I just looked at documentation and source code. All the documentation I can find for
netgroups leaves the semantics up to the application. The net group documentation does,
however, imply that we’re dealing with a set of triples, not separate host and user lists.
I checked the source for both openssh and bsd rlogin. For them it appears that they ignore
the pairing and treat the net group as a list of hosts and users.
I don’t see how you could prove that there are no applications that use all the documented
capabilities of netgroups, but the most likely two possibilities don’t.
rlogin ignores triples that aren’t in the current NIS domain (or blank, presumably). sshd
ignores the domain component.
On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrezina(a)redhat.com> wrote:
On 11/08/2017 11:47 PM, Charles Hedrick wrote:
> In my opinion the whole rfc3704bis implementation of net groups is wonky.
>
> This isn’t the only problem. Why is there a distinction between internal and external
> hosts? Suppose I add an external host to a net group, and later do ipa host-add for it. If
> the distinction actually matters I’d expect the system to turn the external host entry
> into an internal host entry. But it doesn’t.
>
> In principle there’s a difference between blank and -, but the ipa implementation
> always produces - for missing user and host and blank for missing domain name.
>
> I’d really rather see the system just store the triples rather than doing a complex
> mapping going in and out.
>
>
>> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
>>
>> Pavel, does this sound like the bug you were looking at wrt sudo lately?
>>
>> On Wed, Nov 08, 2017 at 09:46:25PM +0000, Charles Hedrick wrote:
>>> Netapp wants the domain field to be blank. That leaves us a problem that’s
>>> hard to solve.
>>>
>>> On Nov 8, 2017, at 4:41 PM, Charles Hedrick <hedrick@rutgers.edu> wrote:
>>>
>>> OK, I see what’s going on, but it looks like a bug.
>>>
>>> We mostly use net groups for hosts. In NIS our entries look like (hostname,,)
>>> You can put that into IPA by specifying NISdomain=, i.e. blank domain name. However if
>>> you do that, getent shows no entries. That is, entries with blank hostname are ignored. I
>>> claim this is a bug, since for a host entry there’s no reason to specify a domain.
>>>
>>> I also found that specifying
>>>
>>> ipa_netgroup_domain=cs.rutgers.edu
>>>
>>> causes no net groups to display, even ones whose domain is cs.rutgers.edu.
>>> This also looks like a bug.
>>>
>>> On Nov 8, 2017, at 3:53 PM, Charles Hedrick <hedrick@rutgers.edu> wrote:
>>>
>>> We want to move our net groups from NIS to IPA. I’ve loaded the groups.
>>> They’re visible on a system that uses nslcd pointed at the IPA server. But the systems
>>> that use SSSD for authentication don’t show anything. The net groups all show as
>>> undefined.
>>>
>>> I’ve turned on debugging and looked at the LDAP logs. It does the right
>>> queries and the log says it extracts the members. But they don’t show up.
>>>
>>> Any idea where to look?
Can you send us some example of what you are trying to achieve and what does not work?
I'm also ccing Alexander Bokovoy to see why IPA adds a dash in some places and a blank
in others.
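
A small model of the netgroup semantics argued over in this thread, added here as an illustration; it is not code from IPA, SSSD, OpenSSH or anyone on the list. It parses NIS-style netgroup lines into (host,user,domain) triples, implements the pairing-aware innetgr(3) match (blank field = wildcard, "-" = no valid value, a None query argument = don't care, which is the classic NIS/glibc convention), and the flattened host-list/user-list view Charles says sshd and rlogin actually use, including the rlogin-style "drop triples outside the current domain" filter. The netgroup map, hostnames and user names are constructed, and ipa_mapping() models only what the thread says IPA writes for missing fields, not IPA's real code.

```python
"""Model of NIS/glibc netgroup triple semantics and the flattened view the
thread attributes to sshd and rlogin.  Constructed example: not IPA, SSSD
or OpenSSH code.  Host and user names below are made up."""
import re
from typing import Dict, List, Optional, Set, Tuple

# (host, user, domain); "" means wildcard, "-" means "no valid value"
Triple = Tuple[str, str, str]

# Constructed netgroup map in NIS netgroup(5) file syntax.  cs-hosts mirrors
# the thread's host-only entries "(hostname,,)"; ipa-style carries the '-'
# that the thread says the IPA mapping writes for a missing host or user.
SAMPLE_NETGROUP_MAP = """
cs-hosts    (alpha.cs.example.edu,,) (beta.cs.example.edu,,)
admins      (,alice,cs.example.edu) (,bob,cs.example.edu)
ipa-style   (gamma.cs.example.edu,-,) (-,carol,cs.example.edu)
all-access  cs-hosts admins ipa-style
"""

_TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup_map(text: str) -> Dict[str, Tuple[List[Triple], List[str]]]:
    """Return {group: (triples, nested group names)}."""
    groups: Dict[str, Tuple[List[Triple], List[str]]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, body = line.partition(" ")
        triples = [(h.strip(), u.strip(), d.strip())
                   for h, u, d in (m.groups() for m in _TRIPLE_RE.finditer(body))]
        nested = _TRIPLE_RE.sub(" ", body).split()   # whatever is not a triple
        groups[name] = (triples, nested)
    return groups


def expand(groups, name: str, seen: Optional[Set[str]] = None) -> List[Triple]:
    """Flatten nested netgroups into one list of triples (cycle-safe)."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return []
    seen.add(name)
    triples, nested = groups[name]
    out = list(triples)
    for sub in nested:
        out.extend(expand(groups, sub, seen))
    return out


def _field_matches(entry: str, query: Optional[str]) -> bool:
    """One field of a triple: None query = caller does not care (like a NULL
    argument to innetgr), "" entry = wildcard, "-" entry matches nothing."""
    if query is None:
        return True
    if entry == "-":
        return False
    return entry == "" or entry == query


def innetgr(groups, name: str, host=None, user=None, domain=None) -> bool:
    """Pairing-aware membership test modelled on innetgr(3): all three fields
    of one and the same triple must match."""
    return any(_field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain)
               for h, u, d in expand(groups, name))


def flat_hosts_and_users(groups, name: str, current_domain: Optional[str] = None,
                         ignore_domain: bool = True) -> Tuple[Set[str], Set[str]]:
    """The degenerate view the thread attributes to sshd (ignore_domain=True)
    and rlogin (ignore_domain=False: keep only triples whose domain is blank
    or current_domain).  The host/user pairing is thrown away."""
    hosts: Set[str] = set()
    users: Set[str] = set()
    for h, u, d in expand(groups, name):
        if not ignore_domain and d not in ("", current_domain):
            continue
        if h not in ("", "-"):
            hosts.add(h)
        if u not in ("", "-"):
            users.add(u)
    return hosts, users


def ipa_mapping(triple: Triple) -> Triple:
    """Model of the rewrite the thread describes (assumption, not IPA code):
    '-' for a missing host or user, a blank domain left blank.  A blank user
    (any user) becomes '-' (no user), which changes what innetgr() answers."""
    h, u, d = triple
    return (h or "-", u or "-", d)


if __name__ == "__main__":
    g = parse_netgroup_map(SAMPLE_NETGROUP_MAP)
    # Pairing matters: gamma and carol sit in different triples.
    print(innetgr(g, "ipa-style", host="gamma.cs.example.edu", user="carol"))  # False
    print(flat_hosts_and_users(g, "ipa-style"))   # flat view pairs them anyway
    mapped = {"cs-hosts": ([ipa_mapping(t) for t in expand(g, "cs-hosts")], [])}
    print(innetgr(g, "cs-hosts", host="alpha.cs.example.edu", user="alice"),
          innetgr(mapped, "cs-hosts", host="alpha.cs.example.edu", user="alice"))  # True False
```

The last two prints are the point of the thread in miniature: under triple semantics (alpha.cs.example.edu,,) admits any user from that host, while the (alpha.cs.example.edu,-,) that the described IPA mapping produces admits no user at all; an application that flattens the group into a host list never notices the difference, but one that calls innetgr with a user argument does.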