subject:"\[SSSD\-users\] Re\: net groups with IPA"

[SSSD-users] Re: net groups with IPA

2017-11-14 Thread Alexander Bokovoy


On ma, 13 marras 2017, Charles Hedrick wrote:

The netapp is using LDAP with RFC2307 for all name service. That
include users, groups, and netgroups.

What they are asking for is for LDAP to implement netgroup.byhost. It
appears that AD does this. As far as I can tell, they are looking for
nisMapName=netgroup.byhost accessed via LDAP.

I hadn’t thought about asking IPA to emulate NIS. If that would
efficiently implement the netgroup.byhost NIS map, maybe it’s the way
to go. We don’t currently have NIS enabled for the netapp. We’re using
RFC2307 for users and groups. Netapp supports ns-switch, so it sounds
like we could use NIS for just netgroups. Is that what you’d suggest?

No, I'm not suggesting that. I was confused on what is your exact
configuration because you conflated many things together and it wasn't
clear at all what is in use.

I don't think we have any support for nisMapName attribute at all.

--
/ Alexander Bokovoy
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy

On ma, 13 marras 2017, Charles Hedrick wrote:

While we’re on this subject, it would be useful for IPA to support
netgroup.byhost. That would give signifiant advantages with Netapp. If
that is supported, Netapp will look up the netgroups for a host every
time a mount is done. Without it, they consider that reloading the
whole net group file is too inefficient, so they depend upon a cache
whose normal TTL is a day.

I'm confused here.

We have:
- LDAP: native netgroups in IPA, used by SSSD IPA provider directly
- LDAP: compatibility tree that exposes native IPA netgroups as RFC2307bis
  objects with no way to set blank nisDomainName right now
- NIS protocol: NIS triplets generated based on the compat tree
  netgroups.

The latter provides three netgroup maps:
- netgroup
- netgroup.byhost
- netgroup.byuser

The are already exist but both netgroup.byhost and netgroup.byuser are
not utilized by glibc, so they may have regressed (I see them defined in
the code).

Which of the implementation do you use? Did you configure your Netapp
filer to look up LDAP in cn=ng,cn=compat,$SUFFIX or is it using NIS
protocol?

On Nov 13, 2017, at 4:25 AM, Pavel Březina  wrote:

On 11/08/2017 11:47 PM, Charles Hedrick wrote:

In my opinion the whole rfc3704bis implementation of net groups is wonky.

This isn’t the only problem. Why is there a distinction between internal and 
external hosts? Suppose I add an external host to a net group, and later do ipa 
host-add for it. If the distinction actually matters I’d expect the system to 
turn the external host entry into an internal host entry. But it doesn’t.

In principle there’s a difference between blank and -, but the ipa 
implementation always produces - for missing user and host and blank for 
missing domain name.

I’d really rather see the system just store the triples rather than doing a 
complex mapping going in and out.

On Nov 8, 2017, at 5:08 PM, Jakub Hrozek  wrote:

Pavel, does this sound like the bug you were looking at wrt sudo lately?

On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:

Netapp wants the domain field to be blank. That leaves us a problem that’s hard 
to solve.

On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
> wrote:

OK, I see what’s going on, but it looks like a bug.

We mostly use net groups for hosts. In NIS our entries like like (hostname,,)  
You can put that into IPA by specifying NISdomain=, i.e. blank domain name. 
However if you do that, getent shows no entries. That is, entries with blank 
hostname are ignored. I claim this is a bug, since for a host entry there’s no 
reason to specify a domain.

I also found that specifying

ipa_netgroup_domain=cs.rutgers.edu

causes no net groups to display, even ones whose domain is 
cs.rutgers.edu.
 This also looks like a bug.

On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
> wrote:

We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re 
visible on a system that uses nslcd pointed at the IPA server. But the systems 
that use SSSD for authentication don’t show anything. The net groups all show 
as undefined.

I’ve turned on debugging and looked at the LDAP logs. It does the right quotes 
and the log says it extracts the members. But they don’t show up.

Any idea where to look?

Can you send us some example of what you are trying to achieve and what does 
not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash 
and somewhere blanks.

--
/ Alexander Bokovoy
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy


On ma, 13 marras 2017, Charles Hedrick wrote:

Sure. We use netgroups for /etc/exports. The most natural format for triples is

(host,,)

That’s the format Netapp documents. By default, ipa netgroup-add-member uses

(host,-,domain)

where domain seems to come from our Kerberos domain. Netapp
documentation requests leaving that field blank, though some
documentation suggests that if it’s filled in, they will ignore triples
where the domain doesn’t match the Netapp’s domain. We are no longer
using NIS, so as far as we know, the Netapp doesn’t have a NIS domain.
I think it’s safest to leave the field blank.

IPA sets NIS domain by default to its primary domain (equal to IPA
realm in lower case). This is just a default value.


I can do this in IPA. —nisdomain= will leave it blank. That results in

(host,-,)

That works with the Netapp. (I haven’t actually tried putting a domain in.)

Unfortunately it won’t work with sssd, because sssd won’t show any
triples if the nisdomain isn’t set for that net group.

So, the real issue is SSSD's inability to support empty netgroup domain
part, right?

This is the code in ipa_netgr_process_all():
...
   ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
);
   if (ret != EOK) {
   goto done;
   }
...

