[Samba] Smbpasswd -m -x not working, "object class violation" error

Fermin Molina fermin at asic.udl.es
Sat Feb 18 14:15:59 GMT 2006


On Thu, 2006-02-16 at 11:43 -0300, Andrés Yacopino wrote:
> This time I added values to cn, the object class inetOrgPerson and a value
> for sn.
> After that I tried to delete the machine account and it works.
> Apparently it needs this object class as you said.
> How can I add this class automatically when I add a machine account
> using smbpasswd?


Are you using "smbldap-tools"?

In my case, I need to put some additional information into new machine
accounts, like you. I modified the "sub add_posix_machine" in the
"smbldap_tools.pm" Perl script to add the information I need. But I
think class inetOrgPerson is added by these scripts...

I use smbldap-tools version 0.9.1.

Hope this helps.

/Fermin



> 2006/2/16, Daniel Wilson <daniel.wilson at sunderland.ac.uk>:
> >
> >
> > > I also found that displayName belongs to the inetorgperson object class.
> > > I tried to add this object class to the user but I obtain an object
> > > class violation.
> > Usually objectclasses have a set of required attributes that must have
> > values before you can commit adding the object class. Did you just try
> > and add the object class without adding values to the new attributes?
> > >
> > > I see that a user account (not a machine account) has a lot of object
> > > classes; the machine account has only the three classes
> > > sambaSamAccount, account, top.
> > OK, so maybe it's trying to delete the attribute displayName from the
> > inetorgperson, which a machine doesn't have then...?
> > > Thanks.
> > >
> > >
> > >
> > >
> > > 2006/2/16, Andrés Yacopino <ayacopino at gmail.com>:
> > >
> > >     I see the attribute displayName (as an allowed attribute) in these
> > >     user object classes:
> > >
> > >     -pabperson
> > >     -sambasamaccount
> > >     -sambagroupmapping
> > >
> > >     The user account has only these classes:
> > >
> > >     sambaSamAccount
> > >     account
> > >     top
> > >
> > >     Is this wrong? Could the attribute be in some classes at the same
> > >     time?
> > >     Thanks,
> > >     Andres.
> > >
> > >     2006/2/15, Daniel Wilson <daniel.wilson at sunderland.ac.uk>:
> > >
> > >         What object class is the displayName in, and does the user
> > >         account have that object class? I'm sure you need to have the
> > >         object class before you can add/remove the attribute assigned
> > >         to the object class.
> > >
> > >         Attributes belong to and are grouped in objectclasses.
> > >
> > >         Regards
> > >
> > >         Daniel Wilson
> > >         Systems Manager
> > >         Student and Learning Support
> > >         University of Sunderland
> > >         Tel: 0191 515 2695
> > >
> > >
> > >
> > >         Andrés Yacopino wrote:
> > >
> > >         > Thanks for replying Daniel, I executed: grep -il displayName *.ldif
> > >         >
> > >         > and I obtain:
> > >         >
> > >         > 00core.ldif
> > >         > 50ns-admin.ldif
> > >         > 50ns-iabs.ldif
> > >         > 99samba-schema-netscapeds5.x.ldif
> > >         > 99user.ldif
> > >         >
> > >         > I also looked at the configuration in the console and I see:
> > >         >
> > >         > Standard Attribute(Read Only):
> > >         >
> > >         > Name: displayName
> > >         > OID: 2.16.840.1.113730.3.1.241
> > >         > Syntax: DirectoryString
> > >         > Multivalued: not checked
> > >         >
> > >         > Do you know what is wrong with this?
> > >         > Thanks a lot,
> > >         > Andrés.
> > >         >
> > >         > 2006/2/14, Daniel Wilson <daniel.wilson at sunderland.ac.uk>:
> > >         >
> > >         >     I'm sure this means that it's trying to delete the
> > >         >     displayName attribute, which is more than likely not in
> > >         >     your LDAP schema.
> > >         >
> > >         >     Look in the "<install_dir>/slapd-<hostname>/config/schema/"
> > >         >     directory for your schema.
> > >         >
> > >         >     To see if "displayName" is part of any object classes in
> > >         >     your LDAP schema, search the schema files:
> > >         >
> > >         >     bash# grep -il displayName <install_dir>/slapd-<hostname>/config/schema/*.ldif
> > >         >
> > >         >     If it's not part of your schema you may want to add this
> > >         >     attribute to your 99user.ldif schema file or add the
> > >         >     attribute via the Sun LDAP console (recommended):
> > >         >
> > >         >     bash # <install_dir>/startconsole &
> > >         >     Server Group > Directory Server (Open) > Configuration > Schema > Attributes > Create
> > >         >
> > >         >     -or-
> > >         >
> > >         >     you may want to just disable schema checking in your LDAP
> > >         >     server:
> > >         >
> > >         >     bash # <install_dir>/startconsole &
> > >         >     Server Group > Directory Server (Open) > Configuration > Schema (Disable)
> > >         >
> > >         >     Regards
> > >         >
> > >         >     Daniel Wilson
> > >         >     Systems Manager
> > >         >     Student and Learning Support
> > >         >     University of Sunderland
> > >         >     Tel: 0191 515 2695
> > >         >
> > >         >
> > >         >
> > >         >     Andrés Yacopino wrote:
> > >         >
> > >         >     > Daniel, I checked the log as you said and I hit this:
> > >         >     >
> > >         >     > [14/Feb/2006:14:19:10 +0300] - ERROR<5897> - Schema  - conn=-1 op=-1 msgId=-1 - User error:  Entry "uid=aprueba$,ou=computers,o=acasalud.com.ar,dc=acasalud,dc=com,dc=ar", attribute "displayName" is not allowed
> > >         >     >
> > >         >     > What does it mean?
> > >         >     >
> > >         >     > Thanks,
> > >         >     > Andrés.
> > >         >     >
> > >         >     >
> > >         >     >
> > >         >     > 2006/2/14, Daniel Wilson <daniel.wilson at sunderland.ac.uk>:
> > >         >     >
> > >         >     >     Have you checked the Sun LDAP errors.log file for the
> > >         >     >     specific object class violation? Usually at
> > >         >     >     <install_dir>/slapd-<hostname>/logs/errors.log
> > >         >     >
> > >         >     >     Daniel Wilson
> > >         >     >     Systems Manager
> > >         >     >     Student and Learning Support
> > >         >     >     University of Sunderland
> > >         >     >     Tel: 0191 515 2695
> > >         >     >
> > >         >     >
> > >         >     >
> > >         >     >     Andrés Yacopino wrote:
> > >         >     >
> > >         >     >     >I have deployed a Samba server with Sun Java LDAP Directory.
> > >         >     >     >
> > >         >     >     >I successfully created users and deleted them when ldap delete dn=yes in
> > >         >     >     >smb.conf, but when ldap delete dn=no I obtain this error when I issue a
> > >         >     >     >smbpasswd -m -x command:
> > >         >     >     >
> > >         >     >     >ldapsam_delete_entry: Could not delete attributes for uid=aprueba$,ou=computers,o=acasalud.com.ar,dc=acasalud,dc=com,dc=ar, error: Object class violation ()
> > >         >     >     >Failed to delete entry for user aprueba$.
> > >         >     >     >Failed to modify password entry for user aprueba$
> > >         >     >     >My smb.conf is:
> > >         >     >     >
> > >         >     >     >[global]
> > >         >     >     >
> > >         >     >     >   workgroup = ACASALUDROS
> > >         >     >     >   server string = Sun Samba Server
> > >         >     >     >   security = user
> > >         >     >     >   dos filetimes = yes
> > >         >     >     >   time offset = -360
> > >         >     >     >   load printers = yes
> > >         >     >     >   printcap name = /etc/printcap
> > >         >     >     >   printing = cups
> > >         >     >     >   guest account = guest
> > >         >     >     >   log file = /usr/local/samba/var/log.%m
> > >         >     >     >   log level = 5
> > >         >     >     >   max log size = 50
> > >         >     >     >   null passwords = yes
> > >         >     >     >   encrypt passwords = yes
> > >         >     >     >   ldap password sync = yes
> > >         >     >     >   unix password sync = yes
> > >         >     >     >   username level = 2
> > >         >     >     >   password level = 0
> > >         >     >     >   passwd program = /usr/bin/passwd %u
> > >         >     >     >   passwd chat = *New* password* %n\n *new* password* %n\n *successfully*
> > >         >     >     >        idmap backend = ldapsam:ldap://localhost:389
> > >         >     >     >        passdb backend = ldapsam:ldap://localhost:389
> > >         >     >     >        ldap admin dn = cn=Directory Manager
> > >         >     >     >        ldap suffix = o=acasalud.com.ar,dc=acasalud,dc=com,dc=ar
> > >         >     >     >        ldap user suffix = ou=people
> > >         >     >     >        ldap group suffix = ou=groups
> > >         >     >     >        ldap machine suffix = ou=computers
> > >         >     >     >        ldap idmap suffix = ou=idmap
> > >         >     >     >        ldap delete dn = no
> > >         >     >     >   socket options = TCP_NODELAY=0
> > >         >     >     >   wins server = 10.11.0.2
> > >         >     >     >   dns proxy = no
> > >         >     >     >
> > >         >     >     >What is wrong?
> > >         >     >     >
> > >         >     >     >Does that work only when
> > >         >     >     >
> > >         >     >     >   preferred master = yes
> > >         >     >     >   domain master = yes
> > >         >     >     >   local master = yes
> > >         >     >     >   domain logons = yes
> > >         >     >     >
> > >         >     >     >are yes?
> > >         >     >     >Any other ideas?
> > >         >     >     >
> > >         >     >     >Thanks a lot.
> > >         >     >     >
> > >         >     >     >
> > >         >     >     >--
> > >         >     >     >Andrés Yacopino
> > >         >     >     >
> > >         >     >     >
> > >         >     >
> > >         >     >
> > >         >     >
> > >         >     >
> > >         >     >
> > >         >     > --
> > >         >     > Andrés Yacopino
> > >         >
> > >         >
> > >         >
> > >         >
> > >         >
> > >         >
> > >         > --
> > >         > Andrés Yacopino
> > >
> > >
> > >
> > >
> > >
> > >
> > >     --
> > >     Andrés Yacopino
> > >
> > >
> > >
> > >
> > > --
> > > Andrés Yacopino
> >
> > --
> > Daniel Wilson
> > Systems Manager
> > Student and Learning Support
> > University of Sunderland
> > Tel: 0191 515 2695
> >
> >
> 
> 
> --
> Andrés Yacopino
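
The schema rule this thread turns on (an attribute must be allowed by one of the entry's object classes, and a class can only be added together with values for its required attributes), as an added example that is not part of the original messages or of Samba or smbldap-tools. The schema table is a constructed, abbreviated subset and the entry values are constructed; structural/auxiliary class rules are not modelled.

```python
# Constructed subset of a directory schema: class -> (superior, MUST, MAY).
# Attribute lists are abbreviated; a real server reads them from its schema files.
SCHEMA = {
    "top": (None, {"objectClass"}, set()),
    "account": ("top", {"uid"}, {"description", "host"}),
    "person": ("top", {"cn", "sn"}, {"description", "userPassword"}),
    "organizationalPerson": ("person", set(), {"title", "ou"}),
    "inetOrgPerson": ("organizationalPerson", set(), {"displayName", "uid", "mail"}),
    "sambaSamAccount": ("top", {"uid", "sambaSID"}, {"cn", "displayName", "sambaAcctFlags"}),
}


def _rules(classes):
    """Collect MUST and MAY attributes for the classes and all their superiors."""
    must, may = set(), set()
    for name in classes:
        while name is not None:
            superior, required, allowed = SCHEMA[name]
            must |= required
            may |= allowed
            name = superior
    return must, may


def violations(entry):
    """Return the schema violations for an entry given as {attribute: [values]}."""
    must, may = _rules(entry["objectClass"])
    attrs = set(entry)
    problems = [f'missing required attribute "{a}"' for a in sorted(must - attrs)]
    problems += [f'attribute "{a}" is not allowed' for a in sorted(attrs - must - may)]
    return problems


# Constructed machine entry: holds displayName, but neither account nor top allows it.
machine = {"objectClass": ["top", "account"], "uid": ["aprueba$"], "displayName": ["aprueba$"]}

# Adding inetOrgPerson alone is rejected: its superior class person requires cn and sn.
half_fixed = dict(machine, objectClass=["top", "account", "inetOrgPerson"])

# Adding the class together with values for cn and sn satisfies the schema.
fixed = dict(half_fixed, cn=["aprueba$"], sn=["aprueba$"])

if __name__ == "__main__":
    for label, e in (("machine", machine), ("half_fixed", half_fixed), ("fixed", fixed)):
        print(label, violations(e) or "OK")
```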


