On Tue, 05 Apr 2022, Kathy Zhu via FreeIPA-users wrote:
Never mind. This cmd did it:

ipa config-mod --groupobjectclasses=oc1,oc2,...ocN


ie. not delete, but reset.

Ok. Any idea why it appeared in the groupobjectclasses in the
first place? It shouldn't be there, as with any optional classes.



Thanks.


Kathy.

On Tue, Apr 5, 2022 at 2:11 PM Kathy Zhu wrote:

Hi List,


We are not able to create new groups:


[root@hq-ipa1 ~]# ipa group-add testgroup

ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

[root@hq-ipa1 ~]#


I believe that we no longer need "ipaNTGroupAttrs" any more. How to
remove it from all groups? GUI only allows adding but not removing.


Many thanks.


Kathy.



On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:

Can not remove ipantgroupattrs from group "it":

#  ipa group-mod it --delattr=objectclass=ipantgroupattrs

ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed

On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu  wrote:

Hi Alexander,

Thank you for looking into this.

We need "ipaNTGroupAttrs" for the group "it".

The issue is that I am no longer able to create a new group:

# ipa group-add testgroup

ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"

#


Yes, there are errors like this:


[01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.


What should I do to be able to create new groups?


Thanks.


Kathy.




On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <aboko...@redhat.com>
wrote:

On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
>Hi List,
>
>Here is what happened in a timely order.
>
>
>the group "it" was created a long time ago without "groupOfUniqueNames"
> objectclass.
>
>
>I did the following to add "groupOfUniqueNames" objectclass:
>
>[root@ipa0 ~]# ipa group-show it --all | grep object
>
>  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>ipaobject, posixgroup, ipantgroupattrs
>
>[root@ipa0 ~]#
>
>[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
>
>-------------------
>
>Modified group "it"
>
>-------------------
>
>  Group name: it
>
>  Description: IT Team
>
>  GID: 1889600264
>
>  Member users: john, rosy, ben, dan, rob,
>
>  Member of groups: observium
>
>  Member of Sudo rule: itsysadmins
>
>  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
>
>[root@ipa0 ~]#
>
>[root@ipa0 ~]# ipa group-show it --all | grep object
>
>  objectclass: top, groupofnames, nestedgroup, ipausergroup,
>ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
>
>[root@ipa0 ~]#
>
>
>After this, I could not create a group (both GUI and cli) with same error
>message:
>
>[root@ipa0 ~]# ipa group-add testgroup
>
>ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object
>class "ipaNTGroupAttrs"

You can remove ipaNTGroupAttrs from the objectclass:

  ipa group-mod it --delattr=objectclass=ipantgroupattrs

Also, look at the dirsrv's errors log to see if sidgen plugin has
something to complain about.


>
>[root@ipa0 ~]#
>
>
>In the log:
>
>
>[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
>
>When checked via GUI - IPA Servers / Configuration, the group attribute
>ipaNTGroupAttrs is there.
>
>Any idea what went wrong and how to fix it?
>
>Many thanks.
>
>Kathy.




--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland






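The reset described at the top of the thread, as an added example that is not part of the original messages: it derives the new default group objectclass list from `ipa config-show --all` output by dropping one class, and prints the `ipa config-mod` command in the comma-separated form quoted in the thread instead of running it. The function names and the sample output are constructed for illustration; the "Default group objectclasses" label is assumed to appear on a single line.

```shell
#!/bin/sh
# Added example, not from the thread. Function names are hypothetical.

# strip_group_oc CLASS: read `ipa config-show --all` output on stdin and
# print the default group objectclasses, comma-separated, without CLASS.
strip_group_oc() {
    awk -v drop="$1" '
        BEGIN { drop = tolower(drop) }
        /^[ \t]*Default group objectclasses:/ {
            sub(/^[^:]*:[ \t]*/, "")      # drop the label
            sub(/[ \t\r]+$/, "")          # drop trailing whitespace
            n = split($0, oc, /[ \t]*,[ \t]*/)
            out = ""
            for (i = 1; i <= n; i++) {
                # objectclass names are case-insensitive in LDAP
                if (oc[i] == "" || tolower(oc[i]) == drop) continue
                out = out (out == "" ? "" : ",") oc[i]
            }
            print out
            found = 1
        }
        END { exit(found ? 0 : 1) }       # fail if the line was absent
    '
}

# reset_cmd CLASS: print (do not run) the reset command for review.
reset_cmd() {
    list=$(strip_group_oc "$1") || {
        echo "no 'Default group objectclasses' line on stdin" >&2
        return 1
    }
    printf 'ipa config-mod --groupobjectclasses=%s\n' "$list"
}

# Constructed sample of the relevant config-show lines (not real output).
SAMPLE='  Default users group: ipausers
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaNTGroupAttrs
  Default user objectclasses: top, person, organizationalperson'

# On a server: ipa config-show --all | reset_cmd ipantgroupattrs
printf '%s\n' "$SAMPLE" | reset_cmd ipantgroupattrs
```

Review the printed list before running the command, since `config-mod` replaces the whole default list rather than removing a single value.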