Hi Alexander,

My coworker told me they tried to set up trust with AD some time ago; that
was when they added the "ipaNTGroupAttrs" objectclass to the group attributes.

Thank you for confirming that it is never needed.

Kathy.


On Tue, Apr 5, 2022 at 11:07 PM  Alexander Bokovoy <aboko...@redhat.com>
wrote:

> On Tue, 05 Apr 2022, Kathy Zhu via FreeIPA-users wrote:
> >Never mind. This cmd did it:
> >
> >ipa config-mod --groupobjectclasses=oc1,oc2,...ocN
> >
> >
> >i.e. not delete, but reset.
>
> Ok. Any idea why it appeared in the groupobjectclasses in the
> first place? It shouldn't be there, as with any optional classes.
>
> >
> >
> >Thanks.
> >
> >
> >Kathy.
> >
> >On Tue, Apr 5, 2022 at 2:11 PM Kathy Zhu wrote:
> >
> >> Hi List,
> >>
> >>
> >> We are not able to create new groups:
> >>
> >>
> >> [root@hq-ipa1 ~]# ipa group-add testgroup
> >>
> >> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> >>
> >> [root@hq-ipa1 ~]#
> >>
> >>
> >> I believe that we no longer need "ipaNTGroupAttrs" any more. How to
> >> remove it from all groups? GUI only allows adding but not removing.
> >>
> >>
> >> Many thanks.
> >>
> >>
> >> Kathy.
> >>
> >>
> >>
> >> On Fri, Apr 1, 2022 at 9:44 AM Kathy Zhu wrote:
> >>
> >>> Cannot remove ipantgroupattrs from group "it":
> >>>
> >>> #  ipa group-mod it --delattr=objectclass=ipantgroupattrs
> >>>
> >>> ipa: ERROR: attribute "ipaNTSecurityIdentifier" not allowed
> >>>
> >>> On Fri, Apr 1, 2022 at 9:25 AM Kathy Zhu  wrote:
> >>>
> >>>> Hi Alexander,
> >>>>
> >>>> Thank you for looking into this.
> >>>>
> >>>> We need "ipaNTGroupAttrs" for the group "it".
> >>>>
> >>>> The issue is that I am no longer able to create a new group:
> >>>>
> >>>> # ipa group-add testgroup
> >>>>
> >>>> ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by
> >>>> object class "ipaNTGroupAttrs"
> >>>>
> >>>> #
> >>>>
> >>>>
> >>>> Yes, there are errors like this:
> >>>>
> >>>>
> >>>> [01/Apr/2022:09:17:59.735602736 -0700] - ERR - ipa_sidgen_add_post_op - [file ipa_sidgen.c, line 128]: Missing target entry.
> >>>>
> >>>>
> >>>> What should I do to be able to create new groups?
> >>>>
> >>>>
> >>>> Thanks.
> >>>>
> >>>>
> >>>> Kathy.
> >>>>
> >>>>
> >>>>
> >>>>
> >>>> On Fri, Apr 1, 2022 at 3:49 AM Alexander Bokovoy <aboko...@redhat.com> wrote:
> >>>>
> >>>>> On Thu, 31 Mar 2022, Kathy Zhu via FreeIPA-users wrote:
> >>>>> >Hi List,
> >>>>> >
> >>>>> >Here is what happened in a timely order.
> >>>>> >
> >>>>> >
> >>>>> >the group "it" was created a long time ago without "groupOfUniqueNames" objectclass.
> >>>>> >
> >>>>> >
> >>>>> >I did the following to add "groupOfUniqueNames" objectclass:
> >>>>> >
> >>>>> >[root@ipa0 ~]# ipa group-show it --all | grep object
> >>>>> >
> >>>>> >  objectclass: top, groupofnames, nestedgroup, ipausergroup,
> >>>>> >ipaobject, posixgroup, ipantgroupattrs
> >>>>> >
> >>>>> >[root@ipa0 ~]#
> >>>>> >
> >>>>> >[root@ipa0 ~]# ipa group-mod it --addattr=objectclass=groupOfUniqueNames
> >>>>> >
> >>>>> >-------------------
> >>>>> >
> >>>>> >Modified group "it"
> >>>>> >
> >>>>> >-------------------
> >>>>> >
> >>>>> >  Group name: it
> >>>>> >
> >>>>> >  Description: IT Team
> >>>>> >
> >>>>> >  GID: 1889600264
> >>>>> >
> >>>>> >  Member users: john, rosy, ben, dan, rob,
> >>>>> >
> >>>>> >  Member of groups: observium
> >>>>> >
> >>>>> >  Member of Sudo rule: itsysadmins
> >>>>> >
> >>>>> >  Member of HBAC rule: allow_it_systems, itadmin_systems, allow_it_sre_systems
> >>>>> >
> >>>>> >[root@ipa0 ~]#
> >>>>> >
> >>>>> >[root@ipa0 ~]# ipa group-show it --all | grep object
> >>>>> >
> >>>>> >  objectclass: top, groupofnames, nestedgroup, ipausergroup,
> >>>>> >ipaobject, posixgroup, ipantgroupattrs, groupOfUniqueNames
> >>>>> >
> >>>>> >[root@ipa0 ~]#
> >>>>> >
> >>>>> >
> >>>>> >After this, I could not create a group (both GUI and cli) with same error message:
> >>>>> >
> >>>>> >[root@ipa0 ~]# ipa group-add testgroup
> >>>>> >
> >>>>> >ipa: ERROR: missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> >>>>>
> >>>>> You can remove ipaNTGroupAttrs from the objectclass:
> >>>>>
> >>>>>   ipa group-mod it --delattr=objectclass=ipantgroupattrs
> >>>>>
> >>>>> Also, look at the dirsrv's errors log to see if sidgen plugin has
> >>>>> something to complain about.
> >>>>>
> >>>>>
> >>>>> >
> >>>>> >[root@ipa0 ~]#
> >>>>> >
> >>>>> >
> >>>>> >In the log:
> >>>>> >
> >>>>> >
> >>>>> >[31/Mar/2022:10:18:57.626480360 -0700] - ERR - oc_check_required - Entry "cn=testgroup,cn=groups,cn=accounts,dc=example,dc=com" missing attribute "ipaNTSecurityIdentifier" required by object class "ipaNTGroupAttrs"
> >>>>> >
> >>>>> >When checked via GUI - IPA Servers / Configuration, the group attribute
> >>>>> >ipaNTGroupAttrs is there.
> >>>>> >
> >>>>> >Any idea what went wrong and how to fix it?
> >>>>> >
> >>>>> >Many thanks.
> >>>>> >
> >>>>> >Kathy.
> >>>>>
> >>>>>
> >>>>>
> >>>>>
> >>>>> --
> >>>>> / Alexander Bokovoy
> >>>>> Sr. Principal Software Engineer
> >>>>> Security / Identity Management Engineering
> >>>>> Red Hat Limited, Finland
> >>>>>
> >>>>>
>
>
>
>
> --
> / Alexander Bokovoy
> Sr. Principal Software Engineer
> Security / Identity Management Engineering
> Red Hat Limited, Finland
>
>
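
The fix reported in this thread was to reset the default group objectclasses with `ipa config-mod --groupobjectclasses=...` rather than delete a single value. As an added example (not part of the original messages), the script below derives that reset list from `ipa config-show --all` output with one class dropped; the sample output is constructed, the `Default group objectclasses` label it matches is an assumption about the CLI's output format, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: build the "reset" list for ipa config-mod from config-show output.
# Nothing here contacts a server; the command is only printed for review.

# Constructed sample of `ipa config-show --all` output (not from a real server).
SAMPLE_CONFIG='  Default users group: ipausers
  Default group objectclasses: top, groupofnames, nestedgroup, ipausergroup, ipaobject, ipaNTGroupAttrs
  Default user objectclasses: top, person, posixaccount'

# Read config-show text on stdin, print the default group objectclasses one per line.
group_objectclasses() {
    sed -n 's/^ *Default group objectclasses: *//p' \
        | tr ',' '\n' \
        | sed 's/^ *//; s/ *$//; /^$/d'
}

# Read one class per line on stdin, drop $1 (objectclass names compare
# case-insensitively in LDAP) and join the rest with commas.
without_class() {
    drop=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    awk -v drop="$drop" \
        'tolower($0) != drop { out = out (out ? "," : "") $0 } END { print out }'
}

# Read config-show text on stdin and print the config-mod command that resets
# the list without class $1. Returns 1 if the class is not in the defaults.
reset_command() {
    classes=$(group_objectclasses)
    printf '%s\n' "$classes" | grep -qix -- "$1" || return 1
    printf 'ipa config-mod --groupobjectclasses=%s\n' \
        "$(printf '%s\n' "$classes" | without_class "$1")"
}

printf '%s\n' "$SAMPLE_CONFIG" | reset_command ipaNTGroupAttrs
```

On a live server the input would come from `ipa config-show --all` instead of the sample; groups that already carry the class are not touched by this change.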