Never mind. This cmd did it: 

ipa config-mod --groupobjectclasses=oc1,oc2,...ocN


i.e., not delete, but reset. 


Thanks. 


Kathy. 


On Tue, Apr 5, 2022 at 2:11 PM Kathy Zhu wrote:

Hi List, 


We are not able to create new groups:


[root@hq-ipa1 ~]# ipa group-add testgroup 

ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

[root@hq-ipa1 ~]# 


I believe that we no longer need "ipaNTGroupAttrs" any more. How to remove it from all groups? GUI only allows adding but not removing. 


Many thanks.


Kathy. 



On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
Cannot remove ipantgroupattrs from group "it": 

#  ipa group-mod it --delattr=objectclass=ipantgroupattrs 

ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed


On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu  wrote:
Hi Alexander, 

Thank you for looking into this. 

We need "ipaNTGroupAttrs" for the group "it". 

The issue is that I am no longer able to create a new group: 

# ipa group-add testgroup

ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

#


Yes, there are errors like this: 


[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.


What should I do to be able to create new groups? 


Thanks. 


Kathy. 





On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <abokovoy@redhat.com> wrote:
On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>Hi List,
>
>Here is what happened in a timely order.
>
>
>The group "it" was created a long time ago without the "groupOfUniqueNames"
> objectclass.
>
>
>I did the following to add the "groupOfUniqueNames" objectclass:
>
>[root@ipa0 ~]# ipa group-show it --all | grep object
>
>  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>ipaobject, posixgroup, ipantgroupattrs
>
>[root@ipa0 ~]#
>
>[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
>
>-------------------
>
>Modified group "it"
>
>-------------------
>
>  Group name: it
>
>  Description: IT Team
>
>  GID: 1889600264
>
>  Member users: john, rosy, ben, dan, rob,
>
>  Member of groups: observium
>
>  Member of Sudo rule: itsysadmins
>
>  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
>
>[root@ipa0 ~]#
>
>[root@ipa0 ~]# ipa group-show it --all | grep object
>
>  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>
>[root@ipa0 ~]#
>
>
>After this, I could not create a group (both GUI and CLI) with the same error
>message:
>
>[root@ipa0 ~]# ipa group-add testgroup
>
>ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object
>class "ipaNTGroupAttrs"

You can remove ipaNTGroupAttrs from the objectclass:

  ipa group-mod it --delattr=objectclass=ipantgroupattrs

Also, look at the dirsrv's errors log to see if sidgen plugin has
something to complain about.


>
>[root@ipa0 ~]#
>
>
>In the log:
>
>
>[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry
>"cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute
>"ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>
>When checked via GUI - IPA Servers / Configuration, the group attribute
>ipaNTGroupAttrs is there.
>
>Any idea what went wrong and how to fix it?
>
>Many thanks.
>
>Kathy.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
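
The reset from the first message of this thread, as an added example that is not part of any poster's message: it derives the replacement list from `ipa config-show --all` output by dropping one object class, and prints the `ipa config-mod` command for review instead of running it. The function name `build_reset_cmd` and the sample output are constructed; the comma-separated form follows the command as posted above.

```shell
#!/bin/sh
# Added example, not from the thread. Builds (does not run) the command that
# resets the default group objectclasses without one unwanted class.

# Constructed sample of `ipa config-show --all` output. On a server, pipe the
# real output into build_reset_cmd instead.
SAMPLE_CONFIG='  Maximum username length: 32
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipantgroupattrs
  Default user objectclasses: top, person, posixaccount'

# build_reset_cmd OBJECTCLASS   (config-show output on stdin)
# Return codes: 0 command printed, 1 class not in the default list,
#               2 no group objectclasses line, 3 resulting list would be empty.
build_reset_cmd() {
    drop=$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')

    # Select only the group line; the user objectclasses line must not match.
    line=$(grep -i '^ *Default group objectclasses:') || {
        echo "no 'Default group objectclasses' line found" >&2; return 2; }
    current=${line#*:}

    # Object class names are case-insensitive, so compare in lower case.
    case ",$(printf '%s' "$current" | tr -d ' ' | tr '[:upper:]' '[:lower:]')," in
        *",$drop,"*) ;;
        *) echo "$1 is not in the default list; nothing to reset" >&2; return 1 ;;
    esac

    # Split on commas, trim, drop the unwanted class, re-join with commas.
    keep=$(printf '%s\n' "$current" | tr ',' '\n' | sed 's/^ *//; s/ *$//' |
        awk -v drop="$drop" 'NF && tolower($0) != drop' | paste -sd, -)
    [ -n "$keep" ] || { echo "refusing to emit an empty list" >&2; return 3; }

    printf 'ipa config-mod --groupobjectclasses=%s\n' "$keep"
}

printf '%s\n' "$SAMPLE_CONFIG" | build_reset_cmd ipaNTGroupAttrs
```

Because `config-mod` replaces the whole list, the printed command has to carry every class that should remain, which is why the function rebuilds the list rather than naming only the class to drop.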