I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
#56 This is netgroups support itself
#57 IPA id provider which is utilizing previously added support of netgroup fetching
Thanks Jan
Jan Zelený jzeleny@redhat.com wrote:
I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
#56 This is netgroups support itself
#57 IPA id provider which is utilizing previously added support of netgroup fetching
I'm sending patches rebased so they apply on top of current multiple-search- bases patches. I'm aware that those will change and some changes will affect my patch #54-1, but other than that it should be fine.
Jan
On Wed, 2011-10-19 at 00:42 +0200, Jan Zeleny wrote:
Jan Zelený jzeleny@redhat.com wrote:
I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
#56 This is netgroups support itself
#57 IPA id provider which is utilizing previously added support of netgroup fetching
I'm sending patches rebased so they apply on top of current multiple-search- bases patches. I'm aware that those will change and some changes will affect my patch #54-1, but other than that it should be fine.
The multiple-search-base patches are now committed upstream. Would you please rebase these patches one more time and I'll get them reviewed.
Stephen Gallagher sgallagh@redhat.com wrote:
On Wed, 2011-10-19 at 00:42 +0200, Jan Zeleny wrote:
Jan Zelený jzeleny@redhat.com wrote:
I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
#56 This is netgroups support itself
#57 IPA id provider which is utilizing previously added support of netgroup fetching
I'm sending patches rebased so they apply on top of current multiple-search- bases patches. I'm aware that those will change and some changes will affect my patch #54-1, but other than that it should be fine.
The multiple-search-base patches are now committed upstream. Would you please rebase these patches one more time and I'll get them reviewed.
I'm sending rebased patches, this time also with support of externalHost attribute.
Jan
On Thu, 2011-11-03 at 23:22 +0100, Jan Zeleny wrote:
Stephen Gallagher sgallagh@redhat.com wrote:
On Wed, 2011-10-19 at 00:42 +0200, Jan Zeleny wrote:
Jan Zelený jzeleny@redhat.com wrote:
I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
Ack.
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
Nack.
Looks mostly good, except that when you added the new host search base option, you don't check it in the ipa_get_id_options() function. You need to make sure to set it appropriately and call sdap_parse_search_base().
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
Ack.
#56 This is netgroups support itself
Nack.
As a nitpick, I'd prefer if you used the label 'done' in ipa_get_netgroups_process() instead of 'fail', since it's possible to reach there in the ENOENT case (which is technically a success case).
Did you test this with any netgroups that have more than one member triple? Your use of sysdb_attrs_get_string() will return ERANGE if there is more than one of the requested attribute. You probably want to use sysdb_attrs_get_el() to verify whether there are any values there.
Nitpick: when you 'continue' if entities_found == 0, don't use the else block. Save yourself an indentation level.
Please don't use tmp_str for anything useful (like the sss_filter_sanitize() or the hash key). It's confusing to figure out which one you're sanitizing.
ipa_netgr_fetch_*() functions do not handle multiple search bases (or the associated filters).
get_host_search_base() should not be occurring in ipa_netgr_fetch_hosts(), it should be set up like users and netgroups in the ipa_get_id_options() function and capable of handling multiple search bases.
Would you please add more comments to ipa_netgr_members_process()? It's nicely generic, but that makes it tricky to follow.
Otherwise, I like the approach. Good work!
#57 IPA id provider which is utilizing previously added support of netgroup fetching
Ack
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
Nack.
Looks mostly good, except that when you added the new host search base option, you don't check it in the ipa_get_id_options() function. You need to make sure to set it appropriately and call sdap_parse_search_base().
That's why I was asking for thorough review. I was basing the design on your implementation of similar option in HBAC code and I wasn't sure it's the right design. As I understand it, you'd prefer to have multiple search bases support for this option available, correct?
I have no objections, but if I'm to rewrite this, I think we should do the same thing in HBAC code, shouldn't we?
Thanks Jan
On Mon, 2011-11-14 at 14:28 +0100, Jan Zelený wrote:
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
Nack.
