On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
Hi List,
Here is what happened in a timely order.
The group "it" was created a long time ago without the "groupOfUniqueNames" objectclass.
I did the following to add the "groupOfUniqueNames" objectclass:
[root@ipa0 ~]# ipa group-show it --all | grep object
objectclass: top, groupofnames, nestedgroup, ipausergroup,
ipaobject, posixgroup, ipantgroupattrs
[root@ipa0 ~]#
[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
-------------------
Modified group "it"
-------------------
Group name: it
Description: IT Team
GID: 1889600264
Member users: john, rosy, ben, dan, rob,
Member of groups: observium
Member of Sudo rule: itsysadmins
Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
[root@ipa0 ~]#
[root@ipa0 ~]# ipa group-show it --all | grep object
objectclass: top, groupofnames, nestedgroup, ipausergroup,
ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
[root@ipa0 ~]#
After this, I could not create a group (both GUI and CLI), with the same error message:
[root@ipa0 ~]# ipa group-add testgroup
ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object
class "ipaNTGroupAttrs"

You can remove ipaNTGroupAttrs from the objectclass:
ipa group-mod it --delattr=objectclass=ipantgroupattrs
Also, look at the dirsrv's errors log to see if the sidgen plugin has
something to complain about.

[root@ipa0 ~]#
In the log:
[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry
"cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute
"ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
When checked via GUI - IPA Servers / Configuration, the group attribute
ipaNTGroupAttrs is there.
Any idea what went wrong and how to fix it?
Many thanks.
Kathy.
--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
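
Added example, not part of the original thread and not FreeIPA code: a small Python triage of dirsrv errors-log text that re-joins wrapped records, groups the oc_check_required rejections by object class and missing attribute, and collects ERR records mentioning sidgen. Only the first sample record comes from the thread; the other two are constructed, and matching sidgen by substring is an assumption about how its messages appear.

```python
import re
from collections import defaultdict

# Constructed sample: the first record is the log line quoted in the thread
# (wrapped as in the mail); the other two records are made up for illustration.
SAMPLE_LOG = '''\
[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry
"cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute
"ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
[31/Mar/2022:10:19:02.000000000 -0700] - INFO - constructed - unrelated line
[31/Mar/2022:10:19:05.000000000 -0700] - ERR - constructed - sidgen placeholder message
'''

# A record starts with a bracketed timestamp; anything else is a continuation.
RECORD_START = re.compile(r'^\[\d{2}/\w{3}/\d{4}:[\d:.]+ [+-]\d{4}\] - ')
MISSING = re.compile(
    r'- ERR - oc_check_required - Entry "(?P<dn>[^"]+)" missing attribute '
    r'"(?P<attr>[^"]+)" required by object class "(?P<oc>[^"]+)"')

def records(text):
    """Yield one string per log record, re-joining wrapped continuation lines."""
    current = None
    for line in text.splitlines():
        if RECORD_START.match(line):
            if current is not None:
                yield current
            current = line.strip()
        elif current is not None and line.strip():
            current += ' ' + line.strip()
    if current is not None:
        yield current

def triage(text):
    """Return (missing, sidgen): rejected DNs grouped by (objectclass, attribute),
    and every ERR record that mentions sidgen (substring match, an assumption)."""
    missing, sidgen = defaultdict(list), []
    for rec in records(text):
        m = MISSING.search(rec)
        if m:
            missing[(m['oc'], m['attr'])].append(m['dn'])
        elif ' - ERR - ' in rec and 'sidgen' in rec.lower():
            sidgen.append(rec)
    return dict(missing), sidgen

if __name__ == '__main__':
    found, sidgen_errors = triage(SAMPLE_LOG)
    for (oc, attr), dns in found.items():
        print(f'{oc} requires {attr}; rejected entries: {dns}')
    for rec in sidgen_errors:
        print('sidgen:', rec)
```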