuration are incorrect for v1.2.2, the DN to be
> used IIRC is cn=ipa-dna,cn=plugins,cn=config
> 
> There may be something else we found I am missing, but these 2 are
> pretty fundamental things.

First, thank you for your help. It saves me a lot of time. And I hope
that I'll document the whole procedure for the others. One important
general question. Are there any changes in FreeIPA 2 that will
invalidate all this procedure?

Back to the main problem, I removed the entries for DNA that were in a
wrong place and after adding DNA configuration for sambaSID in
cn=ipa-dna,cn=plugins,cn=config I can now add users. All the samba
related attributes are added to a new user after I set initial password.

But I can not login using smbclient because samba thinks that the
password is expired. Either I have to set X in samba flags (password
never expires) or I have to properly initialize password related fields
for samba. Setting password fields would be preferable, is it possible
and how?

Easier way (and necessary in case of groups) is to set fixed value when
creating new users and groups. The question is, is it possible to
configure DNA plugin to set fixed value, or there is specialized (or
more appropriate) plugin for that?

SG

___
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users
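
Added example, not part of the original thread: the change described in the message above, written as an LDIF change file for ldapmodify. It assumes the sambaSID entry is carried over unchanged to the embedded plugin's container, and the child DN cn=SambaSid,cn=ipa-dna,cn=plugins,cn=config is inferred from the container DN given in the thread; all values are the ones posted.

```ldif
# sambaGroupType is a fixed value, not a counter, so its DNA
# configuration is removed rather than moved.
dn: cn=sambaGroupType,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: delete

# The sambaSID range was configured under the 389 DS plugin entry,
# which the embedded DNA plugin in IPA v1.2.2 does not use.
dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
changetype: delete

# Same range definition, re-created under the embedded plugin's container.
# dnaprefix is copied as posted; the poster's P.S. notes that it has to
# end with a hyphen.
dn: cn=SambaSid,cn=ipa-dna,cn=plugins,cn=config
changetype: add
objectClass: top
objectClass: extensibleObject
cn: SambaSid
dnatype: sambaSID
dnaprefix: S-1-5-21-2932961863-1130097162-856551529
dnainterval: 1
dnamagicregen: assign
dnafilter: (|(objectclass=sambaSamAccount)(objectclass=sambaGroupMapping))
dnascope: dc=example,dc=com
dnanextvalue: 15277
```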


Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-17 Thread Simo Sorce
On Thu, 17 Jun 2010 11:38:45 +0200
Stjepan Gros wrote:

> First, thank you for your help. It saves me a lot of time. And I hope
> that I'll document the whole procedure for the others. One important
> general question. Are there any changes in FreeIPA 2 that will
> invalidate all this procedure?

It will not invalidate it, but in v2 we use the plugin provided from DS
directly and do not build our own version anymore so the DN of the
config changes to the one you were using before.

> Back to the main problem, I removed the entries for DNA that were in a
> wrong place and after adding DNA configuration for sambaSID in
> cn=ipa-dna,cn=plugins,cn=config I can now add users. All the samba
> related attributes are added to a new user after I set initial
> password.
> 
> But I can not login using smbclient because samba thinks that the
> password is expired. Either I have to set X in samba flags (password
> never expires) or I have to properly initialize password related
> fields for samba. Setting password fields would be preferable, is it
> possible and how?
> 
> Easier way (and necessary in case of groups) is to set fixed value
> when creating new users and groups. The question is, is it possible to
> configure DNA plugin to set fixed value, or there is specialized (or
> more appropriate) plugin for that?

Unfortunately in v1.x we didn't have enough infrastructure to make it
easier to set additional attributes beyond the default one we set on
user/group creation. v2.x should make this possible.

Simo.

-- 
Simo Sorce * Red Hat, Inc * New York



Re: [Freeipa-users] Problem with FreeIPA and Samba 3...

2010-06-17 Thread Stjepan Gros
On Thu, 2010-06-17 at 11:26 -0400, Simo Sorce wrote:

> Unfortunately in v1.x we didn't have enough infrastructure to make it
> easier to set additional attributes beyond the default one we set on
> user/group creation. v2.x should make this possible.

In other words, the only way samba attributes can be added is to create
new user/group and then "manually" add/modify all the relevant
attributes using e.g. ldapmodify?

SG