   DEBUG(SSSDBG_TRACE_INTERNAL, "Putting together triples of "
 "netgroup %d\n", i);
   for (j = 0; j < uids_count; j++) {
   for (k = 0; k < hosts_count; k++) {
   triple = talloc_asprintf(state, "(%s,%s,%s)",
hosts[k], uids[j],
domain);
   if (triple == NULL) {
   ret = ENOMEM;
   goto done;
   }

   ret = sysdb_attrs_add_string(state->netgroups[i],
SYSDB_NETGROUP_TRIPLE,
triple);
   if (ret != EOK) {
   goto done;
   }
   }
   }


So, if no domain is retrieved, no netgroup triple is generated by SSSD
IPA provider. Note that this does not utilize compatibility netgroups
subtree as generated by schema compatibility plugin (in
cn=ng,cn=compat,$SUFFIX) but instead works directly with IPA netgroups.

So our discussion about RFC2307bis is not really applicable here. If we
consider the use case with a blank nisDomainName a valid one (and I
think we can consider it), the code above needs to be fixed to allow
such use. It is a fairly simple fix.


In general I don’t understand why IPA and sssd are using a nonstandard
representation of net groups. Why not just a collection of triples and
subgroups? As far as I can see RFC 2307bis has the same schema for net
groups as RFC 2307.
https://tools.ietf.org/html/draft-howard-rfc2307bis-02. Is there a
later version of RFC 2307bis that I haven’t been able to find? Draft 2
is the latest at tools.ietf.org.

  ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
DESC 'Abstraction of a netgroup. May refer to other
  netgroups'
MUST cn
MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

The representation used by IPA seems to be non-standard. I’d expect IPA
and sssd to allow me to add any triple I want that’s valid in a normal
net group file.

You can read (old) explanation on why IPA has schema as it has:
https://www.freeipa.org/page/FreeIPAv2:DS_Design_Summary#Netgroups



One problem with the IPA representation is that there are no actual
triples. There’s a list of hosts, a list of users, and a domain. Not
all triples can be represented that way. Something like (host1, user1,)
(host2, user2,)
has to be represented by a user list of user1, user2 and a host list of
host1, host2. But the pairing isn’t always well defined. E.g. I added
to that group an external host3 and an internal user3. I ended up with

(host3, user1,)
(host1, user2,)
(host2, user3,)

I don’t know whether there are applications that use the pairing of
hosts and users, but the original design was intended to support that.
With IPA it’s dangerous, because I have to know just how IPA generates
the triples from the entires.

Frankly speaking, original RFC2307bis design had very little explanation
on the actual semantics. It just listed attributes and demonstrated
their use in examples. Actual semantical meaning wasn't defined.

In addition, NIS and NIS+ never had any RFC defined for them.


Is there a way to get the RFC-defined behavior from IPA and SSSD?

Can you point me to what you call RFC-defined behavior? Because I don't
see RFC defining a behavior but rather a storage format (which is
suboptimal but that's another story).



We don’t actually have a user case for pairing. We just need a host
list. So for

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy


On ma, 13 marras 2017, Charles Hedrick wrote:

So, the real issue is SSSD's inability to support empty netgroup domain
part, right?


Yes, that’s the real bug. It doesn’t appear that the other issues are
serious, as I can’t find any real appiication that uses the NIS entries
as triples.

The sssd problem is moderately serious for me. I don’t want to put in
an arbitrary NIS domain name for a system that doesn’t use NIS, because
even if it works on the Netapp now, I’d be depending upon undocumented
behavior or I’d have to give it a dummy NIS domain. I’m reluctant to
tell the Netapp that it’s in a NIS domain that doesn’t exist. Who knows
what it would do?

It could also be an issue for transition. Consider a situation like
ours where we’re combining a number of NIS domains into a single IPA
domain. While we could work around it, it would be cleanest for our
netgroup entries not to have a domain name, so it’s clear that they
apply to all NIS domains. (In fact our transition has gone far enough
that this isn’t a real problem. We’re decommissioning NIS pretty
rapidly.)

Sure. Could you please file a bug about it (if not yet filed)?




Can you point me to what you call RFC-defined behavior? Because I don't
see RFC defining a behavior but rather a storage format (which is
suboptimal but that's another story).


I guess it depends upon how you understand the RFC. Clearly it doesn’t
matter how you store data as long as you present it to the application
the way the RFC specifies. But in fact an LDAP query simply presents it
as stored. So you have to use the compat tree to get the defined
results. Even there, there are triples that would be valid under the
RFC that you can’t generate. I agree that there may be no actual
applications that would do it, but that doesn’t seem like something you
want your directory services dictating.

In principle according to the documentation we could write an
application that checks access using both user and host from a triple.
E.g.

(host1, user1, domain1)

would authorize applications running in domain1 to accept login from
user1@host1. You can’t reliably generate triples like that, because the
association between user and host isn’t stored. You can fake it, but
the first time a host is removed, or for mixes of internal and external
hosts, you’ll get unexpected behavior.

Not sure why you keep saying that.

# ipa netgroup-add netgroup-foo  --nisdomain=xs.ipa.cool
-
Added netgroup "netgroup-foo"
-
 Netgroup name: netgroup-foo
 NIS domain name: xs.ipa.cool
 IPA unique ID: dafcbb66-c89a-11e7-b3e5-001a4a62eb77
# ipa netgroup-add-member netgroup-foo --users=ab --hosts=raup
 Netgroup name: netgroup-foo
 NIS domain name: xs.ipa.cool
 Member User: ab
 Member Host: raup.xs.ipa.cool
-
Number of members added 2
-


# ldapsearch -x -b cn=ng,cn=compat,dc=xs,dc=ipa,dc=cool  cn=netgroup-foo
dn: cn=netgroup-foo,cn=ng,cn=compat,dc=xs,dc=ipa,dc=cool
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (raup.xs.ipa.cool,ab,xs.ipa.cool)
cn: netgroup-foo

As you can see, there is a pretty standard for IPA way of creating an
object and adding members to it. Many other types of objects follow the
same approach. More to that, compat tree in LDAP has exactly what you
want.

