On Dec 8, 2011, at 2:11 PM, Jr Aquino wrote:
On Dec 8, 2011, at 9:27 AM, JR Aquino wrote:
On Dec 8, 2011, at 12:04 AM, Jan Zelený wrote:
I'm sending an updated set of patches. All your comments were addressed; I also added man page updates and one modification to sdap_parse_search_base(), which can now be used in more places in the IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with:
getent netgroup <netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
That's odd, could you please send your config file and sanitized logs?
Thanks Jan
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[nss]

[pam]

[domain/example.com]
cache_credentials = True
ipa_domain = example.com
id_provider = ipa
auth_provider = ipa
access_provider = ipa
ipa_hostname = opsecutil1.example.com
chpass_provider = ipa
ipa_server = authmgr1.example.com
ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com
ipa_hbac_refresh = 300
This is all that I get out of /var/log/sssd/sssd_nss.log with debug_level 8 when I tail -f and do a getent netgroup name:
OK!
sgallagh found a utf bug and got it fixed...
Now my log looks like this:
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected!
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1].
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1].
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [setnetgrent_send] (0x0100): Requesting info for netgroup [ops] from [<ALL>]
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [ops@example.com]
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0400): Returning info for netgroup [ops@example]
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops]
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops]
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
And my CLI looks like this:
[root@opsecutil1.ops ~]# getent netgroup ops
ops (-, -, example.com)
This ^ netgroup should be chock FULL of hosts...
When I manually create a /Native/ netgroup and perform a lookup, I DO get the results.
[root@authmgr1 ~]# ipa netgroup-add testing
Description: test
Added netgroup "testing"
  Netgroup name: testing
  Description: test
  NIS domain name: example.com
  IPA unique ID: f58247ee-21e8-11e1-b338-9c8e9927cab0
[root@authmgr1 ~]# ipa netgroup-add-member --hosts=jump1.ops.example.com testing
  Netgroup name: testing
  Description: test
  NIS domain name: example.com
  Member Host: jump1.ops.example.com
Number of members added 1
[root@opsecutil1.ops ~]# getent netgroup testing
testing (jump1.ops.example.com, -, example.com)
I think the problem is the sssd native support for netgroups + managed entries.
All of my netgroups are created via managed entries via hostgroups:
[root@authmgr1 ~]# ipa netgroup-find --all --raw ops --managed
14 netgroups matched
dn: cn=ops,cn=ng,cn=alt,dc=example,dc=com
cn: ops
description: ipaNetgroup ops
nisdomainname: example.com
ipauniqueid: e9135d68-1ac7-11e1-971a-9c8e9927cab0
memberhost: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com
mepmanagedby: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com
objectclass: ipanisnetgroup
objectclass: ipaobject
objectclass: mepManagedEntry
objectclass: ipaAssociation
objectclass: top
After further inspection, I was able to get native netgroups to produce the same null entries if I added hostgroups to the netgroup.
It appears that sssd's native netgroup support does not enumerate the contents of a member hostgroup contained inside of a netgroup. The desired result is that the netgroup should contain a netgroup triple per host in the hostgroup.
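To make the expected behaviour concrete, here is an added illustration (not sssd or FreeIPA code, and not written by anyone in this thread) of the expansion step the last message asks for: a netgroup whose memberHost points at a hostgroup should resolve to one (host, -, nisdomain) triple per host, including hosts reached through nested hostgroups. The directory entries below are constructed to mimic the shape of the managed-entry netgroup shown above (memberhost pointing at cn=ops,cn=hostgroups,...) but are not data from that server; the "-" placeholder for an empty triple simply mirrors the getent output quoted in the thread and is an assumption about how the resolver renders missing fields.

```python
"""Expand an IPA-style netgroup whose memberHost values name hostgroups into
per-host netgroup triples (host, user, nisdomain).

Every entry in DIRECTORY is constructed for illustration only.
"""
from typing import Dict, List, Optional, Set, Tuple

Entry = Dict[str, List[str]]
Triple = Tuple[str, str, str]

NETGROUP_DN = "cn=ops,cn=ng,cn=alt,dc=example,dc=com"
HOSTGROUP_DN = "cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com"

# Constructed directory snapshot keyed by lower-cased DN.
DIRECTORY: Dict[str, Entry] = {
    NETGROUP_DN: {
        "cn": ["ops"],
        "objectclass": ["ipanisnetgroup", "ipaobject", "mepManagedEntry", "ipaAssociation", "top"],
        "nisdomainname": ["example.com"],
        "memberhost": [HOSTGROUP_DN],          # a hostgroup, not a host
    },
    HOSTGROUP_DN: {
        "cn": ["ops"],
        "objectclass": ["ipahostgroup", "groupofnames", "top"],
        "member": [
            "fqdn=jump1.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com",
            "cn=ops-web,cn=hostgroups,cn=accounts,dc=example,dc=com",   # nested hostgroup
        ],
    },
    "cn=ops-web,cn=hostgroups,cn=accounts,dc=example,dc=com": {
        "cn": ["ops-web"],
        "objectclass": ["ipahostgroup", "groupofnames", "top"],
        "member": [
            "fqdn=web1.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com",
            HOSTGROUP_DN,                       # membership cycle back to the parent
        ],
    },
    "fqdn=jump1.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com": {
        "fqdn": ["jump1.ops.example.com"], "objectclass": ["ipahost", "top"],
    },
    "fqdn=web1.ops.example.com,cn=computers,cn=accounts,dc=example,dc=com": {
        "fqdn": ["web1.ops.example.com"], "objectclass": ["ipahost", "top"],
    },
}


def _lookup(dn: str) -> Entry:
    """Fetch an entry by DN; unknown DNs yield an empty entry."""
    return DIRECTORY.get(dn.lower(), {})


def _has_class(entry: Entry, objectclass: str) -> bool:
    return objectclass.lower() in (v.lower() for v in entry.get("objectclass", []))


def expand_hosts(dn: str, seen: Optional[Set[str]] = None) -> List[str]:
    """Return the FQDNs reachable from dn.

    A host DN yields its own fqdn; a hostgroup DN yields the hosts of all its
    members, recursively. The seen-set stops infinite recursion on cyclic
    hostgroup membership.
    """
    seen = set() if seen is None else seen
    key = dn.lower()
    if key in seen:
        return []
    seen.add(key)
    entry = _lookup(dn)
    if _has_class(entry, "ipahost"):
        return list(entry.get("fqdn", []))
    if _has_class(entry, "ipahostgroup"):
        hosts: List[str] = []
        for member in entry.get("member", []):
            hosts.extend(expand_hosts(member, seen))
        return hosts
    return []  # neither host nor hostgroup: contributes nothing


def netgroup_triples(dn: str, expand_hostgroups: bool = True) -> List[Triple]:
    """Build the (host, user, domain) triples for a netgroup.

    With expand_hostgroups=False only memberhost values that are themselves
    hosts count, which reproduces the empty "(-, -, domain)" result seen in
    the thread when the only member is a hostgroup.
    """
    entry = _lookup(dn)
    domain = entry.get("nisdomainname", ["-"])[0]
    hosts: List[str] = []
    for member in entry.get("memberhost", []):
        if expand_hostgroups:
            hosts.extend(expand_hosts(member))
        elif _has_class(_lookup(member), "ipahost"):
            hosts.extend(_lookup(member).get("fqdn", []))
    triples = sorted({(h, "-", domain) for h in hosts})
    return triples or [("-", "-", domain)]   # "-" placeholder as in the quoted getent output


def format_getent(name: str, triples: List[Triple]) -> str:
    """Render triples in the layout the thread's getent output uses."""
    return name + " " + " ".join("(%s, %s, %s)" % t for t in triples)


if __name__ == "__main__":
    print(format_getent("ops", netgroup_triples(NETGROUP_DN, expand_hostgroups=False)))
    print(format_getent("ops", netgroup_triples(NETGROUP_DN)))
```

Run stand-alone it prints the unexpanded "ops (-, -, example.com)" line first and then the expanded line with one triple per host, so the two lines side by side show exactly the difference the last message describes. The seen-set matters in practice: hostgroups may legitimately contain each other, and a resolver without cycle protection would loop rather than return a result.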