[Freeipa-users] Queries on migrating nis netgroups

Rob Crittenden rcritten at redhat.com
Tue Jan 5 15:24:31 UTC 2016


Martin Kosek wrote:
> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
> ...
>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>> and it worked:
>>>
>>> # ipa netgroup-show masters
>>>   Netgroup name: masters
>>>   Description: ipaNetgroup masters
>>>   NIS domain name: rhel72
>>>   External host: foo
>>>   Member Hostgroup: masters
>>>
>>> I am still unable to add membership as admin though:
>>>
>>> # ipa netgroup-add-member masters --hosts foo2
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>
>> That is the right way to do it. Unknown hosts to IPA are marked as
>> "external" and stored separately. Just be aware that you can put
>> anything in there so beware of typos.
>>
>> This command works fine for me using IPA using ipa-server-4.2.0-15.el7
>> so I'm not sure where the permission bug lies.
> 
> Did you try it on native netgroup (added via netgroup-add) or hostgroup shadow
> group? As it works for me on native netgroups, but not on shadow netgroups,
> where I can only add the external host as DM.
> 

I didn't but I can reproduce it.

It is probably due to this deny ACI:

aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
"*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
(write) userdn = "ldap:///all";)

Not very nice behavior (and deny ACIs are icky).

I guess the netgroup mod commands should look to see if it is a real
netgroup before trying to do a write and otherwise raise a more
reasonable error.

rob
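The behaviour Rob describes can be reproduced offline without a directory server: the deny ACI matches every entry carrying objectClass mepManagedEntry, covers every attribute ("*"), and applies to every bound user, while Directory Manager bypasses ACIs altogether. The following is an added example, not code from this thread or from FreeIPA itself. It parses the ACI quoted above with a deliberately minimal matcher (one equality targetfilter, one allow/deny clause), evaluates it against two constructed netgroup entries, and implements the pre-check Rob suggests: refuse a managed (shadow) netgroup with a clear message before any LDAP write is attempted. The entry attribute values, the native netgroup `webservers`, the admin bind DN and the function names are assumptions made for the example.

```python
import re

# The deny ACI quoted in the message above, joined onto one line.
MANAGED_NETGROUP_ACI = (
    '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")'
    '(version 3.0; acl "Managed netgroups cannot be modified"; '
    'deny (write) userdn = "ldap:///all";)'
)

DIRECTORY_MANAGER = "cn=directory manager"

# Constructed sample entries modelled on the thread; the objectClass lists are
# illustrative rather than a dump of a real IPA directory.
MANAGED_NETGROUP = {
    "dn": "cn=masters,cn=ng,cn=alt,dc=rhel72",
    "objectclass": ["top", "ipaNetgroup", "ipaObject", "mepManagedEntry"],
    "cn": ["masters"],
    "nisdomainname": ["rhel72"],
}
NATIVE_NETGROUP = {  # hypothetical netgroup created with netgroup-add
    "dn": "cn=webservers,cn=ng,cn=alt,dc=rhel72",
    "objectclass": ["top", "ipaNetgroup", "ipaObject"],
    "cn": ["webservers"],
}
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=rhel72"  # assumed admin bind DN


def parse_aci(aci):
    """Extract the parts of a 389-ds style ACI that matter for this check.

    Handles a single equality targetfilter, a targetattr list or "*", and one
    allow/deny clause. That is enough for the ACI above; it is not a full parser.
    """
    m = re.search(r'\(targetfilter\s*=\s*"\((\w+)=([^)]+)\)"\)', aci)
    target_filter = (m.group(1).lower(), m.group(2).lower()) if m else None
    m = re.search(r'\(targetattr\s*=\s*"([^"]+)"\)', aci)
    attrs = [a.strip().lower() for a in m.group(1).split("||")] if m else ["*"]
    m = re.search(r'\b(allow|deny)\s*\(([^)]*)\)\s*userdn\s*=\s*"([^"]+)"', aci)
    if m is None:
        raise ValueError("unsupported ACI: no allow/deny userdn clause found")
    rights = {r.strip().lower() for r in m.group(2).split(",")}
    return {"filter": target_filter, "attrs": attrs, "effect": m.group(1),
            "rights": rights, "userdn": m.group(3)}


def aci_denies_write(aci, entry, attr, bind_dn):
    """True if this deny ACI blocks bind_dn from writing attr on entry.

    Directory Manager is exempt from ACI evaluation, which is why ldapmodify
    as DM succeeded in the thread while the admin user was refused.
    """
    if bind_dn.lower() == DIRECTORY_MANAGER:
        return False
    p = parse_aci(aci)
    if p["effect"] != "deny" or "write" not in p["rights"]:
        return False
    if p["userdn"] != "ldap:///all":  # only the "everyone" form is modelled
        return False
    if p["filter"] is not None:
        tf_attr, tf_value = p["filter"]
        values = {v.lower() for v in entry.get(tf_attr, [])}
        if tf_value not in values:
            return False
    return "*" in p["attrs"] or attr.lower() in p["attrs"]


def check_netgroup_writable(entry):
    """The pre-check suggested in the thread: detect a managed (shadow)
    netgroup before issuing any write and return a clear message instead of
    letting the directory answer with a raw 'Insufficient access' error."""
    classes = {v.lower() for v in entry.get("objectclass", [])}
    if "mepmanagedentry" in classes:
        return (False, "%s is a managed netgroup mirrored from a hostgroup "
                       "and cannot be modified directly" % entry["dn"])
    return (True, "")


if __name__ == "__main__":
    for entry in (MANAGED_NETGROUP, NATIVE_NETGROUP):
        denied = aci_denies_write(MANAGED_NETGROUP_ACI, entry, "externalHost", ADMIN_DN)
        ok, msg = check_netgroup_writable(entry)
        print(entry["cn"][0], "denied by ACI:", denied, "| pre-check:", ok, msg)
```

Running the block shows the asymmetry from the thread: the same write to externalHost is denied on the shadow netgroup and permitted on the native one for the admin bind, and never denied for Directory Manager. The pre-check reproduces the same decision from the entry's objectClass alone, so a client can report the real reason before touching the directory.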
