[Freeipa-users] Extending Schema, CLI and Web UI for use with Samba 3 (groups!)

Rob Crittenden rcritten at redhat.com
Tue Aug 16 20:23:17 UTC 2011


Ryan Thomson wrote:
> Hello,
>
> I'm trying to follow various steps and instructions I've found online for extending FreeIPA v2 for use with Samba 3 as the LDAP backend. Things have mostly gone well but I've hit a roadblock that I can't quite figure out.
>
> Basically, I'm trying to get every new group added to FreeIPA (either via CLI or Web UI) to automagically become a valid samba group with sambaGroupMapping (and thus sambaSid and sambaGroupType).
>
> Here's what I've done so far:
>
> 1. Added an ipaUserObjectClasses attribute with value sambaSAMAccount to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected for generating Samba hashes for users on password changes.
>
> 2. Configured the DNA plugin to automatically add a sambaSid attribute to every user with a sambaSAMAccount objectClass and group with sambaGroupMapping objectClass:
>
> # SambaSid, Distributed Numeric Assignment Plugin, plugins, config
> dn: cn=SambaSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
> objectClass: top
> objectClass: extensibleObject
> dnatype: sambaSID
> dnaprefix: S-1-5-21-3180075094-3347106287-3821849995-
> dnainterval: 1
> dnamagicregen: assign
> dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
> dnascope: dc=fmri,dc=ubc,dc=ca
> cn: SambaSid
> dnanextvalue: 15289
>
> This works as expected.
>
> 3. Added an ipaGroupObjectClasses attribute with value sambaGroupMapping to cn=ipaConfig,cn=etc,$SUFFIX. This works as expected, adding the objectClass sambaGroupMapping to every new group (and thus requiring sambaSid and sambaGroupType attributes).
>
> 4. Extended the schema (correct terminology?) using ipaCustomFields with (unquoted) value "Samba Group Type,sambagrouptype,true".
>
> 5. Extended the CLI in group.py (.../site-packages/ipalib/plugins/group.py) like so:
>
> --- group.py.orig	2011-08-15 14:59:48.570715207 -0700
> +++ group.py	2011-08-16 12:43:43.493236507 -0700
> @@ -118,6 +118,13 @@
>               label=_('GID'),
>               doc=_('GID (use this option to set it manually)'),
>           ),
> +        Int('sambagrouptype',
> +            cli_name='sgt',
> +            label=_('Samba Group Type'),
> +            doc=_('Samba Group Type (default is 4)'),
> +            default=4,
> +            autofill=True,
> +        ),
>       )
>
>   api.register(group)
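
Review bot: the new Int('sambagrouptype', ...) parameter accepts any integer, and its doc= text says only "default is 4" without stating what the value means or which values are valid. Because autofill=True puts this value on every group-add call, I would name the accepted Samba group types in doc= and restrict the parameter to them, so a mistyped --sgt cannot store an arbitrary sambaGroupType on a group entry. The diff is also taken against the installed copy of group.py under site-packages, so a package update will replace the file and drop the change; keeping the patch somewhere it can be reapplied would help.
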
>
>
> However, when I try to add a group with 'ipa group-add groupname --desc="Group desc"' I get the following output:
>
> ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"
>
> and if I turn on the debugging, I see the following lines:
>
> ipa: DEBUG: raw: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
> ipa: DEBUG: group_add(u'groupname', description=u'Group desc', sambagrouptype=4, nonposix=False, all=False, raw=False, version=u'2.1')
>
> Which looks like my edit of group.py is doing what I expected it to do... but the IPA server is still returning the missing attribute error.
>
> However, if I use --addattr="sambagrouptype=4" as an argument to ipa group-add, it works fine and the attribute is added and the group is created.
>
> What am I missing?
>
> Thank you,
>

This all looks fine. Did you restart the httpd process after making the 
changes to group.py?

rob



