[Freeipa-users] shadow netgroups with wrong domains - sudo problem

Jakub Hrozek jhrozek at redhat.com
Mon Mar 20 08:29:26 UTC 2017


On Fri, Mar 17, 2017 at 01:52:17PM +0000, Bob Hinton wrote:
> On 17/03/2017 12:48, Lukas Slebodnik wrote:
> > On (17/03/17 10:40), Bob Hinton wrote:
> >> On 17/03/2017 08:41, Jakub Hrozek wrote:
> >>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
> >>>> Morning,
> >>>>
> >>>> We have a collection of hosts within prod1.local.lan. However, the
> >>>> domain section of the shadow netgroups for the hosts is
> >>>> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
> >>>> hosts unless they specify all hosts -
> >>>>
> >>>> -sh-4.2$ getent netgroup oepp_hosts
> >>>> oepp_hosts           
> >>>> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> >>>> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> >>>> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> >>>> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> >>>> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> >>>> -sh-4.2$ hostname
> >>>> oeppredis001.z4.prod1.local.lan
> >>>> -sh-4.2$ nisdomainname
> >>>> local.lan
> >>>> -sh-4.2$ domainname
> >>>> local.lan
> >>>>
> >>>> The VMs associated with these hosts have recently been migrated and
> >>>> re-enrolled against a new IPA server. The originals all had netgroup
> >>>> domains of local.lan so something must have gone wrong in the migration
> >>>> process. Is there a way to correct the netgroup domains of these hosts,
> >>>> or is the only option to run ipa-client-install --uninstall followed by
> >>>> ipa-client-install to reattach them?
> >>> Did you remove the sssd cache after the migration?
> >>>     rm -f /var/lib/sss/db/*.ldb
> >>>
> >>> (please make sure the clients can reach the server or maybe mv the cache
> >>> instead of rm so you can restore cached credentials if something goes
> >>> wrong..)
> >>>
> >> Hi Jakub,
> >>
> >> I've now tried removing the sssd cache on one of the offending servers
> >> and it's not made any difference.
> >>
> >> getent netgroup oepp_hosts
> >>
> >> when run from any host enrolled to the new IPA servers, including the
> >> IPA masters themselves produces the results with "mgmt.prod" included
> >> and the same thing run on any of the pre-migrated servers that are still
> >> commissioned produces them without, so I assume that the netgroup domain
> >> information is coming from the IPA masters rather than the local host.
> >>
> > Could you provide the content of the LDIF from the IPA server
> > for this netgroup/hostgroup?
> >
> > LS
> 
> Hi Jakub,
> 
> I extracted the following from the userRoot ldif produced by "ipa-backup
> --data".
> 
> It appears to have the incorrect domain set against nisDomainName. Could
> this be changed with ldapmodify?

Sorry, I'm not sure. I hope someone with better insight into the IPA
framework knows.
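The mismatch described in this thread (a triple whose domain field is mgmt.prod.local.lan while the host's NIS domain is local.lan) can be checked on a client before touching the directory. The script below is an added example, not code from the thread or from FreeIPA/SSSD: it parses `getent netgroup` output into (host,user,domain) triples and applies innetgr-style matching, where an empty field matches anything, `-` matches nothing, and a non-empty domain field must equal the host's NIS domain. The sample line is the output quoted above; the `diagnose` helper and its matching rules are assumptions of this example.

```python
"""Flag netgroup triples that name this host but cannot match it.

Added diagnostic (not from the thread). Triple format is (host,user,domain):
an empty field matches anything, '-' matches nothing, and a non-empty
domain must equal the client's NIS domain for innetgr-style matching.
"""
import re

TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed from the getent output quoted in the thread.
SAMPLE_GETENT_LINE = (
    "oepp_hosts "
    "(oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan) "
    "(oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)"
)


def parse_netgroup(getent_line):
    """Split one 'getent netgroup NAME' line into (name, [(host, user, domain)])."""
    name, _, rest = getent_line.partition(" ")
    triples = [tuple(f.strip() for f in m.groups())
               for m in TRIPLE_RE.finditer(rest)]
    return name, triples


def host_matches(triple, fqdn, nis_domain):
    """innetgr-style host match: '-' never matches, '' matches anything."""
    host, _user, domain = triple
    if host == "-" or domain == "-":
        return False
    if host and host != fqdn:
        return False
    # If the client has no NIS domain set, the domain field is ignored.
    if nis_domain and domain and domain != nis_domain:
        return False
    return True


def diagnose(getent_line, fqdn, nis_domain):
    """Return (triples naming fqdn, triples that actually match fqdn).

    A non-empty first list with an empty second list is the symptom in the
    thread: the host is listed, but its domain field blocks sudo matching.
    """
    _, triples = parse_netgroup(getent_line)
    named = [t for t in triples if t[0] == fqdn]
    matched = [t for t in triples if host_matches(t, fqdn, nis_domain)]
    return named, matched
```

Run it with the output of `getent netgroup <group>`, `hostname` and `nisdomainname` from an affected client; a listed-but-unmatched host points at the nisDomainName stored on the server rather than at the local SSSD cache.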