Was it unclear to you that 'ipa netgroup-add-member' is the command to
use? See 'ipa help netgroup' for details on all commands we have about
netgroups.


Since no known applications uses this, it’s probably not a serious bug,
but I wouldn’t have created a design that disallows it.


On Nov 13, 2017, at 11:44 AM, Alexander Bokovoy  wrote:

On ma, 13 marras 2017, Charles Hedrick wrote:

Sure. We use netgroups for /etc/exports. The most natural format for triples is

(host,,)

That’s the format Netapp documents. By default, ipa netgroup-add-member uses

(host,-,domain)

where domain seems to come from our Kerberos domain. Netapp
documentation requests leaving that field blank, though some
documentation suggests that if it’s filled in, they will ignore triples
where the domain doesn’t match the Netapp’s domain. We are no longer
using NIS, so as far as we know, the Netapp doesn’t have a NIS domain.
I think it’s safest to leave the field blank.

IPA sets NIS domain by default to its primary domain (equal to IPA
realm in lower case). This is just a default value.


I can do this in IPA. —nisdomain= will leave it blank. That results in

(host,-,)

That works with the Netapp. (I haven’t actually tried putting a domain in.)

Unfortunately it won’t work with sssd, because sssd won’t show any
triples if the nisdomain isn’t set for that net group.

So, the real issue is SSSD's inability to support empty netgroup domain
part, right?

This is the code in ipa_netgr_process_all():
...
  ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
   );
  if (ret !=

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick

> On Nov 13, 2017, at 12:51 PM, Alexander Bokovoy  wrote:
> 
> Not sure why you keep saying that.


Your example showed only one entry. Suppose I want to generate 

(host1, user1,)
(host2, user2,)

I can use 

ipa netgroup-add-member —hosts=host1 —users=user1
ipa netgroup-add-member —hosts=host2 —users=user2

But the results aren’t always as expected


Failure mode 1: deleting a host

ipa netgroup-add-member testng --hosts=www.rutgers.edu --users=hedrick
ipa netgroup-add-member testng --hosts=c217.cs.rutgers.edu --users=clh

nisNetgroupTriple: (www.rutgers.edu,hedrick,cs.rutgers.edu)
nisNetgroupTriple: (c217.cs.rutgers.edu,clh,cs.rutgers.edu)

ipa host-del www.rutgers.edu

nisNetgroupTriple: (c217.cs.rutgers.edu,hedrick,cs.rutgers.edu)
nisNetgroupTriple: (-,clh,cs.rutgers.edu)

Note that hedrick is now paired with c217, not www.


Failure mode 2: external host mixed with internal

ipa netgroup-add-member testng --users=dsmith --hosts=rci.rutgers.edu

nisNetgroupTriple: (rci.rutgers.edu,hedrick,cs.rutgers.edu)
nisNetgroupTriple: (c217.cs.rutgers.edu,clh,cs.rutgers.edu)
nisNetgroupTriple: (-,dsmith,cs.rutgers.edu)

Probably not what I intended. The problem is that external hosts are shown 
first, while the user is added last.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick

The netapp is using LDAP with RFC2307 for all name service. That include users, 
groups, and netgroups.

What they are asking for is for LDAP to implement netgroup.byhost. It appears 
that AD does this. As far as I can tell, they are looking for 
nisMapName=netgroup.byhost accessed via LDAP.

I hadn’t thought about asking IPA to emulate NIS. If that would efficiently 
implement the netgroup.byhost NIS map, maybe it’s the way to go. We don’t 
currently have NIS enabled for the netapp. We’re using RFC2307 for users and 
groups. Netapp supports ns-switch, so it sounds like we could use NIS for just 
netgroups. Is that what you’d suggest?

> On Nov 13, 2017, at 12:15 PM, Alexander Bokovoy  wrote:
> 
> On ma, 13 marras 2017, Charles Hedrick wrote:
>> While we’re on this subject, it would be useful for IPA to support
>> netgroup.byhost. That would give signifiant advantages with Netapp. If
>> that is supported, Netapp will look up the netgroups for a host every
>> time a mount is done. Without it, they consider that reloading the
>> whole net group file is too inefficient, so they depend upon a cache
>> whose normal TTL is a day.
> I'm confused here.
> 
> We have:
> - LDAP: native netgroups in IPA, used by SSSD IPA provider directly
> - LDAP: compatibility tree that exposes native IPA netgroups as RFC2307bis
>  objects with no way to set blank nisDomainName right now
> - NIS protocol: NIS triplets generated based on the compat tree
>  netgroups.
> 
> The latter provides three netgroup maps:
> - netgroup
> - netgroup.byhost
> - netgroup.byuser
> 
> The are already exist but both netgroup.byhost and netgroup.byuser are
> not utilized by glibc, so they may have regressed (I see them defined in
> the code).
> 
> Which of the implementation do you use? Did you configure your Netapp
> filer to look up LDAP in cn=ng,cn=compat,$SUFFIX or is it using NIS
> protocol?
> 
>> 
>> 
>>> On Nov 13, 2017, at 4:25 AM, Pavel Březina  wrote:
>>> 
>>> On 11/08/2017 11:47 PM, Charles Hedrick wrote:
 In my opinion the whole rfc3704bis implementation of net groups is wonky.

