I am trying to create a Samba Admin account in FDS as per the final steps of http://directory.fedora.redhat.com/wiki/Howto:Samba I''ve created a sambaAdmin file with contents: Administrator:x:0:0:Samba Admin:/root:/bin/bash I then ran: /usr/share/openldap/migration/migrate_passwd.pl /tmp/sambaAdmin > /tmp/sambaAdmin.ldif but when I get to converting the ldif to ldap via: /opt/fedora-ds/slapd-<server>/ldif2ldap "cn=Directory manager" password /tmp/sambaAdmin.ldif I get the following error: adding new entry uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com ldap_add: Object class violation ldap_add: additional info: unknown object class "kerberosSecurityObject" As far as I know I haven''t enabled kerberos anywhere. Does anyone know what I need to do to resolve this? Thanks, -Mont
A suggestion was made that I should add the contents of my
sambaAdmin.ldiffile to this post. They are below.
The kerberosSecurityObject isn''t in my schema, so thus the error. But
why
did migrate_password.pl put that in my ldif? Is there a config option
somewhere that should be switched to disable Kerberos or do I just need to
manually edit the ldif and delete the offending line?
Thanks,
-Mont
dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com
uid: Administrator
cn: Samba Admin
givenName: Samba
sn: Admin
mail: Administrator@forayadams.foray.com
mailRoutingAddress: Administrator@mail.forayadams.foray.com
mailHost: mail.forayadams.foray.com
objectClass: inetLocalMailRecipient
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: top
objectClass: kerberosSecurityObject
userPassword: {crypt}x
krbName: Administrator@FORAYADAMS.FORAY.COM
loginShell: /bin/bash
uidNumber: 0
gidNumber: 0
homeDirectory: /root
gecos: Samba Admin
On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote:> A suggestion was made that I should add the contents of my > sambaAdmin.ldif file to this post. They are below. > > The kerberosSecurityObject isn''t in my schema, so thus the error. But > why did migrate_password.pl put that in my ldif? Is there a config > option somewhere that should be switched to disable Kerberos or do I > just need to manually edit the ldif and delete the offending line? > > Thanks, > -Mont > > > dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > uid: Administrator > cn: Samba Admin > givenName: Samba > sn: Admin > mail: Administrator@forayadams.foray.com > mailRoutingAddress: Administrator@mail.forayadams.foray.com > mailHost: mail.forayadams.foray.com > objectClass: inetLocalMailRecipient > objectClass: person > objectClass: organizationalPerson > objectClass: inetOrgPerson > objectClass: posixAccount > objectClass: top > objectClass: kerberosSecurityObject > userPassword: {crypt}x > krbName: Administrator@FORAYADAMS.FORAY.COM > loginShell: /bin/bash > uidNumber: 0 > gidNumber: 0 > homeDirectory: /root > gecos: Samba Admin---- the option of course is yours. If you read through the source within the padl migration scripts (I''m assuming that you used the ones installed by openldap-server package from the distribution, you will probably notice how and why it is put there...presumably because you have chosen to use an extended schema. I think the object is to test, tune, test, tune until you get what you want from the migration scripts. I suspect the reasons no one else answered this question was that the source isn''t part of FDS, the DSA setup will be as you design it to be and the source is lightweight and should be simple enough to comprehend and adjust as needed. Craig
Thank you for your reply. I grabbed the migration scripts from http://www.padl.com/download/ because I wanted to avoid installing openldap when all I needed was the scripts. Looking at the source the kerberosSecurityObject is inserted as long as there is a default realm, though the extended schema does cause a problem with mail related values (see below). It sounds like what I was missing is the fact that editing the migration scripts is expected. I was under the impression that if my migration didn''t work it was a mistake I had made. After commenting out the following items in the password_migration script my admin user finally added: - mailRoutingAddress - mailHost - inetLocalMailRecipient - kerberosSecurityObject - krbName Is not having these in my schema common/normal? Thanks, -Mont* * On 3/24/06, Craig White <craigwhite@azapple.com> wrote:> > On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote: > > A suggestion was made that I should add the contents of my > > sambaAdmin.ldif