[SSSD-users] Re: net groups with IPA

2017-11-14 Thread Alexander Bokovoy
On Mon, 13 Nov 2017, Charles Hedrick wrote: The netapp is using LDAP with RFC2307 for all name service. That includes users, groups, and netgroups. What they are asking for is for LDAP to implement netgroup.byhost. It appears that AD does this. As far as I can tell, they are looking for

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy
On Mon, 13 Nov 2017, Charles Hedrick wrote: While we’re on this subject, it would be useful for IPA to support netgroup.byhost. That would give significant advantages with Netapp. If that is supported, Netapp will look up the netgroups for a host every time a mount is done. Without it, they

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy
On Mon, 13 Nov 2017, Charles Hedrick wrote: Sure. We use netgroups for /etc/exports. The most natural format for triples is (host,,) That’s the format Netapp documents. By default, ipa netgroup-add-member uses (host,-,domain) where domain seems to come from our Kerberos domain. Netapp

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy
On Mon, 13 Nov 2017, Charles Hedrick wrote: So, the real issue is SSSD's inability to support empty netgroup domain part, right? Yes, that’s the real bug. It doesn’t appear that the other issues are serious, as I can’t find any real application that uses the NIS entries as triples. The sssd

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
> On Nov 13, 2017, at 12:51 PM, Alexander Bokovoy wrote: > > Not sure why you keep saying that. Your example showed only one entry. Suppose I want to generate (host1, user1,) (host2, user2,) I can use ipa netgroup-add-member --hosts=host1 --users=user1 ipa

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
The netapp is using LDAP with RFC2307 for all name service. That includes users, groups, and netgroups. What they are asking for is for LDAP to implement netgroup.byhost. It appears that AD does this. As far as I can tell, they are looking for nisMapName=netgroup.byhost accessed via LDAP. I

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
> So, the real issue is SSSD's inability to support empty netgroup domain > part, right? Yes, that’s the real bug. It doesn’t appear that the other issues are serious, as I can’t find any real application that uses the NIS entries as triples. The sssd problem is moderately serious for me. I

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
I just looked at documentation and source code. All the documentation I can find for netgroups leaves the semantics up to the application. The net group documentation does, however, imply that we’re dealing with a set of triples, not separate host and user lists. I checked the source for both

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
While we’re on this subject, it would be useful for IPA to support netgroup.byhost. That would give significant advantages with Netapp. If that is supported, Netapp will look up the netgroups for a host every time a mount is done. Without it, they consider that reloading the whole net group file

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick
Sure. We use netgroups for /etc/exports. The most natural format for triples is (host,,) That’s the format Netapp documents. By default, ipa netgroup-add-member uses (host,-,domain) where domain seems to come from our Kerberos domain. Netapp documentation requests leaving that field blank,

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy
On Mon, 13 Nov 2017, Pavel Březina wrote: On 11/08/2017 11:47 PM, Charles Hedrick wrote: In my opinion the whole rfc3704bis implementation of net groups is wonky. RFC 3704bis does not exist. RFC3704 is about ingress filtering in multihome networks. Are you talking about RFC 2307bis? This

[SSSD-users] Re: net groups with IPA

2017-11-10 Thread Charles Hedrick
> On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik wrote: > > On (08/11/17 20:53), Charles Hedrick wrote: >> We want to move our net groups from NIS to IPA. I’ve loaded the groups. >> They’re visible on a system that uses nslcd pointed at the IPA server. But >> the systems

[SSSD-users] Re: net groups with IPA

2017-11-09 Thread Lukas Slebodnik
On (08/11/17 20:53), Charles Hedrick wrote: >We want to move our net groups from NIS to IPA. I’ve loaded the groups. >They’re visible on a system that uses nslcd pointed at the IPA server. But the >systems that use SSSD for authentication don’t show anything. The net groups >all show as

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Michael Ströder
Charles Hedrick wrote: > In my opinion the whole rfc3704bis implementation of net groups is wonky. Since you seem to be using FreeIPA wouldn't it be a better solution to implement a script for converting your netgroups into HBAC rules? I never did this myself though. Ciao, Michael.

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
In my opinion the whole rfc3704bis implementation of net groups is wonky. This isn’t the only problem. Why is there a distinction between internal and external hosts? Suppose I add an external host to a net group, and later do ipa host-add for it. If the distinction actually matters I’d expect

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Jakub Hrozek
Pavel, does this sound like the bug you were looking at wrt sudo lately? On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote: > Netapp wants the domain field to be blank. That leaves us a problem that’s > hard to solve. > > On Nov 8, 2017, at 4:41 PM, Charles Hedrick >

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
Netapp wants the domain field to be blank. That leaves us a problem that’s hard to solve. On Nov 8, 2017, at 4:41 PM, Charles Hedrick wrote: OK, I see what’s going on, but it looks like a bug. We mostly use net groups for hosts. In NIS our

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick
OK, I see what’s going on, but it looks like a bug. We mostly use net groups for hosts. In NIS our entries look like (hostname,,) You can put that into IPA by specifying NISdomain=, i.e. blank domain name. However if you do that, getent shows no entries. That is, entries with blank hostname
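The two mechanics the thread keeps returning to, the (host,,) versus (host,-,domain) triple forms with an empty domain field, and the netgroup.byhost reverse map Charles asks IPA to provide for Netapp, as an added example in Python. This is not code from SSSD, FreeIPA, Netapp or any participant. It assumes netgroups are handed in as a dict in the shape of ipa netgroup-show output (nisNetgroupTriple strings plus memberNisNetgroup names), applies the usual NIS field semantics (empty field is a wildcard, "-" never matches), and lays out the reverse-map key as "host.domain" with a trailing dot for an empty domain, which follows the NIS revnetgroup convention and is an assumption about what a given consumer expects. The sample netgroups are constructed.

```python
"""Netgroup triples as RFC 2307 stores them, with the empty-domain case and a
netgroup.byhost-style reverse map.  Added example, not code from SSSD,
FreeIPA or the thread; the sample netgroups below are constructed."""
import re
from typing import Dict, List, Optional, Tuple

Triple = Tuple[str, str, str]

# Literal nisNetgroupTriple form "(host,user,domain)".  Every field may be
# empty (wildcard); "-" is a distinct value meaning "matches nothing".
_TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(value: str) -> Triple:
    """Parse one nisNetgroupTriple value; raises ValueError on anything else."""
    m = _TRIPLE_RE.match(value.strip())
    if m is None:
        raise ValueError(f"not a netgroup triple: {value!r}")
    host, user, domain = (f.strip() for f in m.groups())
    return host, user, domain


def expand_netgroup(name: str, groups: Dict[str, dict],
                    _seen: Optional[set] = None) -> List[Triple]:
    """Flatten a netgroup and its memberNisNetgroup children into triples.
    Nested groups are followed depth-first; a cycle guard stops loops."""
    seen = _seen if _seen is not None else set()
    if name in seen or name not in groups:
        return []
    seen.add(name)
    out = [parse_triple(t) for t in groups[name].get("triples", [])]
    for child in groups[name].get("members", []):
        out.extend(expand_netgroup(child, groups, seen))
    return out


def _field_matches(field: str, query: Optional[str]) -> bool:
    # Caller does not care about this field -> match.  Empty triple field
    # is a wildcard.  "-" (NIS "no valid value") never matches anything.
    if query is None or field == "":
        return True
    if field == "-":
        return False
    return field == query


def innetgr(groups: Dict[str, dict], netgroup: str, host: Optional[str] = None,
            user: Optional[str] = None, domain: Optional[str] = None) -> bool:
    """innetgr(3)-style membership test.  Note that a triple carrying an
    explicit domain, such as the (host,-,KRBDOMAIN) form ipa emits by default,
    does not match a query that presents an empty domain."""
    return any(_field_matches(h, host) and _field_matches(u, user)
               and _field_matches(d, domain)
               for h, u, d in expand_netgroup(netgroup, groups))


def build_byhost(groups: Dict[str, dict]) -> Dict[str, str]:
    """Reverse map in the shape of the NIS netgroup.byhost map: key
    "host.domain" (empty host -> "*", empty domain -> trailing "."), value a
    sorted, comma-separated list of every netgroup the host belongs to,
    nested membership included.  The key layout is an assumption taken from
    the NIS revnetgroup convention."""
    byhost: Dict[str, set] = {}
    for name in groups:
        for host, _user, domain in expand_netgroup(name, groups):
            if host == "-":          # "no host": nothing to index by host
                continue
            key = f"{host or '*'}.{domain}"
            byhost.setdefault(key, set()).add(name)
    return {k: ",".join(sorted(v)) for k, v in byhost.items()}


# Constructed sample in the shape of ipa netgroup-show output.  (host,,) is
# the form Netapp documents; (host,-,example.com) is what
# ipa netgroup-add-member --hosts emits when the NIS domain is left at its
# default.
NETGROUPS = {
    "nfsclients": {"triples": ["(host1,,)", "(host2,,)"], "members": ["labhosts"]},
    "labhosts": {"triples": ["(lab1,-,example.com)"], "members": []},
    "admins": {"triples": ["(,alice,)"], "members": []},
}

if __name__ == "__main__":
    for key, val in sorted(build_byhost(NETGROUPS).items()):
        print(f"{key}\t{val}")
    # lab1 carries an explicit domain, so a client presenting no domain
    # is not a member: this is the fail-closed side of the Netapp problem.
    print(innetgr(NETGROUPS, "nfsclients", host="lab1", domain=""))
```

Running it prints the four reverse-map rows and then False for the lab1 query with an empty domain, while the same host with domain="example.com" is a member. The map is what a netgroup.byhost consumer would fetch per mount instead of pulling every netgroup: one key per host, every group the host is in on one line.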