Hi Rob,

It was a long time ago, we tried to integrate with AD but that was dropped
later, however, the group objectclass "ipaNTGroupAttrs" stayed.

Then we added objectclass=groupOfUniqueNames, "it" group was created before
that so I tried to manually modify it by this command:

ipa group-mod it --addattr=objectclass=groupOfUniqueNames


The command went well in terms of adding the objectclass
groupOfUniqueNames, however, we are no longer able to create new groups:


> [root@hq-ipa1 ~]# ipa group-add testgroup
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> object class "ipaNTGroupAttrs"
> [root@hq-ipa1 ~]#


After removing "ipaNTGroupAttrs", we can create a new group now.


Thanks.


Kathy.


On Tue, Apr 5, 2022 at 2:29 PM Rob Crittenden <[email protected]> wrote:

> What's the history behind this? Did this happen all of a sudden or after
> some other change? Did you have a trust that you removed?
>
> rob
>
> Kathy Zhu via FreeIPA-users wrote:
> > Hi List,
> >
> >
> > We are not able to create new groups:
> >
> >
> > [root@hq-ipa1 ~]# ipa group-add testgroup
> >
> > ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> > object class "ipaNTGroupAttrs"
> >
> > [root@hq-ipa1 ~]#
> >
> >
> > I believe that we no longer need "ipaNTGroupAttrs" any more. How to
> > remove it from all groups? GUI only allows adding but not removing.
> >
> >
> > Many thanks.
> >
> >
> > Kathy.
> >
> >
> >
> > On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
> >
> >     Can not remove ipantgroupattrs from group "it":
> >
> >     #  ipa group-mod it --delattr=objectclass=ipantgroupattrs
> >
> >     ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
> >
> >
> >     On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu  wrote:
> >
> >         Hi Alexander,
> >
> >         Thank you for looking into this.
> >
> >         We need "ipaNTGroupAttrs" for the group "it".
> >
> >         The issue is that I am no longer able to create a new group:
> >
> >         # ipa group-add testgroup
> >
> >         ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required
> >         by object class "ipaNTGroupAttrs"
> >
> >         #
> >
> >
> >         Yes, there are errors like this:
> >
> >
> >         [01/Apr/2022:09:17:59.735602736 -0700] - ERR -
> >         ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing
> >         target entry.
> >
> >
> >         What should I do to be able to create new groups?
> >
> >
> >         Thanks.
> >
> >
> >         Kathy.
> >
> >
> >
> >
> >
> >         On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy
> >         <[email protected] <mailto:[email protected]>> wrote:
> >
> >             On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
> >             >Hi List,
> >             >
> >             >Here is what happened in a timely order.
> >             >
> >             >
> >             >the group "it" was created a long time ago without
> >             "groupOfUniqueNames"
> >             > objectclass.
> >             >
> >             >
> >             >I did the following to add "groupOfUniqueNames" objectclass:
> >             >
> >             >[root@ipa0 ~]# ipa group-show it --all | grep object
> >             >
> >             >  objectclass: top, groupofnames, nestedgroup, ipausergroup,
> >             >ipaobject, posixgroup, ipantgroupattrs
> >             >
> >             >[root@ipa0 ~]#
> >             >
> >             >[root@ipa0 ~]# ipa group-mod it
> >             --addattr=objectclass=groupOfUniqueNames
> >             >
> >             >-------------------
> >             >
> >             >Modified group "it"
> >             >
> >             >-------------------
> >             >
> >             >  Group name: it
> >             >
> >             >  Description: IT Team
> >             >
> >             >  GID: 1889600264
> >             >
> >             >  Member users: john, rosy, ben, dan, rob,
> >             >
> >             >  Member of groups: observium
> >             >
> >             >  Member of Sudo rule: itsysadmins
> >             >
> >             >  Member of HBAC rule: allow_it_systems, itadmin_systems,
> >             allow_it_sre_systems
> >             >
> >             >[root@ipa0 ~]#
> >             >
> >             >[root@ipa0 ~]# ipa group-show it --all | grep object
> >             >
> >             >  objectclass: top, groupofnames, nestedgroup, ipausergroup,
> >             >ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
> >             >
> >             >[root@ipa0 ~]#
> >             >
> >             >
> >             >After this, I could not create a group (both GUI and cli)
> >             with the same error
> >             >message:
> >             >
> >             >[root@ipa0 ~]# ipa group-add testgroup
> >             >
> >             >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier"
> >             required by object
> >             >class "ipaNTGroupAttrs"
> >
> >             You can remove ipaNTGroupAttrs from the objectclass:
> >
> >               ipa group-mod it --delattr=objectclass=ipantgroupattrs
> >
> >             Also, look at the dirsrv's errors log to see if sidgen
> >             plugin has
> >             something to complain about.
> >
> >
> >             >
> >             >[root@ipa0 ~]#
> >             >
> >             >
> >             >In the log:
> >             >
> >             >
> >             >[31/Mar/2022:10:18:57.626480360 -0700] - ERR -
> >             oc_check_required - Entry
> >             >"cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com"
> >             missing attribute
> >             >"ipaNTSecurityIdentifier" required by object class
> >             "ipaNTGroupAttrs"
> >             >
> >             >When checked via GUI - IPA Servers / Configuration, the
> >             group attribute
> >             >ipaNTGroupAttrs is there.
> >             >
> >             >Any idea what went wrong and how to fix it?
> >             >
> >             >Many thanks.
> >             >
> >             >Kathy.
> >
> >
> >
> >
> >             --
> >             / Alexander Bokovoy
> >             Sr. Principal Software Engineer
> >             Security / Identity Management Engineering
> >             Red Hat Limited, Finland
> >
> >
> > _______________________________________________
> > FreeIPA-users mailing list -- [email protected]
> > To unsubscribe send an email to
> [email protected]
> > Fedora Code of Conduct:
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> > List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> > List Archives:
> https://lists.fedorahosted.org/archives/list/[email protected]
> > Do not reply to spam on the list, report it:
> https://pagure.io/fedora-infrastructure
> >
>
>
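
An added example, not part of the thread and not FreeIPA code: a small Python triage of the dirsrv errors log lines quoted above. It groups `oc_check_required` rejections by object class and required attribute and collects `ipa_sidgen` errors alongside them. The sample log is constructed from the two lines quoted in the thread plus one filler line, and the name `triage` is hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample: the two error-log lines quoted in the thread
# (unwrapped to one line each) plus one unrelated filler line.
SAMPLE_LOG = '''\
[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
[01/Apr/2022:09:18:03.000000000 -0700] - INFO - constructed_filler - unrelated line
'''

# Layout of the lines as they appear in the thread:
# [timestamp] - SEVERITY - function - message
LINE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<sev>\w+) - (?P<func>\S+) - (?P<msg>.*)$')
MISSING = re.compile(
    r'Entry "(?P<dn>[^"]+)" missing attribute "(?P<attr>[^"]+)" '
    r'required by object class "(?P<oc>[^"]+)"')


def triage(log_text):
    """Return (schema_rejections, sidgen_errors) found in an errors log.

    schema_rejections maps (objectclass, attribute), lower-cased because
    LDAP names are case-insensitive, to the DNs of rejected entries.
    sidgen_errors is a list of (timestamp, message) tuples.
    """
    schema = defaultdict(list)
    sidgen = []
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m or m['sev'] != 'ERR':
            continue
        if m['func'] == 'oc_check_required':
            d = MISSING.search(m['msg'])
            if d:
                key = (d['oc'].lower(), d['attr'].lower())
                schema[key].append(d['dn'])
        elif m['func'].startswith('ipa_sidgen'):
            sidgen.append((m['ts'], m['msg']))
    return dict(schema), sidgen


if __name__ == '__main__':
    rejections, sidgen_errors = triage(SAMPLE_LOG)
    for (oc, attr), dns in rejections.items():
        print(f'{oc} requires {attr}: {len(dns)} rejected -> {dns}')
    for ts, msg in sidgen_errors:
        print(f'sidgen error at {ts}: {msg}')
```

Grouping by object class and attribute shows whether every rejected add traces back to the same required attribute, which is the pattern reported in the thread.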