[Freeipa-users] shadow netgroups with wrong domains - sudo problem [SOLVED]

Bob Hinton bob at rha-ltd.co.uk
Mon Mar 20 08:35:33 UTC 2017


On 20/03/2017 08:29, Jakub Hrozek wrote:
> On Fri, Mar 17, 2017 at 01:52:17PM +0000, Bob Hinton wrote:
>> On 17/03/2017 12:48, Lukas Slebodnik wrote:
>>> On (17/03/17 10:40), Bob Hinton wrote:
>>>> On 17/03/2017 08:41, Jakub Hrozek wrote:
>>>>> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
>>>>>> Morning,
>>>>>>
>>>>>> We have a collection of hosts within prod1.local.lan. However, the
>>>>>> domain section of the shadow netgroups for the hosts is
>>>>>> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
>>>>>> hosts unless they specify all hosts -
>>>>>>
>>>>>> -sh-4.2$ getent netgroup oepp_hosts
>>>>>> oepp_hosts
>>>>>> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
>>>>>> -sh-4.2$ hostname
>>>>>> oeppredis001.z4.prod1.local.lan
>>>>>> -sh-4.2$ nisdomainname
>>>>>> local.lan
>>>>>> -sh-4.2$ domainname
>>>>>> local.lan
>>>>>>
>>>>>> The VMs associated with these hosts have recently been migrated and
>>>>>> re-enrolled against a new IPA server. The originals all had netgroup
>>>>>> domains of local.lan so something must have gone wrong in the migration
>>>>>> process. Is there a way to correct the netgroup domains of these hosts,
>>>>>> or is the only option to run ipa-client-install --uninstall followed by
>>>>>> ipa-client-install to reattach them?
>>>>> Did you remove the sssd cache after the migration?
>>>>>     rm -f /var/lib/sss/db/*.ldb
>>>>>
>>>>> (please make sure the clients can reach the server or maybe mv the cache
>>>>> instead of rm so you can restore cached credentials if something goes
>>>>> wrong..)
>>>>>
>>>> Hi Jakub,
>>>>
>>>> I've now tried removing the sssd cache on one of the offending servers
>>>> and it's not made any difference.
>>>>
>>>> getent netgroup oepp_hosts
>>>>
>>>> when run from any host enrolled to the new IPA servers, including the
>>>> IPA masters themselves, produces the results with "mgmt.prod" included,
>>>> and the same thing run on any of the pre-migrated servers that are still
>>>> commissioned produces them without, so I assume that the netgroup domain
>>>> information is coming from the IPA masters rather than the local host.
>>>>
>>> Could you provide the content of the LDIF from the IPA server
>>> for this netgroup/hostgroup?
>>>
>>> LS
>> Hi Jakub,
>>
>> I extracted the following from the userRoot ldif produced by "ipa-backup
>> --data".
>>
>> It appears to have the incorrect domain set against nisDomainName. Could
>> this be changed with ldapmodify?
> Sorry, I'm not sure. I hope someone with better insight into the IPA
> framework knows.

Morning Jakub, I sent a related post "default nisdomain appears to be
derived from hostname of first master rather than set to domain or
realm" and Alexander Bokovoy explained how to fix this.

Many Thanks

Bob Hinton
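As a diagnostic for the mismatch described in this thread, the following is an added Python check (my own example, not code from the thread or from the FreeIPA project). It parses the `(host,user,domain)` triples that `getent netgroup <name>` prints and flags every triple whose domain part differs from what `nisdomainname` returns on the local host, which is the condition under which the netgroup-based sudo rules above stop matching. The embedded sample is constructed from the listing in the thread, with one triple altered to `local.lan` so that both a matching and a mismatching case are exercised.

```python
"""Flag netgroup triples whose NIS domain does not match the local host.

Added example, not from the Freeipa-users thread or the FreeIPA project.
Parses ``getent netgroup`` output into (host,user,domain) triples and reports
the ones whose domain part differs from the local ``nisdomainname``.
"""
import re
import subprocess
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample based on the thread's listing; the last triple has been
# altered to "local.lan" so the check shows one matching entry.
SAMPLE_GETENT_OUTPUT = """\
oepp_hosts
(oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
(oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
(oeppredis001.z4.prod1.local.lan,-,local.lan)
"""

# One netgroup triple: three comma-separated fields inside parentheses.
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


@dataclass(frozen=True)
class Triple:
    host: str
    user: str
    domain: str


def parse_getent_netgroup(text: str) -> List[Triple]:
    """Parse 'getent netgroup' output into triples.

    The first token (the netgroup name) carries no parentheses and is skipped.
    Field values are kept verbatim: "-" means "no valid value" and an empty
    field is a wildcard, per netgroup(5); the caller decides how to treat them.
    """
    return [
        Triple(*(field.strip() for field in match.groups()))
        for match in TRIPLE_RE.finditer(text)
    ]


def domain_mismatches(triples: List[Triple], local_domain: str) -> List[Triple]:
    """Return the triples whose domain field is set and differs from local_domain.

    An empty domain field is a wildcard and matches every host, so it is never
    reported. Anything else must equal the local NIS domain exactly.
    """
    return [t for t in triples if t.domain != "" and t.domain != local_domain]


def local_nis_domain() -> Optional[str]:
    """Return the output of `nisdomainname`, or None if it is unset/unavailable."""
    try:
        result = subprocess.run(
            ["nisdomainname"], capture_output=True, text=True, check=True
        )
    except (OSError, subprocess.CalledProcessError):
        return None
    dom = result.stdout.strip()
    return dom if dom and dom != "(none)" else None


def check_netgroup(name: str, local_domain: str) -> List[Triple]:
    """Run `getent netgroup <name>` on this host and report mismatching triples."""
    result = subprocess.run(
        ["getent", "netgroup", name], capture_output=True, text=True, check=True
    )
    return domain_mismatches(parse_getent_netgroup(result.stdout), local_domain)


if __name__ == "__main__":
    import sys

    netgroup = sys.argv[1] if len(sys.argv) > 1 else "oepp_hosts"
    domain = local_nis_domain()
    if domain is None:
        print("nisdomainname is not set on this host; cannot compare")
        sys.exit(2)
    for t in check_netgroup(netgroup, domain):
        print(f"{t.host}: netgroup domain {t.domain!r} != local {domain!r}")
```

Run it on an enrolled client as `python3 netgroup_check.py oepp_hosts`; a non-empty listing means the host can never match that netgroup's triples under its current `nisdomainname`, which is exactly the symptom that made the sudo rules above work only when they were scoped to all hosts.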
