[Freeipa-users] shadow netgroups with wrong domains - sudo problem

Bob Hinton bob at rha-ltd.co.uk
Fri Mar 17 21:52:22 UTC 2017 

On 17/03/2017 14:01, Lukas Slebodnik wrote:
> On (17/03/17 13:52), Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
>>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>>>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>>>>>> Morning,
>>>>>>
>>>>>> We have a collection of hosts within prod1.local.lan. However, the
>>>>>> domain section of the shadow netgroups for the hosts is
>>>>>> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
>>>>>> hosts unless they specify all hosts -
>>>>>>
>>>>>> -sh-4.2$ getent netgroup oepp_hosts
>>>>>> oepp_hosts           
>>>>>> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> -sh-4.2$ hostname
>>>>>> oeppredis001.z4.prod1.local.lan
>>>>>> -sh-4.2$ nisdomainname
>>>>>> local.lan
>>>>>> -sh-4.2$ domainname
>>>>>> local.lan
>>>>>>
>>>>>> The VMs associated with these hosts have recently been migrated and
>>>>>> re-enrolled against a new IPA server. The originals all had netgroup
>>>>>> domains of local.lan so something must have gone wrong in the migration
>>>>>> process. Is there a way to correct the netgroup domains of these hosts,
>>>>>> or is the only option to run ipa-client-install --uninstall followed by
>>>>>> ipa-client-install to reattach them ?
>>>>> Did you remove the sssd cache after the migration?
>>>>>     rm -f /var/lib/sss/db/*.ldb
>>>>>
>>>>> (please make sure the clients can reach the server or maybe mv the cache
>>>>> instead of rm so you can restore cached credentials if something goes
>>>>> wrong..)
>>>>>
>>>> Hi Jakub,
>>>>
>>>> I've now tried removing the sssd cache on one of the offending servers
>>>> and it's not made any difference.
>>>>
>>>> getent netgroup oepp_hosts
>>>>
>>>> when run from any host enrolled to the new IPA servers, including the
>>>> IPA masters themselves produces the results with "mgmt.prod" included
>>>> and the same thing run on any of the pre-migrated servers that are still
>>>> commissioned produces them without, so I assume that the netgroup domain
>>>> information is coming from the IPA masters rather than the local host.
>>>>
>>> Could you provide content of LDIF from IPA server?
>>> For this netgroup/hostgroup
>>>
>>> LS
>> Hi Jakub,
>>
>> I extracted the following from the userRoot ldif produced by "ipa-backup
>> --data".
>>
>> It appears to have the incorrect domain set against nisDomainName. Could
>> this be changed with ldapmodify ?
>>
>> Thanks
>>
>> Bob
>>
>> # entry-id: 1485
>> dn: cn=oepp_hosts,cn=ng,cn=alt,dc=local,dc=lan
>> ipaUniqueID: 186461fa-f91d-11e6-b43d-06642ebde14b
>> modifyTimestamp: 20170222163643Z
>> createTimestamp: 20170222163643Z
>> modifiersName: cn=Managed Entries,cn=plugins,cn=config
>> creatorsName: cn=Managed Entries,cn=plugins,cn=config
>> mepManagedBy: cn=oepp_hosts,cn=hostgroups,cn=accounts,dc=local,dc=lan
>> description: ipaNetgroup oepp_hosts
>> memberHost: cn=oepp_hosts,cn=hostgroups,cn=accounts,dc=local,dc=lan
>> cn: oepp_hosts
>> nisDomainName: mgmt.prod.local.lan
> And value of this attribute is an explanation to your question
> why there is a different domain in netgroups.
>
>> objectClass: ipanisnetgroup
>> objectClass: ipaobject
>> objectClass: mepManagedEntry
>> objectClass: ipaAssociation
>> objectClass: top
>> nsUniqueId: f834f7a7-f91c11e6-a7d5eda5-d52d2b10
> LS
>
Hi Jakub,

I've tried using ldapsearch to retrieve this record but the results
don't include the nisDomainName field. Can you give me any pointers how
to access this attribute so I can edit it ?

Many thanks

Bob

More information about the Freeipa-users mailing list