Hi Alexander,

Thank you for looking into this.

We need "ipaNTGroupAttrs" for the group "it". The issue is that I am no longer able to create a new group:

# ipa group-add testgroup
ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
#

Yes, there are errors like this:

[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.

What should I do to be able to create new groups?

Thanks.

Kathy.

On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <[email protected]> wrote:

> On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
> > Hi List,
> >
> > Here is what happened in a timely order.
> >
> > The group "it" was created a long time ago without the "groupOfUniqueNames"
> > objectclass.
> >
> > I did the following to add the "groupOfUniqueNames" objectclass:
> >
> > [root@ipa0 ~]# ipa group-show it --all | grep object
> >   objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
> > [root@ipa0 ~]#
> > [root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
> > -------------------
> > Modified group "it"
> > -------------------
> >   Group name: it
> >   Description: IT Team
> >   GID: 1889600264
> >   Member users: john, rosy, ben, dan, rob,
> >   Member of groups: observium
> >   Member of Sudo rule: itsysadmins
> >   Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
> > [root@ipa0 ~]#
> > [root@ipa0 ~]# ipa group-show it --all | grep object
> >   objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
> > [root@ipa0 ~]#
> >
> > After this, I could not create a group (both GUI and CLI), with the same
> > error message:
> >
> > [root@ipa0 ~]# ipa group-add testgroup
> > ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>
> You can remove ipaNTGroupAttrs from the objectclass:
>
> ipa group-mod it --delattr=objectclass=ipantgroupattrs
>
> Also, look at the dirsrv's errors log to see if sidgen plugin has
> something to complain about.
>
> > [root@ipa0 ~]#
> >
> > In the log:
> >
> > [31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> >
> > When checked via GUI - IPA Servers / Configuration, the group attribute
> > ipaNTGroupAttrs is there.
> >
> > Any idea what went wrong and how to fix it?
> >
> > Many thanks.
> >
> > Kathy.
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
