Cannot remove ipantgroupattrs from group "it":

#  ipa group-mod it --delattr=objectclass=ipantgroupattrs 

ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed


On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu <kzhu@nuro.ai> wrote:
Hi Alexander, 

Thank you for looking into this. 

We need "ipaNTGroupAttrs" for the group "it". 

The issue is that I am no longer able to create a new group:

# ipa group-add testgroup

ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

#


Yes, there are errors like this: 


[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.


What should I do to be able to create new groups? 


Thanks. 


Kathy. 





On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>Hi List,
>
>Here is what happened, in chronological order.
>
>
>The group "it" was created a long time ago without "groupOfUniqueNames"
> objectclass.
>
>
>I did the following to add the "groupOfUniqueNames" objectclass:
>
>[root@ipa0 ~]# ipa group-show it --all | grep object
>
>  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>ipaobject, posixgroup, ipantgroupattrs
>
>[root@ipa0 ~]#
>
>[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
>
>-------------------
>
>Modified group "it"
>
>-------------------
>
>  Group name: it
>
>  Description: IT Team
>
>  GID: 1889600264
>
>  Member users: john, rosy, ben, dan, rob,
>
>  Member of groups: observium
>
>  Member of Sudo rule: itsysadmins
>
>  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
>
>[root@ipa0 ~]#
>
>[root@ipa0 ~]# ipa group-show it --all | grep object
>
>  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>
>[root@ipa0 ~]#
>
>
>After this, I could not create a group (both GUI and CLI) with the same error
>message:
>
>[root@ipa0 ~]# ipa group-add testgroup
>
>ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object
>class "ipaNTGroupAttrs"

You can remove ipaNTGroupAttrs from the objectclass:

  ipa group-mod it --delattr=objectclass=ipantgroupattrs

Also, look at the dirsrv's errors log to see if sidgen plugin has
something to complain about.


>
>[root@ipa0 ~]#
>
>
>In the log:
>
>
>[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry
>"cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute
>"ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>
>When checked via GUI - IPA Servers / Configuration, the group attribute
>ipaNTGroupAttrs is there.
>
>Any idea what went wrong and how to fix it?
>
>Many thanks.
>
>Kathy.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
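
Added example, not part of the original thread or of FreeIPA: a small Python triage script for the dirsrv errors log check suggested above, pulling out sidgen plugin errors and the entries rejected by oc_check_required. The line layout is assumed from the two log excerpts quoted in the thread; the function names and the sample log are constructed for illustration.

```python
import re
from collections import Counter

# Line layout assumed from the two errors-log excerpts quoted in the thread:
# [timestamp] - SEVERITY - function - message
LINE_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] - (?P<sev>\w+) - (?P<func>\S+) - (?P<msg>.*)$')
MISSING_RE = re.compile(
    r'Entry "(?P<dn>[^"]+)" missing attribute "(?P<attr>[^"]+)" '
    r'required by object class "(?P<oc>[^"]+)"')

# Constructed sample: the two ERR lines are the ones quoted in the thread
# (the wrapped one rejoined); the INFO line is invented filler.
SAMPLE_LOG = """\
[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
[31/Mar/2022:10:19:02.000000000 -0700] - INFO - example_function - constructed filler line
[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
"""

def triage(log_text):
    """Return (sidgen_errors, rejected_entries) found in errors-log text."""
    sidgen, rejected = [], []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["sev"] != "ERR":
            continue  # skip unparseable lines and non-error severities
        if m["func"].startswith("ipa_sidgen"):
            sidgen.append((m["ts"], m["func"], m["msg"]))
        elif m["func"] == "oc_check_required":
            miss = MISSING_RE.search(m["msg"])
            if miss:
                rejected.append((m["ts"], miss["dn"], miss["attr"], miss["oc"]))
    return sidgen, rejected

def summarize(log_text):
    """Count rejected adds per (object class, missing attribute) pair."""
    _, rejected = triage(log_text)
    return Counter((oc, attr) for _, _, attr, oc in rejected)

if __name__ == "__main__":
    sidgen_errors, rejected_entries = triage(SAMPLE_LOG)
    for ts, func, msg in sidgen_errors:
        print(f"sidgen  {ts}  {func}: {msg}")
    for ts, dn, attr, oc in rejected_entries:
        print(f"reject  {ts}  {dn}: {oc} requires {attr}")
```

To run it against a real server, pass the contents of the instance's errors log to triage() in place of SAMPLE_LOG.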