On 05/01/2016 17:17, Rob Crittenden wrote:
Martin Kosek wrote:
On 01/05/2016 04:24 PM, Rob Crittenden wrote:
Martin Kosek wrote:
On 01/04/2016 10:41 PM, Rob Crittenden wrote:
Martin Kosek wrote:
...
I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
and it worked:

# ipa netgroup-show masters
   Netgroup name: masters
   Description: ipaNetgroup masters
   NIS domain name: rhel72
   External host: foo
   Member Hostgroup: masters

I am still unable to add membership as admin though:

# ipa netgroup-add-member masters --hosts foo2
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.

That is the right way to do it. Unknown hosts to IPA are marked as
"external" and stored separately. Just be aware that you can put
anything in there so beware of typos.

This command works fine for me using ipa-server-4.2.0-15.el7
so I'm not sure where the permission bug lies.

Did you try it on a native netgroup (added via netgroup-add) or on a hostgroup
shadow group? It works for me on native netgroups, but not on shadow netgroups,
where I can only add the external host as DM.


I didn't but I can reproduce it.

It is probably due to this deny ACI:

aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny (write) userdn = "ldap:///all";;)

Ah, good catch. I was suspecting something like that, I just did not know we
went that far as to create a deny ACI.

Not very nice behavior (and deny ACIs are icky).

I guess the netgroup mod commands should look to see if it is a real
netgroup before trying to do a write and otherwise raise a more
reasonable error.

Potentially yes, although I do not see that as the most important part. I
rather do not know how to solve Roderick's issue and add external hosts as part
of the shadow netgroups.

Currently, the only workaround is to create plain host/ghost entries for these
non-ipa clients and use them in host groups.


That or use real netgroups created via netgroup-add instead of
hostgroups. That is the only way to have control over the advertised NIS
domain in the triple anyway.

rob


Martin/Rob

Thanks for all your analysis on this query.

I had come to the conclusion that using the real netgroups was probably the way to go on this in my particular circumstances. I'm happy now that I'm not missing something obvious about the managed netgroups which would make them a better choice.

Thanks again.

Roderick
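As an added illustration of the thread's explanation (example code, not FreeIPA's or 389-ds's own), the model below evaluates the quoted deny ACI against constructed netgroup entries and shows the pre-check Rob suggests for the netgroup commands: a managed (mepManagedEntry) shadow netgroup gets a clear error before any write is attempted. It assumes Directory Manager binds as "cn=Directory Manager" and is exempt from ACIs; the entries and the admin bind DN are constructed samples.

```python
import re

# The deny ACI quoted in the thread, verbatim.
DENY_ACI = ('(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")'
            '(version 3.0; acl "Managed netgroups cannot be modified"; '
            'deny (write) userdn = "ldap:///all";;)')
DIRECTORY_MANAGER = "cn=Directory Manager"  # assumption: DM bypasses all ACIs

# Constructed sample entries: a hostgroup shadow netgroup and a native one.
SHADOW_NETGROUP = {"cn": "masters", "objectclass": ["ipaNisNetgroup", "mepManagedEntry"]}
NATIVE_NETGROUP = {"cn": "dbservers", "objectclass": ["ipaNisNetgroup"]}


class ManagedNetgroupError(Exception):
    """Clearer error than the generic 'Insufficient write privilege'."""


def parse_deny_aci(aci):
    """Extract the object class, target attribute and denied rights from the ACI."""
    oc = re.search(r'\(targetfilter = "\(objectClass=([^)]+)\)"\)', aci).group(1)
    attr = re.search(r'\(targetattr = "([^"]+)"\)', aci).group(1)
    rights = re.search(r'deny \(([^)]+)\)', aci).group(1).split(",")
    return {"objectclass": oc.lower(), "targetattr": attr,
            "rights": [r.strip() for r in rights]}


def write_denied(entry, attr, bind_dn, aci=DENY_ACI):
    """Server-side view: does the deny ACI block writing attr on entry for bind_dn?"""
    if bind_dn == DIRECTORY_MANAGER:  # why ldapmodify as DM succeeded
        return False
    rule = parse_deny_aci(aci)
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if rule["objectclass"] not in classes:
        return False  # userdn ldap:///all only matters once the targetfilter matches
    if rule["targetattr"] != "*" and rule["targetattr"].lower() != attr.lower():
        return False
    return "write" in rule["rights"]


def netgroup_add_external_host(entry, host):
    """Client-side pre-check: refuse managed netgroups before attempting the write."""
    classes = {c.lower() for c in entry.get("objectclass", [])}
    if "mepmanagedentry" in classes:
        raise ManagedNetgroupError(
            "%s is a managed netgroup mirroring a hostgroup; add the host to the "
            "hostgroup or use a netgroup created with netgroup-add" % entry["cn"])
    entry.setdefault("externalhost", []).append(host)
    return entry["externalhost"]
```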

--
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project