[Freeipa-users] shadow netgroups with wrong domains - sudo problem

Lukas Slebodnik lslebodn at redhat.com
Fri Mar 17 12:48:57 UTC 2017


On (17/03/17 10:40), Bob Hinton wrote:
>On 17/03/2017 08:41, Jakub Hrozek wrote:
>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>>> Morning,
>>>
>>> We have a collection of hosts within prod1.local.lan. However, the
>>> domain section of the shadow netgroups for the hosts is
>>> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
>>> hosts unless they specify all hosts -
>>>
>>> -sh-4.2$ getent netgroup oepp_hosts
>>> oepp_hosts           
>>> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
>>> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
>>> -sh-4.2$ hostname
>>> oeppredis001.z4.prod1.local.lan
>>> -sh-4.2$ nisdomainname
>>> local.lan
>>> -sh-4.2$ domainname
>>> local.lan
>>>
>>> The VMs associated with these hosts have recently been migrated and
>>> re-enrolled against a new IPA server. The originals all had netgroup
>>> domains of local.lan so something must have gone wrong in the migration
>>> process. Is there a way to correct the netgroup domains of these hosts,
>>> or is the only option to run ipa-client-install --uninstall followed by
>>> ipa-client-install to reattach them ?
>> Did you remove the sssd cache after the migration?
>>     rm -f /var/lib/sss/db/*.ldb
>>
>> (please make sure the clients can reach the server or maybe mv the cache
>> instead of rm so you can restore cached credentials if something goes
>> wrong..)
>>
>Hi Jakub,
>
>I've now tried removing the sssd cache on one of the offending servers
>and it's not made any difference.
>
>getent netgroup oepp_hosts
>
>when run from any host enrolled to the new IPA servers, including the
>IPA masters themselves, produces the results with "mgmt.prod" included,
>and the same thing run on any of the pre-migrated servers that are still
>commissioned produces them without, so I assume that the netgroup domain
>information is coming from the IPA masters rather than the local host.
>
Could you provide the content of the LDIF from the IPA server for this
netgroup/hostgroup?

LS
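The symptom in this thread is a netgroup triple whose host field names the machine but whose domain field (mgmt.prod.local.lan) differs from the client's NIS domain (local.lan). The script below, added here as an illustration and not code from the thread, FreeIPA or SSSD, parses the `getent netgroup` output quoted above and checks a host against the triples using the classic NIS triple semantics (empty field is a wildcard, `-` never matches, otherwise exact match). That the sudo/SSSD consumer compares fields in exactly this way is an assumption; the thread does not show the actual comparison code. The sample input is the output Bob posted, re-joined onto one line as getent prints it.

```python
import re

# Editor-added example; not code from the thread, FreeIPA or SSSD.
# Sample input: the `getent netgroup oepp_hosts` output quoted in the thread.
GETENT_OUTPUT = (
    "oepp_hosts "
    "(oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan) "
    "(oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan) "
    "(oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan) "
    "(oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan) "
    "(oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)"
)

# One NIS triple: (host,user,domain); fields may be empty.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(line):
    """Split one `getent netgroup` line into (name, [(host, user, domain), ...])."""
    name, _, rest = line.strip().partition(" ")
    triples = [tuple(f.strip() for f in m.groups())
               for m in TRIPLE_RE.finditer(rest)]
    return name, triples


def field_matches(field, value):
    """Classic NIS triple semantics (assumption: the consumer compares fields
    this way): an empty field is a wildcard, '-' never matches, anything else
    must equal the value, ignoring case."""
    if field == "":
        return True
    if field == "-":
        return False
    return field.lower() == value.lower()


def host_in_netgroup(triples, hostname, nisdomain):
    """True if any triple matches this host under this NIS domain."""
    return any(field_matches(h, hostname) and field_matches(d, nisdomain)
               for h, _u, d in triples)


def domain_mismatches(triples, hostname, nisdomain):
    """Triples whose host field matches but whose domain field does not:
    the case in the thread, where the host is listed yet sudo never matches."""
    return [(h, u, d) for h, u, d in triples
            if field_matches(h, hostname) and not field_matches(d, nisdomain)]


if __name__ == "__main__":
    name, triples = parse_netgroup(GETENT_OUTPUT)
    # hostname and nisdomainname as reported on the affected client in the thread
    host, domain = "oeppredis001.z4.prod1.local.lan", "local.lan"
    print(name, len(triples), "triples")
    print("host matches netgroup:", host_in_netgroup(triples, host, domain))
    for t in domain_mismatches(triples, host, domain):
        print("host listed but domain differs:", t)
```

Run it on a suspect client (feeding it the real `getent netgroup` line and the output of `hostname` and `nisdomainname`) to separate "the host is not in the netgroup at all" from "the host is listed but under the wrong domain", which is what the thread is about.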