 This isn’t the only problem. Why is there a distinction between internal 
 and external hosts? Suppose I add an external host to a net group, and 
 later do ipa host-add for it. If the distinction actually matters I’d 
 expect the system to turn the external host entry into an internal host 
 entry. But it doesn’t.

 In principle there’s a difference between blank and -, but the ipa 
 implementation always produces - for missing user and host and blank for 
 missing domain name.

 I’d really rather see the system just store the triples rather than doing 
 a complex mapping going in and out.

> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek  wrote:
> 
> Pavel, does this sound like the bug you were looking at wrt sudo lately?
> 
> On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:
>> Netapp wants the domain field to be blank. That leaves us a problem 
>> that’s hard to solve.
>> 
>> On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
>> > wrote:
>> 
>> OK, I see what’s going on, but it looks like a bug.
>> 
>> We mostly use net groups for hosts. In NIS our entries like like 
>> (hostname,,)  You can put that into IPA by specifying NISdomain=, i.e. 
>> blank domain name. However if you do that, getent shows no entries. That 
>> is, entries with blank hostname are ignored. I claim this is a bug, 
>> since for a host entry there’s no reason to specify a domain.
>> 
>> I also found that specifying
>> 
>> ipa_netgroup_domain=cs.rutgers.edu
>> 
>> causes no net groups to display, even ones whose domain is 
>> cs.rutgers.edu.
>>  This also looks like a bug.
>> 
>> On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
>> > wrote:
>> 
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
>> They’re visible on a system that uses nslcd pointed at the IPA server. 
>> But the systems that use SSSD for authentication don’t show anything. 
>> The net groups all show as undefined.
>> 
>> I’ve turned on debugging and looked at the LDAP logs. It does the right 
>> quotes and the

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick

> So, the real issue is SSSD's inability to support empty netgroup domain
> part, right?

Yes, that’s the real bug. It doesn’t appear that the other issues are serious, 
as I can’t find any real appiication that uses the NIS entries as triples.

The sssd problem is moderately serious for me. I don’t want to put in an 
arbitrary NIS domain name for a system that doesn’t use NIS, because even if it 
works on the Netapp now, I’d be depending upon undocumented behavior or I’d 
have to give it a dummy NIS domain. I’m reluctant to tell the Netapp that it’s 
in a NIS domain that doesn’t exist. Who knows what it would do?

It could also be an issue for transition. Consider a situation like ours where 
we’re combining a number of NIS domains into a single IPA domain. While we 
could work around it, it would be cleanest for our netgroup entries not to have 
a domain name, so it’s clear that they apply to all NIS domains. (In fact our 
transition has gone far enough that this isn’t a real problem. We’re 
decommissioning NIS pretty rapidly.)

> Can you point me to what you call RFC-defined behavior? Because I don't
> see RFC defining a behavior but rather a storage format (which is
> suboptimal but that's another story).

I guess it depends upon how you understand the RFC. Clearly it doesn’t matter 
how you store data as long as you present it to the application the way the RFC 
specifies. But in fact an LDAP query simply presents it as stored. So you have 
to use the compat tree to get the defined results. Even there, there are 
triples that would be valid under the RFC that you can’t generate. I agree that 
there may be no actual applications that would do it, but that doesn’t seem 
like something you want your directory services dictating.

In principle according to the documentation we could write an application that 
checks access using both user and host from a triple. E.g. 

(host1, user1, domain1)

would authorize applications running in domain1 to accept login from 
user1@host1. You can’t reliably generate triples like that, because the 
association between user and host isn’t stored. You can fake it, but the first 
time a host is removed, or for mixes of internal and external hosts, you’ll get 
unexpected behavior.

Since no known applications uses this, it’s probably not a serious bug, but I 
wouldn’t have created a design that disallows it.

> On Nov 13, 2017, at 11:44 AM, Alexander Bokovoy  wrote:
> 
> On ma, 13 marras 2017, Charles Hedrick wrote:
>> Sure. We use netgroups for /etc/exports. The most natural format for triples 
>> is
>> 
>> (host,,)
>> 
>> That’s the format Netapp documents. By default, ipa netgroup-add-member uses
>> 
>> (host,-,domain)
>> 
>> where domain seems to come from our Kerberos domain. Netapp
>> documentation requests leaving that field blank, though some
>> documentation suggests that if it’s filled in, they will ignore triples
>> where the domain doesn’t match the Netapp’s domain. We are no longer
>> using NIS, so as far as we know, the Netapp doesn’t have a NIS domain.
>> I think it’s safest to leave the field blank.
> IPA sets NIS domain by default to its primary domain (equal to IPA
> realm in lower case). This is just a default value.
> 
>> I can do this in IPA. —nisdomain= will leave it blank. That results in
>> 
>> (host,-,)
>> 
>> That works with the Netapp. (I haven’t actually tried putting a domain in.)
>> 
>> Unfortunately it won’t work with sssd, because sssd won’t show any
>> triples if the nisdomain isn’t set for that net group.
> So, the real issue is SSSD's inability to support empty netgroup domain
> part, right?
> 
> This is the code in ipa_netgr_process_all():
> ...
>   ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
>);
>   if (ret != EOK) {
>   goto done;
>   }
> ...
> 
>   DEBUG(SSSDBG_TRACE_INTERNAL, "Putting together triples of "
> "netgroup %d\n", i);
>   for (j = 0; j < uids_count; j++) {
>   for (k = 0; k < hosts_count; k++) {
>   triple = talloc_asprintf(state, "(%s,%s,%s)",
>hosts[k], uids[j],
>domain);
>   if (triple == NULL) {
>   ret = ENOMEM;
>   goto done;
>   }
> 
>   ret = sysdb_attrs_add_string(state->netgroups[i],
>SYSDB_NETGROUP_TRIPLE,
>triple);
>   if (ret != EOK) {
>   goto done;
>   }
>   }
>   }
> 
> 
> So, if no domain is retrieved, no netgroup triple is generated by SSSD
> IPA provider. Note that this does not utilize compatibility netgroups
> subtree as generated by schema compatibility plugin (in
>

