On Sat, 18 Mar 2017, Bob Hinton wrote:
Hi,

The first IPA master we built was ipa001.local.lan. We have since
created a number of subdomains of local.lan and have created a number of
replicas. The current configuration has two clusters of IPA replicas -
ipa001.mgmt.prod.local.lan to ipa003.mgmt.prod.local.lan and
ipa001.mgmt.paas.local.lan to ipa003.mgmt.paas.local.lan

We've recently commenced migrating some of the existing systems to a new
environment and for various reasons have started with a fresh master -
ipa001.mgmt.prod.local.lan.

Quite a lot of sudo rules don't work in the new environment. As far as I
can tell this is because the shadow netgroups have a nisdomain of
mgmt.prod.local.lan instead of local.lan.

I would have thought that the nisdomain should be set to either the
domain or realm i.e. local.lan rather than seemingly taken from the
network portion of the first master mgmt.prod.local.lan. Is this correct?

Is there a way to change the default nisdomain? Rebuilding all the new
IPA masters and migrating all the data again would be a lot of work.

The code that handles 'ipa netgroup-add' defaults to the IPA domain as
the default NIS domain name. You can change that by explicitly adding
'--nisdomain=specific.nis.domain' to 'ipa netgroup-add'. You can change
it for existing netgroups by specifying the --nisdomain option to 'ipa
netgroup-mod'.

--
/ Alexander Bokovoy
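
A dry-run helper for the bulk change described in the reply above, as an added example that is not part of the original thread: it reads `ipa netgroup-find` output and prints one `ipa netgroup-mod` command for each netgroup whose NIS domain differs from the wanted one. The function names, the constructed sample listing and the English field labels `Netgroup name` and `NIS domain name` are assumptions.

```shell
#!/bin/sh
# Added example: plan the --nisdomain changes before running them.

# Reads `ipa netgroup-find` style output on stdin and prints the
# `ipa netgroup-mod` commands needed to set the NIS domain to $1.
plan_nisdomain_fix() {
    awk -v want="$1" '
        # Field labels as the ipa CLI prints them in an English locale (assumption).
        /^ *Netgroup name:/ {
            sub(/^[^:]*: */, ""); sub(/[ \t\r]*$/, "")
            # Only accept plain names, so the printed command is safe to paste.
            if ($0 !~ /^[A-Za-z0-9_.][A-Za-z0-9_.-]*$/) {
                print "skipping unexpected name: " $0 > "/dev/stderr"
                name = ""; next
            }
            name = $0; next
        }
        /^ *NIS domain name:/ {
            sub(/^[^:]*: */, ""); sub(/[ \t\r]*$/, "")
            if (name != "" && $0 != want)
                printf "ipa netgroup-mod %s --nisdomain=%s\n", name, want
            name = ""
        }
    '
}

# Constructed sample listing (not real output from the poster's servers).
sample_find_output() {
    cat <<'EOF'
--------------------
3 netgroups matched
--------------------
  Netgroup name: webservers
  Description: web tier
  NIS domain name: mgmt.prod.local.lan

  Netgroup name: legacy-admins
  NIS domain name: local.lan

  Netgroup name: dbservers
  NIS domain name: mgmt.prod.local.lan
EOF
}

# On an enrolled host with a valid Kerberos ticket, the real input would be:
#   ipa netgroup-find --sizelimit=0 | plan_nisdomain_fix local.lan
sample_find_output | plan_nisdomain_fix local.lan
```

Review the printed commands before running them; netgroups that already carry the wanted NIS domain produce no output.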
