On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
Hi List,

Here is what happened in a timely order.


The group "it" was created a long time ago without the "groupOfUniqueNames"
objectclass.

I did the following to add the "groupOfUniqueNames" objectclass:

[root@ipa0 ~]# ipa group-show it --all | grep object
 objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
[root@ipa0 ~]#
[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
-------------------
Modified group "it"
-------------------
 Group name: it
 Description: IT Team
 GID: 1889600264
 Member users: john, rosy, ben, dan, rob,
 Member of groups: observium
 Member of Sudo rule: itsysadmins
 Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
[root@ipa0 ~]#
[root@ipa0 ~]# ipa group-show it --all | grep object
 objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
[root@ipa0 ~]#


After this, I could not create a group (both GUI and CLI), with the same error
message:

[root@ipa0 ~]# ipa group-add testgroup
ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

You can remove ipaNTGroupAttrs from the objectclass:

 ipa group-mod it --delattr=objectclass=ipantgroupattrs

Also, look at the dirsrv's errors log to see if sidgen plugin has
something to complain about.



[root@ipa0 ~]#


In the log:

[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

When checked via GUI - IPA Servers / Configuration, the group attribute
ipaNTGroupAttrs is there.

Any idea what went wrong and how to fix it?

Many thanks.

Kathy.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
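
Added example (not part of the original thread and not FreeIPA code): a short Python script for the errors-log check suggested above. It pulls oc_check_required schema failures and any lines mentioning sidgen out of dirsrv errors-log text. The regex follows the log line quoted in the thread; the sample log is constructed and the function names are this example's own.

```python
import re
from collections import Counter

# Pattern follows the oc_check_required line quoted in the thread.
OC_REQUIRED = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - ERR - oc_check_required - Entry "(?P<dn>[^"]+)" '
    r'missing attribute "(?P<attr>[^"]+)" required by object class "(?P<oc>[^"]+)"'
)

# Constructed sample: the first line is the one from the thread (unwrapped);
# the other three are made up for illustration, not real server output.
SAMPLE_LOG = '''\
[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
[31/Mar/2022:10:19:30.000000000 -0700] - ERR - oc_check_required - Entry "cn=testgroup2,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
[31/Mar/2022:10:19:31.000000000 -0700] - ERR - constructed-placeholder - line mentioning sidgen (not real plugin output)
[31/Mar/2022:10:20:00.000000000 -0700] - INFO - constructed unrelated line
'''


def scan(log_text):
    """Return (schema_failures, sidgen_lines) found in dirsrv errors-log text."""
    failures, sidgen = [], []
    for line in log_text.splitlines():
        m = OC_REQUIRED.match(line)
        if m:
            failures.append(m.groupdict())
        elif "sidgen" in line.lower():
            # Assumption: any line naming the plugin is worth a human look.
            sidgen.append(line)
    return failures, sidgen


def summarize(failures):
    """Count rejected entries per (object class, missing attribute) pair."""
    return Counter((f["oc"], f["attr"]) for f in failures)


if __name__ == "__main__":
    failures, sidgen = scan(SAMPLE_LOG)
    for (oc, attr), n in summarize(failures).items():
        print(f"{n} entries rejected: {oc} requires {attr}")
    for f in failures:
        print("  ", f["ts"], f["dn"])
    print(f"{len(sidgen)} line(s) mentioning sidgen")
```

On a server, feed scan() the contents of /var/log/dirsrv/slapd-INSTANCE/errors, where INSTANCE is a placeholder for the directory instance name.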