Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-05 Thread Rob Crittenden
Martin Kosek wrote:
> On 01/05/2016 04:24 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
>>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>>> Martin Kosek wrote:
>>> ...
>>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>>>> and it worked:
>>>>>
>>>>> # ipa netgroup-show masters
>>>>>   Netgroup name: masters
>>>>>   Description: ipaNetgroup masters
>>>>>   NIS domain name: rhel72
>>>>>   External host: foo
>>>>>   Member Hostgroup: masters
>>>>>
>>>>> I am still unable to add membership as admin though:
>>>>>
>>>>> # ipa netgroup-add-member masters --hosts foo2
>>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>>
>>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>>> "external" and stored separately. Just be aware that you can put
>>>> anything in there so beware of typos.
>>>>
>>>> This command works fine for me using ipa-server-4.2.0-15.el7
>>>> so I'm not sure where the permission bug lies.
>>>
>>> Did you try it on a native netgroup (added via netgroup-add) or hostgroup shadow
>>> group? As it works for me on native netgroups, but not on shadow netgroups,
>>> where I can only add the external host as DM.
>>>
>>
>> I didn't but I can reproduce it.
>>
>> It is probably due to this deny ACI:
>>
>> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
>> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
>> (write) userdn = "ldap:///all";)
> 
> Ah, good catch. I was suspecting something like that, I just did not know we
> went that far as to create a deny ACI.
> 
>> Not very nice behavior (and deny ACIs are icky).
>>
>> I guess the netgroup mod commands should look to see if it is a real
>> netgroup before trying to do a write and otherwise raise a more
>> reasonable error.
> 
> Potentially yes, although I do not see that as the most important part. I
> rather do not know how to solve Roderick's issue and add external hosts as part
> of the shadow netgroups.
> 
> Currently, the only workaround is to create plain host/ghost entries for these
> non-ipa clients and use them in host groups.
> 

That or use real netgroups created via netgroup-add instead of
hostgroups. That is the only way to have control over the advertised NIS
domain in the triple anyway.

rob

-- 
Manage your subscription for the Freeipa-users mailing list:
https://www.redhat.com/mailman/listinfo/freeipa-users
Go to http://freeipa.org for more info on the project


Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-05 Thread Martin Kosek
On 01/05/2016 04:24 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>> ...
>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>>> and it worked:
>>>>
>>>> # ipa netgroup-show masters
>>>>   Netgroup name: masters
>>>>   Description: ipaNetgroup masters
>>>>   NIS domain name: rhel72
>>>>   External host: foo
>>>>   Member Hostgroup: masters
>>>>
>>>> I am still unable to add membership as admin though:
>>>>
>>>> # ipa netgroup-add-member masters --hosts foo2
>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>
>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>> "external" and stored separately. Just be aware that you can put
>>> anything in there so beware of typos.
>>>
>>> This command works fine for me using ipa-server-4.2.0-15.el7
>>> so I'm not sure where the permission bug lies.
>>
>> Did you try it on a native netgroup (added via netgroup-add) or hostgroup shadow
>> group? As it works for me on native netgroups, but not on shadow netgroups,
>> where I can only add the external host as DM.
>>
> 
> I didn't but I can reproduce it.
> 
> It is probably due to this deny ACI:
> 
> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
> (write) userdn = "ldap:///all";)

Ah, good catch. I was suspecting something like that, I just did not know we
went that far as to create a deny ACI.

> Not very nice behavior (and deny ACIs are icky).
> 
> I guess the netgroup mod commands should look to see if it is a real
> netgroup before trying to do a write and otherwise raise a more
> reasonable error.

Potentially yes, although I do not see that as the most important part. I
rather do not know how to solve Roderick's issue and add external hosts as part
of the shadow netgroups.

Currently, the only workaround is to create plain host/ghost entries for these
non-ipa clients and use them in host groups.



Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-05 Thread Rob Crittenden
Martin Kosek wrote:
> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>> Martin Kosek wrote:
> ...
>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>> and it worked:
>>>
>>> # ipa netgroup-show masters
>>>   Netgroup name: masters
>>>   Description: ipaNetgroup masters
>>>   NIS domain name: rhel72
>>>   External host: foo
>>>   Member Hostgroup: masters
>>>
>>> I am still unable to add membership as admin though:
>>>
>>> # ipa netgroup-add-member masters --hosts foo2
>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>
>> That is the right way to do it. Unknown hosts to IPA are marked as
>> "external" and stored separately. Just be aware that you can put
>> anything in there so beware of typos.
>>
>> This command works fine for me using ipa-server-4.2.0-15.el7
>> so I'm not sure where the permission bug lies.
> 
> Did you try it on a native netgroup (added via netgroup-add) or hostgroup shadow
> group? As it works for me on native netgroups, but not on shadow netgroups,
> where I can only add the external host as DM.
> 

I didn't but I can reproduce it.

It is probably due to this deny ACI:

aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
"*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
(write) userdn = "ldap:///all";)

Not very nice behavior (and deny ACIs are icky).

I guess the netgroup mod commands should look to see if it is a real
netgroup before trying to do a write and otherwise raise a more
reasonable error.

rob

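Rob's suggestion above, that the netgroup commands check for a managed entry before attempting the write, as an added example (not FreeIPA's own code): it parses the deny ACI quoted in the thread and evaluates it against two constructed netgroup entries, so the "Insufficient 'write' privilege" outcome can be predicted and explained before any modify is sent. The entry contents, their object classes, the hostgroup DN and the function names are assumptions made for illustration.

```python
"""Pre-flight check for the deny ACI guarding FreeIPA managed (shadow) netgroups.
Added example, not FreeIPA's own code: it parses the ACI quoted in the thread and
evaluates it against constructed entries so the failing write can be explained first."""
import re
# The ACI Rob quoted in the thread (389-ds ACI syntax).
MANAGED_NETGROUP_ACI = (
    '(targetfilter = "(objectClass=mepManagedEntry)")(targetattr = "*")'
    '(version 3.0; acl "Managed netgroups cannot be modified"; '
    'deny (write) userdn = "ldap:///all";)'
)

# Constructed entries (attrs lower-cased, values as lists); object classes and hostgroup DN are assumptions.
SHADOW_NETGROUP = {  # mirror of hostgroup "masters", owned by the managed-entry plugin
    "dn": "cn=masters,cn=ng,cn=alt,dc=rhel72",
    "objectclass": ["top", "ipaNISNetgroup", "mepManagedEntry"],
    "mepmanagedby": ["cn=masters,cn=hostgroups,cn=accounts,dc=rhel72"],
}
NATIVE_NETGROUP = {  # created with netgroup-add, so no mepManagedEntry class
    "dn": "cn=nis-admins,cn=ng,cn=alt,dc=rhel72",
    "objectclass": ["top", "ipaNISNetgroup"],
    "nisdomainname": ["rhel72"],
}

def parse_aci(aci):
    """Split a single-filter, single-bind-rule ACI into its components."""
    m = re.search(
        r'\(targetfilter\s*=\s*"\((\w+)=([^)]+)\)"\)\s*\(targetattr\s*=\s*"([^"]*)"\)\s*'
        r'\(version 3\.0;\s*acl\s+"([^"]*)";\s*(allow|deny)\s*\(([^)]*)\)\s*'
        r'userdn\s*=\s*"([^"]*)";\)', aci)
    if not m:
        raise ValueError("ACI is not in the simple form this parser supports")
    return {"filter": (m.group(1).lower(), m.group(2).lower()),
            "targetattr": [a.strip().lower() for a in m.group(3).split("||")],
            "name": m.group(4), "effect": m.group(5),
            "rights": {r.strip() for r in m.group(6).split(",")}, "userdn": m.group(7)}

def aci_matches(aci, entry, attr, right):
    """True when the ACI's filter, target attribute and right all cover this write."""
    fattr, fval = aci["filter"]
    in_filter = fval in {v.lower() for v in entry.get(fattr, [])}
    in_attrs = "*" in aci["targetattr"] or attr.lower() in aci["targetattr"]
    # "ldap:///all" is every authenticated bind; Directory Manager bypasses ACIs.
    return in_filter and in_attrs and right in aci["rights"] and aci["userdn"] == "ldap:///all"

def check_netgroup_write(entry, attr, bind_is_dm=False):
    """None if the write may proceed, else the error text a CLI should show instead."""
    if bind_is_dm:
        return None
    aci = parse_aci(MANAGED_NETGROUP_ACI)
    if aci["effect"] == "deny" and aci_matches(aci, entry, attr, "write"):
        managed_by = entry.get("mepmanagedby", ["<unknown hostgroup>"])[0]
        return (f"{entry['dn']} is a managed netgroup mirroring {managed_by}; '{attr}' cannot "
                "be changed directly. Modify the hostgroup or use a real netgroup (netgroup-add).")
    return None
```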


Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-05 Thread Roderick Johnstone

On 05/01/2016 17:17, Rob Crittenden wrote:
> Martin Kosek wrote:
>> On 01/05/2016 04:24 PM, Rob Crittenden wrote:
>>> Martin Kosek wrote:
>>>> On 01/04/2016 10:41 PM, Rob Crittenden wrote:
>>>>> Martin Kosek wrote:
>>>> ...
>>>>>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>>>>>> and it worked:
>>>>>>
>>>>>> # ipa netgroup-show masters
>>>>>>   Netgroup name: masters
>>>>>>   Description: ipaNetgroup masters
>>>>>>   NIS domain name: rhel72
>>>>>>   External host: foo
>>>>>>   Member Hostgroup: masters
>>>>>>
>>>>>> I am still unable to add membership as admin though:
>>>>>>
>>>>>> # ipa netgroup-add-member masters --hosts foo2
>>>>>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>>>>>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
>>>>>
>>>>> That is the right way to do it. Unknown hosts to IPA are marked as
>>>>> "external" and stored separately. Just be aware that you can put
>>>>> anything in there so beware of typos.
>>>>>
>>>>> This command works fine for me using ipa-server-4.2.0-15.el7
>>>>> so I'm not sure where the permission bug lies.
>>>>
>>>> Did you try it on a native netgroup (added via netgroup-add) or hostgroup shadow
>>>> group? As it works for me on native netgroups, but not on shadow netgroups,
>>>> where I can only add the external host as DM.
>>>>
>>>
>>> I didn't but I can reproduce it.
>>>
>>> It is probably due to this deny ACI:
>>>
>>> aci: (targetfilter = "(objectClass=mepManagedEntry)")(targetattr =
>>> "*")(version 3.0; acl "Managed netgroups cannot be modified"; deny
>>> (write) userdn = "ldap:///all";)
>>
>> Ah, good catch. I was suspecting something like that, I just did not know we
>> went that far as to create a deny ACI.
>>
>>> Not very nice behavior (and deny ACIs are icky).
>>>
>>> I guess the netgroup mod commands should look to see if it is a real
>>> netgroup before trying to do a write and otherwise raise a more
>>> reasonable error.
>>
>> Potentially yes, although I do not see that as the most important part. I
>> rather do not know how to solve Roderick's issue and add external hosts as part
>> of the shadow netgroups.
>>
>> Currently, the only workaround is to create plain host/ghost entries for these
>> non-ipa clients and use them in host groups.
>>
>
> That or use real netgroups created via netgroup-add instead of
> hostgroups. That is the only way to have control over the advertised NIS
> domain in the triple anyway.
>
> rob

Martin/Rob

Thanks for all your analysis on this query.

I had come to the conclusion that using the real netgroups was probably 
the way to go on this in my particular circumstances. I'm happy now that 
I'm not missing something obvious about the managed netgroups which 
would make them a better choice.


Thanks again.

Roderick



Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Martin Kosek
On 12/22/2015 12:10 PM, Roderick Johnstone wrote:
> Hi
> 
> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7.
> 
> I need to have the netgroups set up in freeipa before migrating systems to be
> freeipa clients.
> 
> At this point I'm trying to understand the relationship between hostgroups and
> netgroups and whether I should just be using ipa netgroup-add and ipa
> netgroup-add-member commands or whether I should be using equivalent ipa
> hostgroup* commands.
> 
> Section 14.5.1 of the Redhat 7 Domain Identity Authentication and Policy Guide
> is telling me that I get a shadow netgroup for every hostgroup I create and
> that I can manage these netgroups with the "ipa-host-net-manage" command.
> 
> I don't see the ipa-host-net-manage command. There are
> ipa host* commands but these don't include ipa host-net* commands. What am I
> missing here?

Good catch, this is actually a doc bug. I filed a Bugzilla:
https://bugzilla.redhat.com/show_bug.cgi?id=1295408

Netgroups normally simply mirror host groups, so you do not have to use
"netgroup-*" commands if you do not manage native netgroup.

> Also the ipa netgroup* commands don't seem to be able to manage the shadow
> netgroups so I'm currently unable to manipulate my shadow netgroups to eg
> change the nisdomain associated with them. How do I do that?

Shadow netgroups should only be manipulated by updating the source hostgroups,
AFAIK.

> Also it looks like I can't add non-ipa clients into hostgroups so presumably
> not into shadow netgroups either, so maybe this is a non-starter for me. Did I
> understand that correctly?

I personally do not have practical experience with netgroups, but it is true
that non-ipa clients cannot be added to host groups. Maybe Rob (CCed), as a
NIS-knowledgeable person, knows more about what the best solution is here.

I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
and it worked:

# ipa netgroup-show masters
  Netgroup name: masters
  Description: ipaNetgroup masters
  NIS domain name: rhel72
  External host: foo
  Member Hostgroup: masters

I am still unable to add membership as admin though:

# ipa netgroup-add-member masters --hosts foo2
ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.

Martin



Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Martin Kosek
On 01/04/2016 10:41 PM, Rob Crittenden wrote:
> Martin Kosek wrote:
...
>> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
>> and it worked:
>>
>> # ipa netgroup-show masters
>>   Netgroup name: masters
>>   Description: ipaNetgroup masters
>>   NIS domain name: rhel72
>>   External host: foo
>>   Member Hostgroup: masters
>>
>> I am still unable to add membership as admin though:
>>
>> # ipa netgroup-add-member masters --hosts foo2
>> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
>> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.
> 
> That is the right way to do it. Unknown hosts to IPA are marked as
> "external" and stored separately. Just be aware that you can put
> anything in there so beware of typos.
> 
> This command works fine for me using ipa-server-4.2.0-15.el7
> so I'm not sure where the permission bug lies.

Did you try it on a native netgroup (added via netgroup-add) or hostgroup shadow
group? As it works for me on native netgroups, but not on shadow netgroups,
where I can only add the external host as DM.



Re: [Freeipa-users] Queries on migrating nis netgroups

2016-01-04 Thread Rob Crittenden
Martin Kosek wrote:
> On 12/22/2015 12:10 PM, Roderick Johnstone wrote:
>> Hi
>>
>> I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7.
>>
>> I need to have the netgroups set up in freeipa before migrating systems to be
>> freeipa clients.
>>
>> At this point I'm trying to understand the relationship between hostgroups and
>> netgroups and whether I should just be using ipa netgroup-add and ipa
>> netgroup-add-member commands or whether I should be using equivalent ipa
>> hostgroup* commands.
>>
>> Section 14.5.1 of the Redhat 7 Domain Identity Authentication and Policy Guide
>> is telling me that I get a shadow netgroup for every hostgroup I create and
>> that I can manage these netgroups with the "ipa-host-net-manage" command.
>>
>> I don't see the ipa-host-net-manage command. There are
>> ipa host* commands but these don't include ipa host-net* commands. What am I
>> missing here?
> 
> Good catch, this is actually a doc bug. I filed a Bugzilla:
> https://bugzilla.redhat.com/show_bug.cgi?id=1295408
> 
> Netgroups normally simply mirror host groups, so you do not have to use
> "netgroup-*" commands if you do not manage native netgroup.
> 
>> Also the ipa netgroup* commands don't seem to be able to manage the shadow
>> netgroups so I'm currently unable to manipulate my shadow netgroups to eg
>> change the nisdomain associated with them. How do I do that?
> 
> Shadow netgroups should only be manipulated by updating the source hostgroups,
> AFAIK.

It depends on what you want. If the netgroup is a mirror of a hostgroup
then you have to manage it via the hostgroup commands and you don't
control the NIS domain. If you need more control or a real netgroup, use
the netgroup commands. But I'll note that we've done little to no
testing of the IPA fake NIS server providing multiple NIS domains. It
should work for netgroup but I think for other maps it won't because
only maps for the IPA domain are created by default.

>> Also it looks like I can't add non-ipa clients into hostgroups so presumably
>> not into shadow netgroups either, so maybe this is a non-starter for me. Did I
>> understand that correctly?
> 
> I personally do not have practical experience with netgroups, but it is true
> that non-ipa clients cannot be added to host groups. Maybe Rob (CCed), as a
> NIS-knowledgeable person, knows more about what the best solution is here.
> 
> I anyway tried to add externalHost to the shadow hostgroup via ldapmodify as DM
> and it worked:
> 
> # ipa netgroup-show masters
>   Netgroup name: masters
>   Description: ipaNetgroup masters
>   NIS domain name: rhel72
>   External host: foo
>   Member Hostgroup: masters
> 
> I am still unable to add membership as admin though:
> 
> # ipa netgroup-add-member masters --hosts foo2
> ipa: ERROR: Insufficient access: Insufficient 'write' privilege to the
> 'externalHost' attribute of entry 'cn=masters,cn=ng,cn=alt,dc=rhel72'.

That is the right way to do it. Unknown hosts to IPA are marked as
"external" and stored separately. Just be aware that you can put
anything in there so beware of typos.

This command works fine for me using ipa-server-4.2.0-15.el7
so I'm not sure where the permission bug lies.

rob



[Freeipa-users] Queries on migrating nis netgroups

2015-12-22 Thread Roderick Johnstone

Hi

I'm migrating our nis environment to freeipa 4.2.0 on Redhat 7.

I need to have the netgroups set up in freeipa before migrating systems 
to be freeipa clients.


At this point I'm trying to understand the relationship between 
hostgroups and netgroups and whether I should just be using ipa 
netgroup-add and ipa netgroup-add-member commands or whether I should be 
using equivalent ipa hostgroup* commands.


Section 14.5.1 of the Redhat 7 Domain Identity Authentication and Policy 
Guide is telling me that I get a shadow netgroup for every hostgroup I 
create and that I can manage these netgroups with the 
"ipa-host-net-manage" command.


I don't see the ipa-host-net-manage command. There are
ipa host* commands but these don't include ipa host-net* commands. What 
am I missing here?


Also the ipa netgroup* commands don't seem to be able to manage the 
shadow netgroups so I'm currently unable to manipulate my shadow 
netgroups to eg change the nisdomain associated with them. How do I do that?


Also it looks like I can't add non-ipa clients into hostgroups so 
presumably not into shadow netgroups either, so maybe this is a 
non-starter for me. Did I understand that correctly?


Thanks

Roderick Johnstone
