Date:      Fri, 11 Dec 2015 11:39:15 -0800
From:      Mark Johnston <markj@FreeBSD.org>
To:        James Craig <jmc@cs.rit.edu>
Cc:        freebsd-net@freebsd.org
Subject:   Re: Netgroups in FreeBSD10
Message-ID:  <20151211193915.GC98922@wkstn-mjohnston.west.isilon.com>
In-Reply-To: <alpine.DEB.2.10.1512110942340.5564@starfury.cs.rit.edu>
References:  <alpine.DEB.2.10.1512101051380.30539@starfury.cs.rit.edu> <20151210201621.GC34692@wkstn-mjohnston.west.isilon.com> <alpine.DEB.2.10.1512110942340.5564@starfury.cs.rit.edu>

On Fri, Dec 11, 2015 at 10:16:50AM -0500, James Craig wrote:
> On Thu, 10 Dec 2015, Mark Johnston wrote:
> 
> > On Thu, Dec 10, 2015 at 10:58:11AM -0500, James Craig wrote:
> >>
> >>
> >> Hey all!
> >>
> >> I am migrating some of our services to FreeBSD, and in the process of this,
> >> I have discovered something that seems odd to me; netgroups don't seem to work
> >> as expected.
> >>
> >> I am trying to set up a machine that will eventually be a file server
> >> (running 10.2-RELEASE) and getent netgroup <name> doesn't return anything,
> >> even if it is a valid name.
> >>
> >> We have been using OpenLDAP, and on the old Solaris server, I was able to
> >> query netgroups for information, and use netgroups to limit some access to NFS.
> >>
> >> getent passwd, and other lookups seem to work fine.
> >>
> >>
> >> I had truss running on the ldap server, and when I try to
> >> getent netgroup <name> there is no action. So I ran a truss on the getent on
> >> the FreeBSD machine, and sifting through the system calls the system will only
> >> search the file /etc/netgroup (which is empty), despite that
> >> my /etc/nsswitch.conf looks like this:
> >
> > Unfortunately, the NSS documentation is wrong: the netgroup database isn't
> > implemented. The netgroup NSS methods always read /etc/netgroup and
> > ignore the sources configured in /etc/nsswitch.conf.
> 
>  	I am glad I wasn't screwing up; thanks for the insight.
> 
>  	Since this note I have also discovered that trying to use netgroups
>  	in login.access fails because I am not using NIS -- regardless of
>  	the /etc/netgroup file being populated.

Yes, it looks like the system needs to belong to an NIS domain
containing the specified netgroups in order for login.access support to
work.

> 
>  	Is this something that will get implemented? (where would I go to
>  	find out?)

It's not really clear what "this" is. :)
If you want to be able to specify an NIS domain in login.access, some
syntax for doing so would need to be proposed. A bugzilla PR would be
the way to do so: https://bugs.freebsd.org

You can search for existing PRs to see if something similar has already
been submitted.

> 
> > I have a libc patch (missing man page updates) that fixes this:
> > https://people.freebsd.org/~markj/patches/netgroup_nss.diff
> > It also adds a getnetgrent_r() implementation. If you're able to rebuild
> > libc in your environment, this patch should fix the problem you're
> > encountering - please let me know if it doesn't!
> 
>  	I'll be honest; I have never done that before, so I am not sure
>  	what it will take, or what the ramifications on the system would
>  	be.
> 
>  	I can look into it. (pointers would be appreciated, if there are any)

I'll send some instructions in a separate mail.
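Since the unpatched 10.x lookup only ever consults /etc/netgroup, the practical check before relying on a netgroup for NFS exports or login.access is to see what that file actually grants. The following is an added example (not code from this thread or from FreeBSD's libc): a small Python parser for the /etc/netgroup format with innetgr(3)-style matching, run over a constructed sample file.

```python
"""Parse an /etc/netgroup file and test membership innetgr(3)-style.
Constructed example, not FreeBSD libc code: in a (host,user,domain)
triple an empty field is a wildcard and '-' matches nothing."""
import re
from typing import Dict, Iterator, List, Optional, Tuple
TRIPLE_RE = re.compile(r"\(([^,)]*),([^,)]*),([^,)]*)\)")

def parse_netgroup(text: str) -> Dict[str, List[str]]:
    """Map netgroup name -> member tokens (triples or nested group names).
    Handles '#' comments and backslash line continuations."""
    groups: Dict[str, List[str]] = {}
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            rest = parts[1] if len(parts) > 1 else ""
            groups.setdefault(parts[0], []).extend(re.findall(r"\([^)]*\)|\S+", rest))
    return groups

def expand(groups, name: str, seen=None) -> Iterator[Tuple[str, str, str]]:
    """Yield every triple of `name`, following nested groups; cycles are skipped."""
    seen = set() if seen is None else seen
    if name in seen:
        return
    seen.add(name)
    for tok in groups.get(name, []):
        m = TRIPLE_RE.fullmatch(tok)
        if m:
            yield tuple(f.strip() for f in m.groups())
        else:
            yield from expand(groups, tok, seen)

def _field_matches(pattern: str, value: Optional[str]) -> bool:
    if value is None or pattern == "":  # caller doesn't care, or wildcard
        return True
    return pattern != "-" and pattern == value  # '-' never matches

def innetgr(groups, name, host=None, user=None, domain=None) -> bool:
    """True if some triple of netgroup `name` matches (host, user, domain)."""
    return any(_field_matches(h, host) and _field_matches(u, user)
               and _field_matches(d, domain) for h, u, d in expand(groups, name))

SAMPLE = """\
# constructed sample file, not taken from the thread
nfsclients (fs1.example.org,,) \\
           (fs2.example.org,,)
admins     (,alice,) (,bob,)
trusted    nfsclients admins (-,carol,)
"""
NETGROUPS = parse_netgroup(SAMPLE)
```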
