[Freeipa-users] Queries on migrating nis netgroups

Rob Crittenden rcritten at redhat.com
Tue Jan 5 17:17:30 UTC 2016


Martin Kosek wrote:
> On 01/05/2016 04:24 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>> ...
>>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>>>> and it worked:
>>>>>
>>>>> # ipa netgroup-show masters
>>>>>   Netgroup name: masters
>>>>>   Description: ipaNetgroup masters
>>>>>   NIS domain name: rhel72
>>>>>   External host: foo
>>>>>   Member Hostgroup: masters
>>>>>
>>>>> I am still unable to add membership as admin though:
>>>>>
>>>>> # ipa netgroup-add-member masters --hosts foo2
>>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>>
>>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>>> "external" and stored separately. Just be aware that you can put
>>>> anything in there so beware of typos.
>>>>
>>>> This command works fine for me using ipa-server-4.2.0-15.el7
>>>> so I'm not sure where the permission bug lies.
>>>
>>> Did you try it on native netgroup (added via netgroup-add) or hostgroup shadow
>>> group? As it works for me on native netgroups, but not on shadow netgroups,
>>> where I can only add the external host as DM.
>>>
>>
>> I didn't but I can reproduce it.
>>
>> It is probably due to this deny ACI:
>>
>> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
>> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
>> (write) userdn = "ldap:///all";)
> 
> Ah, good catch. I was suspecting something like that, I just did not know we
> went that far to create deny ACI.
> 
>> Not very nice behavior (and deny ACIs are icky).
>>
>> I guess the netgroup mod commands should look to see if it is a real
>> netgroup before trying to do a write and otherwise raise a more
>> reasonable error.
> 
> Potentially yes, although I do not see that as the most important part. I
> rather do not know how to solve Roderick's issue and add external hosts as part
> of the shadow netgroups.
> 
> Currently, the only workaround is to create plain host/ghost entries for these
> non-ipa clients and use them in host groups.
> 

That or use real netgroups created via netgroup-add instead of
hostgroups. That is the only way to have control over the advertised NIS
domain in the triple anyway.

rob
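The behaviour Rob describes (the managed-entries shadow netgroup is rejected by a deny ACI on any mepManagedEntry object, and externalHost accepts any string so typos are silently stored) lends itself to the pre-check he suggests. The following is an added example written for this page; it is not FreeIPA code and does not talk to LDAP. The two entries are constructed dicts that model a netgroup created with netgroup-add and a shadow netgroup derived from a hostgroup; the objectClass and mepManagedBy layout of the shadow entry is an assumption based on the ACI quoted above, and the function names are hypothetical.

```python
import re

# Constructed sample entries (not real directory data). A netgroup created
# with `ipa netgroup-add` is a plain ipaNetgroup entry; the shadow netgroup
# that the managed-entries plugin derives from a hostgroup is assumed to
# carry objectClass mepManagedEntry plus a mepManagedBy back-reference.
NATIVE_NETGROUP = {
    "dn": "cn=nis-masters,cn=ng,cn=alt,dc=rhel72",
    "objectClass": ["top", "ipaNetgroup", "ipaAssociation", "ipaObject"],
    "cn": ["nis-masters"],
    "externalHost": [],
}
SHADOW_NETGROUP = {
    "dn": "cn=masters,cn=ng,cn=alt,dc=rhel72",
    "objectClass": ["top", "ipaNetgroup", "ipaAssociation", "ipaObject",
                    "mepManagedEntry"],
    "cn": ["masters"],
    "mepManagedBy": ["cn=masters,cn=hostgroups,cn=accounts,dc=rhel72"],
    "externalHost": [],
}

# One RFC 1123 host label: 1-63 chars of [A-Za-z0-9-], no leading/trailing '-'
_LABEL = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


class ManagedNetgroupError(Exception):
    """Raised up front instead of letting the deny ACI answer with a bare
    'Insufficient write privilege to the externalHost attribute'."""


def is_managed_netgroup(entry):
    """True when the entry is a shadow netgroup maintained by the
    managed-entries plugin, which the deny ACI makes read-only for everyone."""
    return "mepManagedEntry" in entry.get("objectClass", [])


def valid_hostname(name):
    """Syntactic check for an external host. externalHost stores any string,
    so this is the only place a typo such as 'foo..bar' gets caught."""
    if name.endswith("."):          # allow a single FQDN-style trailing dot
        name = name[:-1]
    if not name or len(name) > 253:
        return False
    return all(_LABEL.match(label) for label in name.split("."))


def add_external_host(entry, host):
    """Append `host` to the entry's externalHost values (case-insensitive,
    idempotent) after the two checks above; returns the resulting list."""
    if is_managed_netgroup(entry):
        managed_by = entry.get("mepManagedBy", ["<unknown>"])[0]
        raise ManagedNetgroupError(
            "%s is a managed netgroup derived from hostgroup %s; add the host "
            "to that hostgroup or use a netgroup created with netgroup-add"
            % (entry["dn"], managed_by))
    if not valid_hostname(host):
        raise ValueError("%r is not a syntactically valid hostname" % host)
    hosts = entry.setdefault("externalHost", [])
    if host.lower() not in (h.lower() for h in hosts):
        hosts.append(host)
    return list(hosts)


if __name__ == "__main__":
    print(add_external_host(NATIVE_NETGROUP, "foo2"))
    try:
        add_external_host(SHADOW_NETGROUP, "foo2")
    except ManagedNetgroupError as err:
        print("refused:", err)
```

The check is deliberately done on the entry's objectClass rather than by attempting the write, so the caller gets the hostgroup to use instead of a generic access error; the hostname validation only guards syntax and still cannot tell you whether "foo2" is the machine you meant.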