On 29/01/2015 17:32, Jakub Hrozek wrote:
On Wed, Jan 28, 2015 at 01:57:28PM +0000, Roderick Johnstone wrote:
On 28/01/15 10:57, Jakub Hrozek wrote:
On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:

I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
to which I would like to migrate to ipa.

I've create a new netgroup in ipa (for testing) and added some hosts to it
(using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
exporting an nfs share using the @netgroup syntax in /etc/exports that the
netgroup will be looked up in ipa and the share will be exported to the
hosts in the netgroup.

/etc/nsswitch.conf has a line:
netgroup:   files nis sss

/etc/exports has a line:
/var/tmp/testexport @rmjnetgroup1(ro)

I haven't, so far, been able to mount the exported share on a client so I'm
wondering if this setup would be expected to work?

What is confusing to me is that the section in the Redhat 6 Identity
Management guide on netgroups also has information on running the NIS
listener plugin so I'm wondering if perhaps this only works when running the
nis listener. I'm trying to avoid that.

I'd welcome any clarification on how to do non-kerberised nfs exports to
groups of hosts.

Does getent netgroup rmjnetgroup1 show the hosts you'd expect?

Indeed it does.

The individual triples listed for the netgroup contain entries like:
where host is a fully qualified hostname which is dns resolvable.

(For info if I do ypcat on one of my NIS netgroups I get a triple like this:
where host is the fully qualified host name, and nothing in the domain

I've actually tried two netgroups with different domains set. The first one
(rmjnetgroup) I made without specifying the --nisdomain option to ipa
netgroup-add and domain in the output above shows as my dns domain (which is
a lower case version of my kerberos realm).

I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked that I
could mount the shares when I exported explicitly to the fully qualified
host name, and that worked ok.

So, thinking that the problem was with the domain name I made a new netgroup
(rmjnetgroup1) with the option --nisdomain=xxx where xxx is the proper name
for our nis domain as shown with the domainname command.

I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.


Thank you for your reply, then we know the SSSD's netgroup handling is
correct. To be honest, we're getting a bit out of my comfort zone into
the NFS area.

Maybe Roland (CC) knows how to debug the issue further?

Thanks for your interest Jakub.

Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project

Reply via email to