On Fri, Dec 11, 2015 at 10:16:50AM -0500, James Craig wrote:
> On Thu, 10 Dec 2015, Mark Johnston wrote:
>
> > On Thu, Dec 10, 2015 at 10:58:11AM -0500, James Craig wrote:
> >>
> >> Hey all!
> >>
> >> I am migrating some of our services to FreeBSD, and in the process of this,
> >> I have discovered something that seems odd to me; netgroups don't seem to
> >> work as expected.
> >>
> >> I am trying to set up a machine that will eventually be a file server
> >> (running 10.2-RELEASE) and getent netgroup <name> doesn't return anything,
> >> even if it is a valid name.
> >>
> >> We have been using openldap, and on the old Solaris server, I was able to
> >> query netgroups for information, and use netgroups to limit some access to
> >> NFS.
> >>
> >> getent passwd, and other lookups seem to work fine.
> >>
> >> I had truss running on the ldap server, and when I try to
> >> getent netgroup <name> there is no action. So I ran a truss on the getent
> >> on the FreeBSD machine, and sifting through the system calls the system
> >> will only search the file /etc/netgroup (which is empty), despite that
> >> my /etc/nsswitch.conf looks like this:
> >
> > Unfortunately, the NSS documentation is wrong: the netgroup database isn't
> > implemented. The netgroup NSS methods always read /etc/netgroup and
> > ignore the sources configured in /etc/nsswitch.conf.
>
> I am glad I wasn't screwing up; thanks for the insight.
>
> Since this note I have also discovered that trying to use netgroups
> in login.access fails because I am not using NIS -- regardless of
> the /etc/netgroup file being populated.

Yes, it looks like the system needs to belong to an NIS domain
containing the specified netgroups in order for login.access support to
work.

>
> Is this something that will get implemented? (where would I go to
> find out?)

It's not really clear what "this" is. :)
If you want to be able to specify an NIS domain in login.access, some
syntax for doing so would need to be proposed. A bugzilla PR would be
the way to do so: https://bugs.freebsd.org
You can search for existing PRs to see if something similar has already
been submitted.

>
> > I have a libc patch (missing man page updates) that fixes this:
> > https://people.freebsd.org/~markj/patches/netgroup_nss.diff
> > It also adds a getnetgrent_r() implementation. If you're able to rebuild
> > libc in your environment, this patch should fix the problem you're
> > encountering - please let me know if it doesn't!
>
> I'll be honest; I have never done that before, so I am not sure
> what it will take, or what the ramifications on the system would
> be.
>
> I can look into it. (pointers would be appreciated, if there are any)

I'll send some instructions in a separate mail.
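
Added example, not part of the thread or of FreeBSD: a shell check for the situation described above, where /etc/nsswitch.conf names sources for netgroup that the libc lookup never consults, so access rules built on netgroups see empty groups. The function names, the return codes and the treatment of "files" and "compat" as the local file are assumptions of this example, and the sample configuration is constructed.

```sh
# netgroup_sources FILE
# Print the sources named on the "netgroup:" line, one per line.
# Comments and [status=action] criteria are stripped first.
netgroup_sources() {
    sed -e 's/#.*//' -e 's/\[[^]]*\]//g' -e 's/:/ /' "$1" |
        awk '$1 == "netgroup" { for (i = 2; i <= NF; i++) print $i }'
}

# netgroup_nss_check NSSWITCH NETGROUP_FILE
# Returns 0 when only local sources are configured,
#         1 when other sources are configured but the local file has entries,
#         2 when other sources are configured and the local file has none,
#           i.e. every netgroup lookup comes back empty.
netgroup_nss_check() {
    nsswitch=$1
    netgroup_file=$2
    ignored=""
    for src in $(netgroup_sources "$nsswitch"); do
        case $src in
            files|compat) ;;   # assumption: both mean the local file
            *) ignored="$ignored $src" ;;
        esac
    done
    [ -z "$ignored" ] && return 0
    echo "netgroup sources not consulted:$ignored"
    # Any line that is neither blank nor a comment counts as an entry.
    if [ -r "$netgroup_file" ] &&
        grep -Eqv '^[[:space:]]*(#|$)' "$netgroup_file"; then
        return 1
    fi
    echo "$netgroup_file has no entries: netgroup lookups return nothing"
    return 2
}

# Constructed sample: LDAP configured for netgroups, empty netgroup file.
tmp=$(mktemp -d)
printf '%s\n' '# constructed sample' 'passwd: files ldap' \
    'netgroup: files ldap [notfound=return]' > "$tmp/nsswitch.conf"
: > "$tmp/netgroup"
netgroup_nss_check "$tmp/nsswitch.conf" "$tmp/netgroup"
echo "status: $?"
```

On a real host, call netgroup_nss_check /etc/nsswitch.conf /etc/netgroup and compare the result with what getent netgroup <name> returns.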