test.c
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>

/* Usage: ./test NETGROUP HOST -- asks innetgr(3) whether the (host,-,-) triple is in NETGROUP. */
int main(int argc, char **argv) {
    if (argc != 3) {
        fprintf(stderr, "usage: %s netgroup host\n", argv[0]);
        return 2;
    }
    printf("%d\n", innetgr(argv[1], argv[2], NULL, NULL));
    return 0;
}
---------------------
[hedrick@krb2 credserv]$ ./test lcsrcf ilab1.cs.rutgers.edu
0
[hedrick@krb2 credserv]$ ipa host-show ilab1.cs.rutgers.edu
Host name: ilab1.cs.rutgers.edu
Principal name: host/[email protected]
Principal alias: host/[email protected]
SSH public key fingerprint: SHA256:XQelZD+3XV8yJTUQCU277t3Tsfin3JXFZWOXgBwlpk0 (ecdsa-sha2-nistp256), SHA256:viELfgjJE7+GXq+QDLcW3XUBRZcaiZcMOpaTXvPo/I0 (ssh-ed25519), SHA256:MjIvgUUtUYmjohS2fCJ5NIgn6laFKSLttWYnEfN0KYY (ssh-rsa)
Password: False
Member of netgroups: dcsilab_gpuservers__1, working-hosts, gradpool, research-user-maint
Indirect Member of netgroup: dcsilab, dcsilab_clients, lcsrcluster, lcsrcf, dcs, dcsilab_gpuservers
Keytab: True
Managed by: ilab1.cs.rutgers.edu
[hedrick@krb2 credserv]$ ./test dcsilab_clients ilab1.cs.rutgers.edu
1
—————————————
I’m doing this on a test kerberos server, which makes the logs easier to look
at. It’s centos 8. I walked up the hierarchy. The first place it failed was
netgroup dcs. Here are the queries it made:
[04/Nov/2019:10:27:08.092994997 -0500] conn=22700 op=14 SRCH base="cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(cn=dcs)(objectClass=ipaNisNetgroup))" attrs="objectClass cn member memberOf memberUser memberHost externalHost nisDomainName ipaUniqueID"
[04/Nov/2019:10:27:08.093756954 -0500] conn=22700 op=14 RESULT err=0 tag=101 nentries=1 etime=0.0000917908 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.094390316 -0500] conn=22700 op=15 SRCH base="cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=ipaNisNetgroup))" attrs="objectClass cn member memberOf memberUser memberHost externalHost nisDomainName ipaUniqueID"
[04/Nov/2019:10:27:08.108564311 -0500] conn=22700 op=15 RESULT err=0 tag=101 nentries=48 etime=0.0014740764 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.116836919 -0500] conn=22700 op=16 SRCH base="cn=accounts,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=posixAccount))" attrs="uid memberOf objectClass"
[04/Nov/2019:10:27:08.117217428 -0500] conn=22700 op=16 RESULT err=0 tag=101 nentries=0 etime=0.0008600383 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.117542516 -0500] conn=22700 op=17 SRCH base="cn=accounts,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=ipaIDObject)(objectClass=posixAccount))" attrs="uid memberOf objectClass"
[04/Nov/2019:10:27:08.117684401 -0500] conn=22700 op=17 RESULT err=0 tag=101 nentries=0 etime=0.0000418212 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.118033435 -0500] conn=22700 op=18 SRCH base="cn=accounts,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=ipaHost))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[04/Nov/2019:10:27:08.189687425 -0500] conn=22700 op=18 RESULT err=0 tag=101 nentries=172 etime=0.0071957440 notes=P pr_idx=0 pr_cookie=-1
Let me interpret that.
Look up netgroup dcs to find uniqueID
Look for all netgroups, users, ??, hosts that are members of the uniqueID
The last query returned 172 hosts. I tried the query manually and got 172 hosts
as well. ilab1.cs.rutgers.edu was one of them. I would have expected it to
return yes, but it returned 0.
If I check the next level down in the hierarchy, I get success.
I’m going to email you the SSSD log file separately, as I’m not sure whether
there’s anything in it that shouldn’t be public.
> On Nov 1, 2019, at 9:03 AM, Sumit Bose <[email protected]> wrote:
>
> On Thu, Oct 31, 2019 at 02:02:51PM +0000, Charles Hedrick wrote:
>> I need to support netgroup checks in a service, written in C. I’m asking the
>> SSSD list because we’re using SSSD, which means that net group operations
>> are routed to the SSSD provider.
>>
>> I found that innetgr doesn’t work if there are nested net groups. The man
>> page doesn’t suggest that this would happen, though various online
>> discussions seem to suggest it. As far as I can tell, using the usual libc
>> routines, I’d have to do a recursive enumeration of the netgroup. This seems
>> pretty silly, since the host's memberOf attribute shows what net groups it’s
>> a member of, whether direct or indirect. You could also enumerate using the
>> compat tree, which lets a single LDAP query get all members of the netgroup.
>
> Hi,
>
> it would be good if you could share some logs which cover the failed
> attempt. Iirc nested netgroups are handled by SSSD and glibc together.
> I.e. SSSD will not resolve a nested netgroup automatically but just
> returns the name, and glibc asks for the members of the nested group
> if needed.
>
> bye,
> Sumit
>
>>
>> For the moment I’m doing LDAP operations. My application already needs to do
>> GSSAPI-authenticated LDAP operations, so I have an LDAP connection already.
>> A netgroup check requires two queries, which could reasonably be cached.
>> Look up the netgroup by name to find the unique ID. Look up the host and see
>> if the unique ID matches any memberOf attributes.
>>
>> But not all applications would be set up so this is easy. Is there a
>> reasonable way to check netgroup membership using normal libc calls?
>>
>>
>> _______________________________________________
>> sssd-users mailing list -- [email protected]
>> To unsubscribe send an email to [email protected]
>> Fedora Code of Conduct:
>> https://docs.fedoraproject.org/en-US/project/code-of-conduct/
>> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
>> List Archives:
>> https://lists.fedorahosted.org/archives/list/[email protected]
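Added example, not code from this thread, from SSSD or from glibc: the "recursive enumeration of the netgroup" that Charles says he would otherwise have to do with plain libc calls, written against an in-memory netgroup table so it runs offline. The table is constructed to mirror the ipa host-show output above (ilab1 is a direct member of dcsilab_gpuservers__1 and working-hosts, and reaches dcs through lcsrcf), but the actual nesting of those netgroups in that deployment is not given in the thread, and the self-reference in dcs is added purely to exercise the cycle guard. nested_innetgr keeps the innetgr(3) contract (NULL argument = don't care, empty triple field = wildcard, returns 1 or 0) and tracks which netgroups it has already expanded, which is the part a hand-rolled recursion most often gets wrong when netgroups form a diamond or a loop.

```c
#include <stdio.h>
#include <string.h>

/* A netgroup entry is either a (host,user,domain) triple or the name of a nested netgroup. */
enum ng_kind { NG_END = 0, NG_TRIPLE, NG_NESTED };

struct ng_entry {
    enum ng_kind kind;
    const char *host, *user, *domain; /* NG_TRIPLE; a NULL field is a wildcard */
    const char *nested;               /* NG_NESTED: name of the inner netgroup */
};

#define MAX_ENTRIES 4
struct netgroup {
    const char *name;
    struct ng_entry entries[MAX_ENTRIES]; /* zero-filled tail terminates with NG_END */
};

#define TRIPLE(h, u, d) { .kind = NG_TRIPLE, .host = (h), .user = (u), .domain = (d) }
#define NESTED(n)       { .kind = NG_NESTED, .nested = (n) }

/* CONSTRUCTED netgroup database; the real nesting is not given in the thread. */
static const struct netgroup db[] = {
    { "dcsilab_gpuservers__1", { TRIPLE("ilab1.cs.rutgers.edu", NULL, NULL) } },
    { "working-hosts",         { TRIPLE("ilab1.cs.rutgers.edu", NULL, "cs.rutgers.edu") } },
    { "dcsilab_gpuservers",    { NESTED("dcsilab_gpuservers__1") } },
    { "dcsilab",               { NESTED("dcsilab_gpuservers") } },
    { "dcsilab_clients",       { NESTED("dcsilab") } },
    { "lcsrcf",                { NESTED("dcsilab_clients") } },
    /* constructed self-reference: an unguarded recursion would never terminate here */
    { "dcs",                   { NESTED("lcsrcf"), NESTED("dcs") } },
};

static const struct netgroup *find_group(const char *name) {
    for (size_t i = 0; i < sizeof db / sizeof db[0]; i++)
        if (strcmp(db[i].name, name) == 0)
            return &db[i];
    return NULL;
}

/* innetgr(3) semantics: NULL argument = don't care, NULL triple field = wildcard. */
static int field_matches(const char *want, const char *have) {
    return want == NULL || have == NULL || strcmp(want, have) == 0;
}

#define MAX_VISITED 64

static int check_rec(const char *name, const char *host, const char *user,
                     const char *domain, const char **visited, int *nvisited) {
    for (int i = 0; i < *nvisited; i++)
        if (strcmp(visited[i], name) == 0)
            return 0; /* already expanded: a cycle or a diamond in the nesting graph */
    if (*nvisited == MAX_VISITED)
        return 0;     /* hard cap on distinct netgroups expanded for one query */
    visited[(*nvisited)++] = name;

    const struct netgroup *g = find_group(name);
    if (g == NULL)
        return 0;     /* unknown netgroup: no match, as innetgr reports */
    for (int i = 0; i < MAX_ENTRIES && g->entries[i].kind != NG_END; i++) {
        const struct ng_entry *e = &g->entries[i];
        if (e->kind == NG_TRIPLE) {
            if (field_matches(host, e->host) && field_matches(user, e->user) &&
                field_matches(domain, e->domain))
                return 1;
        } else if (check_rec(e->nested, host, user, domain, visited, nvisited)) {
            return 1;
        }
    }
    return 0;
}

/* Same contract as innetgr(3): 1 if (host,user,domain) is in netgroup, directly or via nesting. */
int nested_innetgr(const char *netgroup, const char *host, const char *user,
                   const char *domain) {
    const char *visited[MAX_VISITED];
    int nvisited = 0;
    return check_rec(netgroup, host, user, domain, visited, &nvisited);
}

int main(void) {
    const char *h = "ilab1.cs.rutgers.edu";
    /* the two checks from the thread, plus a miss and a domain mismatch */
    printf("lcsrcf          %s -> %d\n", h, nested_innetgr("lcsrcf", h, NULL, NULL));
    printf("dcsilab_clients %s -> %d\n", h, nested_innetgr("dcsilab_clients", h, NULL, NULL));
    printf("dcs             other.example -> %d\n", nested_innetgr("dcs", "other.example", NULL, NULL));
    printf("working-hosts   %s (domain other.example) -> %d\n", h,
           nested_innetgr("working-hosts", h, NULL, "other.example"));
    return 0;
}
```

The visited list is per query, so a diamond (two paths into the same inner netgroup) is expanded once, and the constructed dcs loop is cut the second time dcs is reached. Against a real NSS source, the same shape applies: each NESTED step becomes one setnetgrent/getnetgrent enumeration, which is why a cache of netgroup-to-members, as the thread suggests for the LDAP variant, pays off quickly.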