On (17/03/17 10:40), Bob Hinton wrote: >On 17/03/2017 08:41, Jakub Hrozek wrote: >> On Fri, Mar 17, 2017 at 06:50:34AM +0000, Bob Hinton wrote: >>> Morning, >>> >>> We have a collection of hosts within prod1.local.lan. However, the >>> domain section of the shadow netgroups for the hosts is >>> mgmt.prod.local.lan. This seems to prevent sudo rules working on these >>> hosts unless they specify all hosts - >>> >>> -sh-4.2$ getent netgroup oepp_hosts >>> oepp_hosts >>> (oeppsdas001.z2.prod1.local.lan,-,mgmt.prod.local.lan) >>> (oeppsdas002.z2.prod1.local.lan,-,mgmt.prod.local.lan) >>> (oeppservice001.z2.prod1.local.lan,-,mgmt.prod.local.lan) >>> (oeppredis002.z4.prod1.local.lan,-,mgmt.prod.local.lan) >>> (oeppredis001.z4.prod1.local.lan,-,mgmt.prod.local.lan) >>> -sh-4.2$ hostname >>> oeppredis001.z4.prod1.local.lan >>> -sh-4.2$ nisdomainname >>> local.lan >>> -sh-4.2$ domainname >>> local.lan >>> >>> The VMs associated with these hosts have recently been migrated and >>> re-enrolled against a new IPA server. The originals all had netgroup >>> domains of local.lan so something must have gone wrong in the migration >>> process. Is there a way to correct the netgroup domains of these hosts, >>> or is the only option to run ipa-client-install --uninstall followed by >>> ipa-client-install to reattach them ? >> Did you remove the sssd cache after the migration? >> rm -f /var/lib/sss/db/*.ldb >> >> (please make sure the clients can reach the server or maybe mv the cache >> instead of rm so you can restore cached credentials if something goes >> wrong..) >> >Hi Jakub, > >I've now tried removing the sssd cache on one of the offending servers >and it's not made any difference. > >getent netgroup oepp_hosts > >when run from any host enrolled to the new IPA servers, including the >IPA masters themselves produces the results with "mgmt.prod" included >and the same thing run on any of the pre-migrated servers that are still >commissioned produces them without, so I assume that the netgroup domain >information is coming from the IPA masters rather than the local host. > Could you provide content of LDIF from IPA server? For this netgroup/hostgroup
LS -- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
