Date: Thu, 10 Dec 2015 12:16:21 -0800
From: Mark Johnston
To: James Craig
Cc: freebsd-net@freebsd.org
Subject: Re: Netgroups in FreeBSD10
Message-ID: <20151210201621.GC34692@wkstn-mjohnston.west.isilon.com>

On Thu, Dec 10, 2015 at 10:58:11AM -0500, James Craig wrote:
> Hey all!
>
> I am migrating some of our services to FreeBSD, and in the process of this,
> I have discovered something that seems odd to me; netgroups don't seem to work
> as expected.
>
> I am trying to set up a machine that will eventually be a file server
> (running 10.2-RELEASE) and getent netgroup doesn't return anything,
> even if it is a valid name.
>
> We have been using OpenLDAP, and on the old Solaris server, I was able to
> query netgroups for information, and use netgroups to limit some access to NFS.
>
> getent passwd, and other lookups seem to work fine.
>
> I had truss running on the LDAP server, and when I try to
> getent netgroup there is no action. So I ran a truss on the getent on
> the FreeBSD machine, and sifting through the system calls the system will only
> search the file /etc/netgroup (which is empty), despite that
> my /etc/nsswitch.conf looks like this:

Unfortunately, the NSS documentation is wrong: the netgroup database isn't
implemented. The netgroup NSS methods always read /etc/netgroup and ignore
the sources configured in /etc/nsswitch.conf.

I have a libc patch (missing man page updates) that fixes this:

https://people.freebsd.org/~markj/patches/netgroup_nss.diff

It also adds a getnetgrent_r() implementation. If you're able to rebuild
libc in your environment, this patch should fix the problem you're
encountering - please let me know if it doesn't!
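
A check for the situation in this thread, as an added example that is not part of either message or of the patch: it reports netgroup sources in nsswitch.conf that, per the reply, an unpatched libc never consults, so netgroup-based NFS restrictions can be verified before relying on them. The function names and sample files are constructed for illustration; treating "compat" as a local-file source is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread). Flags netgroup sources in nsswitch.conf
# that, per the reply above, an unpatched libc never consults.

# Sources on the "netgroup:" line, one per line; comments and
# [STATUS=action] criteria are stripped first.
netgroup_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*]//g' "$1" |
    awk '/^[ \t]*netgroup:/ {
        sub(/^[ \t]*netgroup:/, "")
        for (i = 1; i <= NF; i++) print $i
    }'
}

# Number of lines in a netgroup file that are neither blank nor comments.
netgroup_entries() {
    [ -r "$1" ] || { echo 0; return 0; }
    awk '!/^[ \t]*(#|$)/ { n++ } END { print n + 0 }' "$1"
}

# Usage: audit_netgroup NSSWITCH_CONF NETGROUP_FILE
# Returns 1 and names the sources when anything other than the local file is
# configured. Treating "compat" as local-file based is an assumption.
audit_netgroup() {
    ignored=
    for src in $(netgroup_sources "$1"); do
        case $src in
            files|compat) ;;
            *) ignored="$ignored $src" ;;
        esac
    done
    entries=$(netgroup_entries "$2")
    if [ -n "$ignored" ]; then
        echo "IGNORED:$ignored (local file has $entries entries)"
        return 1
    fi
    echo "OK: local file only ($entries entries)"
}

# Constructed sample input, written to a scratch directory.
demo() {
    d=$(mktemp -d) || return 1
    printf 'passwd: files ldap\nnetgroup: files [NOTFOUND=continue] ldap # constructed\n' > "$d/nsswitch.conf"
    printf '# constructed: no entries, as in the report\n' > "$d/netgroup"
    audit_netgroup "$d/nsswitch.conf" "$d/netgroup"
    rc=$?
    rm -rf "$d"
    return $rc
}
demo || true
```

On a real host the call would be `audit_netgroup /etc/nsswitch.conf /etc/netgroup`; a non-zero exit on an unpatched system means the listed directory sources are not being queried for netgroups.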