Martin Kosek wrote:
> On 01/05/2016 04:24 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>> ...
>>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>>>> and it worked:
>>>>> # ipa netgroup-show masters
>>>>>   Netgroup name: masters
>>>>>   Description: ipaNetgroup masters
>>>>>   NIS domain name: rhel72
>>>>>   External host: foo
>>>>>   Member Hostgroup: masters
>>>>> I am still unable to add membership as admin though:
>>>>> # ipa netgroup-add-member masters --hosts foo2
>>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>>> "external" and stored separately. Just be aware that you can put
>>>> anything in there so beware of typos.
>>>> This command works fine for me using IPA using ipa-server-4.2.0-15.el7
>>>> so I'm not sure where the permission bug lies.
>>> Did you try it on native netgroup (added via netgroup-add) or hostgroup shadow
>>> group? As it works for me on native netgroups, but not on shadow netgroups,
>>> where I can only add the external host as DM.
>> I didn't but I can reproduce it.
>> It is probably due to this deny ACI:
>> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
>> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
>> (write) userdn = "ldap:///all";;)
> Ah, good catch. I was suspecting something like that, I just did not know we
> went that far to create deny ACI.
>> Not very nice behavior (and deny ACIs are icky).
>> I guess the netgroup mod commands should look to see if it is a real
>> netgroup before trying to do a write and otherwise raise a more
>> reasonable error.
> Potentially yes, although I do not see that as the most important part. I
> rather do not know how to solve Roderick's issue and add external hosts as part
> of the shadow netgroups.
> Currently, the only workaround is to create plain host/ghost entries for these
> non-ipa clients and use them in host groups.

That or use real netgroups created via netgroup-add instead of
hostgroups. That is the only way to have control over the advertised NIS
domain in the triple anyway.
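The thread boils down to one check: a netgroup generated from a hostgroup carries the mepManagedEntry objectclass, which is exactly what the quoted deny ACI targets, so no bind DN other than Directory Manager can write externalHost into it. Below is an added example (not FreeIPA code and not from anyone in the thread) of the pre-flight check Rob suggests, run over the text of `ipa netgroup-show NAME --all --raw`. The two sample entries are constructed for the example, and the assumption is that the managed flag appears as an `objectclass:` line in that output; the remediation it prints is the workaround discussed above (a real netgroup via `netgroup-add`, which also gives control over the NIS domain).

```sh
#!/bin/sh
# Added example: classify a FreeIPA netgroup as a hostgroup-managed ("shadow")
# netgroup or a real one before trying to add an external host to it.
# Not FreeIPA code. Input is the text of `ipa netgroup-show NAME --all --raw`;
# the sample entries below are constructed for this example.

# Constructed sample: netgroup auto-generated from the "masters" hostgroup.
SAMPLE_MANAGED='  dn: cn=masters,cn=ng,cn=alt,dc=rhel72
  cn: masters
  description: ipaNetgroup masters
  nisdomainname: rhel72
  member: cn=masters,cn=hostgroups,cn=accounts,dc=rhel72
  mepmanagedby: cn=masters,cn=hostgroups,cn=accounts,dc=rhel72
  objectclass: top
  objectclass: ipaassociation
  objectclass: ipanisnetgroup
  objectclass: mepManagedEntry
  objectclass: ipaobject'

# Constructed sample: netgroup created directly with `ipa netgroup-add`.
SAMPLE_REAL='  dn: cn=nfsclients,cn=ng,cn=alt,dc=rhel72
  cn: nfsclients
  nisdomainname: rhel72
  objectclass: top
  objectclass: ipaassociation
  objectclass: ipanisnetgroup
  objectclass: ipaobject'

# is_managed_netgroup ENTRY_TEXT
# Exit 0 if the entry has objectclass mepManagedEntry (the target of the
# "Managed netgroups cannot be modified" deny ACI), 1 otherwise.
# Attribute names and values are compared case-insensitively, as LDAP does.
is_managed_netgroup() {
    printf '%s\n' "$1" | tr 'A-Z' 'a-z' \
        | grep -q '^[[:space:]]*objectclass:[[:space:]]*mepmanagedentry[[:space:]]*$'
}

# classify_netgroup ENTRY_TEXT -> prints "managed" or "real".
classify_netgroup() {
    if is_managed_netgroup "$1"; then
        echo managed
    else
        echo real
    fi
}

# external_host_plan NETGROUP ENTRY_TEXT HOST NISDOMAIN
# Prints the commands to run. For a managed netgroup the write would be denied
# for every bind DN except DM, so the plan is a real netgroup (example name
# NETGROUP-ext, an assumption) that includes the hostgroup plus the external host.
external_host_plan() {
    ng=$1; entry=$2; host=$3; nisdomain=$4
    case "$(classify_netgroup "$entry")" in
        real)
            echo "ipa netgroup-add-member $ng --hosts=$host"
            ;;
        managed)
            echo "# $ng is generated from the hostgroup $ng; its externalHost is read-only except as DM"
            echo "ipa netgroup-add ${ng}-ext --desc='external hosts for $ng' --nisdomain=$nisdomain"
            echo "ipa netgroup-add-member ${ng}-ext --hostgroups=$ng"
            echo "ipa netgroup-add-member ${ng}-ext --hosts=$host"
            ;;
    esac
}

# Demo: the managed "masters" netgroup from the thread and a real one.
external_host_plan masters "$SAMPLE_MANAGED" foo2 rhel72
external_host_plan nfsclients "$SAMPLE_REAL" foo2 rhel72
```

Netgroups and hostgroups share one namespace in IPA, which is why the plan above uses a distinct name for the real netgroup rather than reusing the hostgroup's name.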
