The netapp is using LDAP with RFC2307 for all name service. That includes users, groups, and netgroups.

What they are asking for is for LDAP to implement netgroup.byhost. It appears that AD does this. As far as I can tell, they are looking for nisMapName=netgroup.byhost accessed via LDAP. I hadn’t thought about asking IPA to emulate NIS. If that would efficiently implement the netgroup.byhost NIS map, maybe it’s the way to go. We don’t currently have NIS enabled for the netapp. We’re using RFC2307 for users and groups. Netapp supports ns-switch, so it sounds like we could use NIS for just netgroups. Is that what you’d suggest?

> On Nov 13, 2017, at 12:15 PM, Alexander Bokovoy <aboko...@redhat.com> wrote:
>
> On ma, 13 marras 2017, Charles Hedrick wrote:
>> While we’re on this subject, it would be useful for IPA to support
>> netgroup.byhost. That would give significant advantages with Netapp. If
>> that is supported, Netapp will look up the netgroups for a host every
>> time a mount is done. Without it, they consider that reloading the
>> whole netgroup file is too inefficient, so they depend upon a cache
>> whose normal TTL is a day.
> I'm confused here.
>
> We have:
> - LDAP: native netgroups in IPA, used by SSSD IPA provider directly
> - LDAP: compatibility tree that exposes native IPA netgroups as RFC2307bis
>   objects with no way to set blank nisDomainName right now
> - NIS protocol: NIS triplets generated based on the compat tree
>   netgroups.
>
> The latter provides three netgroup maps:
> - netgroup
> - netgroup.byhost
> - netgroup.byuser
>
> They already exist but both netgroup.byhost and netgroup.byuser are
> not utilized by glibc, so they may have regressed (I see them defined in
> the code).
>
> Which of the implementations do you use? Did you configure your Netapp
> filer to look up LDAP in cn=ng,cn=compat,$SUFFIX or is it using NIS
> protocol?
>
>>
>>
>>> On Nov 13, 2017, at 4:25 AM, Pavel Březina <pbrez...@redhat.com> wrote:
>>>
>>> On 11/08/2017 11:47 PM, Charles Hedrick wrote:
>>>> In my opinion the whole rfc3704bis implementation of netgroups is wonky.
>>>>
>>>> This isn’t the only problem. Why is there a distinction between internal
>>>> and external hosts? Suppose I add an external host to a netgroup, and
>>>> later do ipa host-add for it. If the distinction actually matters I’d
>>>> expect the system to turn the external host entry into an internal host
>>>> entry. But it doesn’t.
>>>>
>>>> In principle there’s a difference between blank and -, but the ipa
>>>> implementation always produces - for missing user and host and blank for
>>>> missing domain name.
>>>>
>>>> I’d really rather see the system just store the triples rather than doing
>>>> a complex mapping going in and out.
>>>>
>>>>
>>>>> On Nov 8, 2017, at 5:08 PM, Jakub Hrozek <jhro...@redhat.com> wrote:
>>>>>
>>>>> Pavel, does this sound like the bug you were looking at wrt sudo lately?
>>>>>
>>>>> On Wed, Nov 08, 2017 at 09:46:25PM +0000, Charles Hedrick wrote:
>>>>>> Netapp wants the domain field to be blank. That leaves us a problem
>>>>>> that’s hard to solve.
>>>>>>
>>>>>> On Nov 8, 2017, at 4:41 PM, Charles Hedrick
>>>>>> <hedr...@rutgers.edu> wrote:
>>>>>>
>>>>>> OK, I see what’s going on, but it looks like a bug.
>>>>>>
>>>>>> We mostly use netgroups for hosts. In NIS our entries look like
>>>>>> (hostname,,) You can put that into IPA by specifying NISdomain=, i.e.
>>>>>> blank domain name. However if you do that, getent shows no entries. That
>>>>>> is, entries with blank hostname are ignored. I claim this is a bug,
>>>>>> since for a host entry there’s no reason to specify a domain.
>>>>>>
>>>>>> I also found that specifying
>>>>>>
>>>>>> ipa_netgroup_domain=cs.rutgers.edu
>>>>>>
>>>>>> causes no netgroups to display, even ones whose domain is
>>>>>> cs.rutgers.edu.
>>>>>> This also looks like a bug.
>>>>>>
>>>>>> On Nov 8, 2017, at 3:53 PM, Charles Hedrick
>>>>>> <hedr...@rutgers.edu> wrote:
>>>>>>
>>>>>> We want to move our netgroups from NIS to IPA. I’ve loaded the groups.
>>>>>> They’re visible on a system that uses nslcd pointed at the IPA server.
>>>>>> But the systems that use SSSD for authentication don’t show anything.
>>>>>> The netgroups all show as undefined.
>>>>>>
>>>>>> I’ve turned on debugging and looked at the LDAP logs. It does the right
>>>>>> quotes and the log says it extracts the members. But they don’t show up.
>>>>>>
>>>>>> Any idea where to look?
>>>
>>> Can you send us some example of what you are trying to achieve and what
>>> does not work? I'm also ccing Alexander Bokovoy to see why IPA adds
>>> somewhere dash and somewhere blanks.
>>>
>>
>
> --
> / Alexander Bokovoy

_______________________________________________
sssd-users mailing list -- sssd-users@lists.fedorahosted.org