Is there a hostgroup named 'ng'? That would create a mananaged netgroup of the same name.

Replying to [comment:1 rcritten]:

Is there a hostgroup named 'ng'? That would create a mananaged netgroup of the same name.

No:

[akrivoka@vm-090 freeipa]$ ipa hostgroup-find
--------------------
0 hostgroups matched
--------------------
----------------------------
Number of entries returned 0
----------------------------

This is a valid issue (though really strange one). For the time being, you can workaround it by creating hostgroup ng which will also create the ng netgroup:

# ipa hostgroup-add ng
Description: ng
--------------------
Added hostgroup "ng"
--------------------
  Host-group: ng
  Description: ng

# ipa netgroup-show ng
  Netgroup name: ng
  Description: ipaNetgroup ng
  NIS domain name: idm.lab.bos.redhat.com
  Member Hostgroup: ng

Additional findings:

1. I was unable to add a netgroup named 'ng' even using ldapadd:

   [root@vm-039 ~]# ldapsearch -LLL -h localhost -D "cn=Directory Manager" -x -b "cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com" -w blablabla
   dn: cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   objectClass: nsContainer
   objectClass: top
   cn: ng

   [root@vm-039 ~]# cat add.txt
   dn: cn=ng,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   cn: ng
   description: ng
   nisdomainname: idm.lab.bos.redhat.com
   objectclass: ipaobject
   objectclass: ipaassociation
   objectclass: ipanisnetgroup
   [root@vm-039 ~]# ldapadd -x -D 'cn=directory manager' -w blablabla -f add.txt
   adding new entry "cn=ng,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
   ldap_add: Constraint violation (19)
   additional info: Another entry with the same attribute value already exists (attribute: "cn")

2. I tried creating another netgroup, and then renaming it to 'ng' using ldapmodify. That failed as well:

   [root@vm-039 ~]# ipa netgroup-add ng1 --desc=ng --all --raw

   Added netgroup "ng1"

   dn: ipaUniqueID=c492bb32-d740-11e2-a9d6-001a4a104e2c,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   cn: ng1
   description: ng
   ipaUniqueID: c492bb32-d740-11e2-a9d6-001a4a104e2c
   nisDomainName: idm.lab.bos.redhat.com
   objectClass: ipaobject
   objectClass: ipaassociation
   objectClass: ipanisnetgroup
   [root@vm-039 ~]# cat modify.txt
   dn: ipaUniqueID=c492bb32-d740-11e2-a9d6-001a4a104e2c,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com
   changetype: modify
   replace: cn
   cn: ng
   [root@vm-039 ~]# ldapmodify -x -D 'cn=directory manager' -w blablabla -f modify.txt
   modifying entry "ipaUniqueID=c492bb32-d740-11e2-a9d6-001a4a104e2c,cn=ng,cn=alt,dc=idm,dc=lab,dc=bos,dc=redhat,dc=com"
   ldap_modify: Constraint violation (19)
   additional info: Another entry with the same attribute value already exists (attribute: "cn")

I have the feeling it is because cn=ng is in the DN as a structural element.

I'd pass this by the 389-ds folks.

This is caused by the NIS uniqueness plugin (DN: cn=netgroup uniqueness,cn=plugins,cn=config). See what happens when I disable it:

# ipa netgroup-add ng
Description: foo
-------------------
Added netgroup "ng"
-------------------
  Netgroup name: ng
  Description: foo
  NIS domain name: idm.lab.bos.redhat.com
  IPA unique ID: 0e6c9d46-d7cc-11e2-90f3-001a4a104eb0

I think we just need to fix it's configuration (if possible) so that it does not run the uniqueness check on the parent container.

Thank you taking time to submit this request for FreeIPA. Unfortunately this bug was not given priority and the team lacks the capacity to work on it at this time.

Given that we are unable to fulfil this request I am closing the issue as wontfix. To request re-consideration of this decision please reopen this issue and provide additional technical details about its importance to you.