On 29/01/15 21:43, Roderick Johnstone wrote:
On 29/01/2015 17:32, Jakub Hrozek wrote:
On Wed, Jan 28, 2015 at 01:57:28PM +0000, Roderick Johnstone wrote:
On 28/01/15 10:57, Jakub Hrozek wrote:
On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
netgroups (of hosts) that are being used to export (non-kerberos)
to which I would like to migrate to ipa.
I've create a new netgroup in ipa (for testing) and added some
hosts to it
(using ipa netgroup-add and ipa netgroup-add-member). I'm hoping
exporting an nfs share using the @netgroup syntax in /etc/exports
netgroup will be looked up in ipa and the share will be exported to
hosts in the netgroup.
/etc/nsswitch.conf has a line:
netgroup: files nis sss
/etc/exports has a line:
I haven't, so far, been able to mount the exported share on a
client so I'm
wondering if this setup would be expected to work?
What is confusing to me is that the section in the Redhat 6 Identity
Management guide on netgroups also has information on running the NIS
listener plugin so I'm wondering if perhaps this only works when
nis listener. I'm trying to avoid that.
I'd welcome any clarification on how to do non-kerberised nfs
groups of hosts.
Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
Indeed it does.
The individual triples listed for the netgroup contain entries like:
where host is a fully qualified hostname which is dns resolvable.
(For info if I do ypcat on one of my NIS netgroups I get a triple
where host is the fully qualified host name, and nothing in the domain
I've actually tried two netgroups with different domains set. The
(rmjnetgroup) I made without specifying the --nisdomain option to ipa
netgroup-add and domain in the output above shows as my dns domain
a lower case version of my kerberos realm).
I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked
could mount the shares when I exported explicitly to the fully qualified
host name, and that worked ok.
So, thinking that the problem was with the domain name I made a new
(rmjnetgroup1) with the option --nisdomain=xxx where xxx is the
for our nis domain as shown with the domainname command.
I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.
Thank you for your reply, then we know the SSSD's netgroup handling is
correct. To be honest, we're getting a bit out of my comfort zone into
the NFS area.
Maybe Roland (CC) knows how to debug the issue further?
Thanks for your interest Jakub.
Just to round this thread out I did get the exporting to netgroups
defined in ipa working. My problems were, I think, related to reverse
name lookups resolving to short hostnames coming from /etc/hosts rather
than FQDN names that were being used in /etc/exports (as well as some
Interestingly, the setting of the nis domain name by the domainname
command on the nfs server doesn't seem to have to match the nisdomain
setting for the netgroup for the export to work.
In further testing using a netgroup in /etc/hosts.allow to control ssh
access like this:
sshd : @rmjnetgroup : ALLOW
ALL : ALL : DENY
it seems that the nis domain name set with the domainname command must
match the nis domain set in the netgroup in IdM or else access is not
Hoping this might be of use to someone else one day.
Manage your subscription for the Freeipa-users mailing list:
Go To http://freeipa.org for more info on the project