Hi Pavel, can you help us with this thread? > On 12 Aug 2016, at 21:57, Jeff Goddard <[email protected]> wrote: > > > > On Fri, Aug 12, 2016 at 3:53 PM, Justin Stephenson <[email protected]> > wrote: > In the CentOS/RHEL 7 version of sssd, a NIS netgroup is created automatically > in the IPA compat tree under 'cn=ng,cn=compat,$suffix' because sudo has no > understanding of hostgroups. > > You should be able to query this on a client with > # getent netgroup office > > This should return nisNetgroupTriple for each host in the hostgroup > (ipa-client-1.example.com,-,example.com) > (ipa-client-2.example.com,-,example.com) > > I would check this in your environment between working and non-working > systems. > I believe in later versions of sssd they added IPA sudo schema support to > eliminate the need for the compat tree so this could be related to the issue > if newer ubuntu clients are not working but CentOS is working. > > What version of sssd are you running? > Kind regards, > > Justin Stephenson > On 08/12/2016 02:35 PM, Jeff Goddard wrote: >> I made the edit as suggested - removing nis and just leaving sss - restarted >> sssd and then re-tried. I also tried with files sss. Still getting the same >> result. >> >> Thanks, >> >> Jeff > The query returns the expect results: > > getent netgroup office > office > (docker-dev-01.internal.emerlyn.com,-,internal.emerlyn.com) > (docker-dev-02.internal.emerlyn.com,-,internal.emerlyn.com) > (docker-dev-03.internal.emerlyn.com,-,internal.emerlyn.com) [more hosts] > > sssd version is 1.13.4 > > Jeff > > >
-- Manage your subscription for the Freeipa-users mailing list: https://www.redhat.com/mailman/listinfo/freeipa-users Go to http://freeipa.org for more info on the project
