[Freeipa-users] default nisdomain appears to be derived from hostname of first master rather than set to domain or realm. Bug ?

Bob Hinton bob at rha-ltd.co.uk
Sat Mar 18 17:28:03 UTC 2017


On 18/03/2017 17:03, Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Bob Hinton wrote:
>> Hi,
>>
>> The first IPA master we built was ipa001.local.lan. We have since
>> created a number of subdomains of local.lan and have created a number of
>> replicas. The current configuration has two clusters of IPA replicas -
>> ipa001.mgmt.prod.local.lan to ipa003.mgmt.prod.local.lan and
>> ipa001.mgmt.paas.local.lan to ipa003.mgmt.paas.local.lan
>>
>> We've recently commenced migrating some of the existing systems to a new
>> environment and for various reasons have started with a fresh master -
>> ipa001.mgmt.prod.local.lan.
>>
>> Quite a lot of sudo rules don't work in the new environment. As far as I
>> can tell this is because the shadow netgroups have a nisdomain of
>> mgmt.prod.local.lan instead of local.lan.
>>
>> I would have thought that the nisdomain should be set to either the
>> domain or realm i.e. local.lan rather than seemingly taken from the
>> network portion of the first master mgmt.prod.local.lan. Is this
>> correct?
>>
>> Is there a way to change the default nisdomain? Rebuilding all the new
>> IPA masters and migrating all the data again would be a lot of work.
> The code that handles 'ipa netgroup-add' defaults to IPA domain as
> default NIS domain name. You can change that by explicitly adding
> '--nisdomain=specific.nis.domain' to 'ipa netgroup-add'. You can change
> it for existing netgroups by specifying --nisdomain option to 'ipa
> netgroup-mod'.
>
Hi Alexander,

Thanks for the information. Unfortunately, it's the shadow netgroups
created for hostgroups that are the problem. These aren't visible, so can
I modify them with "ipa netgroup-mod"? Also the default NIS domain name
doesn't match the IPA domain on our system, which is why I'm wondering
if we've hit a bug. This is IPA version 4.4.0.

Many thanks

Bob



