On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote:
> Morning,
>
> We have a collection of hosts within prod1.local.lan. However, the
> domain section of the shadow netgroups for the hosts is
> mgmt.prod.local.lan. This seems to prevent sudo rules working on these
> hosts unless they specify all hosts -
>
> -sh-4.2$ getent netgroup oepp_hosts
> oepp_hosts
> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
> -sh-4.2$ hostname
> oeppredis001.z4.prod1.local.lan
> -sh-4.2$ nisdomainname
> local.lan
> -sh-4.2$ domainname
> local.lan
>
> The VMs associated with these hosts have recently been migrated and
> re-enrolled against a new IPA server. The originals all had netgroup
> domains of local.lan so something must have gone wrong in the migration
> process. Is there a way to correct the netgroup domains of these hosts,
> or is the only option to run ipa-client-install --uninstall followed by
> ipa-client-install to reattach them?

Did you remove the sssd cache after the migration?

    rm -f /var/lib/sss/db/*.ldb

(please make sure the clients can reach the server or maybe mv the cache
instead of rm so you can restore cached credentials if something goes
wrong.)

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project
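
Added example, not part of the original thread: a small check that reads `getent netgroup` output and lists the host triples whose domain field differs from the domain the client reports, assuming (as the question describes) that the two are expected to match. The function name and the `example00N` entries in the sample are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample in the shape of the `getent netgroup oepp_hosts` output
# quoted in the thread. The example00N entries are made up for contrast.
SAMPLE='oepp_hosts
(oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan)
(oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan)
(example001.z4.prod1.local.lan,-,local.lan)
(example002.z4.prod1.local.lan,-,)'

# mismatched_triples WANT_DOMAIN   (hypothetical helper; reads stdin)
# Prints "host domain" for each (host,user,domain) triple whose domain
# field is set and differs from WANT_DOMAIN. An empty domain field is a
# wildcard in netgroup matching, so it is not reported.
mismatched_triples() {
    want_domain=$1
    # One token per line, then keep only the "(a,b,c)" tokens, unwrapped.
    tr -s ' \t' '\n\n' | sed -n 's/^(\(.*\))$/\1/p' |
    while IFS=, read -r host user domain; do
        [ -z "$domain" ] && continue
        [ "$domain" = "$want_domain" ] && continue
        printf '%s %s\n' "$host" "$domain"
    done
}

# Demonstration on the constructed sample.
printf '%s\n' "$SAMPLE" | mismatched_triples local.lan

# On an enrolled client the same check would be run against live data:
#   getent netgroup oepp_hosts | mismatched_triples "$(nisdomainname)"
```

If the list is still non-empty after the SSSD cache has been moved aside and repopulated, the stale domain is coming from the server side rather than from the client cache.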