Looks mostly good, except that when you added the new host search base option, you don't check it in the ipa_get_id_options() function. You need to make sure to set it appropriately and call sdap_parse_search_base().
That's why I was asking for thorough review. I was basing the design on your implementation of similar option in HBAC code and I wasn't sure it's the right design. As I understand it, you'd prefer to have multiple search bases support for this option available, correct?
I have no objections, but if I'm to rewrite this, I think we should do the same thing in HBAC code, shouldn't we?
You are of course completely right, and I missed that in my initial patches.
On Mon, 2011-11-14 at 14:28 +0100, Jan Zelený wrote:
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
Nack.
Looks mostly good, except that when you added the new host search base option, you don't check it in the ipa_get_id_options() function. You need to make sure to set it appropriately and call sdap_parse_search_base().
That's why I was asking for thorough review. I was basing the design on your implementation of similar option in HBAC code and I wasn't sure it's the right design. As I understand it, you'd prefer to have multiple search bases support for this option available, correct?
I have no objections, but if I'm to rewrite this, I think we should do the same thing in HBAC code, shouldn't we?
Pushed to master.
On Thu, 2011-11-03 at 23:22 +0100, Jan Zeleny wrote:
Stephen Gallagher sgallagh@redhat.com wrote:
On Wed, 2011-10-19 at 00:42 +0200, Jan Zeleny wrote:
Jan Zelený jzeleny@redhat.com wrote:
I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
Ack.
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
Nack.
Looks mostly good, except that when you added the new host search base option, you don't check it in the ipa_get_id_options() function. You need to make sure to set it appropriately and call sdap_parse_search_base().
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
Ack.
#56 This is netgroups support itself
Nack.
As a nitpick, I'd prefer if you used the label 'done' in ipa_get_netgroups_process() instead of 'fail', since it's possible to reach there in the ENOENT case (which is technically a success case).
Did you test this with any netgroups that have more than one member triple? Your use of sysdb_attrs_get_string() will return ERANGE if there is more than one of the requested attribute. You probably want to use sysdb_attrs_get_el() to verify whether there are any values there.
Nitpick: when you 'continue' if entities_found == 0, don't use the else block. Save yourself an indentation level.
Please don't use tmp_str for anything useful (like the sss_filter_sanitize() or the hash key). It's confusing to figure out which one you're sanitizing.
ipa_netgr_fetch_*() functions do not handle multiple search bases (or the associated filters).
get_host_search_base() should not be occurring in ipa_netgr_fetch_hosts(), it should be set up like users and netgroups in the ipa_get_id_options() function and capable of handling multiple search bases.
Would you please add more comments to ipa_netgr_members_process()? It's nicely generic, but that makes it tricky to follow.
Otherwise, I like the approach. Good work!
#57 IPA id provider which is utilizing previously added support of netgroup fetching
Ack
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
On Wed, 2011-11-16 at 14:11 +0100, Jan Zelený wrote:
On Thu, 2011-11-03 at 23:22 +0100, Jan Zeleny wrote:
Stephen Gallagher sgallagh@redhat.com wrote:
On Wed, 2011-10-19 at 00:42 +0200, Jan Zeleny wrote:
Jan Zelený jzeleny@redhat.com wrote:
I'm sending couple patches which add support for IPA netgroups:
#53 These routines were not static, so I renamed them in order to avoid confusion and possible collision with equivalent routines in IPA provider
Ack.
#54 Some new config options, please focus on this patch, I'm not entirely sure if my approach was the correct one.
Nack.
Looks mostly good, except that when you added the new host search base option, you don't check it in the ipa_get_id_options() function. You need to make sure to set it appropriately and call sdap_parse_search_base().
#55 This new context was necessary so I can pass ipa options to routine determining host search base.
Ack.
#56 This is netgroups support itself
Nack.
As a nitpick, I'd prefer if you used the label 'done' in ipa_get_netgroups_process() instead of 'fail', since it's possible to reach there in the ENOENT case (which is technically a success case).
