Hi Rob,
Thanks a lot for confirming the effect and clear and plain explanation of
'external host' idea. I've filed a feature request type bug as you have
recommended. The bug link is here for your reference: Bug 821907 - Feature
Request: convert once External Hosts into Member Hosts after
ipa-client-install ..
I'll follow your steps to test the replication recovery on another thread now.
Thanks again for your help.
--Gelen.
________________________________
From: Rob Crittenden <rcrit...@redhat.com>
To: Gelen James <hahaha_...@yahoo.com>
Cc: "d...@redhat.com" <d...@redhat.com>; "Freeipa-users@redhat.com"
<Freeipa-users@redhat.com>
Sent: Tuesday, May 15, 2012 9:41 AM
Subject: Re: [Freeipa-users] Bug or feature regarding External Host in IPA net
groups?
Gelen James wrote:
>
> Hi all,
>
> Not sure whether it is bug or a feature, but when I evaluate the IPA net
> groups, the 'external host' feature brings me some unexpected results.
> I'll listed them below -- I am running IPA 2.1.3-9 on Redhat 6.2.
>
> 1, when I added a host into IPA netgroup in command line mode, 'ipa
> netgroup-add-member <netgroup> --hosts=<client>'. When the host is not
> yet installed/configured into an IPA client, it shows in 'external host'
> category, in the output of 'ipa netgroup-find <netgroup>' command.
> The 'external host' doesn't show up in the Web interface for IPA net
> group. But it does show up when run 'ipa net group-find', or even
> 'getent <netgroup>' by sssd.
>
> 2, After the 'external host' is configured into an IPA client -- 'ipa
> user-find <client> proves it' -- it is still reported as 'external host'
> by command 'ipa netgroup-find', and still not show up in web interface
> neither. Could this is a bug?
>
> 3, because of #2 above, when this machine is reconfigured, and removed
> with 'ipa user-del <client>', it is show up in the containing netgroups
> and nested netgroups, and has to be removed manually. :(
>
> 4, This could be a real bug: You can add an 'external host' with either
> a host's bare name, or FQDN name. Then after the machine is installed,
> and you would like to remove it from 'external host' category with
> command 'ipa user-del <client>', it will remove the FQDN name entry
> only! and leave the bare name there forever, until you delete the whole
> containing netgroup!
>
> [root@ipaclient02 ~]# ipa netgroup-find external-ng
> -------------------
> 1 netgroups matched
> -------------------
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02,
> ipaclient02.mac.example.com
>
> ----------------------------
> Number of entries returned 1
> ----------------------------
>
> [root@ipaclient02 ~]# getent netgroup external-ng
> external-ng (dnsmaster.example.com, -, example.com)
> (ipaclient02.mac.example.com, -, example.com)
>
> [root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
> --hosts=ipaclient02
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02
> ---------------------------
> Number of members removed 1
> ---------------------------
>
> [root@ipaclient02 ~]# ipa netgroup-remove-member external-ng
> --hosts=ipaclient02
> Netgroup name: external-ng
> Description: netgroup for external hosts
> NIS domain name: example.com
> Member of netgroups: nest-external-ng
> External host: dnsmaster.example.com, ipaclient02
> Failed hosts/hostgroups:
> member host: ipaclient02.example.com: This entry is not a member
> ---------------------------
> Number of members removed 0
> ---------------------------
> [root@ipaclient02 ~]#
>
An external host is one that is never expected to be added as a host in
IPA, however we don't prevent it. There is no reconciliation done if an
external host is added as an IPA host, as you've seen. If you'd like
this please file an enhancement request at https://fedorahosted.org/freeipa/
In 3.0 we have added validation of external host names. Whether this
will prevent a bare name or not I'm not sure. I don't know why we would
care whether it was fully qualified or not, though yeah, it appears we
are automatically adding the domain. I tested this in 2.2 and it worked
as expected, a bare name was deletable.
rob
_______________________________________________
Freeipa-users mailing list
Freeipa-users@redhat.com
https://www.redhat.com/mailman/listinfo/freeipa-users