On 01/05/2016 04:24 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>> ...
>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify
>>>> as DM and it worked:
>>>>
>>>> # ipa netgroup-show masters
>>>>   Netgroup name: masters
>>>>   Description: ipaNetgroup masters
>>>>   NIS domain name: rhel72
>>>>   External host: foo
>>>>   Member Hostgroup: masters
>>>>
>>>> I am still unable to add membership as admin though:
>>>>
>>>> # ipa netgroup-add-member masters --hosts foo2
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>
>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>> "external" and stored separately. Just be aware that you can put
>>> anything in there so beware of typos.
>>>
>>> This command works fine for me using ipa-server-4.2.0-15.el7
>>> so I'm not sure where the permission bug lies.
>>
>> Did you try it on native netgroup (added via netgroup-add) or hostgroup
>> shadow group? As it works for me on native netgroups, but not on shadow
>> netgroups, where I can only add the external host as DM.
>>
> I didn't but I can reproduce it.
>
> It is probably due to this deny ACI:
>
> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
> (write) userdn = "ldap:///all";)
Ah, good catch. I was suspecting something like that, I just did not know we
went that far to create deny ACI.

> Not very nice behavior (and deny ACIs are icky).
>
> I guess the netgroup mod commands should look to see if it is a real
> netgroup before trying to do a write and otherwise raise a more
> reasonable error.

Potentially yes, although I do not see that as the most important part. I
rather do not know how to solve Roderick's issue and add external hosts as
part of the shadow netgroups. Currently, the only workaround is to create
plain host/ghost entries for these non-ipa clients and use them in host
groups.

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
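The check Rob suggests (see whether the netgroup is a real one before attempting the write) together with the workaround Martin describes, as an added example that is not part of the thread or of FreeIPA's own code: `search` is a hypothetical callable standing in for a live LDAP lookup, and `SAMPLE_DIRECTORY` is constructed data modelled on the entries quoted above.

```python
from typing import Callable, Dict, List

Entry = Dict[str, List[str]]
MANAGED_OC = "mepManagedEntry"  # objectClass the deny ACI quoted above targets


class ManagedNetgroupError(Exception):
    """Raised instead of attempting a write the deny ACI would reject."""


def _values(entry: Entry, attr: str) -> List[str]:
    # LDAP attribute names are case-insensitive, so match them that way
    return next((list(v) for k, v in entry.items() if k.lower() == attr.lower()), [])


def is_managed_netgroup(entry: Entry) -> bool:
    return any(oc.lower() == MANAGED_OC.lower() for oc in _values(entry, "objectClass"))


def plan_external_host_add(search: Callable[[str], Entry], dn: str, host: str) -> List[str]:
    """Return the externalHost values to write, or raise with actionable guidance.
    `search` (hypothetical) maps a DN to its attributes; wire it to a real LDAP connection."""
    entry = search(dn)
    if is_managed_netgroup(entry):
        origin = _values(entry, "mepManagedBy")  # 389-ds MEP link to the origin hostgroup
        why = f"mirrors hostgroup {origin[0]}" if origin else "is a managed entry"
        raise ManagedNetgroupError(
            f"{dn} {why}; the 'Managed netgroups cannot be modified' deny ACI "
            f"blocks writes to externalHost. Create a plain host entry for "
            f"{host!r} and add it to the hostgroup instead.")
    current = _values(entry, "externalHost")
    return current if host in current else current + [host]


# Constructed sample directory: a hostgroup shadow netgroup and a native one
SAMPLE_DIRECTORY: Dict[str, Entry] = {
    "cn=masters,cn=ng,cn=alt,dc=rhel72": {
        "objectClass": ["top", "ipaNISNetgroup", "mepManagedEntry"],
        "mepManagedBy": ["cn=masters,cn=hostgroups,cn=accounts,dc=rhel72"],
        "externalHost": ["foo"],
    },
    "cn=native,cn=ng,cn=alt,dc=rhel72": {
        "objectClass": ["top", "ipaNISNetgroup"],
    },
}


def sample_search(dn: str) -> Entry:
    return SAMPLE_DIRECTORY[dn]
```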