On 12/22/2015 12:10 PM, Roderick Johnstone wrote:
> Hi
> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7.
> I need to have the netgroups set up in freeipa before migrating systems to be
> freeipa clients.
> At this point I'm trying to understand the relationship between hostgroups and
> netgroups and whether I should just be using ipa netgroup-add and ipa
> netgroup-add-member commands or whether I should be using equivalent ipa
> hostgroup* commands.
> Section 14.5.1 of the Redhat 7 Domain Identity Authentication and Policy Guide
> is telling me that I get a shadow netgroup for every hostgroup I create and
> that I can manage these netgroups with the "ipa-host-net-manage" command.
> I don't see the ipa-host-net-manage command. There are
> ipa host* commands but these don't include ipa host-net* commands. What am I
> missing here?

Good catch, this is actually a doc bug. I filed a Bugzilla:

Netgroups normally simply mirror host groups, so you do not have to use
"netgroup-*" commands if you do not manage native netgroup.

> Also the ipa netgroup* commands don't seem to be able to manage the shadow
> netgroups so I'm currently unable to manipulate my shadow netgroups to eg
> change the nisdomain associated with them. How do I do that?

Shadow netgroups should be only manipulated by updating the source hostgroups,

> Also it looks like I can't add non-ipa clients into hostgroups so presumable
> not into shadow netgroups either, so maybe this is a non-starter for me. Did I
> understand that correctly?

I personally do not have practical experience with netgroups, but it is true
that non-ipa clients cannot be added to host groups. Maybe Rob (CCed) as NIS
knowledgeable person knows more what is the best solution here.

I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
and it worked:

# ipa netgroup-show masters
  Netgroup name: masters
  Description: ipaNetgroup masters
  NIS domain name: rhel72
  External host: foo
  Member Hostgroup: masters

I am still unable to add membership as admin though:

# ipa netgroup-add-member masters --hosts foo2
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.


Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to