On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
> Morning,
> 
> We have a collection of hosts within prod1.local.lan. However, the
> domain section of the shadow netgroups for the hosts is
> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
> hosts unless they specify all hosts -
> 
> -sh-4.2$ getent netgroup oepp_hosts
> oepp_hosts           
> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> -sh-4.2$ hostname
> oeppredis001.z4.prod1.local.lan
> -sh-4.2$ nisdomainname
> local.lan
> -sh-4.2$ domainname
> local.lan
> 
> The VMs associated with these hosts have recently been migrated and
> re-enrolled against a new IPA server. The originals all had netgroup
> domains of local.lan so something must have gone wrong in the migration
> process. Is there a way to correct the netgroup domains of these hosts,
> or is the only option to run ipa-client-install --uninstall followed by
> ipa-client-install to reattach them?

Did you remove the sssd cache after the migration?
    rm -f /var/lib/sss/db/*.ldb

(Please make sure the clients can reach the server, or maybe mv the cache
instead of rm so you can restore cached credentials if something goes
wrong.)

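One way to check a whole netgroup for the mismatch described in the question, as an added example that is not from either poster: the function name and the two example00x hosts are constructed, while the other triples and domains are taken from the getent output quoted above. It assumes an empty domain field in a triple acts as a wildcard and skips it.

```shell
#!/bin/sh
# Added example: list netgroup triples whose domain field differs from the
# domain the client reports (nisdomainname / domainname).
# Reads `getent netgroup NAME` output on stdin.

netgroup_domain_mismatches() {
    expected=$1
    # getent may print several "(host,user,domain)" triples per line;
    # put each on its own line, strip parentheses and spaces, then compare.
    grep -o '([^()]*)' | tr -d '() ' |
    awk -F, -v want="$expected" '
        # $1 = host, $2 = user, $3 = domain; empty domain = wildcard
        NF == 3 && $3 != "" && $3 != want { print $1 " " $3 }
    '
}

# Sample input: first line from the thread, second line constructed.
sample_getent_output() {
    cat <<'EOF'
oepp_hosts (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan) (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
(example001.z1.prod1.local.lan,-,local.lan) (example002.z1.prod1.local.lan,-,)
EOF
}

# Live use on a client:
#   getent netgroup oepp_hosts | netgroup_domain_mismatches "$(domainname)"
echo "Triples whose domain is not local.lan:"
sample_getent_output | netgroup_domain_mismatches local.lan
```

Running it before and after moving the sssd cache aside shows whether the stale domain came from cached data or is still served by the new IPA server.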