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick

I just looked at documentation and source code. All the documentation I can 
find for netgroups leaves the semantics up to the application. The net group 
documentation does, however, imply that we’re dealing with a set of triples, 
not separate host and user lists. I checked the source for both openssh and bsd 
rlogin. For them it appears that they ignore the pairing and treat the net 
group as a list of hosts and users. 

I don’t see how you could prove that there are no applications that use all the 
documented capabilities of netgroups, but the most likely two possibilities 
don’t. 

rlogin ignores triples that aren’t in the current NIS domain (or blank, 
presumably). sshd ignores the domain component.

> On Nov 13, 2017, at 4:25 AM, Pavel Březina  wrote:
> 
> On 11/08/2017 11:47 PM, Charles Hedrick wrote:
>> In my opinion the whole rfc3704bis implementation of net groups is wonky.
>> 
>> This isn’t the only problem. Why is there a distinction between internal and 
>> external hosts? Suppose I add an external host to a net group, and later do 
>> ipa host-add for it. If the distinction actually matters I’d expect the 
>> system to turn the external host entry into an internal host entry. But it 
>> doesn’t.
>> 
>> In principle there’s a difference between blank and -, but the ipa 
>> implementation always produces - for missing user and host and blank for 
>> missing domain name.
>> 
>> I’d really rather see the system just store the triples rather than doing a 
>> complex mapping going in and out.
>> 
>> 
>>> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek  wrote:
>>> 
>>> Pavel, does this sound like the bug you were looking at wrt sudo lately?
>>> 
>>> On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:
 Netapp wants the domain field to be blank. That leaves us a problem that’s 
 hard to solve.

 On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
 > wrote:

 OK, I see what’s going on, but it looks like a bug.

 We mostly use net groups for hosts. In NIS our entries like like 
 (hostname,,)  You can put that into IPA by specifying NISdomain=, i.e. 
 blank domain name. However if you do that, getent shows no entries. That 
 is, entries with blank hostname are ignored. I claim this is a bug, since 
 for a host entry there’s no reason to specify a domain.

 I also found that specifying

 ipa_netgroup_domain=cs.rutgers.edu

 causes no net groups to display, even ones whose domain is 
 cs.rutgers.edu.
  This also looks like a bug.

 On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
 > wrote:

 We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
 They’re visible on a system that uses nslcd pointed at the IPA server. But 
 the systems that use SSSD for authentication don’t show anything. The net 
 groups all show as undefined.

 I’ve turned on debugging and looked at the LDAP logs. It does the right 
 quotes and the log says it extracts the members. But they don’t show up.

 Any idea where to look?
> 
> Can you send us some example of what you are trying to achieve and what does 
> not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash 
> and somewhere blanks.
> 

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick

While we’re on this subject, it would be useful for IPA to support 
netgroup.byhost. That would give signifiant advantages with Netapp. If that is 
supported, Netapp will look up the netgroups for a host every time a mount is 
done. Without it, they consider that reloading the whole net group file is too 
inefficient, so they depend upon a cache whose normal TTL is a day.

> On Nov 13, 2017, at 4:25 AM, Pavel Březina  wrote:
> 
> On 11/08/2017 11:47 PM, Charles Hedrick wrote:
>> In my opinion the whole rfc3704bis implementation of net groups is wonky.
>> 
>> This isn’t the only problem. Why is there a distinction between internal and 
>> external hosts? Suppose I add an external host to a net group, and later do 
>> ipa host-add for it. If the distinction actually matters I’d expect the 
>> system to turn the external host entry into an internal host entry. But it 
>> doesn’t.
>> 
>> In principle there’s a difference between blank and -, but the ipa 
>> implementation always produces - for missing user and host and blank for 
>> missing domain name.
>> 
>> I’d really rather see the system just store the triples rather than doing a 
>> complex mapping going in and out.
>> 
>> 
>>> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek  wrote:
>>> 
>>> Pavel, does this sound like the bug you were looking at wrt sudo lately?
>>> 
>>> On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:
 Netapp wants the domain field to be blank. That leaves us a problem that’s 
 hard to solve.

 On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
 > wrote:

 OK, I see what’s going on, but it looks like a bug.

 We mostly use net groups for hosts. In NIS our entries like like 
 (hostname,,)  You can put that into IPA by specifying NISdomain=, i.e. 
 blank domain name. However if you do that, getent shows no entries. That 
 is, entries with blank hostname are ignored. I claim this is a bug, since 
 for a host entry there’s no reason to specify a domain.

 I also found that specifying

 ipa_netgroup_domain=cs.rutgers.edu

 causes no net groups to display, even ones whose domain is 
 cs.rutgers.edu.
  This also looks like a bug.

