On 12/22/2015 12:10 PM, Roderick Johnstone wrote:
> Hi
>
> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7.
>
> I need to have the netgroups set up in freeipa before migrating systems to be
> freeipa clients.
>
> At this point I'm trying to understand the relationship between hostgroups and
> netgroups and whether I should just be using ipa netgroup-add and ipa
> netgroup-add-member commands or whether I should be using equivalent ipa
> hostgroup* commands.
>
> Section 14.5.1 of the Redhat 7 Domain Identity Authentication and Policy Guide
> is telling me that I get a shadow netgroup for every hostgroup I create and
> that I can manage these netgroups with the "ipa-host-net-manage" command.
>
> I don't see the ipa-host-net-manage command. There are
> ipa host* commands but these don't include ipa host-net* commands. What am I
> missing here?

Good catch, this is actually a doc bug. I filed a Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1295408

Netgroups normally simply mirror host groups, so you do not have to use
"netgroup-*" commands if you do not manage native netgroups.

> Also the ipa netgroup* commands don't seem to be able to manage the shadow
> netgroups so I'm currently unable to manipulate my shadow netgroups to e.g.
> change the nisdomain associated with them. How do I do that?

Shadow netgroups should be only manipulated by updating the source hostgroups,
AFAIK.

> Also it looks like I can't add non-ipa clients into hostgroups so presumably
> not into shadow netgroups either, so maybe this is a non-starter for me. Did I
> understand that correctly?

I personally do not have practical experience with netgroups, but it is true
that non-ipa clients cannot be added to host groups. Maybe Rob (CCed), as a
NIS-knowledgeable person, knows more about what the best solution is here.

I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
and it worked:

# ipa netgroup-show masters
  Netgroup name: masters
  Description: ipaNetgroup masters
  NIS domain name: rhel72
  External host: foo
  Member Hostgroup: masters

I am still unable to add membership as admin though:

# ipa netgroup-add-member masters --hosts foo2
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.

Martin