ipa group-mod it --addattr=objectclass=groupOfUniqueNames
The command went well in terms of adding the objectclass groupOfUniqueNames; however, we are no longer able to create new groups:
> [root@hq-ipa1 ~]# ipa group-add testgroup
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> object class "ipaNTGroupAttrs"
> [root@hq-ipa1 ~]#
After removing "ipaNTGroupAttrs", we can create a new group now.
Thanks.
Kathy.
What's the history behind this? Did this happen all of a sudden or after
some other change? Did you have a trust that you removed?
rob
Kathy Zhu via FreeIPA-users wrote:
> Hi List,
>
>
> We are not able to create new groups:
>
>
> [root@hq-ipa1 ~]# ipa group-add testgroup
>
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> object class "ipaNTGroupAttrs"
>
> [root@hq-ipa1 ~]#
>
>
> I believe that we no longer need "ipaNTGroupAttrs" any more. How to
> remove it from all groups? GUI only allows adding but not removing.
>
>
> Many thanks.
>
>
> Kathy.
>
>
>
> On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
>
> Can not remove ipantgroupattrs from group "it":
>
> # ipa group-mod it --delattr=objectclass=ipantgroupattrs
>
> ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
>
>
> On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu wrote:
>
> Hi Alexander,
>
> Thank you for looking into this.
>
> We need "ipaNTGroupAttrs" for the group "it".
>
> The issue is that I am no longer able to create a new group:
>
> # ipa group-add testgroup
>
> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required
> by object class "ipaNTGroupAttrs"
>
> #
>
>
> Yes, there are errors like this:
>
>
> [01/Apr/2022:09:17:59.735602736 -0700] - ERR -
> ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing
> target entry.
>
>
> What should I do to be able to create new groups?
>
>
> Thanks.
>
>
> Kathy.
>
>
>
>
>
> On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy
> <abokovoy@redhat.com> wrote:
>
> On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
> >Hi List,
> >
> >Here is what happened in a timely order.
> >
> >
> >the group "it" was created a long time ago without "groupOfUniqueNames"
> > objectclass.
> >
> >
> >I did following to add "groupOfUniqueNames" objectclass:
> >
> >[root@ipa0 ~]# ipa group-show it --all | grep object
> >
> > objectclass: top, groupofnames, nestedgroup, ipausergroup,
> >ipaobject, posixgroup, ipantgroupattrs
> >
> >[root@ipa0 ~]#
> >
> >[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
> >
> >-------------------
> >
> >Modified group "it"
> >
> >-------------------
> >
> > Group name: it
> >
> > Description: IT Team
> >
> > GID: 1889600264
> >
> > Member users: john, rosy, ben, dan, rob,
> >
> > Member of groups: observium
> >
> > Member of Sudo rule: itsysadmins
> >
> > Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
> >
> >[root@ipa0 ~]#
> >
> >[root@ipa0 ~]# ipa group-show it --all | grep object
> >
> > objectclass: top, groupofnames, nestedgroup, ipausergroup,
> >ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
> >
> >[root@ipa0 ~]#
> >
> >
> >After this, I could not create a group (both GUI and cli) with same error
> >message:
> >
> >[root@ipa0 ~]# ipa group-add testgroup
> >
> >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object
> >class "ipaNTGroupAttrs"
>
> You can remove ipaNTGroupAttrs from the objectclass:
>
> ipa group-mod it --delattr=objectclass=ipantgroupattrs
>
> Also, look at the dirsrv's errors log to see if sidgen plugin has
> something to complain about.
>
>
> >
> >[root@ipa0 ~]#
> >
> >
> >In the log:
> >
> >
> >[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> >
> >When checked via GUI - IPA Servers / Configuration, the group attribute
> >ipaNTGroupAttrs is there.
> >
> >Any idea what went wrong and how to fix it?
> >
> >Many thanks.
> >
> >Kathy.
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>