> On Nov 9, 2017, at 3:43 PM, Lukas Slebodnik <lsleb...@redhat.com> wrote:
> 
> On (08/11/17 20:53), Charles Hedrick wrote:
>> We want to move our net groups from NIS to IPA. I’ve loaded the groups. 
>> They’re visible on a system that uses nslcd pointed at the IPA server. But 
>> the systems that use SSSD for authentication don’t show anything. The net 
>> groups all show as undefined.
>> 
>> I’ve turned on debugging and looked at the LDAP logs. It does the right 
>> quotes and the log says it extracts the members. But they don’t show up.
>> 
>> Any idea where to look?
>> 
> 
> How did you add netgroups to IPA?
> Did you migrate from LDAP to IPA ("ipa migrate-ds")?

We went from a flat file to IPA. I wrote a script that did ipa netgroup-add and 
ipa netgroup-add-member.

Here’s a piece of it:

ipa netgroup-add-member dcsug_servers_remus1 --hosts=cumulus.rutgers.edu
ipa netgroup-add-member dcsug_servers_remus1 --hosts=stratus.rutgers.edu
ipa netgroup-add dcsinternet_clients
ipa netgroup-add-member dcsinternet_clients --netgroups=dcsinternet_sunclients
ipa netgroup-add dcsfac_linuxclients
ipa netgroup-add-member dcsfac_linuxclients --hosts=abhib.rutgers.edu
ipa netgroup-add-member dcsfac_linuxclients --hosts=atanasoff.rutgers.edu
ipa netgroup-add-member dcsfac_linuxclients --hosts=borges.rutgers.edu

Pretty obvious. 

However I discovered that all the net groups were created with a bogus 
nisdomain. Because netapp documentation says to leave it blank, I cleared all 
the nis domains with

ipa netgroup-mod NAME --nisdomain=

That turned out to be the issue. sssd won’t show a triple unless it has a 
non-blank domain entry in the domain field. This looks like a bug.

For the moment the plan is to use nslcd, i.e. ldap, for netgroups on the 
servers that need net groups (just NFS servers in our case).

I don’t believe we can tell sssd to use IPA for users and groups but ldap for 
netgroups. I want the features of IPA for users.

> Did you add them from command line with "ipa"?
> if yes then could you provide exact commands ?
> 
> LS
> _______________________________________________
> sssd-users mailing list -- sssd-users@lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
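
A check for the condition described in the message above, as an added example that is not part of the original post: it parses netgroup entries in the flat-file form `name member ...` (a member is a `(host,user,domain)` triple or a nested netgroup name; `getent netgroup NAME` prints resolved triples in the same form) and reports every triple whose domain field is empty, which per the message is the case SSSD does not show. The sample entries, the `example.test` domain and the function names are constructed for illustration.

```python
import re

# Constructed sample input, reusing netgroup names from the script in the
# message. Two groups contain triples with a blank domain field.
SAMPLE = """\
dcsug_servers_remus1 (cumulus.rutgers.edu,-,) (stratus.rutgers.edu,-,)
dcsfac_linuxclients (abhib.rutgers.edu,-,example.test) (borges.rutgers.edu,-,)
dcsinternet_clients dcsinternet_sunclients
"""

# One (host,user,domain) triple; any of the three fields may be empty.
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroups(text):
    """Return {name: {"triples": [(host, user, domain)], "nested": [names]}}."""
    groups = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        name = parts[0]
        rest = parts[1] if len(parts) > 1 else ""
        triples = [tuple(field.strip() for field in m.groups())
                   for m in TRIPLE.finditer(rest)]
        # Whatever is left after removing the triples is nested netgroup names.
        nested = TRIPLE.sub(" ", rest).split()
        groups[name] = {"triples": triples, "nested": nested}
    return groups


def blank_domain_triples(groups):
    """Map each netgroup name to its triples whose domain field is empty."""
    report = {}
    for name, group in groups.items():
        blank = [t for t in group["triples"] if t[2] == ""]
        if blank:
            report[name] = blank
    return report


if __name__ == "__main__":
    for name, triples in blank_domain_triples(parse_netgroups(SAMPLE)).items():
        for host, user, _ in triples:
            print(f"{name}: ({host},{user},) has a blank domain field")
```

Feeding it the output collected from a host that does resolve the netgroups (the nslcd host in this thread) lists the entries that an SSSD host would report as empty, which matters where the netgroups gate NFS exports.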
