Sure. We use netgroups for /etc/exports. The most natural format for triples is

(host,,)

That’s the format Netapp documents. By default, ipa netgroup-add-member uses

(host,-,domain)

where domain seems to come from our Kerberos domain. Netapp documentation 
requests leaving that field blank, though some documentation suggests that if 
it’s filled in, they will ignore triples where the domain doesn’t match the 
Netapp’s domain. We are no longer using NIS, so as far as we know, the Netapp 
doesn’t have a NIS domain. I think it’s safest to leave the field blank.

I can do this in IPA. --nisdomain= will leave it blank. That results in

(host,-,)

That works with the Netapp. (I haven’t actually tried putting a domain in.)

Unfortunately it won’t work with sssd, because sssd won’t show any triples if 
the nisdomain isn’t set for that netgroup.

In general I don’t understand why IPA and sssd are using a nonstandard 
representation of netgroups. Why not just a collection of triples and 
subgroups? As far as I can see RFC 2307bis has the same schema for netgroups 
as RFC 2307. https://tools.ietf.org/html/draft-howard-rfc2307bis-02. Is there a 
later version of RFC 2307bis that I haven’t been able to find? Draft 2 is the 
latest at tools.ietf.org.

   ( 1.3.6.1.1.1.2.8 NAME 'nisNetgroup' SUP top STRUCTURAL
         DESC 'Abstraction of a netgroup. May refer to other
               netgroups'
         MUST cn
         MAY ( nisNetgroupTriple $ memberNisNetgroup $ description ) )

The representation used by IPA seems to be non-standard. I’d expect IPA and 
sssd to allow me to add any triple I want that’s valid in a normal netgroup 
file.

One problem with the IPA representation is that there are no actual triples. 
There’s a list of hosts, a list of users, and a domain. Not all triples can be 
represented that way. Something like

(host1, user1,)
(host2, user2,)

has to be represented by a user list of user1, user2 and a host list of host1, 
host2. But the pairing isn’t always well defined. E.g. I added to that group an 
external host3 and an internal user3. I ended up with

(host3, user1,)
(host1, user2,)
(host2, user3,)

I don’t know whether there are applications that use the pairing of hosts and 
users, but the original design was intended to support that. With IPA it’s 
dangerous, because I have to know just how IPA generates the triples from the 
entries.

Is there a way to get the RFC-defined behavior from IPA and SSSD?

We don’t actually have a use case for pairing. We just need a host list. So 
for the moment the plan is to add hosts with nisdomain=, and use nslcd in 
nsswitch.conf for netgroups on the Linux systems that are NFS servers.

I don’t have any specific use case for distinguishing between space and -. But 
the spec says they mean something different. I don’t know why you would adopt a 
representation that doesn’t allow for every valid triple.


On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrez...@redhat.com> wrote:

Can you send us some example of what you are trying to achieve and what does 
not work? I'm also ccing Alexander Bokovoy to see why IPA adds somewhere dash 
and somewhere blanks.

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org
To unsubscribe send an email to sssd-users-le...@lists.fedorahosted.org
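As an added example (not code from the original message, and not from IPA, SSSD or NetApp), here is a small Python model of the triple semantics discussed in the thread: it parses nisNetgroupTriple values as they would appear on an LDAP entry, applies netgroup(5) matching where an empty field is a wildcard and "-" matches nothing, and checks whether an explicit set of triples can be expressed as one host list, one user list and one domain, which is the representation the message describes. The cross-product check is a model of that representation, not IPA's actual triple-generation logic; the hostnames and usernames are constructed.

```python
"""Model of RFC 2307 netgroup triples: parsing, netgroup(5) matching, and
the "host list x user list x domain" representation described in the thread.
All names below (host1, user1, nfsclient, ...) are constructed sample data."""
import re
from itertools import product

# "(host,user,domain)"; each field may be empty, "-" or a plain name.
TRIPLE_RE = re.compile(r"^\(([^,()]*),([^,()]*),([^,()]*)\)$")


def parse_triple(text):
    """Parse one nisNetgroupTriple value such as '(host1,user1,)' into a 3-tuple.
    Empty fields are kept as '' so that '' and '-' stay distinguishable."""
    m = TRIPLE_RE.match(text.strip().replace(" ", ""))
    if not m:
        raise ValueError(f"not a netgroup triple: {text!r}")
    return m.groups()


def parse_netgroup(values):
    """Parse all nisNetgroupTriple values of one entry into a set of tuples."""
    return {parse_triple(v) for v in values}


def field_matches(field, value):
    """netgroup(5) semantics for a single field: an empty field is a wildcard,
    '-' matches nothing.  A query value of None means 'do not check this
    field', the way innetgr(3) treats a NULL argument (assumption: glibc)."""
    if value is None:
        return True
    if field == "":
        return True
    if field == "-":
        return False
    return field == value


def in_netgroup(triples, host=None, user=None, domain=None):
    """True if any triple in the set admits the (host, user, domain) query."""
    return any(
        field_matches(h, host) and field_matches(u, user) and field_matches(d, domain)
        for (h, u, d) in triples
    )


def as_host_user_lists(triples):
    """Try to express an explicit triple set as one host list, one user list
    and one domain, i.e. the representation the thread describes, where every
    (host, user) combination is implied.  Returns (hosts, users, domain), or
    None when the set is not a full cross product (for example when specific
    hosts are paired with specific users)."""
    triples = set(triples)
    if not triples:
        return None
    domains = {d for _, _, d in triples}
    if len(domains) != 1:           # that representation has a single nisdomain
        return None
    (domain,) = domains
    hosts = sorted({h for h, _, _ in triples})
    users = sorted({u for _, u, _ in triples})
    implied = {(h, u, domain) for h, u in product(hosts, users)}
    if implied != triples:          # pairing information would be lost
        return None
    return hosts, users, domain


if __name__ == "__main__":
    host_only = parse_netgroup(["(host1,,)", "(host2,,)"])
    print("host list only:", as_host_user_lists(host_only))
    paired = parse_netgroup(["(host1,user1,)", "(host2,user2,)"])
    print("paired triples:", as_host_user_lists(paired))
    print("(nfsclient,,)  admits alice:", in_netgroup(parse_netgroup(["(nfsclient,,)"]), "nfsclient", "alice"))
    print("(nfsclient,-,) admits alice:", in_netgroup(parse_netgroup(["(nfsclient,-,)"]), "nfsclient", "alice"))
```

Running it shows the two points made in the message: the pure host list `(host1,,) (host2,,)` round-trips through the host-list/user-list form, while the paired set `(host1,user1,) (host2,user2,)` does not, because the product of its host and user lists would also imply `(host1,user2,)` and `(host2,user1,)`; and `(nfsclient,,)` matches any user while `(nfsclient,-,)` matches none, so the blank and the dash are not interchangeable for a consumer that checks the user field.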
