Martin Kosek wrote:
> On 12/22/2015 12:10 PM, Roderick Johnstone wrote:
>> Hi
>> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7.
>> I need to have the netgroups set up in freeipa before migrating systems to be
>> freeipa clients.
>> At this point I'm trying to understand the relationship between hostgroups 
>> and
>> netgroups and whether I should just be using ipa netgroup-add and ipa
>> netgroup-add-member commands or whether I should be using equivalent ipa
>> hostgroup* commands.
>> Section 14.5.1 of the Redhat 7 Domain Identity Authentication and Policy 
>> Guide
>> is telling me that I get a shadow netgroup for every hostgroup I create and
>> that I can manage these netgroups with the "ipa-host-net-manage" command.
>> I don't see the ipa-host-net-manage command. There are
>> ipa host* commands but these don't include ipa host-net* commands. What am I
>> missing here?
> Good catch, this is actually a doc bug. I filed a Bugzilla:
> Netgroups normally simply mirror host groups, so you do not have to use
> "netgroup-*" commands if you do not manage native netgroup.
>> Also the ipa netgroup* commands don't seem to be able to manage the shadow
>> netgroups so I'm currently unable to manipulate my shadow netgroups to eg
>> change the nisdomain associated with them. How do I do that?
> Shadow netgroups should be only manipulated by updating the source hostgroups,

It depends on what you want. If the netgroup is a mirror of a hostgroup
then you have to manage it via the hostgroup commands and you don't
control the NIS domain. If you need more control or a real netgroup, use
the netgroup commands. But I'll note that we've done little to no
testing of the IPA fake NIS server providing multiple NIS domains. It
should work for netgroup but I think for other maps it won't because
only maps for the IPA domain are created by default.

>> Also it looks like I can't add non-ipa clients into hostgroups so presumable
>> not into shadow netgroups either, so maybe this is a non-starter for me. Did 
>> I
>> understand that correctly?
> I personally do not have practical experience with netgroups, but it is true
> that non-ipa clients cannot be added to host groups. Maybe Rob (CCed) as NIS
> knowledgeable person knows more what is the best solution here.
> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as 
> DM
> and it worked:
> # ipa netgroup-show masters
>   Netgroup name: masters
>   Description: ipaNetgroup masters
>   NIS domain name: rhel72
>   External host: foo
>   Member Hostgroup: masters
> I am still unable to add membership as admin though:
> # ipa netgroup-add-member masters --hosts foo2
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.

That is the right way to do it. Unknown hosts to IPA are marked as
"external" and stored separately. Just be aware that you can put
anything in there so beware of typoes.

This command works fine for me using IPA using ipa-server-4.2.0-15.el7
so I'm not sure where the permission bug lies.


Manage your subscription for the Freeipa-users mailing list:
Go to for more info on the project

Reply via email to