 On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
 > wrote:

 We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
 They’re visible on a system that uses nslcd pointed at the IPA server. But 
 the systems that use SSSD for authentication don’t show anything. The net 
 groups all show as undefined.

 I’ve turned on debugging and looked at the LDAP logs. It does the right 
 quotes and the log says it extracts the members. But they don’t show up.

 Any idea where to look?
> 
> Can you send us some example of what you are trying to achieve and what does 
> not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash 
> and somewhere blanks.
> 

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Charles Hedrick

Sure. We use netgroups for /etc/exports. The most natural format for triples is

(host,,)

That’s the format Netapp documents. By default, ipa netgroup-add-member uses

(host,-,domain)

where domain seems to come from our Kerberos domain. Netapp documentation 
requests leaving that field blank, though some documentation suggests that if 
it’s filled in, they will ignore triples where the domain doesn’t match the 
Netapp’s domain. We are no longer using NIS, so as far as we know, the Netapp 
doesn’t have a NIS domain. I think it’s safest to leave the field blank.

I can do this in IPA. —nisdomain= will leave it blank. That results in

(host,-,)

That works with the Netapp. (I haven’t actually tried putting a domain in.)

Unfortunately it won’t work with sssd, because sssd won’t show any triples if 
the nisdomain isn’t set for that net group.

In general I don’t understand why IPA and sssd are using a nonstandard 
representation of net groups. Why not just a collection of triples and 
subgroups? As far as I can see RFC 2307bis has the same schema for net groups 
as RFC 2307. https://tools.ietf.org/html/draft-howard-rfc2307bis-02. Is there a 
later version of RFC 2307bis that I haven’t been able to find? Draft 2 is the 
latest at tools.ietf.org.

   ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
 DESC 'Abstraction of a netgroup. May refer to other
   netgroups'
 MUST cn
 MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

The representation used by IPA seems to be non-standard. I’d expect IPA and 
sssd to allow me to add any triple I want that’s valid in a normal net group 
file.

One problem with the IPA representation is that there are no actual triples. 
There’s a list of hosts, a list of users, and a domain. Not all triples can be 
represented that way. Something like
(host1, user1,)
(host2, user2,)
has to be represented by a user list of user1, user2 and a host list of host1, 
host2. But the pairing isn’t always well defined. E.g. I added to that group an 
external host3 and an internal user3. I ended up with

(host3, user1,)
(host1, user2,)
(host2, user3,)

I don’t know whether there are applications that use the pairing of hosts and 
users, but the original design was intended to support that. With IPA it’s 
dangerous, because I have to know just how IPA generates the triples from the 
entires.

Is there a way to get the RFC-defined behavior from IPA and SSSD?

We don’t actually have a user case for pairing. We just need a host list. So 
for the moment the plan is to add hosts with nisdomain=, and use nslcd in 
nsswitch.conf for net groups on the Linux systems that are NFS servers.

I don’t have any specific use case for distinguishing between space and -. But 
the spec says they mean something different. I don’t know why you would adopt a 
representation that doesn’t allow for every valid triple.


On Nov 13, 2017, at 4:25 AM, Pavel Březina 
> wrote:

Can you send us some example of what you are trying to achieve and what does 
not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash 
and somewhere blanks.

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-13 Thread Alexander Bokovoy

On ma, 13 marras 2017, Pavel Březina wrote:

On 11/08/2017 11:47 PM, Charles Hedrick wrote:

In my opinion the whole rfc3704bis implementation of net groups is
wonky.

RFC 3704bis does not exist. RFC3704 is about ingress filtering in
multihome networks. Are you talking about RFC 2307bis?

This isn’t the only problem. Why is there a distinction between
internal and external hosts? Suppose I add an external host to a net
group, and later do ipa host-add for it. If the distinction actually
matters I’d expect the system to turn the external host entry into an
internal host entry. But it doesn’t.

In principle there’s a difference between blank and -, but the ipa
implementation always produces - for missing user and host and blank
for missing domain name.

For hosts and users, if you specify hostCategory=all or
userCategory=all, there will be blanks in the generated
nisNetgroupTriple. 

For NIS domain name there is always either explicitly defined
nisDomainName or a '-'. Where did you see blanks for the nisDomainName?

Actual mapping rule looks like this:

schema-compat-entry-attribute: nisNetgroupTriple=(%link("%ifeq(\"hostCategory\
",\"all\",\"\",\"%collect(\\\"%{externalHost}\\\",\\\"%deref(\\\"memberHo
st\\\",\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"member\\\",
\\\"fqdn\\\")\\\",\\\"%deref_r(\\\"memberHost\\\",\\\"member\
\\",\\\"fqdn\\\")\\\")\")","%ifeq(\"hostCategory\",\"all\",\"\",\
"-\")",",","%ifeq(\"userCategory\",\"all\",\"\",\"%collect(\\\"%deref(\\\
"memberUser\\\",\\\"uid\\\")\\\",\\\"%deref_r(\\\"member\
\\",\\\"uid\\\")\\\",\\\"%deref_r(\\\"memberUser\\\",\\\"
member\\\",\\\"uid\\\")\\\")\")","%ifeq(\"userCategory\",\"all\",
\"\",\"-\")"),%{nisDomainName:-})

As you can see in the last part it includes %{nisDomainName:-}, e.g. if
attribute nisDomainName is not defined in the original IPA net group
object, it will be replaced by '-'.

