Ok, cool! That command is what I was going to suggest but didn't want to
do so without a little backstory so I didn't steer you wrong.

Glad you got it working.

rob

Kathy Zhu via FreeIPA-users wrote:
> Never mind. This cmd did it: 
> 
> ipa config-mod --groupobjectclasses=oc1,oc2,...ocN
> 
> 
> ie. not delete, but reset. 
> 
> 
> Thanks. 
> 
> 
> Kathy. 
> 
> 
> On Tue, Apr 5, 2022 at 2:11 PM Kathy Zhu wrote:
> 
>     Hi List, 
> 
> 
>     We are not able to create new groups:
> 
> 
>     [root@hq-ipa1 ~]# ipa group-add testgroup 
> 
>     ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
>     object class "ipaNTGroupAttrs"
> 
>     [root@hq-ipa1 ~]# 
> 
> 
>     I believe that we no longer need "ipaNTGroupAttrs" any more. How to
>     remove it from all groups? GUI only allows adding but not removing. 
> 
> 
>     Many thanks.
> 
> 
>     Kathy. 
> 
> 
> 
>     On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
> 
>         Can not remove ipantgroupattrs from group "it": 
> 
>         #  ipa group-mod it --delattr=objectclass=ipantgroupattrs 
> 
>         ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
> 
> 
>         On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu  wrote:
> 
>             Hi Alexander, 
> 
>             Thank you for looking into this. 
> 
>             We need "ipaNTGroupAttrs" for the group "it". 
> 
>             The issue is that I am no longer able to create a new group: 
> 
>             # ipa group-add testgroup
> 
>             ipa: ERROR: missing attribute "ipaNTSecurityIdentifier"
>             required by object class "ipaNTGroupAttrs"
> 
>             #
> 
> 
>             Yes, there are errors like this: 
> 
> 
>             [01/Apr/2022:09:17:59.735602736 -0700] - ERR -
>             ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]:
>             Missing target entry.
> 
> 
>             What should I do to be able to create new groups? 
> 
> 
>             Thanks. 
> 
> 
>             Kathy. 
> 
> 
> 
> 
> 
>             On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy
>             <[email protected]> wrote:
> 
>                 On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>                 >Hi List,
>                 >
>                 >Here is what happened in a timely order.
>                 >
>                 >
>                 >the group "it" was created a long time ago without
>                 "groupOfUniqueNames"
>                 > objectclass.
>                 >
>                 >
>                 >I did following to add "groupOfUniqueNames" objectclass:
>                 >
>                 >[root@ipa0 ~]# ipa group-show it --all | grep object
>                 >
>                 >  objectclass: top, groupofnames, nestedgroup,
>                 ipausergroup,
>                 >ipaobject, posixgroup, ipantgroupattrs
>                 >
>                 >[root@ipa0 ~]#
>                 >
>                 >[root@ipa0 ~]# ipa group-mod it
>                 --addattr=objectclass=groupOfUniqueNames
>                 >
>                 >-------------------
>                 >
>                 >Modified group "it"
>                 >
>                 >-------------------
>                 >
>                 >  Group name: it
>                 >
>                 >  Description: IT Team
>                 >
>                 >  GID: 1889600264
>                 >
>                 >  Member users: john, rosy, ben, dan, rob,
>                 >
>                 >  Member of groups: observium
>                 >
>                 >  Member of Sudo rule: itsysadmins
>                 >
>                 >  Member of HBAC rule: allow_it_systems,
>                 itadmin_systems, allow_it_sre_systems
>                 >
>                 >[root@ipa0 ~]#
>                 >
>                 >[root@ipa0 ~]# ipa group-show it --all | grep object
>                 >
>                 >  objectclass: top, groupofnames, nestedgroup,
>                 ipausergroup,
>                 >ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>                 >
>                 >[root@ipa0 ~]#
>                 >
>                 >
>                 >After this, I could not create a group (both GUI and
>                 cli) with same error
>                 >message:
>                 >
>                 >[root@ipa0 ~]# ipa group-add testgroup
>                 >
>                 >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier"
>                 required by object
>                 >class "ipaNTGroupAttrs"
> 
>                 You can remove ipaNTGroupAttrs from the objectclass:
> 
>                   ipa group-mod it --delattr=objectclass=ipantgroupattrs
> 
>                 Also, look at the dirsrv's errors log to see if sidgen
>                 plugin has
>                 something to complain about.
> 
> 
>                 >
>                 >[root@ipa0 ~]#
>                 >
>                 >
>                 >In the log:
>                 >
>                 >
>                 >[31/Mar/2022:10:18:57.626480360 -0700] - ERR -
>                 oc_check_required - Entry
>                 >"cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com"
>                 missing attribute
>                 >"ipaNTSecurityIdentifier" required by object class
>                 "ipaNTGroupAttrs"
>                 >
>                 >When checked via GUI - IPA Servers / Configuration, the
>                 group attribute
>                 >ipaNTGroupAttrs is there.
>                 >
>                 >Any idea what went wrong and how to fix it?
>                 >
>                 >Many thanks.
>                 >
>                 >Kathy.
> 
> 
> 
> 
>                 -- 
>                 / Alexander Bokovoy
>                 Sr. Principal Software Engineer
>                 Security / Identity Management Engineering
>                 Red Hat Limited, Finland
> 
> 
> _______________________________________________
> FreeIPA-users mailing list -- [email protected]
> To unsubscribe send an email to [email protected]
> Fedora Code of Conduct: 
> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: 
> https://lists.fedorahosted.org/archives/list/[email protected]
> Do not reply to spam on the list, report it: 
> https://pagure.io/fedora-infrastructure
> 
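
The fix in this thread works because `ipa config-mod --groupobjectclasses=...` replaces the whole default list rather than deleting one value, so the new list has to name every class that should stay. The sketch below is an added example, not part of the original thread or of FreeIPA itself: it derives that list from `ipa config-show --all` style output. The sample line, its label and layout, and the function names are assumptions constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of the relevant line from `ipa config-show --all`.
# The label text and single-line layout are assumed, not taken from the thread.
SAMPLE_CONFIG='  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipantgroupattrs'

# keep_classes CONFIG_TEXT CLASS_TO_DROP   (hypothetical helper)
# Prints the default group objectclasses as a comma-separated list without
# CLASS_TO_DROP. Matching is case-insensitive, as LDAP objectclass names are.
keep_classes() {
    printf '%s\n' "$1" | awk -v drop="$2" '
        /Default group objectclasses:/ {
            sub(/^[^:]*:[ \t]*/, "")      # strip the label
            sub(/[ \t]+$/, "")            # strip trailing whitespace
            n = split($0, oc, /[ \t]*,[ \t]*/)
            out = ""
            for (i = 1; i <= n; i++) {
                if (oc[i] == "" || tolower(oc[i]) == tolower(drop)) continue
                out = out (out == "" ? "" : ",") oc[i]
            }
            print out
        }'
}

# build_reset_cmd CONFIG_TEXT CLASS_TO_DROP   (hypothetical helper)
# Prints the config-mod command that resets the list. It only prints; the
# administrator reviews the command and runs it by hand.
build_reset_cmd() {
    kept=$(keep_classes "$1" "$2")
    all=$(keep_classes "$1" "")
    if [ -z "$kept" ]; then
        echo "refusing: no objectclasses would remain" >&2
        return 1
    fi
    if [ "$kept" = "$all" ]; then
        echo "nothing to do: $2 is not in the default list" >&2
        return 2
    fi
    printf 'ipa config-mod --groupobjectclasses=%s\n' "$kept"
}

# On a server, the first argument would be "$(ipa config-show --all)".
build_reset_cmd "$SAMPLE_CONFIG" ipaNTGroupAttrs
```
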