Did you test this with any netgroups that have more than one member triple? Your use of sysdb_attrs_get_string() will return ERANGE if there is more than one of the requested attribute. You probably want to use sysdb_attrs_get_el() to verify whether there are any values there.
Nitpick: when you 'continue' if entities_found == 0, don't use the else block. Save yourself an indentation level.
Please don't use tmp_str for anything useful (like the sss_filter_sanitize() or the hash key). It's confusing to figure out which one you're sanitizing.
ipa_netgr_fetch_*() functions do not handle multiple search bases (or the associated filters).
get_host_search_base() should not be occurring in ipa_netgr_fetch_hosts(), it should be set up like users and netgroups in the ipa_get_id_options() function and capable of handling multiple search bases.
Would you please add more comments to ipa_netgr_members_process()? It's nicely generic, but that makes it tricky to follow.
Otherwise, I like the approach. Good work!
#57 IPA id provider which is utilizing previously added support of netgroup fetching
Ack
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
Ack to all six. Good work!
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with: getent netgroup <netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with: getent netgroup
<netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
That's odd, could you please send your config file and sanitized logs?
Thanks Jan
On Dec 8, 2011, at 12:04 AM, Jan Zelený wrote:
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with: getent netgroup
<netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
That's odd, could you please send your config file and sanitized logs?
Thanks Jan
[sssd] services = nss, pam config_file_version = 2 domains = example.com
[nss]
[pam]
[domain/expertcity.com] cache_credentials = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = opsecutil1.example.com chpass_provider = ipa ipa_server = authmgr1.example.com ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com ipa_hbac_refresh = 300
this is all that i get out of /var/log/sssd/sssd_nss.log with debug_level 8 when i tail -f and do a getent netgroup name:
(Wed Dec 7 10:40:14 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Dec 7 10:40:14 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Dec 7 10:40:14 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Wed Dec 7 10:40:14 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected! (Wed Dec 7 10:40:14 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Dec 7 10:40:14 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Dec 7 10:40:14 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Wed Dec 7 10:40:54 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected! (Wed Dec 7 10:40:54 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Dec 7 10:40:54 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Dec 7 10:40:54 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected! (Wed Dec 7 10:40:54 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected! (Wed Dec 7 10:40:54 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Wed Dec 7 10:40:54 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Wed Dec 7 10:40:54 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
On Dec 8, 2011, at 9:27 AM, JR Aquino wrote:
On Dec 8, 2011, at 12:04 AM, Jan Zelený wrote:
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with: getent netgroup
<netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
That's odd, could you please send your config file and sanitized logs?
Thanks Jan
[sssd] services = nss, pam config_file_version = 2 domains = example.com
[nss]
[pam]
[domain/example.com] cache_credentials = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = opsecutil1.example.com chpass_provider = ipa ipa_server = authmgr1.example.com ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com ipa_hbac_refresh = 300
this is all that i get out of /var/log/sssd/sssd_nss.log with debug_level 8 when i tail -f and do a getent netgroup name:
OK!
sgallagh found a utf bug and got it fixed...
Now my log look like this:
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected! (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Dec 8 14:02:05 2011) [sssd[nss]] [setnetgrent_send] (0x0100): Requesting info for netgroup [ops] from [<ALL>] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [ops@example.com] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0400): Returning info for netgroup [ops@example] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
And my CLI looks like this:
[root@opsecutil1.ops ~]# getent netgroup ops ops (-, -, example.com)
This ^ netgroup should be chalked FULL of hosts...
When I manually create a /Native/ netgroup and perform a look up, i DO get the results.
[root@authmgr1 ~]# ipa netgroup-add testing Description: test ------------------------ Added netgroup "testing" ------------------------ Netgroup name: testing Description: test NIS domain name: example.com IPA unique ID: f58247ee-21e8-11e1-b338-9c8e9927cab0
[root@authmgr1 ~]# ipa netgroup-add-member --hosts=jump1.ops.example.com testing Netgroup name: testing Description: test NIS domain name: example.com Member Host: jump1.ops.example.com ------------------------- Number of members added 1 -------------------------
[root@opsecutil1.ops ~]# getent netgroup testing testing (jump1.ops.example.com, -, example.com)
I think the problem is the sssd native support for netgroups + managed entries.