file to this post. They are below. > > > > The kerberosSecurityObject isn''t in my schema, so thus the error. But > > why did migrate_password.pl put that in my ldif? Is there a config > > option somewhere that should be switched to disable Kerberos or do I > > just need to manually edit the ldif and delete the offending line? > > > > Thanks, > > -Mont > > > > > > dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > > uid: Administrator > > cn: Samba Admin > > givenName: Samba > > sn: Admin > > mail: Administrator@forayadams.foray.com > > mailRoutingAddress: Administrator@mail.forayadams.foray.com > > mailHost: mail.forayadams.foray.com > > objectClass: inetLocalMailRecipient > > objectClass: person > > objectClass: organizationalPerson > > objectClass: inetOrgPerson > > objectClass: posixAccount > > objectClass: top > > objectClass: kerberosSecurityObject > > userPassword: {crypt}x > > krbName: Administrator@FORAYADAMS.FORAY.COM > > loginShell: /bin/bash > > uidNumber: 0 > > gidNumber: 0 > > homeDirectory: /root > > gecos: Samba Admin > ---- > the option of course is yours. > > If you read through the source within the padl migration scripts (I''m > assuming that you used the ones installed by openldap-server package > from the distribution, you will probably notice how and why it is put > there...presumably because you have chosen to use an extended schema. > > I think the object is to test, tune, test, tune until you get what you > want from the migration scripts. > > I suspect the reasons no one else answered this question was that the > source isn''t part of FDS, the DSA setup will be as you design it to be > and the source is lightweight and should be simple enough to comprehend > and adjust as needed. > > Craig > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >
On Mon, 2006-03-27 at 09:08 -0800, Mont Rothstein wrote:> Thank you for your reply. > > I grabbed the migration scripts from http://www.padl.com/download/ > because I wanted to avoid installing openldap when all I needed was > the scripts. > > Looking at the source the kerberosSecurityObject is inserted as long > as there is a default realm, though the extended schema does cause a > problem with mail related values (see below). > > It sounds like what I was missing is the fact that editing the > migration scripts is expected. I was under the impression that if my > migration didn''t work it was a mistake I had made. > > After commenting out the following items in the password_migration > script my admin user finally added: > > * mailRoutingAddress > * mailHost > * inetLocalMailRecipient > * kerberosSecurityObject > * krbName > > Is not having these in my schema common/normal?---- I don''t know what is common - I think the issue is that it is your DSA and you should be able to configure the desired attributes and eliminate the attributes that aren''t desired - I think that is the point of the migration scripts in general. Thus you should be able to take a flat file such as /etc/passwd, using the padl migration scripts output it into whatever form you desire for your directory. Craig ----> > Thanks, > -Mont > > On 3/24/06, Craig White <craigwhite@azapple.com> wrote: > On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote: > > A suggestion was made that I should add the contents of my > > sambaAdmin.ldif file to this post. They are below. > > > > The kerberosSecurityObject isn''t in my schema, so thus the > error. But > > why did migrate_password.pl put that in my ldif? Is there a > config > > option somewhere that should be switched to disable Kerberos > or do I > > just need to manually edit the ldif and delete the offending > line? > > > > Thanks, > > -Mont > > > > > > dn: > uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > > uid: Administrator > > cn: Samba Admin > > givenName: Samba > > sn: Admin > > mail: Administrator@forayadams.foray.com > > mailRoutingAddress: Administrator@mail.forayadams.foray.com > > mailHost: mail.forayadams.foray.com > > objectClass: inetLocalMailRecipient > > objectClass: person > > objectClass: organizationalPerson > > objectClass: inetOrgPerson > > objectClass: posixAccount > > objectClass: top > > objectClass: kerberosSecurityObject > > userPassword: {crypt}x > > krbName: Administrator@FORAYADAMS.FORAY.COM > > loginShell: /bin/bash > > uidNumber: 0 > > gidNumber: 0 > > homeDirectory: /root > > gecos: Samba Admin > ---- > the option of course is yours. > > If you read through the source within the padl migration > scripts (I''m > assuming that you used the ones installed by openldap-server > package > from the distribution, you will probably notice how and why it > is put > there...presumably because you have chosen to use an extended > schema. > > I think the object is to test, tune, test, tune until you get > what you > want from the migration scripts. > > I suspect the reasons no one else answered this question was > that the > source isn''t part of FDS, the DSA setup will be as you design > it to be > and the source is lightweight and should be simple enough to > comprehend > and adjust as needed. > > Craig > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users