So one way to solve this problem is by replacing the
"%{nisDomainName:-}" by a more complex expression, something that would
use some predefined nisDomainName to be a trigger to add a blank there.

Something like

%ifeq("nisDomainName","any","","%{nisDomainName:-}"

instead of %{nisDomainName:-}

In my case it looks like this:
# ipa netgroup-show my-new-netgroup
 Netgroup name: my-new-netgroup
 NIS domain name: any
 User category: all
 Host category: all

# ldapsearch -x -b cn=ng,cn=compat,$SUFFIX cn=my-new-netgroup
dn: cn=my-new-netgroup,cn=ng,cn=compat,$SUFFIX
objectClass: nisNetgroup
objectClass: top
nisNetgroupTriple: (,,)
cn: my-new-netgroup

I’d really rather see the system just store the triples rather than
doing a complex mapping going in and out.

IPA uses a different LDAP schema for net groups than what RFC2307bis expects.
Thus, a need to dynamically redefine LDAP objects (for whole RFC2307,
not just net groups).

On Nov 8, 2017, at 5:08 PM, Jakub Hrozek  wrote:

Pavel, does this sound like the bug you were looking at wrt sudo lately?

On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:

Netapp wants the domain field to be blank. That leaves us a problem that’s hard 
to solve.

On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
> wrote:

OK, I see what’s going on, but it looks like a bug.

We mostly use net groups for hosts. In NIS our entries like like
(hostname,,)  You can put that into IPA by specifying NISdomain=,
i.e. blank domain name. However if you do that, getent shows no
entries. That is, entries with blank hostname are ignored. I claim
this is a bug, since for a host entry there’s no reason to specify a
domain.

I also found that specifying

ipa_netgroup_domain=cs.rutgers.edu

causes no net groups to display, even ones whose domain is
cs.rutgers.edu.
This also looks like a bug.

On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
> wrote:

We want to move our net groups from NIS to IPA. I’ve loaded the
groups. They’re visible on a system that uses nslcd pointed at the
IPA server. But the systems that use SSSD for authentication don’t
show anything. The net groups all show as undefined.

I’ve turned on debugging and looked at the LDAP logs. It does the
right quotes and the log says it extracts the members. But they
don’t show up.

Any idea where to look?

Can you send us some example of what you

[SSSD-users] Re: net groups with IPA

2017-11-10 Thread Charles Hedrick



> On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik  wrote:
> 
> On (08/11/17 20:53), Charles Hedrick wrote:
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
>> They’re visible on a system that uses nslcd pointed at the IPA server. But 
>> the systems that use SSSD for authentication don’t show anything. The net 
>> groups all show as undefined.
>> 
>> I’ve turned on debugging and looked at the LDAP logs. It does the right 
>> quotes and the log says it extracts the members. But they don’t show up.
>> 
>> Any idea where to look?
>> 
> 
> How did you add netgroups to IPA?
> Did you migrate from LDAP to IPA ("ipa migrate-ds”)

We went from a flat file to IPA. I wrote a script that did ipa netgroup-add and 
ipa-netgroup-add-member.

Here’s a piece of it

ipa netgroup-add-member dcsug_servers_remus1 --hosts=cumulus.rutgers.edu
ipa netgroup-add-member dcsug_servers_remus1 --hosts=stratus.rutgers.edu
ipa netgroup-add dcsinternet_clients
ipa netgroup-add-member dcsinternet_clients --netgroups=dcsinternet_sunclients
ipa netgroup-add dcsfac_linuxclients
ipa netgroup-add-member dcsfac_linuxclients --hosts=abhib.rutgers.edu
ipa netgroup-add-member dcsfac_linuxclients --hosts=atanasoff.rutgers.edu
ipa netgroup-add-member dcsfac_linuxclients --hosts=borges.rutgers.edu

Pretty obvious. 

However I discovered that all the net groups were created with a bogus 
nisdomain. Because netapp documentation says to leave it blank, I cleared all 
the nis domains with

ipa netgroup-mod NAME —nisdomain=

That turned out to be the issue. sssd won’t show a triple unless it has a 
non-blank domain entry in the domain field. This looks like a bug.

For the moment the plan is to use nslcd, i.e. ldap, for netgroups on the 
servers that need net groups (just NFS servers in our case).

I don’t believe we can tell sssd to use IPA for users and groups but ldap for 
netgroups. I want the features of IPA for users.

> Did you add them from command line with "ipa"?
> if yes then could you provide exact commands ?
> 
> LS
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-09 Thread Lukas Slebodnik

On (08/11/17 20:53), Charles Hedrick wrote:
>We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
>They’re visible on a system that uses nslcd pointed at the IPA server. But the 
>systems that use SSSD for authentication don’t show anything. The net groups 
>all show as undefined.
>
>I’ve turned on debugging and looked at the LDAP logs. It does the right quotes 
>and the log says it extracts the members. But they don’t show up.
>
>Any idea where to look?
>

How did you add netgroups to IPA?
Did you migrate from LDAP to IPA ("ipa migrate-ds")

Did you add them from command line with "ipa"?
if yes then could you provide exact commands ?

LS
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Michael Ströder

Charles Hedrick wrote:
> In my opinion the whole rfc3704bis implementation of net groups is wonky.

Since you seem to be using FreeIPA wouldn't it be a better solution to
implement a script for converting your netgroups into HBAC rules?

I never did this myself though.

