Never mind. This cmd did it:

ipa config-mod --groupobjectclasses=oc1,oc2,...ocN

i.e. not delete, but reset.

Thanks.

Kathy.

On Tue, Apr 5, 2022 at 2:11 PM Kathy Zhu wrote:

> Hi List,
>
> We are not able to create new groups:
>
> [root@hq-ipa1 ~]# ipa group-add testgroup
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> [root@hq-ipa1 ~]#
>
> I believe that we no longer need "ipaNTGroupAttrs" any more. How to
> remove it from all groups? GUI only allows adding but not removing.
>
> Many thanks.
>
> Kathy.
>
> On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
>
>> Cannot remove ipantgroupattrs from group "it":
>>
>> # ipa group-mod it --delattr=objectclass=ipantgroupattrs
>> ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
>>
>> On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu wrote:
>>
>>> Hi Alexander,
>>>
>>> Thank you for looking into this.
>>>
>>> We need "ipaNTGroupAttrs" for the group "it".
>>>
>>> The issue is that I am no longer able to create a new group:
>>>
>>> # ipa group-add testgroup
>>> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>>> #
>>>
>>> Yes, there are errors like this:
>>>
>>> [01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
>>>
>>> What should I do to be able to create new groups?
>>>
>>> Thanks.
>>>
>>> Kathy.
>>>
>>> On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <[email protected]>
>>> wrote:
>>>
>>>> On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>>>> >Hi List,
>>>> >
>>>> >Here is what happened in a timely order.
>>>> >
>>>> >the group "it" was created a long time ago without "groupOfUniqueNames"
>>>> >objectclass.
>>>> >
>>>> >I did the following to add "groupOfUniqueNames" objectclass:
>>>> >
>>>> >[root@ipa0 ~]# ipa group-show it --all | grep object
>>>> >  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
>>>> >[root@ipa0 ~]#
>>>> >
>>>> >[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
>>>> >-------------------
>>>> >Modified group "it"
>>>> >-------------------
>>>> >  Group name: it
>>>> >  Description: IT Team
>>>> >  GID: 1889600264
>>>> >  Member users: john, rosy, ben, dan, rob,
>>>> >  Member of groups: observium
>>>> >  Member of Sudo rule: itsysadmins
>>>> >  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
>>>> >[root@ipa0 ~]#
>>>> >
>>>> >[root@ipa0 ~]# ipa group-show it --all | grep object
>>>> >  objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>>>> >[root@ipa0 ~]#
>>>> >
>>>> >After this, I could not create a group (both GUI and cli) with same error
>>>> >message:
>>>> >
>>>> >[root@ipa0 ~]# ipa group-add testgroup
>>>> >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>>>>
>>>> You can remove ipaNTGroupAttrs from the objectclass:
>>>>
>>>> ipa group-mod it --delattr=objectclass=ipantgroupattrs
>>>>
>>>> Also, look at the dirsrv's errors log to see if sidgen plugin has
>>>> something to complain about.
>>>>
>>>> >[root@ipa0 ~]#
>>>> >
>>>> >In the log:
>>>> >
>>>> >[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>>>> >
>>>> >When checked via GUI - IPA Servers / Configuration, the group attribute
>>>> >ipaNTGroupAttrs is there.
>>>> >
>>>> >Any idea what went wrong and how to fix it?
>>>> >
>>>> >Many thanks.
>>>> >
>>>> >Kathy.
>>>>
>>>> --
>>>> / Alexander Bokovoy
>>>> Sr. Principal Software Engineer
>>>> Security / Identity Management Engineering
>>>> Red Hat Limited, Finland
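The reset described at the top of the thread, as an added example that is not part of the original messages: it builds the `ipa config-mod --groupobjectclasses=...` command from the current default list with one object class left out. The function name `build_reset_cmd`, the sample config text (constructed) and the assumed `Default group objectclasses:` line format of `ipa config-show` are assumptions; the comma-separated option form is the one used in the thread.

```shell
#!/bin/sh
# Added example: build the `ipa config-mod --groupobjectclasses=...` reset
# command from the current default list, leaving out one object class.
# Input format is an assumption: the "Default group objectclasses:" line
# as printed by `ipa config-show`, values separated by ", ".

# Constructed sample (not output captured from a real server).
SAMPLE_CONFIG='  Default user objectclasses: top, person, posixaccount
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipantgroupattrs
  Password Expiration Notification (days): 4'

# build_reset_cmd <objectclass-to-drop>   (reads config text on stdin)
# Prints the config-mod command; prints nothing and returns 1 if the
# class is not in the default list or the list cannot be found.
build_reset_cmd() {
    drop=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')
    awk -v drop="$drop" '
        /^[ \t]*Default group objectclasses:/ {
            sub(/^[^:]*:[ \t]*/, "")
            n = split($0, oc, /,[ \t]*/)
            for (i = 1; i <= n; i++) {
                # LDAP object class names are case-insensitive
                if (tolower(oc[i]) == drop) { found = 1; continue }
                if (oc[i] != "") keep = keep (keep == "" ? "" : ",") oc[i]
            }
        }
        END {
            if (!found || keep == "") exit 1
            print "ipa config-mod --groupobjectclasses=" keep
        }'
}

# Review the printed command before running it on an IPA server.
printf '%s\n' "$SAMPLE_CONFIG" | build_reset_cmd ipaNTGroupAttrs
```

On a live server the input would come from `ipa config-show` instead of the sample text.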
