On ma, 13 marras 2017, Charles Hedrick wrote:
The netapp is using LDAP with RFC2307 for all name service. That
include users, groups, and netgroups.
What they are asking for is for LDAP to implement netgroup.byhost. It
appears that AD does this. As far as I can tell, they are looking for
On ma, 13 marras 2017, Charles Hedrick wrote:
While we’re on this subject, it would be useful for IPA to support
netgroup.byhost. That would give signifiant advantages with Netapp. If
that is supported, Netapp will look up the netgroups for a host every
time a mount is done. Without it, they
On ma, 13 marras 2017, Charles Hedrick wrote:
Sure. We use netgroups for /etc/exports. The most natural format for triples is
(host,,)
That’s the format Netapp documents. By default, ipa netgroup-add-member uses
(host,-,domain)
where domain seems to come from our Kerberos domain. Netapp
On ma, 13 marras 2017, Charles Hedrick wrote:
So, the real issue is SSSD's inability to support empty netgroup domain
part, right?
Yes, that’s the real bug. It doesn’t appear that the other issues are
serious, as I can’t find any real appiication that uses the NIS entries
as triples.
The sssd
> On Nov 13, 2017, at 12:51 PM, Alexander Bokovoy wrote:
>
> Not sure why you keep saying that.
Your example showed only one entry. Suppose I want to generate
(host1, user1,)
(host2, user2,)
I can use
ipa netgroup-add-member —hosts=host1 —users=user1
ipa
The netapp is using LDAP with RFC2307 for all name service. That include users,
groups, and netgroups.
What they are asking for is for LDAP to implement netgroup.byhost. It appears
that AD does this. As far as I can tell, they are looking for
nisMapName=netgroup.byhost accessed via LDAP.
I
> So, the real issue is SSSD's inability to support empty netgroup domain
> part, right?
Yes, that’s the real bug. It doesn’t appear that the other issues are serious,
as I can’t find any real appiication that uses the NIS entries as triples.
The sssd problem is moderately serious for me. I
I just looked at documentation and source code. All the documentation I can
find for netgroups leaves the semantics up to the application. The net group
documentation does, however, imply that we’re dealing with a set of triples,
not separate host and user lists. I checked the source for both
While we’re on this subject, it would be useful for IPA to support
netgroup.byhost. That would give signifiant advantages with Netapp. If that is
supported, Netapp will look up the netgroups for a host every time a mount is
done. Without it, they consider that reloading the whole net group file
Sure. We use netgroups for /etc/exports. The most natural format for triples is
(host,,)
That’s the format Netapp documents. By default, ipa netgroup-add-member uses
(host,-,domain)
where domain seems to come from our Kerberos domain. Netapp documentation
requests leaving that field blank,
On ma, 13 marras 2017, Pavel Březina wrote:
On 11/08/2017 11:47 PM, Charles Hedrick wrote:
In my opinion the whole rfc3704bis implementation of net groups is
wonky.
RFC 3704bis does not exist. RFC3704 is about ingress filtering in
multihome networks. Are you talking about RFC 2307bis?
This
> On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik wrote:
>
> On (08/11/17 20:53), Charles Hedrick wrote:
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups.
>> They’re visible on a system that uses nslcd pointed at the IPA server. But
>> the systems
On (08/11/17 20:53), Charles Hedrick wrote:
>We want to move our net groups from NIS to IPA. I’ve loaded the groups.
>They’re visible on a system that uses nslcd pointed at the IPA server. But the
>systems that use SSSD for authentication don’t show anything. The net groups
>all show as
Charles Hedrick wrote:
> In my opinion the whole rfc3704bis implementation of net groups is wonky.
Since you seem to be using FreeIPA wouldn't it be a better solution to
implement a script for converting your netgroups into HBAC rules?
I never did this myself though.
Ciao, Michael.
smime.p7s
In my opinion the whole rfc3704bis implementation of net groups is wonky.
This isn’t the only problem. Why is there a distinction between internal and
external hosts? Suppose I add an external host to a net group, and later do ipa
host-add for it. If the distinction actually matters I’d expect
Pavel, does this sound like the bug you were looking at wrt sudo lately?
On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:
> Netapp wants the domain field to be blank. That leaves us a problem that’s
> hard to solve.
>
> On Nov 8, 2017, at 4:41 PM, Charles Hedrick
>
Netapp wants the domain field to be blank. That leaves us a problem that’s hard
to solve.
On Nov 8, 2017, at 4:41 PM, Charles Hedrick
> wrote:
OK, I see what’s going on, but it looks like a bug.
We mostly use net groups for hosts. In NIS our
OK, I see what’s going on, but it looks like a bug.
We mostly use net groups for hosts. In NIS our entries like like (hostname,,)
You can put that into IPA by specifying NISdomain=, i.e. blank domain name.
However if you do that, getent shows no entries. That is, entries with blank
hostname
18 matches
Mail list logo