[Freeipa-users] Bug or feature regarding External Host in IPA net groups?

Rob Crittenden rcritten at redhat.com
Tue May 15 16:41:16 UTC 2012


Gelen James wrote:
>
> Hi all,
>
> Not sure whether it is a bug or a feature, but when I evaluate the IPA net
> groups, the 'external host' feature brings me some unexpected results.
> I'll list them below -- I am running IPA 2.1.3-9 on Red Hat 6.2.
>
> 1, when I added a host into an IPA netgroup in command line mode, 'ipa
> netgroup-add-member <netgroup> --hosts=<client>'. When the host is not
> yet installed/configured as an IPA client, it shows in the 'external host'
> category in the output of the 'ipa netgroup-find <netgroup>' command.
> The 'external host' doesn't show up in the Web interface for the IPA net
> group. But it does show up when running 'ipa netgroup-find', or even
> 'getent <netgroup>' via sssd.
>
> 2, After the 'external host' is configured as an IPA client -- 'ipa
> user-find <client>' proves it -- it is still reported as 'external host'
> by the command 'ipa netgroup-find', and still does not show up in the web
> interface either. Could this be a bug?
>
> 3, because of #2 above, when this machine is reconfigured and removed
> with 'ipa user-del <client>', it still shows up in the containing netgroups
> and nested netgroups, and has to be removed manually. :(
>
> 4, This could be a real bug: You can add an 'external host' with either
> a host's bare name or its FQDN. Then, after the machine is installed,
> when you would like to remove it from the 'external host' category with
> the command 'ipa user-del <client>', it will remove the FQDN entry
> only, and leave the bare name there forever, until you delete the whole
> containing netgroup!
>
> [root at ipaclient02 ~]# ipa netgroup-find external-ng
> -------------------
> 1 netgroups matched
> -------------------
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02,
> ipaclient02.mac.example.com
>
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root at ipaclient02 ~]# getent netgroup external-ng
> external-ng (dnsmaster.example.com, -, example.com)
> (ipaclient02.mac.example.com, -, example.com)
>
> [root at ipaclient02 ~]# ipa netgroup-remove-member external-ng
> --hosts=ipaclient02
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02
> ---------------------------
> Number of members removed 1
> ---------------------------
>
> [root at ipaclient02 ~]# ipa netgroup-remove-member external-ng
> --hosts=ipaclient02
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02
> Failed hosts/hostgroups:
> member host: ipaclient02.example.com: This entry is not a member
> ---------------------------
> Number of members removed 0
> ---------------------------
> [root at ipaclient02 ~]#
>

An external host is one that is never expected to be added as a host in 
IPA; however, we don't prevent it. There is no reconciliation done if an 
external host is added as an IPA host, as you've seen. If you'd like 
this, please file an enhancement request at https://fedorahosted.org/freeipa/

In 3.0 we have added validation of external host names. Whether this 
will prevent a bare name or not I'm not sure. I don't know why we would 
care whether it was fully qualified or not, though yeah, it appears we 
are automatically adding the domain. I tested this in 2.2 and it worked 
as expected, a bare name was deletable.

rob
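Added example, not code from the thread or from the FreeIPA project: a small Python audit that parses the text output of `ipa netgroup-find` and flags the two leftovers discussed above, an external host that has since been enrolled as an IPA host (no reconciliation happens) and a bare short name sitting beside its own FQDN. The sample output and the enrolled-host set are constructed, and the two-space attribute indent with deeper-indented wrapped values is an assumption about the CLI's layout.

```python
import re
# Constructed sample of `ipa netgroup-find` output, modelled on the thread's example;
# the two-space attribute indent and deeper-indented wrapped values are assumptions.
SAMPLE_OUTPUT = """\
  Netgroup name: external-ng
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02,
                 ipaclient02.mac.example.com
Number of entries returned 1
"""
# Constructed set of enrolled IPA hosts (what `ipa host-find` would list).
ENROLLED_HOSTS = {"ipaclient02.mac.example.com", "ipaserver.example.com"}
ATTR_RE = re.compile(r"^  (?P<key>[A-Za-z][A-Za-z ]*): ?(?P<val>.*)$")
MULTI_VALUED = ("External host", "Member of netgroups", "Member hosts")

def parse_netgroups(text):
    """One dict per netgroup; wrapped lines folded back, list attributes split."""
    entries, cur, last_key = [], None, None
    for line in text.splitlines():
        m = ATTR_RE.match(line)
        if m and m.group("key") == "Netgroup name":   # every entry starts here
            entries.append(cur := {})
        if m and cur is not None:
            last_key = m.group("key")
            cur[last_key] = m.group("val").strip()
        elif cur is not None and last_key and line.startswith("   "):
            cur[last_key] += " " + line.strip()        # continuation of a long value
    for e in entries:
        for k in MULTI_VALUED:
            if k in e:
                e[k] = [v for v in e[k].split(", ") if v]
    return entries

def audit_external_hosts(entries, enrolled):
    """(netgroup, host, reason) triples: 'enrolled' = the name is now an IPA host that
    IPA never reconciled; 'bare-duplicate' = a short name beside its own FQDN."""
    short_enrolled = {h.split(".")[0] for h in enrolled}
    findings = []
    for e in entries:
        ext = e.get("External host", [])
        fqdn_labels = {h.split(".")[0] for h in ext if "." in h}
        for h in ext:
            bare = "." not in h
            if h in enrolled or (bare and h in short_enrolled):
                findings.append((e["Netgroup name"], h, "enrolled"))
            if bare and h in fqdn_labels:
                findings.append((e["Netgroup name"], h, "bare-duplicate"))
    return findings
```

Feed it the real `ipa netgroup-find` output and an `ipa host-find` listing to get a cleanup list for `ipa netgroup-remove-member --hosts=...`, remembering that bare names and FQDNs are separate entries.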