In my opinion the whole rfc3704bis implementation of net groups is wonky.

This isn’t the only problem. Why is there a distinction between internal and external hosts? Suppose I add an external host to a net group, and later do ipa host-add for it. If the distinction actually matters I’d expect the system to turn the external host entry into an internal host entry. But it doesn’t.

In principle there’s a difference between blank and -, but the ipa implementation always produces - for missing user and host and blank for missing domain name.

I’d really rather see the system just store the triples rather than doing a complex mapping going in and out.
On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <jhrozek(a)redhat.com> wrote:
Pavel, does this sound like the bug you were looking at wrt sudo lately?
On Wed, Nov 08, 2017 at 09:46:25PM +0000, Charles Hedrick wrote:
> Netapp wants the domain field to be blank. That leaves us a problem that’s hard to solve.
>
> On Nov 8, 2017, at 4:41 PM, Charles Hedrick <hedrick@rutgers.edu> wrote:
>
> OK, I see what’s going on, but it looks like a bug.
>
> We mostly use net groups for hosts. In NIS our entries look like (hostname,,). You can put that into IPA by specifying NISdomain=, i.e. blank domain name. However if you do that, getent shows no entries. That is, entries with blank hostname are ignored. I claim this is a bug, since for a host entry there’s no reason to specify a domain.
>
> I also found that specifying
>
> ipa_netgroup_domain=cs.rutgers.edu
>
> causes no net groups to display, even ones whose domain is cs.rutgers.edu. This also looks like a bug.
>
> On Nov 8, 2017, at 3:53 PM, Charles Hedrick <hedrick@rutgers.edu> wrote:
>
> We want to move our net groups from NIS to IPA. I’ve loaded the groups. They’re visible on a system that uses nslcd pointed at the IPA server. But the systems that use SSSD for authentication don’t show anything. The net groups all show as undefined.
>
> I’ve turned on debugging and looked at the LDAP logs. It does the right quotes and the log says it extracts the members. But they don’t show up.
>
> Any idea where to look?
>
> _______________________________________________
> sssd-users mailing list -- sssd-users(a)lists.fedorahosted.org
> To unsubscribe send an email to sssd-users-leave(a)lists.fedorahosted.org
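The blank-versus-"-" distinction the thread turns on, as an added illustration that is not part of the mailing-list discussion or of any SSSD/IPA code: a small parser for NIS-style netgroup lines and an innetgr(3)-style matcher using the standard netgroup semantics (an empty field is a wildcard, "-" matches nothing, a query value of None means "not checked"). The `ipa_style` function mimics the mapping Charles describes (missing host/user stored as "-", missing domain left blank) to show how a host-only entry like (hostname,,) stops matching once a user is part of the lookup; the hostnames are constructed sample data.

```python
import re

# One NIS netgroup triple: (host,user,domain); any field may be empty or "-".
TRIPLE_RE = re.compile(r"\(\s*([^,()]*)\s*,\s*([^,()]*)\s*,\s*([^,()]*)\s*\)")

def parse_netgroup_line(line):
    """Parse 'name (h,u,d) ... nested ...' into (name, triples, nested group names)."""
    name, _, rest = line.strip().partition(" ")
    triples = [tuple(f.strip() for f in m.groups()) for m in TRIPLE_RE.finditer(rest)]
    nested = TRIPLE_RE.sub(" ", rest).split()   # whatever is not a triple is a group name
    return name, triples, nested

def load_netgroups(lines):
    """Build {group: (triples, nested)} from netgroup-file lines, skipping blanks/comments."""
    groups = {}
    for line in lines:
        if line.strip() and not line.lstrip().startswith("#"):
            name, triples, nested = parse_netgroup_line(line)
            groups[name] = (triples, nested)
    return groups

def field_matches(field, value):
    """Standard netgroup semantics: blank is a wildcard, '-' matches nothing,
    anything else must match exactly. A query value of None is not checked at all."""
    if value is None or field == "":
        return True
    if field == "-":
        return False
    return field == value

def innetgr(groups, group, host=None, user=None, domain=None, _seen=None):
    """innetgr(3)-style membership test; follows nested groups and guards against loops."""
    seen = set() if _seen is None else _seen
    if group in seen or group not in groups:
        return False
    seen.add(group)
    triples, nested = groups[group]
    for h, u, d in triples:
        if field_matches(h, host) and field_matches(u, user) and field_matches(d, domain):
            return True
    return any(innetgr(groups, n, host, user, domain, seen) for n in nested)

def ipa_style(groups):
    """Apply the mapping the thread describes (missing host/user become '-', missing
    domain stays blank). Constructed to show the effect; this is not IPA's own code."""
    return {name: ([(h or "-", u or "-", d) for h, u, d in triples], nested)
            for name, (triples, nested) in groups.items()}

# Constructed sample in NIS netgroup-file format, modelled on the (hostname,,) entries above.
SAMPLE = """
cshosts  (host1.cs.rutgers.edu,,) (host2.cs.rutgers.edu,-,)
csdomain (host3.cs.rutgers.edu,,cs.rutgers.edu)
allhosts cshosts csdomain
""".splitlines()
NIS = load_netgroups(SAMPLE)   # as NIS stores the triples
IPA = ipa_style(NIS)           # after the thread's blank -> '-' mapping
```

With the original triples, host1 is a member of cshosts whether or not a user is part of the query; after the mapping, the same lookup with a user fails because "-" in the user field matches nothing.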