On 18/03/2017 17:03, Alexander Bokovoy wrote:
> On Sat, 18 Mar 2017, Bob Hinton wrote:
>> Hi,
>>
>> The first IPA master we built was ipa001.local.lan. We have since
>> created a number of subdomains of local.lan and have created a number of
>> replicas. The current configuration has two clusters of IPA replicas -
>> ipa001.mgmt.prod.local.lan to ipa003.mgmt.prod.local.lan and
>> ipa001.mgmt.paas.local.lan to ipa003.mgmt.paas.local.lan
>>
>> We've recently commenced migrating some of the existing systems to a new
>> environment and for various reasons have started with a fresh master -
>> ipa001.mgmt.prod.local.lan.
>>
>> Quite a lot of sudo rules don't work in the new environment. As far as I
>> can tell this is because the shadow netgroups have a nisdomain of
>> mgmt.prod.local.lan instead of local.lan.
>>
>> I would have thought that the nisdomain should be set to either the
>> domain or realm i.e. local.lan rather than seemingly taken from the
>> network portion of the first master mgmt.prod.local.lan. Is this
>> correct?
>>
>> Is there a way to change the default nisdomain? Rebuilding all the new
>> IPA masters and migrating all the data again would be a lot of work.
> The code that handles 'ipa netgroup-add' defaults to IPA domain as
> default NIS domain name. You can change that by explicitly adding
> '--nisdomain=specific.nis.domain' to 'ipa netgroup-add'. You can change
> it for existing netgroups by specifying --nisdomain option to 'ipa
> netgroup-mod'.
>

Hi Alexander,

Thanks for the information. Unfortunately, it's the shadow netgroups
created for hostgroups that are the problem. These aren't visible so can
I modify them with "ipa netgroup-mod"?

Also the default NIS domain name doesn't match the IPA domain on our
system, which is why I'm wondering if we've hit a bug.

This is IPA version 4.4.0.

Many thanks

Bob