From owner-freebsd-net@freebsd.org Fri Dec 11 19:37:22 2015
Date: Fri, 11 Dec 2015 11:39:15 -0800
From: Mark Johnston
To: James Craig
Cc: freebsd-net@freebsd.org
Subject: Re: Netgroups in FreeBSD10
Message-ID: <20151211193915.GC98922@wkstn-mjohnston.west.isilon.com>
References: <20151210201621.GC34692@wkstn-mjohnston.west.isilon.com>
List-Id: Networking and TCP/IP with FreeBSD
User-Agent: Mutt/1.5.24 (2015-08-30)

On Fri, Dec 11, 2015 at 10:16:50AM -0500, James Craig wrote:
> On Thu, 10 Dec 2015, Mark Johnston wrote:
>
> > On Thu, Dec 10, 2015 at 10:58:11AM -0500, James Craig wrote:
> >>
> >> Hey all!
> >>
> >> I am migrating some of our services to FreeBSD, and in the process of this,
> >> I have discovered something that seems odd to me; netgroups don't seem to work
> >> as expected.
> >>
> >> I am trying to set up a machine that will eventually be a file server
> >> (running 10.2-RELEASE) and getent netgroup doesn't return anything,
> >> even if it is a valid name.
> >>
> >> We have been using openldap, and on the old Solaris server, I was able to
> >> query netgroups for information, and use netgroups to limit some access to NFS.
> >>
> >> getent passwd, and other lookups seem to work fine.
> >>
> >> I had truss running on the ldap server, and when I try to
> >> getent netgroup there is no action. So I ran a truss on the getent on
> >> the FreeBSD machine, and sifting through the system calls the system will only
> >> search the file /etc/netgroup (which is empty), despite that
> >> my /etc/nsswitch.conf looks like this:
> >
> > Unfortunately, the NSS documentation is wrong: the netgroup database isn't
> > implemented. The netgroup NSS methods always read /etc/netgroup and
> > ignore the sources configured in /etc/nsswitch.conf.
>
> I am glad I wasn't screwing up; thanks for the insight.
>
> Since this note I have also discovered that trying to use netgroups
> in login.access fails because I am not using NIS -- regardless of
> the /etc/netgroup file being populated.

Yes, it looks like the system needs to belong to an NIS domain containing
the specified netgroups in order for login.access support to work.

> Is this something that will get implemented? (where would I go to
> find out?)

It's not really clear what "this" is. :) If you want to be able to specify
an NIS domain in login.access, some syntax for doing so would need to be
proposed. A bugzilla PR would be the way to do so: https://bugs.freebsd.org
You can search for existing PRs to see if something similar has already
been submitted.

> > I have a libc patch (missing man page updates) that fixes this:
> > https://people.freebsd.org/~markj/patches/netgroup_nss.diff
> > It also adds a getnetgrent_r() implementation. If you're able to rebuild
> > libc in your environment, this patch should fix the problem you're
> > encountering - please let me know if it doesn't!
>
> I'll be honest; I have never done that before, so I am not sure
> what it will take, or what the ramifications on the system would
> be.
>
> I can look into it. (pointers would be appreciated, if there are any)

I'll send some instructions in a separate mail.
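An added example that is not part of the thread or of the patch it mentions: a small POSIX shell diagnostic for the situation described above. It works on constructed stand-ins for /etc/nsswitch.conf and /etc/netgroup, reports which configured netgroup sources an unpatched 10.x libc silently ignores (so an NFS export or login.access rule keyed on a netgroup is only ever checked against the files source), and expands nested netgroups the way a working lookup over the files source would. The function names and the sample data are assumptions.

```shell
# Added example (not from the thread). Uses constructed stand-ins for
# /etc/nsswitch.conf and /etc/netgroup so it runs without LDAP or NIS.
NSS_CONF=$(mktemp)   # constructed nsswitch.conf
NG_FILE=$(mktemp)    # constructed netgroup file
trap 'rm -f "$NSS_CONF" "$NG_FILE"' EXIT

cat >"$NSS_CONF" <<'EOF'
netgroup: files ldap
EOF

cat >"$NG_FILE" <<'EOF'
# constructed data: (host,user,domain) triples, plus a nested group
nfs-clients (fs1.example.org,,) (fs2.example.org,,)
admins      (,alice,) (,bob,)
trusted     nfs-clients admins
EOF

# netgroup_sources <nsswitch.conf>: the sources listed for the netgroup database
netgroup_sources() {
    awk '$1 == "netgroup:" { $1 = ""; sub(/^ +/, ""); print }' "$1"
}

# nonfile_sources <nsswitch.conf>: sources other than "files". An unpatched
# 10.x libc never consults these for netgroups, whatever the file says.
nonfile_sources() {
    for s in $(netgroup_sources "$1"); do
        [ "$s" = files ] || printf '%s\n' "$s"
    done
}

# expand_netgroup <file> <name> [seen]: print every triple of a netgroup,
# recursing into nested group names. Runs in a subshell so each level has its
# own variables; "seen" stops cycles. Backslash continuations are not handled.
expand_netgroup() (
    file=$1 name=$2 seen=${3:-}
    case " $seen " in *" $name "*) exit 0 ;; esac
    members=$(awk -v n="$name" '$1 == n { $1 = ""; print }' "$file")
    for tok in $members; do
        case $tok in
            \(*\)) printf '%s\n' "$tok" ;;
            *)     expand_netgroup "$file" "$tok" "$seen $name" ;;
        esac
    done
)

# Diagnostic: warn about sources that the configuration names but the
# netgroup lookup path does not use.
ignored=$(nonfile_sources "$NSS_CONF")
[ -z "$ignored" ] || echo "WARNING: netgroup sources ignored by unpatched libc: $ignored"
```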