[Freeipa-users] Queries on migrating nis netgroups

Roderick Johnstone rmj at ast.cam.ac.uk
Tue Jan 5 21:17:42 UTC 2016


On 05/01/2016 17:17, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/05/2016 04:24 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>> ...
>>>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>>>>> and it worked:
>>>>>>
>>>>>> # ipa netgroup-show masters
>>>>>>    Netgroup name: masters
>>>>>>    Description: ipaNetgroup masters
>>>>>>    NIS domain name: rhel72
>>>>>>    External host: foo
>>>>>>    Member Hostgroup: masters
>>>>>>
>>>>>> I am still unable to add membership as admin though:
>>>>>>
>>>>>> # ipa netgroup-add-member masters --hosts foo2
>>>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>>>
>>>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>>>> "external" and stored separately. Just be aware that you can put
>>>>> anything in there so beware of typos.
>>>>>
>>>>> This command works fine for me using IPA using ipa-server-4.2.0-15.el7
>>>>> so I'm not sure where the permission bug lies.
>>>>
>>>> Did you try it on native netgroup (added via netgroup-add) or hostgroup shadow
>>>> group? As it works for me on native netgroups, but not on shadow netgroups,
>>>> where I can only add the external host as DM.
>>>>
>>>
>>> I didn't but I can reproduce it.
>>>
>>> It is probably due to this deny ACI:
>>>
>>> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
>>> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
>>> (write) userdn = "ldap:///all";)
>>
>> Ah, good catch. I was suspecting something like that, I just did not know we
>> went that far to create deny ACI.
>>
>>> Not very nice behavior (and deny ACIs are icky).
>>>
>>> I guess the netgroup mod commands should look to see if it is a real
>>> netgroup before trying to do a write and otherwise raise a more
>>> reasonable error.
>>
>> Potentially yes, although I do not see that as the most important part. I
>> rather do not know how to solve Roderick's issue and add external hosts as part
>> of the shadow netgroups.
>>
>> Currently, the only workaround is to create plain host/ghost entries for these
>> non-ipa clients and use them in host groups.
>>
>
> That or use real netgroups created via netgroup-add instead of
> hostgroups. That is the only way to have control over the advertised NIS
> domain in the triple anyway.
>
> rob
>

Martin/Rob

Thanks for all your analysis on this query.

I had come to the conclusion that using the real netgroups was probably 
the way to go on this in my particular circumstances. I'm happy now that 
I'm not missing something obvious about the managed netgroups which 
would make them a better choice.

Thanks again.

Roderick
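The thread above explains why `ipa netgroup-add-member --hosts` fails on a hostgroup-shadow netgroup: the shadow entry carries objectClass `mepManagedEntry`, which the quoted deny ACI matches for every attribute, so an external host can only be written there as Directory Manager. The following shell helpers are an added example, not code from the thread or from the FreeIPA project: they classify a netgroup before any write is attempted (the pre-check Rob suggests the netgroup commands should do themselves), and otherwise follow the workaround both posters recommend, a real netgroup created with `ipa netgroup-add` and an explicit NIS domain. They assume that `ipa netgroup-show NAME --all --raw` includes the entry's `objectclass:` lines in its output; the function names and the sample output in the usage note are constructed for this example.

```shell
#!/bin/sh
# Added example (not FreeIPA project code): avoid writing external hosts to
# managed (hostgroup-shadow) netgroups, which the deny ACI on
# (objectClass=mepManagedEntry) rejects for non-DM binds.

# Read `ipa netgroup-show NAME --all --raw` output on stdin and succeed (exit 0)
# when the entry is a managed netgroup, i.e. it has objectclass mepManagedEntry.
# Attribute names and values are lowercased so the match does not depend on case.
netgroup_output_is_managed() {
    tr 'A-Z' 'a-z' | grep -q '^ *objectclass: *mepmanagedentry *$'
}

# Same check against a live server. Assumes --all --raw lists objectclass lines.
netgroup_is_managed() {
    ipa netgroup-show "$1" --all --raw | netgroup_output_is_managed
}

# Create a "real" netgroup (the workaround from the thread). Only real netgroups
# accept external hosts as admin, and only they let you choose the NIS domain
# that is advertised in the netgroup triple.
create_real_netgroup() {
    # $1 = netgroup name, $2 = NIS domain name, $3 = description
    ipa netgroup-add "$1" --nisdomain="$2" --desc="$3"
}

# Add one or more external (non-IPA) hosts to a netgroup. Managed netgroups are
# refused up front with a clear message instead of the generic
# "Insufficient 'write' privilege to the 'externalHost' attribute" error.
# Beware: names that are not IPA hosts go straight into externalHost, so typos
# are stored as-is (a point Rob makes above); the caller must spell them right.
add_external_hosts() {
    ng="$1"
    shift
    if netgroup_is_managed "$ng"; then
        echo "$ng is a managed netgroup shadowing hostgroup '$ng';" \
             "create a real netgroup with create_real_netgroup instead" >&2
        return 1
    fi
    # The IPA CLI accepts a comma-separated list for multivalued --hosts.
    hosts=$(printf '%s,' "$@")
    hosts=${hosts%,}
    ipa netgroup-add-member "$ng" --hosts="$hosts"
}
```

Typical use after `kinit admin`: `create_real_netgroup nisclients rhel72 "real netgroup for non-IPA hosts"` followed by `add_external_hosts nisclients foo foo2`, then `ipa netgroup-show nisclients` to confirm the `External host:` line. Running `add_external_hosts masters foo2` against the shadow netgroup from the thread exits 1 with the explanatory message before any LDAP write is attempted.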