On 01/05/2016 04:24 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>> ...
>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify 
>>>> as DM
>>>> and it worked:
>>>> # ipa netgroup-show masters
>>>>   Netgroup name: masters
>>>>   Description: ipaNetgroup masters
>>>>   NIS domain name: rhel72
>>>>   External host: foo
>>>>   Member Hostgroup: masters
>>>> I am still unable to add membership as admin though:
>>>> # ipa netgroup-add-member masters --hosts foo2
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>> "external" and stored separately. Just be aware that you can put
>>> anything in there so beware of typoes.
>>> This command works fine for me using IPA using ipa-server-4.2.0-15.el7
>>> so I'm not sure where the permission bug lies.
>> Did you try it on native netgroup (added via netgroup-add) or hostgroup 
>> shadow
>> group? As it works for me on native netgroups, but not on shadow netgroups,
>> where I can only add the external host with as DM.
> I didn't but I can reproduce it.
> It is probably due to this deny ACI:
> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
> (write) userdn = "ldap:///all";;)

Ah, good catch. I was suspecting something like that, I just did not know we
went that far to create deny ACI.

> Not very nice behavior (and deny ACIs are icky).
> I guess the netgroup mod commands should look to see if it is a real
> netgroup before trying to do a write and otherwise raise a more
> reasonable error.

Potentially yes, although I do not see that as the most important part. I
rather do not know how to solve Roderick's issue and add external hosts as part
of the shadow netgroups.

Currently, the only workaround is to create plain host/ghost entries for these
non-ipa clients and use them in host groups.

Manage your subscription for the Freeipa-users mailing list:
Go to http://freeipa.org for more info on the project

Reply via email to