Hi Rob, 

A long time ago, we tried to integrate with AD, but that was dropped later; however, the group objectclass "ipaNTGroupAttrs" stayed. 

Then we added objectclass=groupOfUniqueNames. The "it" group was created before that, so I tried to manually modify it with this command:

ipa group-mod it --addattr=objectclass=groupOfUniqueNames

The command went well in terms of adding the objectclass groupOfUniqueNames; however, we are no longer able to create new groups: 

> [root@hq-ipa1 ~]# ipa group-add testgroup 
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> object class "ipaNTGroupAttrs"
> [root@hq-ipa1 ~]# 

After removing "ipaNTGroupAttrs", we can create a new group now. 

Thanks. 

Kathy. 
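
An added example, not part of the original thread or of FreeIPA: a small Python check that emulates the required-attribute validation reported by `oc_check_required` in the quoted log, run over group entries in LDIF form. The LDIF sample, the SID value and the function names are constructed for illustration; the only schema rule encoded is the one quoted in the error message.

```python
# Added example: constructed data, not output from a real server.
# MUST-attribute map limited to the one rule quoted in the thread's error message.
REQUIRED = {"ipantgroupattrs": ["ipaNTSecurityIdentifier"]}

SAMPLE_LDIF = """\
dn: cn=it,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipantgroupattrs
gidNumber: 1889600264
ipaNTSecurityIdentifier: S-1-5-21-1111111111-2222222222-3333333333-1264

dn: cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com
objectClass: posixgroup
objectClass: ipaNTGroupAttrs
gidNumber: 1889600300
"""

def parse_ldif(text):
    """Return a list of entries as {lowercased attr: [values]} dicts."""
    entries, current = [], {}
    unfolded = text.replace("\n ", "")  # LDIF folds long lines with a leading space
    for line in unfolded.splitlines() + [""]:
        if not line.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        if line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        current.setdefault(name.strip().lower(), []).append(value.lstrip(": ").strip())
    return entries

def missing_required(entries, required=REQUIRED):
    """List (dn, objectclass, attribute) for every unmet MUST attribute."""
    findings = []
    for entry in entries:
        classes = {oc.lower() for oc in entry.get("objectclass", [])}
        for oc in sorted(classes & set(required)):
            for attr in required[oc]:
                if attr.lower() not in entry:
                    findings.append((entry["dn"][0], oc, attr))
    return findings

if __name__ == "__main__":
    for dn, oc, attr in missing_required(parse_ldif(SAMPLE_LDIF)):
        print(f'{dn}: missing "{attr}" required by object class "{oc}"')
```
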

On Tue, Apr 5, 2022 at 2:29 PM Rob Crittenden <rcritten@redhat.com> wrote:
What's the history behind this? Did this happen all of a sudden or after
some other change? Did you have a trust that you removed?

rob

Kathy Zhu via FreeIPA-users wrote:
> Hi List, 
>
>
> We are not able to create new groups:
>
>
> [root@hq-ipa1 ~]# ipa group-add testgroup 
>
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> object class "ipaNTGroupAttrs"
>
> [root@hq-ipa1 ~]# 
>
>
> I believe that we no longer need "ipaNTGroupAttrs" any more. How to
> remove it from all groups? GUI only allows adding but not removing. 
>
>
> Many thanks.
>
>
> Kathy. 
>
>
>
> On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
>
>     Can not remove ipantgroupattrs from group "it": 
>
>     #  ipa group-mod it --delattr=objectclass=ipantgroupattrs 
>
>     ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
>
>
>     On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu  wrote:
>
>         Hi Alexander, 
>
>         Thank you for looking into this. 
>
>         We need "ipaNTGroupAttrs" for the group "it". 
>
>         The issue is that I am no longer able to create a new group: 
>
>         # ipa group-add testgroup
>
>         ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required
>         by object class "ipaNTGroupAttrs"
>
>         #
>
>
>         Yes, there are errors like this: 
>
>
>         [01/Apr/2022:09:17:59.735602736 -0700] - ERR -
>         ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing
>         target entry.
>
>
>         What should I do to be able to create new groups? 
>
>
>         Thanks. 
>
>
>         Kathy. 
>
>
>
>
>
>         On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy
>         <abokovoy@redhat.com> wrote:
>
>             On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>             >Hi List,
>             >
>             >Here is what happened in a timely order.
>             >
>             >
>             >the group "it" was created a long time ago without "groupOfUniqueNames" objectclass.
>             >
>             >
>             >I did the following to add "groupOfUniqueNames" objectclass:
>             >
>             >[root@ipa0 ~]# ipa group-show it --all | grep object
>             >
>             >  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>             >ipaobject, posixgroup, ipantgroupattrs
>             >
>             >[root@ipa0 ~]#
>             >
>             >[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
>             >
>             >-------------------
>             >
>             >Modified group "it"
>             >
>             >-------------------
>             >
>             >  Group name: it
>             >
>             >  Description: IT Team
>             >
>             >  GID: 1889600264
>             >
>             >  Member users: john, rosy, ben, dan, rob,
>             >
>             >  Member of groups: observium
>             >
>             >  Member of Sudo rule: itsysadmins
>             >
>             >  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
>             >
>             >[root@ipa0 ~]#
>             >
>             >[root@ipa0 ~]# ipa group-show it --all | grep object
>             >
>             >  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>             >ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>             >
>             >[root@ipa0 ~]#
>             >
>             >
>             >After this, I could not create a group (both GUI and cli) with same error message:
>             >
>             >[root@ipa0 ~]# ipa group-add testgroup
>             >
>             >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>
>             You can remove ipaNTGroupAttrs from the objectclass:
>
>               ipa group-mod it --delattr=objectclass=ipantgroupattrs
>
>             Also, look at the dirsrv's errors log to see if sidgen plugin has
>             something to complain about.
>
>
>             >
>             >[root@ipa0 ~]#
>             >
>             >
>             >In the log:
>             >
>             >
>             >[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>             >
>             >When checked via GUI - IPA Servers / Configuration, the group attribute
>             >ipaNTGroupAttrs is there.
>             >
>             >Any idea what went wrong and how to fix it?
>             >
>             >Many thanks.
>             >
>             >Kathy.
>
>
>
>
>             --
>             / Alexander Bokovoy
>             Sr. Principal Software Engineer
>             Security / Identity Management Engineering
>             Red Hat Limited, Finland
>