In my opinion the whole rfc3704bis implementation of net groups is wonky. This isn’t the only problem. Why is there a distinction between internal and external hosts? Suppose I add an external host to a net group, and later do ipa host-add for it. If the distinction actually matters I’d expect the system to turn the external host entry into an internal host entry. But it doesn’t.
In principle there’s a difference between blank and -, but the ipa implementation always produces - for missing user and host and blank for missing domain name. I’d really rather see the system just store the triples rather than doing a complex mapping going in and out.

> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <[email protected]> wrote:
>
> Pavel, does this sound like the bug you were looking at wrt sudo lately?
>
> On Wed, Nov 08, 2017 at 09:46:25PM +0000, Charles Hedrick wrote:
>> Netapp wants the domain field to be blank. That leaves us a problem that’s hard to solve.
>>
>> On Nov 8, 2017, at 4:41 PM, Charles Hedrick <[email protected]> wrote:
>>
>> OK, I see what’s going on, but it looks like a bug.
>>
>> We mostly use net groups for hosts. In NIS our entries look like (hostname,,). You can put that into IPA by specifying NISdomain=, i.e. blank domain name. However if you do that, getent shows no entries. That is, entries with blank hostname are ignored. I claim this is a bug, since for a host entry there’s no reason to specify a domain.
>>
>> I also found that specifying
>>
>> ipa_netgroup_domain=cs.rutgers.edu
>>
>> causes no net groups to display, even ones whose domain is cs.rutgers.edu. This also looks like a bug.
>>
>> On Nov 8, 2017, at 3:53 PM, Charles Hedrick <[email protected]> wrote:
>>
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re visible on a system that uses nslcd pointed at the IPA server. But the systems that use SSSD for authentication don’t show anything. The net groups all show as undefined.
>>
>> I’ve turned on debugging and looked at the LDAP logs. It does the right quotes and the log says it extracts the members. But they don’t show up.
>>
>> Any idea where to look?
>>
>> _______________________________________________
>> sssd-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
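The thread turns on what a netgroup triple means: a blank field is a wildcard, and `-` is a field that can never match a real host, user or domain, so `(hostname,,)` should match that host in any domain. The block below is an added example (it is not code from this thread, from SSSD or from FreeIPA) that parses NIS-style netgroup lines and implements an innetgr()-style membership test with those conventional semantics, following nested groups and guarding against cycles. The group, host, user and domain names are constructed; `expand_hosts(..., blank_is_wildcard=False)` is a hypothetical strict domain filter included only to show how a consumer that requires the domain field to equal a configured domain string drops every blank-domain entry, which is the symptom reported above, not a claim about what SSSD actually does.

```python
"""NIS netgroup triples: parsing and innetgr()-style matching.

Added example (not code from this thread, SSSD or FreeIPA). Models the
conventional semantics of the (host,user,domain) triple: an empty field
is a wildcard, and '-' is a field that can never match a real value.
Host, user and domain names below are constructed for the example.
"""
import re
from typing import Dict, List, Optional, Set, Tuple

Triple = Tuple[str, str, str]
Netgroup = Tuple[List[Triple], List[str]]  # (triples, nested group names)

# Constructed sample in NIS netgroup file format: a host netgroup with
# blank domains (as the poster's NIS data has), one entry with an explicit
# domain, a nested group, and a user netgroup.
SAMPLE_NETGROUP_MAP = """\
cs-hosts     (alpha,,) (beta,,) (gamma,-,cs.example.test) admin-hosts
admin-hosts  (delta,-,)
sudo-users   (,alice,) (,bob,cs.example.test)
"""

_TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_netgroup_map(text: str) -> Dict[str, Netgroup]:
    """Parse 'name member member ...' lines; members are triples or group names."""
    groups: Dict[str, Netgroup] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        name, *members = line.split()
        triples: List[Triple] = []
        nested: List[str] = []
        for member in members:
            m = _TRIPLE_RE.match(member)
            if m:
                h, u, d = (f.strip() for f in m.groups())
                triples.append((h, u, d))
            elif member.startswith("("):
                raise ValueError(f"malformed triple in netgroup {name!r}: {member}")
            else:
                nested.append(member)   # reference to another netgroup
        groups[name] = (triples, nested)
    return groups


def field_matches(pattern: str, value: Optional[str]) -> bool:
    """One triple field against one query value.

    value None  : the caller does not care about this field (innetgr passes NULL)
    pattern ''  : wildcard, matches any value
    pattern '-' : never matches a real host/user/domain
    """
    if value is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == value


def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None) -> bool:
    """innetgr()-style membership test, following nested groups, cycle-safe."""
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in groups:
        return False
    seen.add(netgroup)
    triples, nested = groups[netgroup]
    for h, u, d in triples:
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(innetgr(groups, n, host, user, domain, seen) for n in nested)


def expand_hosts(groups, netgroup, domain_filter=None, blank_is_wildcard=True, _seen=None) -> Set[str]:
    """Host names a netgroup resolves to, optionally restricted to one domain.

    blank_is_wildcard=True  : innetgr semantics, (host,,) survives any filter.
    blank_is_wildcard=False : hypothetical strict filter requiring the domain
                              field to equal the configured domain; it drops
                              every (host,,) entry, which is the symptom the
                              thread describes for entries with a blank domain.
    """
    seen = _seen if _seen is not None else set()
    if netgroup in seen or netgroup not in groups:
        return set()
    seen.add(netgroup)
    triples, nested = groups[netgroup]
    hosts: Set[str] = set()
    for h, _u, d in triples:
        if h in ("", "-"):          # user-only or empty triple, not a host entry
            continue
        if domain_filter is not None:
            keep = field_matches(d, domain_filter) if blank_is_wildcard else d == domain_filter
            if not keep:
                continue
        hosts.add(h)
    for n in nested:
        hosts |= expand_hosts(groups, n, domain_filter, blank_is_wildcard, seen)
    return hosts


if __name__ == "__main__":
    g = parse_netgroup_map(SAMPLE_NETGROUP_MAP)
    print(innetgr(g, "cs-hosts", host="alpha", domain="other.example.test"))  # True: blank domain is a wildcard
    print(innetgr(g, "cs-hosts", host="gamma", domain="other.example.test"))  # False: explicit domain differs
    print(expand_hosts(g, "cs-hosts", domain_filter="cs.example.test"))
    print(expand_hosts(g, "cs-hosts", domain_filter="cs.example.test", blank_is_wildcard=False))
```

Run it as a script to see the two filter modes side by side: with wildcard semantics the domain filter keeps all four hosts, with the strict string comparison only `gamma`, the one entry whose domain field is literally the configured domain, survives. The same distinction is why `(gamma,-,cs.example.test)` is a member when only the host is queried but not when a user is also queried: `-` in the user slot rejects every real user name.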