> > > * mailRoutingAddress > * mailHost > * inetLocalMailRecipient > * kerberosSecurityObject > * krbName > > Is not having these in my schema common/normal?I''m sure there''s plenty of directories out there that don''t maintain these attributes on account objects. If all you want to do is import the UNIX /etc/passwd attributes, you definitely don''t need these. Mont Rothstein wrote:> Thank you for your reply. > > I grabbed the migration scripts from http://www.padl.com/download/ > because I wanted to avoid installing openldap when all I needed was > the scripts. > > Looking at the source the kerberosSecurityObject is inserted as long > as there is a default realm, though the extended schema does cause a > problem with mail related values (see below). > > It sounds like what I was missing is the fact that editing the > migration scripts is expected. I was under the impression that if my > migration didn''t work it was a mistake I had made. > > After commenting out the following items in the password_migration > script my admin user finally added: > > * mailRoutingAddress > * mailHost > * inetLocalMailRecipient > * kerberosSecurityObject > * krbName > > > Is not having these in my schema common/normal? > > Thanks, > -Mont/ > / > On 3/24/06, *Craig White* < craigwhite@azapple.com > <mailto:craigwhite@azapple.com>> wrote: > > On Fri, 2006-03-24 at 10:26 -0800, Mont Rothstein wrote: > > A suggestion was made that I should add the contents of my > > sambaAdmin.ldif file to this post. They are below. > > > > The kerberosSecurityObject isn''t in my schema, so thus the > error. But > > why did migrate_password.pl put that in my ldif? Is there a config > > option somewhere that should be switched to disable Kerberos or do I > > just need to manually edit the ldif and delete the offending line? > > > > Thanks, > > -Mont > > > > > > dn: uid=Administrator,ou=People,dc=forayadams,dc=foray,dc=com > > uid: Administrator > > cn: Samba Admin > > givenName: Samba > > sn: Admin > > mail: Administrator@forayadams.foray.com > <mailto:Administrator@forayadams.foray.com> > > mailRoutingAddress: Administrator@mail.forayadams.foray.com > <mailto:Administrator@mail.forayadams.foray.com> > > mailHost: mail.forayadams.foray.com > <http://mail.forayadams.foray.com> > > objectClass: inetLocalMailRecipient > > objectClass: person > > objectClass: organizationalPerson > > objectClass: inetOrgPerson > > objectClass: posixAccount > > objectClass: top > > objectClass: kerberosSecurityObject > > userPassword: {crypt}x > > krbName: Administrator@FORAYADAMS.FORAY.COM > <mailto:Administrator@FORAYADAMS.FORAY.COM> > > loginShell: /bin/bash > > uidNumber: 0 > > gidNumber: 0 > > homeDirectory: /root > > gecos: Samba Admin > ---- > the option of course is yours. > > If you read through the source within the padl migration scripts (I''m > assuming that you used the ones installed by openldap-server package > from the distribution, you will probably notice how and why it is put > there...presumably because you have chosen to use an extended schema. > > I think the object is to test, tune, test, tune until you get what you > want from the migration scripts. > > I suspect the reasons no one else answered this question was that the > source isn''t part of FDS, the DSA setup will be as you design it to be > and the source is lightweight and should be simple enough to > comprehend > and adjust as needed. > > Craig > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > <mailto:Fedora-directory-users@redhat.com> > https://www.redhat.com/mailman/listinfo/fedora-directory-users > <https://www.redhat.com/mailman/listinfo/fedora-directory-users> > > > ------------------------------------------------------------------------ > > -- > Fedora-directory-users mailing list > Fedora-directory-users@redhat.com > https://www.redhat.com/mailman/listinfo/fedora-directory-users >