Martin Kosek wrote:
> On 01/05/2016 04:24 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>> ...
>>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify
>>>>> as DM and it worked:
>>>>>
>>>>> # ipa netgroup-show masters
>>>>>   Netgroup name: masters
>>>>>   Description: ipaNetgroup masters
>>>>>   NIS domain name: rhel72
>>>>>   External host: foo
>>>>>   Member Hostgroup: masters
>>>>>
>>>>> I am still unable to add membership as admin though:
>>>>>
>>>>> # ipa netgroup-add-member masters --hosts foo2
>>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>>
>>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>>> "external" and stored separately. Just be aware that you can put
>>>> anything in there so beware of typos.
>>>>
>>>> This command works fine for me using ipa-server-4.2.0-15.el7
>>>> so I'm not sure where the permission bug lies.
>>>
>>> Did you try it on a native netgroup (added via netgroup-add) or a hostgroup
>>> shadow group? It works for me on native netgroups, but not on shadow netgroups,
>>> where I can only add the external host as DM.
>>>
>> I didn't but I can reproduce it.
>>
>> It is probably due to this deny ACI:
>>
>> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
>> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
>> (write) userdn = "ldap:///all";)
>
> Ah, good catch. I was suspecting something like that, I just did not know we
> went that far to create a deny ACI.
>
>> Not very nice behavior (and deny ACIs are icky).
>>
>> I guess the netgroup mod commands should look to see if it is a real
>> netgroup before trying to do a write and otherwise raise a more
>> reasonable error.
>
> Potentially yes, although I do not see that as the most important part. I
> rather do not know how to solve Roderick's issue and add external hosts as
> part of the shadow netgroups.
>
> Currently, the only workaround is to create plain host/ghost entries for these
> non-ipa clients and use them in host groups.

That or use real netgroups created via netgroup-add instead of hostgroups.
That is the only way to have control over the advertised NIS domain in the
triple anyway.

rob

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
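As an added illustration of the two points in the thread (why the quoted deny ACI stops admin but not Directory Manager, and the pre-check Rob suggests before the netgroup commands attempt a write), the following is a deliberately simplified, stand-alone model written for this page; it is not FreeIPA or 389-ds code. It assumes two things about the server that the thread relies on but does not spell out: a bind as Directory Manager is never subject to ACI evaluation, and a matching deny ACI wins over any allow. The two netgroup entries, the admin DN and the allow ACI are constructed samples; only the deny ACI is taken from the thread.

```python
"""Simplified model of LDAP ACI evaluation for the managed-netgroup case (illustration only)."""
import re

# The deny ACI quoted in the thread, joined onto one line.
DENY_ACI = (
    '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")'
    '(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) '
    'userdn = "ldap:///all";)'
)
# Constructed allow ACI: lets admin write externalHost on any netgroup.
ADMIN_DN = "uid=admin,cn=users,cn=accounts,dc=rhel72"   # constructed
ALLOW_ACI = (
    '(targetattr = "externalHost")(version 3.0; acl "Admin may edit externalHost"; '
    f'allow (write) userdn = "ldap:///{ADMIN_DN}";)'
)
ACIS = [DENY_ACI, ALLOW_ACI]
DIRECTORY_MANAGER = "cn=Directory Manager"

# Constructed entries: the hostgroup shadow carries mepManagedEntry, a native one does not.
SHADOW_NETGROUP = {"dn": "cn=masters,cn=ng,cn=alt,dc=rhel72",
                   "objectClass": {"top", "ipaNetgroup", "mepManagedEntry"}}
NATIVE_NETGROUP = {"dn": "cn=devs,cn=ng,cn=alt,dc=rhel72",
                   "objectClass": {"top", "ipaNetgroup"}}


def parse_aci(aci):
    """Extract only the fields this model evaluates from an ACI string."""
    def field(name):
        m = re.search(r'\b' + name + r'\s*=?\s*"([^"]*)"', aci)
        return m.group(1) if m else None
    m = re.search(r'\b(allow|deny)\s*\(([^)]*)\)', aci)
    return {"name": field("acl"), "targetfilter": field("targetfilter"),
            "targetattr": field("targetattr"), "userdn": field("userdn"),
            "effect": m.group(1), "rights": {r.strip() for r in m.group(2).split(",")}}


def entry_matches_filter(entry, targetfilter):
    """No targetfilter means every entry; otherwise only a single (attr=value) equality is modelled."""
    if targetfilter is None:
        return True
    m = re.fullmatch(r'\((\w+)=([^)]+)\)', targetfilter)
    if not m:
        return False
    attr, value = m.groups()
    return value.lower() in {v.lower() for v in entry.get(attr, set())}


def aci_applies(aci, entry, attr, bind_dn):
    """Does this ACI target the entry, the attribute and the bound identity?"""
    if not entry_matches_filter(entry, aci["targetfilter"]):
        return False
    if aci["targetattr"] != "*" and attr.lower() != aci["targetattr"].lower():
        return False
    return aci["userdn"] == "ldap:///all" or aci["userdn"] == f"ldap:///{bind_dn}"


def write_allowed(bind_dn, entry, attr, acis):
    """Return (allowed, reason). Assumption: DM bypasses ACIs; a matching deny beats any allow."""
    if bind_dn.lower() == DIRECTORY_MANAGER.lower():
        return True, "Directory Manager bypasses ACI evaluation"
    applicable = [p for p in (parse_aci(a) for a in acis)
                  if "write" in p["rights"] and aci_applies(p, entry, attr, bind_dn)]
    denies = [p for p in applicable if p["effect"] == "deny"]
    if denies:
        return False, f"denied by ACI '{denies[0]['name']}'"
    if any(p["effect"] == "allow" for p in applicable):
        return True, "granted by allow ACI"
    return False, "no ACI grants write"


def managed_netgroup_error(entry):
    """The pre-check Rob suggests: return a clear message for a managed (shadow) netgroup, else None."""
    if "mepmanagedentry" in {oc.lower() for oc in entry["objectClass"]}:
        return (f"{entry['dn']} is a managed netgroup mirroring a hostgroup; add members "
                "with 'ipa hostgroup-add-member' or create a real netgroup with 'ipa netgroup-add'")
    return None


if __name__ == "__main__":
    for who in (DIRECTORY_MANAGER, ADMIN_DN):
        for entry in (SHADOW_NETGROUP, NATIVE_NETGROUP):
            print(who, entry["dn"], write_allowed(who, entry, "externalHost", ACIS))
    print(managed_netgroup_error(SHADOW_NETGROUP))
```

Running it reproduces the thread: the DM write on the shadow netgroup succeeds, the same write as admin is refused by "Managed netgroups cannot be modified", and the native netgroup is writable by admin. The pre-check turns the opaque "Insufficient 'write' privilege" into a message that names the cause before any LDAP write is attempted.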