Sure. We use netgroups for /etc/exports. The most natural format for triples is

(host,,)

That’s the format Netapp documents. By default, ipa netgroup-add-member uses

(host,-,domain)

where domain seems to come from our Kerberos domain. Netapp documentation requests leaving that field blank, though some documentation suggests that if it’s filled in, they will ignore triples where the domain doesn’t match the Netapp’s domain. We are no longer using NIS, so as far as we know, the Netapp doesn’t have a NIS domain. I think it’s safest to leave the field blank.

I can do this in IPA. --nisdomain= will leave it blank. That results in

(host,-,)

That works with the Netapp. (I haven’t actually tried putting a domain in.)

Unfortunately it won’t work with sssd, because sssd won’t show any triples if the nisdomain isn’t set for that net group.

In general I don’t understand why IPA and sssd are using a nonstandard representation of net groups. Why not just a collection of triples and subgroups? As far as I can see RFC 2307bis has the same schema for net groups as RFC 2307. https://tools.ietf.org/html/draft-howard-rfc2307bis-02. Is there a later version of RFC 2307bis that I haven’t been able to find? Draft 2 is the latest at tools.ietf.org.

   ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
         DESC 'Abstraction of a netgroup. May refer to other
               netgroups'
         MUST cn
         MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

The representation used by IPA seems to be non-standard. I’d expect IPA and sssd to allow me to add any triple I want that’s valid in a normal net group file.

One problem with the IPA representation is that there are no actual triples. There’s a list of hosts, a list of users, and a domain. Not all triples can be represented that way. Something like

(host1, user1,)
(host2, user2,)

has to be represented by a user list of user1, user2 and a host list of host1, host2. But the pairing isn’t always well defined. E.g. I added to that group an external host3 and an internal user3. I ended up with

(host3, user1,)
(host1, user2,)
(host2, user3,)

I don’t know whether there are applications that use the pairing of hosts and users, but the original design was intended to support that. With IPA it’s dangerous, because I have to know just how IPA generates the triples from the entries.

Is there a way to get the RFC-defined behavior from IPA and SSSD?

We don’t actually have a use case for pairing. We just need a host list. So for the moment the plan is to add hosts with nisdomain=, and use nslcd in nsswitch.conf for net groups on the Linux systems that are NFS servers.

I don’t have any specific use case for distinguishing between space and -. But the spec says they mean something different. I don’t know why you would adopt a representation that doesn’t allow for every valid triple.


On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrezina@redhat.com> wrote:

Can you send us some example of what you are trying to achieve and what does not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash and somewhere blanks.
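The following is an added example, not code from this thread, from IPA, or from SSSD. It makes two points from the mail concrete: how a netgroup triple is matched (per netgroup(5) and innetgr(3), an empty field is a wildcard, a "-" field matches nothing, and an argument the caller does not supply is not checked), and why a flat host-list/user-list/nisdomain representation cannot encode every valid triple. The flattening model is an assumption that reproduces only the behaviour the mail describes (an empty user list comes back as "-"), not IPA's actual algorithm; the triples used are constructed for the demonstration.

```python
"""NIS netgroup triples versus a flattened host-list/user-list/domain form.

Added example; not IPA, SSSD or mail-thread code.  Matching semantics follow
netgroup(5)/innetgr(3).  The flatten()/expand() model is an assumption that
mimics the representation described in the mail, not IPA's real algorithm.
"""
import re

# (host,user,domain) with optional whitespace; any field may be empty or "-".
TRIPLE_RE = re.compile(r"^\(\s*([^,]*?)\s*,\s*([^,]*?)\s*,\s*([^,)]*?)\s*\)$")


def parse_triple(text):
    """Parse '(host,user,domain)' into a (host, user, domain) tuple of strings."""
    m = TRIPLE_RE.match(text.strip())
    if not m:
        raise ValueError("not a netgroup triple: %r" % text)
    return m.groups()


def format_triple(triple):
    """Render a tuple back into the text form used in netgroup files."""
    return "(%s,%s,%s)" % triple


def field_matches(pattern, value):
    """One field of a triple: '' is a wildcard, '-' matches nothing, else exact."""
    if pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == value


def netgroup_matches(triples, host=None, user=None, domain=None):
    """innetgr(3)-style membership test; a None argument is not checked at all.

    An NFS server checking an export list passes only host (and maybe domain),
    so the user field of the triple never matters for that lookup.
    """
    for h, u, d in triples:
        if host is not None and not field_matches(h, host):
            continue
        if user is not None and not field_matches(u, user):
            continue
        if domain is not None and not field_matches(d, domain):
            continue
        return True
    return False


def flatten(triples):
    """Reduce triples to (hosts, users, nisdomain), as a list-based store would.

    Assumption: '' and '-' are not stored as list members, and the store keeps a
    single nisdomain per netgroup, so mixed domains cannot be represented.
    """
    hosts, users, domains = [], [], set()
    for h, u, d in triples:
        if h not in ("", "-") and h not in hosts:
            hosts.append(h)
        if u not in ("", "-") and u not in users:
            users.append(u)
        domains.add(d)
    if len(domains) != 1:
        raise ValueError("one nisdomain per netgroup; got %r" % sorted(domains))
    return hosts, users, domains.pop()


def expand(hosts, users, domain):
    """Regenerate triples from the flat form: every host with every user,
    and an empty list rendered as '-' (the behaviour the mail reports)."""
    return {(h, u, domain) for h in (hosts or ["-"]) for u in (users or ["-"])}


def is_lossless(triples):
    """True only if flattening and re-expanding gives back exactly these triples."""
    return expand(*flatten(triples)) == set(triples)


if __name__ == "__main__":
    # Constructed sample netgroups for the demonstration.
    paired = [parse_triple("(host1, user1,)"), parse_triple("(host2, user2,)")]
    host_only = [parse_triple("(host1,-,)"), parse_triple("(host2,-,)")]
    wildcard_user = [parse_triple("(host,,)")]
    for name, ng in [("paired", paired), ("host_only", host_only),
                     ("wildcard_user", wildcard_user)]:
        regenerated = sorted(format_triple(t) for t in expand(*flatten(ng)))
        print(name, "lossless" if is_lossless(ng) else "LOSSY", regenerated)
    print("host1 in paired (host check only):", netgroup_matches(paired, host="host1"))
    print("host1/user2 in paired:", netgroup_matches(paired, host="host1", user="user2"))
```

Running it shows the host-only netgroup surviving the round trip, while both the paired netgroup and the single (host,,) triple come back as something else: the pairing turns into a full cross product, and the blank user field turns into "-", which is exactly the blank-versus-dash distinction the mail says the flat form cannot express.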