Gelen James wrote:
Hi all,

Not sure whether it is a bug or a feature, but when I evaluate the IPA netgroups, the 'external host' feature brings me some unexpected results. I'll list them below. I am running IPA 2.1.3-9 on Red Hat 6.2.

1. When I added a host into an IPA netgroup in command line mode, 'ipa netgroup-add-member <netgroup> --hosts=<client>', and the host is not yet installed/configured as an IPA client, it shows in the 'external host' category in the output of the 'ipa netgroup-find <netgroup>' command. The 'external host' doesn't show up in the Web interface for the IPA netgroup. But it does show up when running 'ipa netgroup-find', or even 'getent netgroup <netgroup>' via sssd.

2. After the 'external host' is configured as an IPA client ('ipa user-find <client>' proves it), it is still reported as an 'external host' by the command 'ipa netgroup-find', and still does not show up in the web interface either. Could this be a bug?

3. Because of #2 above, when this machine is reconfigured and removed with 'ipa user-del <client>', it still shows up in the containing netgroups and nested netgroups, and has to be removed manually. :(

4. This could be a real bug: you can add an 'external host' with either a host's bare name or its FQDN. Then, after the machine is installed, when you would like to remove it from the 'external host' category with the command 'ipa user-del <client>', it will remove the FQDN entry only, and leave the bare name there forever, until you delete the whole containing netgroup!
[root@ipaclient02 ~]# ipa netgroup-find external-ng
-------------------
1 netgroups matched
-------------------
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com
----------------------------
Number of entries returned 1
----------------------------
[root@ipaclient02 ~]# getent netgroup external-ng
external-ng (dnsmaster.example.com, -, example.com) (ipaclient02.mac.example.com, -, example.com)
[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
---------------------------
Number of members removed 1
---------------------------
[root@ipaclient02 ~]# ipa netgroup-remove-member external-ng --hosts=ipaclient02
  Netgroup name: external-ng
  Description: netgroup for external hosts
  NIS domain name: example.com
  Member of netgroups: nest-external-ng
  External host: dnsmaster.example.com, ipaclient02
  Failed hosts/hostgroups: member host: ipaclient02.example.com: This entry is not a member
---------------------------
Number of members removed 0
---------------------------
[root@ipaclient02 ~]#
An external host is one that is never expected to be added as a host in IPA, however we don't prevent it. There is no reconciliation done if an external host is added as an IPA host, as you've seen. If you'd like this please file an enhancement request at https://fedorahosted.org/freeipa/
In 3.0 we have added validation of external host names. Whether this will prevent a bare name or not I'm not sure. I don't know why we would care whether it was fully qualified or not, though yeah, it appears we are automatically adding the domain. I tested this in 2.2 and it worked as expected, a bare name was deletable.
rob

_______________________________________________
Freeipa-users mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/freeipa-users
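Since, as Rob says, IPA does no reconciliation between a netgroup's "External host" entries and hosts that were later enrolled, the following script is an added example (not FreeIPA project code) of doing that check yourself. It parses the "External host:" line of `ipa netgroup-find`/`netgroup-show` output, compares each entry with a list of enrolled host FQDNs, and prints the cleanup commands as a dry run. Both inputs are constructed sample data standing in for live CLI output; the rule that a bare name matches any enrolled host sharing its first label is a heuristic chosen for this example, because the thread shows the CLI itself silently qualified `ipaclient02` with a different domain than the host was enrolled under.

```shell
#!/bin/sh
# Added example, not FreeIPA code: reconcile a netgroup's "External host"
# entries against enrolled IPA hosts and print cleanup commands (dry run).

# Constructed sample: what `ipa netgroup-find external-ng` printed in the thread.
NETGROUP_OUTPUT='Netgroup name: external-ng
Description: netgroup for external hosts
NIS domain name: example.com
Member of netgroups: nest-external-ng
External host: dnsmaster.example.com, ipaclient02, ipaclient02.mac.example.com'

# Constructed sample: enrolled host FQDNs, one per line. On a live system you
# would collect these with:  ipa host-find | sed -n 's/^ *Host name: //p'
ENROLLED_HOSTS='ipaclient02.mac.example.com
ipaserver.example.com'

# Pull the comma-separated "External host:" entries out, one per line, trimmed.
external_hosts() {
    printf '%s\n' "$1" \
        | sed -n 's/^[[:space:]]*External host:[[:space:]]*//p' \
        | tr ',' '\n' \
        | sed 's/^[[:space:]]*//; s/[[:space:]]*$//; /^$/d'
}

# Match one external entry against the enrolled list (prints the FQDN(s) hit).
# A fully qualified entry must match exactly. A bare name (no dot) matches any
# enrolled host whose first label equals it; this is a heuristic for the
# example, since the thread shows the CLI guessing the wrong domain for it.
match_enrolled() {
    entry=$1
    enrolled=$2
    case $entry in
        *.*) printf '%s\n' "$enrolled" | grep -Fx -- "$entry" ;;
        *)   printf '%s\n' "$enrolled" | grep -- "^$entry\." ;;
    esac
}

# Report external entries that now correspond to an enrolled host, as
# "<external entry> -> <enrolled fqdn>". These are the stale ones.
stale_external_hosts() {
    external_hosts "$1" | while IFS= read -r name; do
        if match=$(match_enrolled "$name" "$2"); then
            printf '%s -> %s\n' "$name" "$match"
        fi
    done
}

# Dry run: for each stale entry, print the commands that would drop the
# external entry and add the enrolled host as a real member. Nothing runs.
cleanup_commands() {
    netgroup=$3
    stale_external_hosts "$1" "$2" | while IFS= read -r line; do
        ext=${line%% -> *}
        fqdn=${line##* -> }
        printf 'ipa netgroup-remove-member %s --hosts=%s\n' "$netgroup" "$ext"
        printf 'ipa netgroup-add-member %s --hosts=%s\n' "$netgroup" "$fqdn"
    done
}

stale_external_hosts "$NETGROUP_OUTPUT" "$ENROLLED_HOSTS"
cleanup_commands "$NETGROUP_OUTPUT" "$ENROLLED_HOSTS" external-ng
```

The output is intentionally commands to review rather than commands executed: the transcript above shows `ipa netgroup-remove-member --hosts=ipaclient02` failing on 2.1.3 because the CLI rewrote the bare name to `ipaclient02.example.com`, and Rob reports the bare-name removal working on 2.2, so check the remove step against your version before scripting it for real.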
