Cannot remove ipantgroupattrs from group "it":

# ipa group-mod it --delattr=objectclass=ipantgroupattrs
ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed

On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu <[email protected]> wrote:

> Hi Alexander,
>
> Thank you for looking into this.
>
> We need "ipaNTGroupAttrs" for the group "it".
>
> The issue is that I am no longer able to create a new group:
>
> # ipa group-add testgroup
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> #
>
> Yes, there are errors like this:
>
> [01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
>
> What should I do to be able to create new groups?
>
> Thanks.
>
> Kathy.
>
> On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <[email protected]> wrote:
>
>> On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>> >Hi List,
>> >
>> >Here is what happened in a timely order.
>> >
>> >The group "it" was created a long time ago without "groupOfUniqueNames" objectclass.
>> >
>> >I did the following to add "groupOfUniqueNames" objectclass:
>> >
>> >[root@ipa0 ~]# ipa group-show it --all | grep object
>> >  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
>> >[root@ipa0 ~]#
>> >[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
>> >-------------------
>> >Modified group "it"
>> >-------------------
>> >  Group name: it
>> >  Description: IT Team
>> >  GID: 1889600264
>> >  Member users: john, rosy, ben, dan, rob,
>> >  Member of groups: observium
>> >  Member of Sudo rule: itsysadmins
>> >  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
>> >[root@ipa0 ~]#
>> >[root@ipa0 ~]# ipa group-show it --all | grep object
>> >  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>> >[root@ipa0 ~]#
>> >
>> >After this, I could not create a group (both GUI and cli) with same error
>> >message:
>> >
>> >[root@ipa0 ~]# ipa group-add testgroup
>> >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>>
>> You can remove ipaNTGroupAttrs from the objectclass:
>>
>> ipa group-mod it --delattr=objectclass=ipantgroupattrs
>>
>> Also, look at the dirsrv's errors log to see if sidgen plugin has
>> something to complain about.
>>
>> >[root@ipa0 ~]#
>> >
>> >In the log:
>> >
>> >[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>> >
>> >When checked via GUI - IPA Servers / Configuration, the group attribute
>> >ipaNTGroupAttrs is there.
>> >
>> >Any idea what went wrong and how to fix it?
>> >
>> >Many thanks.
>> >
>> >Kathy.
>>
>> --
>> / Alexander Bokovoy
>> Sr. Principal Software Engineer
>> Security / Identity Management Engineering
>> Red Hat Limited, Finland
