On Wed, Jan 28, 2015 at 01:57:28PM +0000, Roderick Johnstone wrote:
> On 28/01/15 10:57, Jakub Hrozek wrote:
> >On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
> >>Hi
> >>
> >>I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
> >>netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
> >>to which I would like to migrate to ipa.
> >>
> >>I've created a new netgroup in ipa (for testing) and added some hosts to it
> >>(using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
> >>exporting an nfs share using the @netgroup syntax in /etc/exports that the
> >>netgroup will be looked up in ipa and the share will be exported to the
> >>hosts in the netgroup.
> >>
> >>/etc/nsswitch.conf has a line:
> >>netgroup: files nis sss
> >>
> >>/etc/exports has a line:
> >>/var/tmp/testexport @rmjnetgroup1(ro)
> >>
> >>I haven't, so far, been able to mount the exported share on a client so I'm
> >>wondering if this setup would be expected to work?
> >>
> >>What is confusing to me is that the section in the Redhat 6 Identity
> >>Management guide on netgroups also has information on running the NIS
> >>listener plugin so I'm wondering if perhaps this only works when running the
> >>nis listener. I'm trying to avoid that.
> >>
> >>I'd welcome any clarification on how to do non-kerberised nfs exports to
> >>groups of hosts.
> >
> >Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
> >
>
> Indeed it does.
>
> The individual triples listed for the netgroup contain entries like:
> (host,-,domain)
> where host is a fully qualified hostname which is dns resolvable.
>
> (For info if I do ypcat on one of my NIS netgroups I get a triple like this:
> (host,,)
> where host is the fully qualified host name, and nothing in the domain
> field.)
>
> I've actually tried two netgroups with different domains set. The first one
> (rmjnetgroup) I made without specifying the --nisdomain option to ipa
> netgroup-add and domain in the output above shows as my dns domain (which is
> a lower case version of my kerberos realm).
>
> I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked that I
> could mount the shares when I exported explicitly to the fully qualified
> host name, and that worked ok.
>
> So, thinking that the problem was with the domain name I made a new netgroup
> (rmjnetgroup1) with the option --nisdomain=xxx where xxx is the proper name
> for our nis domain as shown with the domainname command.
>
> I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.
>
> Roderick

Thank you for your reply, then we know the SSSD's netgroup handling is correct. To be honest, we're getting a bit out of my comfort zone into the NFS area. Maybe Roland (CC) knows how to debug the issue further?
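
Added example, not part of the original thread: a small Python checker that parses output in the layout `getent netgroup NAME` prints and evaluates host membership under the conventional netgroup triple rules (an empty field matches anything, `-` matches nothing), so the `(host,-,domain)` and `(host,,)` forms quoted above can be compared. The host names, domains, the `legacygroup` name and the helper names are constructed for illustration; which fields the NFS server actually passes when it tests membership is not stated in the thread, so the query arguments are left to the caller.

```python
import re

# Constructed sample lines in the layout `getent netgroup NAME` prints.
# Host and domain values are placeholders, not values from the thread.
IPA_STYLE = ("rmjnetgroup1   (client1.example.org,-,example.org) "
             "(client2.example.org,-,example.org)")
NIS_STYLE = "legacygroup (client1.example.org,,)"

TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(line):
    """Return (name, [(host, user, domain), ...]) for one getent output line."""
    name, _, rest = line.strip().partition(" ")
    triples = [tuple(f.strip() for f in m.groups())
               for m in TRIPLE.finditer(rest)]
    return name, triples


def field_matches(entry, wanted, ignore_case=False):
    """Apply the triple rules to one field of one triple."""
    if wanted is None:   # the caller does not test this field
        return True
    if entry == "":      # empty field is a wildcard
        return True
    if entry == "-":     # dash means "no valid value"
        return False
    if ignore_case:
        return entry.lower() == wanted.lower()
    return entry == wanted


def in_netgroup(triples, host=None, user=None, domain=None):
    """True if any triple matches every field the caller asked about."""
    return any(field_matches(h, host, ignore_case=True)
               and field_matches(u, user)
               and field_matches(d, domain, ignore_case=True)
               for h, u, d in triples)


if __name__ == "__main__":
    for line in (IPA_STYLE, NIS_STYLE):
        name, triples = parse_netgroup(line)
        for dom in (None, "example.org", "nisdomain"):
            ok = in_netgroup(triples, host="client1.example.org", domain=dom)
            print(f"{name:14} domain={dom!s:12} match={ok}")
```

A host-only query matches both forms, while a query that also names a domain matches the `(host,-,domain)` form only when the domain strings agree; a short host name never matches a fully qualified entry.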
