Cannot remove ipantgroupattrs from group "it":
# ipa group-mod it --delattr=objectclass=ipantgroupattrs
ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu <kzhu(a)nuro.ai> wrote:
Hi Alexander,
Thank you for looking into this.
We need "ipaNTGroupAttrs" for the group "it".
The issue is that I am no longer able to create a new group:
# ipa group-add testgroup
ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
#
Yes, there are errors like this:
[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
What should I do to be able to create new groups?
Thanks.
Kathy.
On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <abokovoy(a)redhat.com> wrote:
> On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
> >Hi List,
> >
> >Here is what happened in a timely order.
> >
> >
> >the group "it" was created a long time ago without "groupOfUniqueNames" objectclass.
> >
> >
> >I did the following to add "groupOfUniqueNames" objectclass:
> >
> >[root@ipa0 ~]# ipa group-show it --all | grep object
> >
> > objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs
> >
> >[root@ipa0 ~]#
> >
> >[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
> >
> >-------------------
> >
> >Modified group "it"
> >
> >-------------------
> >
> > Group name: it
> >
> > Description: IT Team
> >
> > GID: 1889600264
> >
> > Member users: john, rosy, ben, dan, rob,
> >
> > Member of groups: observium
> >
> > Member of Sudo rule: itsysadmins
> >
> > Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
> >
> >[root@ipa0 ~]#
> >
> >[root@ipa0 ~]# ipa group-show it --all | grep object
> >
> > objectclass: top, groupofnames, nestedgroup, ipausergroup, ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
> >
> >[root@ipa0 ~]#
> >
> >
> >After this, I could not create a group (both GUI and cli) with same error
> >message:
> >
> >[root@ipa0 ~]# ipa group-add testgroup
> >
> >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>
> You can remove ipaNTGroupAttrs from the objectclass:
>
> ipa group-mod it --delattr=objectclass=ipantgroupattrs
>
> Also, look at the dirsrv's errors log to see if sidgen plugin has
> something to complain about.
>
>
> >
> >[root@ipa0 ~]#
> >
> >
> >In the log:
> >
> >
> >[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> >
> >When checked via GUI - IPA Servers / Configuration, the group attribute
> >ipaNTGroupAttrs is there.
> >
> >Any idea what went wrong and how to fix it?
> >
> >Many thanks.
> >
> >Kathy.
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>