On Dec 8, 2011, at 2:11 PM, Jr Aquino wrote:
> On Dec 8, 2011, at 9:27 AM, JR Aquino wrote:
>> On Dec 8, 2011, at 12:04 AM, Jan Zelený wrote:
>>>>> I'm sending an updated set of patches. All your comments were addressed;
>>>>> I also added man page updates and one modification to
>>>>> sdap_parse_search_base(), which can now be used in more places in the
>>>>> IPA provider.
>>>>>
>>>>>
>>>>> Thanks
>>>>> Jan
>>>>
>>>> I am unable to get sssd to turn any netgroup over with: getent
>>>> netgroup <netgroupname>
>>>>
>>>> When I do a tcpdump, I don't see any attempt at communicating with the
>>>> IPA server at all.
>>>>
>>>> Am I missing some initiation value in the sssd.conf?
>>>
>>> That's odd, could you please send your config file and sanitized logs?
>>>
>>> Thanks
>>> Jan
>>
>> [sssd]
>> services = nss, pam
>> config_file_version = 2
>> domains = example.com
>>
>> [nss]
>>
>> [pam]
>>
>> [domain/example.com]
>> cache_credentials = True
>> ipa_domain = example.com
>> id_provider = ipa
>> auth_provider = ipa
>> access_provider = ipa
>> ipa_hostname = opsecutil1.example.com
>> chpass_provider = ipa
>> ipa_server = authmgr1.example.com
>> ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
>> ipa_hbac_refresh = 300
>
>> this is all that I get out of /var/log/sssd/sssd_nss.log with debug_level
> OK!
>
> sgallagh found a utf bug and got it fixed...
>
> Now my log looks like this:
>
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected!
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [setnetgrent_send] (0x0100): Requesting info for netgroup [ops] from [<ALL>]
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [ops@example.com]
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0400): Returning info for netgroup [ops@example]
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops]
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops]
> (Thu Dec 8 14:02:05 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
>
> And my CLI looks like this:
>
> [root@opsecutil1.ops ~]# getent netgroup ops
> ops (-, -, example.com)
>
> This ^ netgroup should be chock FULL of hosts...
>
>
> When I manually create a /Native/ netgroup and perform a lookup, I DO
> get the results.
>
> [root@authmgr1 ~]# ipa netgroup-add testing
> Description: test
> ------------------------
> Added netgroup "testing"
> ------------------------
>
> Netgroup name: testing
> Description: test
> NIS domain name: example.com
> IPA unique ID: f58247ee-21e8-11e1-b338-9c8e9927cab0
>
> [root@authmgr1 ~]# ipa netgroup-add-member --hosts=jump1.ops.example.com testing
>
> Netgroup name: testing
> Description: test
> NIS domain name: example.com
> Member Host: jump1.ops.example.com
>
> -------------------------
> Number of members added 1
> -------------------------
>
> [root@opsecutil1.ops ~]# getent netgroup testing
> testing (jump1.ops.example.com, -, example.com)
>
> I think the problem is the sssd native support for netgroups + managed
> entries.
>
> All of my netgroups are created via managed entries via hostgroups:
>
>
> [root@authmgr1 ~]# ipa netgroup-find --all --raw ops --managed
> --------------------
> 14 netgroups matched
> --------------------
>
> dn: cn=ops,cn=ng,cn=alt,dc=example,dc=com
> cn: ops
> description: ipaNetgroup ops
> nisdomainname: example.com
> ipauniqueid: e9135d68-1ac7-11e1-971a-9c8e9927cab0
> memberhost: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com
> mepmanagedby: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com
> objectclass: ipanisnetgroup
> objectclass: ipaobject
> objectclass: mepManagedEntry
> objectclass: ipaAssociation
> objectclass: top
>
> After further inspection, I was able to get native netgroups to produce the
> same null entries if I added hostgroups to the netgroup.
> It appears that sssd's native netgroup support does not enumerate the
> contents of a member hostgroup contained inside of a netgroup. The
> desired result is that the netgroup should contain a netgroup triple per
> host in the hostgroup.
Patch is on the list in a new thread. Thanks for catching this.
Jan
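The behaviour reported in the thread (a hostgroup listed as the netgroup's memberhost, but `getent netgroup` returning a single empty `(-, -, domain)` triple instead of one triple per host) can be illustrated with a small expansion routine. This is an added example and not code from sssd or FreeIPA: the in-memory directory is constructed from the DNs shown above, the function names (`expand_hosts`, `netgroup_triples`, `format_getent`) are hypothetical, and the nested hostgroup and the membership cycle are invented to show the edge cases a resolver has to handle when it walks hostgroup membership.

```python
"""Expanding hostgroup members of an IPA netgroup into NIS netgroup triples.

Added example, not sssd or FreeIPA code. The directory below is constructed
from the DNs in the thread; the host DN shape
fqdn=<host>,cn=computers,cn=accounts,<suffix> and the hostgroup "member"
attribute follow the IPA schema, the individual host names are invented.
"""
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]
Triple = Tuple[str, str, str]  # (host, user, NIS domain)

SUFFIX = "dc=example,dc=com"
OPS_NETGROUP_DN = f"cn=ops,cn=ng,cn=alt,{SUFFIX}"
OPS_HOSTGROUP_DN = f"cn=ops,cn=hostgroups,cn=accounts,{SUFFIX}"
DB_HOSTGROUP_DN = f"cn=ops-db,cn=hostgroups,cn=accounts,{SUFFIX}"  # constructed
JUMP1_DN = f"fqdn=jump1.ops.example.com,cn=computers,cn=accounts,{SUFFIX}"
DB1_DN = f"fqdn=db1.ops.example.com,cn=computers,cn=accounts,{SUFFIX}"  # constructed

# Constructed directory contents: DN -> multi-valued attributes.
DIRECTORY: Dict[str, Entry] = {
    OPS_NETGROUP_DN: {
        "cn": ["ops"],
        "nisdomainname": ["example.com"],
        "memberhost": [OPS_HOSTGROUP_DN],  # only a hostgroup, no direct hosts
        "objectclass": ["ipanisnetgroup", "ipaobject", "mepManagedEntry",
                        "ipaAssociation", "top"],
    },
    OPS_HOSTGROUP_DN: {
        "cn": ["ops"],
        "objectclass": ["ipahostgroup", "top"],
        "member": [JUMP1_DN, DB_HOSTGROUP_DN],  # a host plus a nested hostgroup
    },
    DB_HOSTGROUP_DN: {
        "cn": ["ops-db"],
        "objectclass": ["ipahostgroup", "top"],
        "member": [DB1_DN, OPS_HOSTGROUP_DN],  # cycle back to the parent group
    },
    JUMP1_DN: {"fqdn": ["jump1.ops.example.com"], "objectclass": ["ipahost", "top"]},
    DB1_DN: {"fqdn": ["db1.ops.example.com"], "objectclass": ["ipahost", "top"]},
}


def is_host_dn(dn: str) -> bool:
    return ",cn=computers,cn=accounts," in dn.lower()


def is_hostgroup_dn(dn: str) -> bool:
    return ",cn=hostgroups,cn=accounts," in dn.lower()


def host_name(dn: str, directory: Dict[str, Entry]) -> Optional[str]:
    """FQDN of a host entry, from the entry or, failing that, its RDN value."""
    entry = directory.get(dn, {})
    if entry.get("fqdn"):
        return entry["fqdn"][0]
    rdn = dn.split(",", 1)[0]
    return rdn[len("fqdn="):] if rdn.lower().startswith("fqdn=") else None


def expand_hosts(dn: str, directory: Dict[str, Entry],
                 resolve_hostgroups: bool = True,
                 seen: Optional[Set[str]] = None) -> List[str]:
    """Hosts reachable from one memberhost value.

    With resolve_hostgroups=False a hostgroup DN contributes nothing, which is
    the behaviour the thread observed. The seen set stops membership cycles.
    """
    seen = set() if seen is None else seen
    if dn in seen:
        return []
    seen.add(dn)
    if is_host_dn(dn):
        name = host_name(dn, directory)
        return [name] if name else []
    if is_hostgroup_dn(dn) and resolve_hostgroups:
        hosts: List[str] = []
        for member in directory.get(dn, {}).get("member", []):
            for host in expand_hosts(member, directory, resolve_hostgroups, seen):
                if host not in hosts:
                    hosts.append(host)
        return hosts
    return []


def netgroup_triples(netgroup_dn: str, directory: Dict[str, Entry],
                     resolve_hostgroups: bool = True) -> List[Triple]:
    """One (host, -, domain) triple per host; a placeholder triple if none."""
    entry = directory[netgroup_dn]
    domain = entry.get("nisdomainname", ["-"])[0]
    triples: List[Triple] = []
    for member in entry.get("memberhost", []):
        for host in expand_hosts(member, directory, resolve_hostgroups):
            if (host, "-", domain) not in triples:
                triples.append((host, "-", domain))
    return triples or [("-", "-", domain)]


def format_getent(netgroup_dn: str, directory: Dict[str, Entry],
                  resolve_hostgroups: bool = True) -> str:
    """Render roughly like `getent netgroup <name>`: name then its triples."""
    name = directory[netgroup_dn]["cn"][0]
    triples = netgroup_triples(netgroup_dn, directory, resolve_hostgroups)
    return name + " " + " ".join(f"({h},{u},{d})" for h, u, d in triples)


if __name__ == "__main__":
    print("hostgroups ignored: ", format_getent(OPS_NETGROUP_DN, DIRECTORY, False))
    print("hostgroups expanded:", format_getent(OPS_NETGROUP_DN, DIRECTORY))
```

Running it with `resolve_hostgroups=False` reproduces the `ops (-,-,example.com)` result from the thread; with expansion enabled the same netgroup yields one triple for `jump1.ops.example.com` and one for `db1.ops.example.com`, the nested group is followed once, and the constructed cycle between the two hostgroups terminates because of the `seen` set.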