All of my netgroups are created via managed entries via hostgroups:
[root@authmgr1 ~]# ipa netgroup-find --all --raw ops --managed -------------------- 14 netgroups matched -------------------- dn: cn=ops,cn=ng,cn=alt,dc=example,dc=com cn: ops description: ipaNetgroup ops nisdomainname: example.com ipauniqueid: e9135d68-1ac7-11e1-971a-9c8e9927cab0 memberhost: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com mepmanagedby: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com objectclass: ipanisnetgroup objectclass: ipaobject objectclass: mepManagedEntry objectclass: ipaAssociation objectclass: top
On Dec 8, 2011, at 2:11 PM, Jr Aquino wrote:
On Dec 8, 2011, at 9:27 AM, JR Aquino wrote:
On Dec 8, 2011, at 12:04 AM, Jan Zelený wrote:
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with: getent netgroup
<netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
That's odd, could you please send your config file and sanitized logs?
Thanks Jan
[sssd] services = nss, pam config_file_version = 2 domains = example.com
[nss]
[pam]
[domain/example.com] cache_credentials = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = opsecutil1.example.com chpass_provider = ipa ipa_server = authmgr1.example.com ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com ipa_hbac_refresh = 300
this is all that i get out of /var/log/sssd/sssd_nss.log with debug_level 8 when i tail -f and do a getent netgroup name:
OK!
sgallagh found a utf bug and got it fixed...
Now my log look like this:
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected! (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Dec 8 14:02:05 2011) [sssd[nss]] [setnetgrent_send] (0x0100): Requesting info for netgroup [ops] from [<ALL>] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [ops@example.com] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0400): Returning info for netgroup [ops@example] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
And my CLI looks like this:
[root@opsecutil1.ops ~]# getent netgroup ops ops (-, -, example.com)
This ^ netgroup should be chalked FULL of hosts...
When I manually create a /Native/ netgroup and perform a look up, i DO get the results.
[root@authmgr1 ~]# ipa netgroup-add testing Description: test
Added netgroup "testing"
Netgroup name: testing Description: test NIS domain name: example.com IPA unique ID: f58247ee-21e8-11e1-b338-9c8e9927cab0
[root@authmgr1 ~]# ipa netgroup-add-member --hosts=jump1.ops.example.com testing Netgroup name: testing Description: test NIS domain name: example.com Member Host: jump1.ops.example.com
Number of members added 1
[root@opsecutil1.ops ~]# getent netgroup testing testing (jump1.ops.example.com, -, example.com)
I think the problem is the sssd native support for netgroups + managed entries.
All of my netgroups are created via managed entries via hostgroups:
[root@authmgr1 ~]# ipa netgroup-find --all --raw ops --managed
14 netgroups matched
dn: cn=ops,cn=ng,cn=alt,dc=example,dc=com cn: ops description: ipaNetgroup ops nisdomainname: example.com ipauniqueid: e9135d68-1ac7-11e1-971a-9c8e9927cab0 memberhost: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com mepmanagedby: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com objectclass: ipanisnetgroup objectclass: ipaobject objectclass: mepManagedEntry objectclass: ipaAssociation objectclass: top
After further inspection, I was able to get native netgroups to produce the same null entries if I added hostgroups to the netgroup.
It appears that sssd's native netgroup support, does not enumerate the contents of a member hostgroup contained inside of a netgroup. The desired result is that the netgroup should contain a netgroup triple per host in the hostgroup.
On Dec 8, 2011, at 2:11 PM, Jr Aquino wrote:
On Dec 8, 2011, at 9:27 AM, JR Aquino wrote:
On Dec 8, 2011, at 12:04 AM, Jan Zelený wrote:
I'm sending updated set of patches. All your comments were addressed, I also added man page updates and one modification to sdap_parse_search_base() which can be now used for at more places in IPA provider.
