https://bugzilla.redhat.com/show_bug.cgi?id=837604 (Red Hat Enterprise Linux 7)
Description of problem:
After configuring a Samba group in IPA using the documentation:
http://docs.redhat.com/docs/en-US/Red_Hat_Enterprise_Linux/6/html-single/Identity_Management_Guide/index.html#ipa-samba
creating a group through the web UI fails with the error:

    ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"

Creating it through the command line using "ipa group-add" also fails with a similar error:

    ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"

sambaGroupType is only added to the existing, already created groups, and new groups can be created through the command line only by specifying the attribute "--addattr=sambaGroupType=4".

Version-Release number of selected component (if applicable):
ipa-server-2.1.3-9.el6.x86_64

How reproducible: *

Steps to reproduce the issue:

1. Configure the IPA server as a Samba client to the domain.

2. Get the SID of the system:

    $ net getlocalsid
    SID for domain IPA-TEST-2 is: S-1-5-21-1010801723-2226747923-3221867778

3. Obtain a Kerberos ticket before editing the IPA configuration:

    $ kinit admin@<REALM>

4. Add two Samba-related object classes, sambaSAMAccount for users and sambaGroupMapping for groups, to the IPA configuration entry:

    $ ipa config-mod --userobjectclasses=top,person,organizationalperson,inetorgperson,inetuser,posixaccount,krbprincipalaux,krbticketpolicyaux,ipaobject,sambaSAMAccount
    $ ipa config-mod --groupobjectclasses=top,groupofnames,nestedgroup,ipausergroup,ipaobject,sambaGroupMapping

5. Create a DNA entry for sambaGroupSID with the values below:

    dn: cn=SambaGroupSid,cn=Distributed Numeric Assignment Plugin,cn=plugins,cn=config
    objectClass: top
    objectClass: extensibleObject
    cn: SambaSid
    dnatype: sambaSID
    dnaprefix: S-1-5-21-1010801723-2226747923-3221867778-
    dnafilter: (|(objectclass=sambasamaccount)(objectclass=sambagroupmapping))
    dnascope: dc=example,dc=com
    dnanextvalue: 1

6. Create COS entry so that sambaGroupType

    [root@ipaserver ~]# ldapadd -x -D "cn=directory manager" -w secret
    dn: cn=SambaCoS,cn=groups,cn=accounts,dc=example,dc=com
    objectclass: top
    objectclass: cosSuperDefinition
    objectclass: cosPointerDefinition
    cosTemplateDn: cn=SambaCoS,cn=ipaConfig,cn=etc,dc=example,dc=com
    cosAttribute: sambaGroupType

7. Create a CoS template:

    [root@ipaserver ~]# ldapadd -x -D "cn=directory manager" -w secret
    dn: cn=SambaCoS,cn=ipaConfig,cn=etc,dc=example,dc=com
    changetype: add
    objectclass: top
    objectclass: extensibleObject
    objectclass: cosTemplate
    sambaGroupType: 4

8. Create a group:

    [root@ipaserver ~]ipa group-add
    Group name: test
    Description: testgroup
    ipa: ERROR: missing attribute "sambaGroupType" required by object class "sambaGroupMapping"

The results are the same with the web UI also.

Actual results:
Group add fails after configuring a Samba group with IPA.

Expected results:
Group add should succeed, with the sambaGroupType attribute and sambaGroupMapping objectclass automatically added to all the existing and newly created groups.

Additional info:
Metadata Update from @dpal: - Issue assigned to someone - Issue set to the milestone: Ticket Backlog
The associated downstream BZ is marked as fixed with:
Pull request #3267 pushed to git master:
84201e1 adtrust: add design document for Samba domain member on IPA client
cdb94e0 ipaserver.install.installutils: move commonly used utils to ipapython.ipautil
d85e055 ipapython.ipautil.run: allow skipping stdout/stderr logging
a423526 ipasam: add lookup of an account by SID
91abd1f ipasam: add handling of machine accounts
653f720 kdb: support SMB services on IPA domain members
d631e00 adtrust: update Samba domain controller keytab with host keys
afb8305 ipaserver.plugins.service: add service-add-smb to set up an SMB service
814592c ipa-client-samba: a tool to configure Samba domain member on IPA client
e25392e prci: add test_integration/test_smb to the gating set
Metadata Update from @rcritten: - Issue close_status updated to: fixed - Issue status updated to: Closed (was: Open)