Martin Kosek wrote:
> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
> ...
>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify
>>> as DM and it worked:
>>>
>>> # ipa netgroup-show masters
>>>   Netgroup name: masters
>>>   Description: ipaNetgroup masters
>>>   NIS domain name: rhel72
>>>   External host: foo
>>>   Member Hostgroup: masters
>>>
>>> I am still unable to add membership as admin though:
>>>
>>> # ipa netgroup-add-member masters --hosts foo2
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>
>> That is the right way to do it. Unknown hosts to IPA are marked as
>> "external" and stored separately. Just be aware that you can put
>> anything in there, so beware of typos.
>>
>> This command works fine for me using ipa-server-4.2.0-15.el7,
>> so I'm not sure where the permission bug lies.
>
> Did you try it on a native netgroup (added via netgroup-add) or a hostgroup
> shadow group? It works for me on native netgroups, but not on shadow
> netgroups, where I can only add the external host as DM.
>
I didn't, but I can reproduce it. It is probably due to this deny ACI:

aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";)

Not very nice behavior (and deny ACIs are icky). I guess the netgroup mod
commands should look to see if it is a real netgroup before trying to do a
write and otherwise raise a more reasonable error.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
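The following is an added example, not code from the thread or from FreeIPA. It models the behavior the two messages describe: a 389-DS deny ACI whose targetfilter matches the Managed Entry plugin's shadow netgroups, Directory Manager bypassing ACI evaluation (which is why ldapmodify as DM succeeded), a matching deny winning over any allow, and the pre-check Rob suggests, where the command refuses a managed netgroup before attempting the write instead of surfacing the raw "Insufficient 'write' privilege" error. The ACI string is the one quoted in the reply; the admin bind DN, the two netgroup entries and the set of allowed writers (standing in for FreeIPA's real allow ACIs) are constructed for the example, and only the subset of ACI syntax the quoted ACI uses is parsed.

```python
import re
from dataclasses import dataclass

# The deny ACI quoted in Rob's reply, copied verbatim from the thread.
MANAGED_NETGROUP_ACI = (
    '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")'
    '(version 3.0; acl "Managed netgroups cannot be modified"; '
    'deny (write) userdn = "ldap:///all";)'
)

DIRECTORY_MANAGER = "cn=Directory Manager"
# Constructed bind DN and entries: nothing below is read from a live server.
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=rhel72"
SHADOW_NETGROUP = {  # netgroup the Managed Entry plugin keeps for hostgroup "masters"
    "dn": "cn=masters,cn=ng,cn=alt,dc=rhel72",
    "objectClass": ["ipaNetgroup", "mepManagedEntry"],
    "externalHost": [],
}
NATIVE_NETGROUP = {  # netgroup created with `ipa netgroup-add`
    "dn": "cn=devs,cn=ng,cn=alt,dc=rhel72",
    "objectClass": ["ipaNetgroup"],
    "externalHost": [],
}


@dataclass(frozen=True)
class Aci:
    name: str
    target_objectclass: str  # only "(objectClass=X)" targetfilters are modelled
    target_attrs: frozenset  # frozenset({"*"}) covers every attribute
    effect: str              # "allow" or "deny"
    rights: frozenset        # e.g. frozenset({"write"})

    def matches(self, entry: dict, attr: str) -> bool:
        classes = {c.lower() for c in entry.get("objectClass", [])}
        if self.target_objectclass.lower() not in classes:
            return False
        return "*" in self.target_attrs or attr.lower() in {a.lower() for a in self.target_attrs}


def parse_aci(text: str) -> Aci:
    """Parse the subset of 389-DS ACI syntax that the quoted ACI uses."""
    f = re.search(r'targetfilter\s*=\s*"\(objectClass=([^)]+)\)"', text, re.I)
    a = re.search(r'targetattr\s*=\s*"([^"]+)"', text, re.I)
    n = re.search(r'acl\s+"([^"]+)"', text)
    r = re.search(r'\b(allow|deny)\s*\(([^)]+)\)', text)
    if not (f and a and n and r):
        raise ValueError("unsupported ACI syntax: " + text)
    return Aci(
        name=n.group(1),
        target_objectclass=f.group(1),
        target_attrs=frozenset(s.strip() for s in a.group(1).split("||")),
        effect=r.group(1).lower(),
        rights=frozenset(s.strip().lower() for s in r.group(2).split(",")),
    )


ACIS = [parse_aci(MANAGED_NETGROUP_ACI)]
ALLOWED_WRITERS = {ADMIN_DN}  # stand-in for the allow ACIs admins normally get (assumption)


def write_allowed(entry: dict, attr: str, bind_dn: str) -> bool:
    """Directory Manager is not subject to ACIs; for anyone else a matching
    deny wins over any allow, as 389-DS evaluates it."""
    if bind_dn.lower() == DIRECTORY_MANAGER.lower():
        return True
    if any(aci.effect == "deny" and "write" in aci.rights and aci.matches(entry, attr)
           for aci in ACIS):
        return False
    return bind_dn in ALLOWED_WRITERS


class InsufficientAccess(Exception):
    pass


class ManagedEntryError(Exception):
    pass


def is_managed(entry: dict) -> bool:
    return "mepmanagedentry" in {c.lower() for c in entry.get("objectClass", [])}


def add_external_host(entry: dict, host: str, bind_dn: str, precheck: bool = True) -> dict:
    """Model of `ipa netgroup-add-member --hosts` for a host unknown to IPA.
    precheck=True is the guard Rob suggests: refuse managed netgroups before
    the write is attempted. precheck=False reproduces the opaque ACI error."""
    if precheck and is_managed(entry):
        raise ManagedEntryError(f"{entry['dn']} is a managed netgroup and cannot be modified")
    if not write_allowed(entry, "externalHost", bind_dn):
        raise InsufficientAccess("Insufficient 'write' privilege to the 'externalHost' "
                                 f"attribute of entry '{entry['dn']}'.")
    updated = dict(entry)
    updated["externalHost"] = list(entry.get("externalHost", [])) + [host]
    return updated


def attempt(entry: dict, host: str, bind_dn: str, precheck: bool = True):
    """Return ("ok", updated entry) or (exception class name, message)."""
    try:
        return "ok", add_external_host(entry, host, bind_dn, precheck)
    except (InsufficientAccess, ManagedEntryError) as exc:
        return type(exc).__name__, str(exc)


if __name__ == "__main__":
    for label, entry, dn, pre in [
        ("native netgroup, admin", NATIVE_NETGROUP, ADMIN_DN, False),
        ("shadow netgroup, admin, no precheck", SHADOW_NETGROUP, ADMIN_DN, False),
        ("shadow netgroup, admin, precheck", SHADOW_NETGROUP, ADMIN_DN, True),
        ("shadow netgroup, DM, no precheck", SHADOW_NETGROUP, DIRECTORY_MANAGER, False),
    ]:
        print(label, "->", attempt(entry, "foo2", dn, pre))
```

Running the script prints the four outcomes side by side: the native netgroup accepts the external host, the shadow netgroup yields the same "Insufficient 'write' privilege" message Martin saw when the write is attempted blindly, the pre-check turns that into an explicit managed-entry error, and DM succeeds because it is never evaluated against the ACI at all. The last case is also the caveat: a DM-side ldapmodify silently bypasses the protection the deny ACI is there to provide.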