Thanks Jan
I am unable to get sssd to turn any netgroup over with: getent netgroup <netgroupname>
When I do a tcpdump, I don't see any attempt at communicating with the IPA server at all.
Am I missing some initiation value in the sssd.conf?
That's odd, could you please send your config file and sanitized logs?
Thanks Jan
[sssd] services = nss, pam config_file_version = 2 domains = example.com
[nss]
[pam]
[domain/example.com] cache_credentials = True ipa_domain = example.com id_provider = ipa auth_provider = ipa access_provider = ipa ipa_hostname = opsecutil1.example.com chpass_provider = ipa ipa_server = authmgr1.example.com ldap_netgroup_search_base = cn=ng,cn=compat,dc=example,dc=com ipa_hbac_refresh = 300
this is all that i get out of /var/log/sssd/sssd_nss.log with debug_level
8 when i tail -f and do a getent netgroup name:
OK!
sgallagh found a utf bug and got it fixed...
Now my log look like this:
(Thu Dec 8 14:02:05 2011) [sssd[nss]] [accept_fd_handler] (0x0100): Client connected! (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Received client version [1]. (Thu Dec 8 14:02:05 2011) [sssd[nss]] [sss_cmd_get_version] (0x0200): Offered version [1]. (Thu Dec 8 14:02:05 2011) [sssd[nss]] [setnetgrent_send] (0x0100): Requesting info for netgroup [ops] from [<ALL>] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0100): Requesting info for [ops@example.com] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [lookup_netgr_step] (0x0400): Returning info for netgroup [ops@example] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0100): Requesting netgroup data (Thu Dec 8 14:02:05 2011) [sssd[nss]] [nss_cmd_getnetgrent] (0x0400): Returning results for [ops] (Thu Dec 8 14:02:05 2011) [sssd[nss]] [client_recv] (0x0200): Client disconnected!
And my CLI looks like this:
[root@opsecutil1.ops ~]# getent netgroup ops ops (-, -, example.com)
This ^ netgroup should be chalked FULL of hosts...
When I manually create a /Native/ netgroup and perform a look up, i DO get the results.
[root@authmgr1 ~]# ipa netgroup-add testing Description: test
Added netgroup "testing"
Netgroup name: testing Description: test NIS domain name: example.com IPA unique ID: f58247ee-21e8-11e1-b338-9c8e9927cab0
[root@authmgr1 ~]# ipa netgroup-add-member --hosts=jump1.ops.example.com testing
Netgroup name: testing Description: test NIS domain name: example.com Member Host: jump1.ops.example.com
Number of members added 1
[root@opsecutil1.ops ~]# getent netgroup testing testing (jump1.ops.example.com, -, example.com)
I think the problem is the sssd native support for netgroups + managed entries.
All of my netgroups are created via managed entries via hostgroups:
[root@authmgr1 ~]# ipa netgroup-find --all --raw ops --managed
14 netgroups matched
dn: cn=ops,cn=ng,cn=alt,dc=example,dc=com cn: ops description: ipaNetgroup ops nisdomainname: example.com ipauniqueid: e9135d68-1ac7-11e1-971a-9c8e9927cab0 memberhost: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com mepmanagedby: cn=ops,cn=hostgroups,cn=accounts,dc=example,dc=com objectclass: ipanisnetgroup objectclass: ipaobject objectclass: mepManagedEntry objectclass: ipaAssociation objectclass: top
After further inspection, I was able to get native netgroups to produce the same null entries if I added hostgroups to the netgroup.
It appears that sssd's native netgroup support, does not enumerate the contents of a member hostgroup contained inside of a netgroup. The desired result is that the netgroup should contain a netgroup triple per host in the hostgroup.
Patch is on the list in a new thread. Thanks for catching this.
Jan
sssd-devel@lists.fedorahosted.org