[Freeipa-users] shadow netgroups with wrong domains - sudo problem

Jakub Hrozek jhrozek at redhat.com
Fri Mar 17 08:41:51 UTC 2017


On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
> Morning,
> 
> We have a collection of hosts within prod1.local.lan. However, the
> domain section of the shadow netgroups for the hosts is
> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
> hosts unless they specify all hosts -
> 
> -sh-4.2$ getent netgroup oepp_hosts
> oepp_hosts           
> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> -sh-4.2$ hostname
> oeppredis001.z4.prod1.local.lan
> -sh-4.2$ nisdomainname
> local.lan
> -sh-4.2$ domainname
> local.lan
> 
> The VMs associated with these hosts have recently been migrated and
> re-enrolled against a new IPA server. The originals all had netgroup
> domains of local.lan so something must have gone wrong in the migration
> process. Is there a way to correct the netgroup domains of these hosts,
> or is the only option to run ipa-client-install --uninstall followed by
> ipa-client-install to reattach them ?

Did you remove the sssd cache after the migration?
    rm -f /var/lib/sss/db/*.ldb

(please make sure the clients can reach the server or maybe mv the cache
instead of rm so you can restore cached credentials if something goes
wrong...)
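The cache rotation the reply suggests, written out as an added example (this script is not part of the thread or of SSSD/FreeIPA): it refuses to touch the cache unless the IPA server answers on LDAP/389, stops sssd before moving the `*.ldb` files aside into a timestamped backup directory rather than deleting them, restarts sssd, and then shows the domain field of a netgroup next to the host's `domainname`, which is the comparison the original question is about. Assumed, not from the thread: systemd manages sssd, the cache lives in `/var/lib/sss/db`, and the server name on the command line (`ipa.example.com` in the usage line) is a placeholder; `oepp_hosts` is the netgroup from the question.

```shell
#!/bin/bash
# Added example (not from the thread): rotate the SSSD cache by moving the
# *.ldb files aside instead of `rm -f /var/lib/sss/db/*.ldb`, so cached
# credentials can be restored if the re-enrolled client misbehaves afterwards.
# Assumptions: systemd manages sssd, the cache is in /var/lib/sss/db, and the
# IPA server name is passed as the first argument (placeholder, not a real host).

SSS_DB_DIR="${SSS_DB_DIR:-/var/lib/sss/db}"

# check_server_reachable HOST: succeed only if the IPA server answers on LDAP/389,
# so the cache is never dropped while the client is cut off from the server.
check_server_reachable() {
    local host="$1"
    timeout 5 bash -c "exec 3<>/dev/tcp/${host}/389" 2>/dev/null
}

# backup_sss_cache SRC DEST: move every *.ldb file (cache_*, timestamps_*, config.ldb)
# from SRC into DEST, creating DEST if needed. Prints the number of files moved.
backup_sss_cache() {
    local src="$1" dest="$2" n=0 f
    mkdir -p "$dest"
    for f in "$src"/*.ldb; do
        [ -e "$f" ] || continue      # unmatched glob: nothing to move
        mv -- "$f" "$dest/"
        n=$((n + 1))
    done
    echo "$n"
}

# restore_sss_cache BACKUP DEST: undo backup_sss_cache. Prints the number of files moved.
restore_sss_cache() {
    backup_sss_cache "$1" "$2"
}

# extract_netgroup_domains: read `getent netgroup` output on stdin and print the
# distinct domain field (third member of each (host,user,domain) triple).
extract_netgroup_domains() {
    tr ' ' '\n' | sed -n 's/^([^,]*,[^,]*,\([^)]*\))$/\1/p' | sort -u
}

# netgroup_domains NETGROUP: same, for a live lookup through sssd.
netgroup_domains() {
    getent netgroup "$1" | extract_netgroup_domains
}

# rotate_sss_cache SERVER [NETGROUP]: the actual maintenance procedure.
rotate_sss_cache() {
    local server="$1" netgroup="${2:-}"
    local backup="${SSS_DB_DIR}.bak.$(date +%Y%m%d%H%M%S)"

    if ! check_server_reachable "$server"; then
        echo "IPA server ${server} unreachable on 389; leaving the cache alone" >&2
        return 1
    fi

    systemctl stop sssd          # sssd holds the ldb files open; stop it first
    echo "moved $(backup_sss_cache "$SSS_DB_DIR" "$backup") cache files to ${backup}"
    systemctl start sssd

    # Fresh lookup: does the netgroup's domain field now match this host's NIS domain?
    if [ -n "$netgroup" ]; then
        echo "NIS domain on this host: $(domainname)"
        echo "domain field(s) in netgroup ${netgroup}:"
        netgroup_domains "$netgroup"
    fi
    echo "to roll back: systemctl stop sssd && mv ${backup}/*.ldb ${SSS_DB_DIR}/ && systemctl start sssd"
}

# Only act when invoked with arguments, e.g.: ./rotate-sss-cache.sh ipa.example.com oepp_hosts
if [ "$#" -ge 1 ]; then
    rotate_sss_cache "$@"
fi
```

Run it as root on the affected client with the IPA server's hostname and, optionally, the netgroup to re-check; with no arguments it defines the functions and does nothing, so it can be sourced to call `restore_sss_cache` by hand.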