Ciao, Michael.



smime.p7s
Description: S/MIME Cryptographic Signature
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick

In my opinion the whole rfc3704bis implementation of net groups is wonky.

This isn’t the only problem. Why is there a distinction between internal and 
external hosts? Suppose I add an external host to a net group, and later do ipa 
host-add for it. If the distinction actually matters I’d expect the system to 
turn the external host entry into an internal host entry. But it doesn’t.

In principle there’s a difference between blank and -, but the ipa 
implementation always produces - for missing user and host and blank for 
missing domain name.

I’d really rather see the system just store the triples rather than doing a 
complex mapping going in and out.


> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek  wrote:
> 
> Pavel, does this sound like the bug you were looking at wrt sudo lately?
> 
> On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:
>> Netapp wants the domain field to be blank. That leaves us a problem that’s 
>> hard to solve.
>> 
>> On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
>> > wrote:
>> 
>> OK, I see what’s going on, but it looks like a bug.
>> 
>> We mostly use net groups for hosts. In NIS our entries like like 
>> (hostname,,)  You can put that into IPA by specifying NISdomain=, i.e. blank 
>> domain name. However if you do that, getent shows no entries. That is, 
>> entries with blank hostname are ignored. I claim this is a bug, since for a 
>> host entry there’s no reason to specify a domain.
>> 
>> I also found that specifying
>> 
>> ipa_netgroup_domain=cs.rutgers.edu
>> 
>> causes no net groups to display, even ones whose domain is 
>> cs.rutgers.edu.
>>  This also looks like a bug.
>> 
>> On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
>> > wrote:
>> 
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
>> They’re visible on a system that uses nslcd pointed at the IPA server. But 
>> the systems that use SSSD for authentication don’t show anything. The net 
>> groups all show as undefined.
>> 
>> I’ve turned on debugging and looked at the LDAP logs. It does the right 
>> quotes and the log says it extracts the members. But they don’t show up.
>> 
>> Any idea where to look?
>> 
>> 
>> 
> 
>> ___
>> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
>> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Jakub Hrozek

Pavel, does this sound like the bug you were looking at wrt sudo lately?

On Wed, Nov 08, 2017 at 09:46:25PM +, Charles Hedrick wrote:
> Netapp wants the domain field to be blank. That leaves us a problem that’s 
> hard to solve.
> 
> On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
> > wrote:
> 
> OK, I see what’s going on, but it looks like a bug.
> 
> We mostly use net groups for hosts. In NIS our entries like like (hostname,,) 
>  You can put that into IPA by specifying NISdomain=, i.e. blank domain name. 
> However if you do that, getent shows no entries. That is, entries with blank 
> hostname are ignored. I claim this is a bug, since for a host entry there’s 
> no reason to specify a domain.
> 
> I also found that specifying
> 
> ipa_netgroup_domain=cs.rutgers.edu
> 
> causes no net groups to display, even ones whose domain is 
> cs.rutgers.edu. This also looks like a bug.
> 
> On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
> > wrote:
> 
> We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
> They’re visible on a system that uses nslcd pointed at the IPA server. But 
> the systems that use SSSD for authentication don’t show anything. The net 
> groups all show as undefined.
> 
> I’ve turned on debugging and looked at the LDAP logs. It does the right 
> quotes and the log says it extracts the members. But they don’t show up.
> 
> Any idea where to look?
> 
> 
> 

> ___
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick

Netapp wants the domain field to be blank. That leaves us a problem that’s hard 
to solve.

On Nov 8, 2017, at 4:41 PM, Charles Hedrick 
> wrote:

OK, I see what’s going on, but it looks like a bug.

We mostly use net groups for hosts. In NIS our entries like like (hostname,,)  
You can put that into IPA by specifying NISdomain=, i.e. blank domain name. 
However if you do that, getent shows no entries. That is, entries with blank 
hostname are ignored. I claim this is a bug, since for a host entry there’s no 
reason to specify a domain.

I also found that specifying

ipa_netgroup_domain=cs.rutgers.edu

causes no net groups to display, even ones whose domain is 
cs.rutgers.edu. This also looks like a bug.

On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
> wrote:

We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re 
visible on a system that uses nslcd pointed at the IPA server. But the systems 
that use SSSD for authentication don’t show anything. The net groups all show 
as undefined.

I’ve turned on debugging and looked at the LDAP logs. It does the right quotes 
and the log says it extracts the members. But they don’t show up.

Any idea where to look?

___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

2017-11-08 Thread Charles Hedrick

OK, I see what’s going on, but it looks like a bug.

We mostly use net groups for hosts. In NIS our entries like like (hostname,,)  
You can put that into IPA by specifying NISdomain=, i.e. blank domain name. 
However if you do that, getent shows no entries. That is, entries with blank 
hostname are ignored. I claim this is a bug, since for a host entry there’s no 
reason to specify a domain.

I also found that specifying

ipa_netgroup_domain=cs.rutgers.edu

causes no net groups to display, even ones whose domain is 
cs.rutgers.edu. This also looks like a bug.

On Nov 8, 2017, at 3:53 PM, Charles Hedrick 
> wrote:

We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re 
visible on a system that uses nslcd pointed at the IPA server. But the systems 
that use SSSD for authentication don’t show anything. The net groups all show 
as undefined.

I’ve turned on debugging and looked at the LDAP logs. It does the right quotes 
and the log says it extracts the members. But they don’t show up.

Any idea where to look?


___
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

[SSSD-users] Re: net groups with IPA

18 matches

Site Navigation

Mail list logo

Footer information