[Freeipa-users] netgroups not working for exports in freeipa

Roderick Johnstone rmj at ast.cam.ac.uk
Wed Jan 28 13:57:28 UTC 2015


On 28/01/15 10:57, Jakub Hrozek wrote:
> On Tue, Jan 27, 2015 at 10:03:37PM +0000, Roderick Johnstone wrote:
>> Hi
>>
>> I'm migrating from a legacy NIS setup to ipa. I have a number of NIS
>> netgroups (of hosts) that are being used to export (non-kerberos) nfs shares
>> to, which I would like to migrate to ipa.
>>
>> I've created a new netgroup in ipa (for testing) and added some hosts to it
>> (using ipa netgroup-add and ipa netgroup-add-member). I'm hoping that when
>> exporting an nfs share using the @netgroup syntax in /etc/exports that the
>> netgroup will be looked up in ipa and the share will be exported to the
>> hosts in the netgroup.
>>
>> /etc/nsswitch.conf has a line:
>> netgroup:   files nis sss
>>
>> /etc/exports has a line:
>> /var/tmp/testexport @rmjnetgroup1(ro)
>>
>> I haven't, so far, been able to mount the exported share on a client so I'm
>> wondering if this setup would be expected to work?
>>
>> What is confusing to me is that the section in the Red Hat 6 Identity
>> Management guide on netgroups also has information on running the NIS
>> listener plugin so I'm wondering if perhaps this only works when running the
>> nis listener. I'm trying to avoid that.
>>
>> I'd welcome any clarification on how to do non-kerberised nfs exports to
>> groups of hosts.
>
> Does getent netgroup rmjnetgroup1 show the hosts you'd expect?
>

Indeed it does.

The individual triples listed for the netgroup contain entries like:
(host,-,domain)
where host is a fully qualified hostname which is dns resolvable.

(For info, if I do ypcat on one of my NIS netgroups I get a triple like this:
(host,,)
where host is the fully qualified host name, and nothing in the domain 
field.)

I've actually tried two netgroups with different domains set. The first 
one (rmjnetgroup) I made without specifying the --nisdomain option to 
ipa netgroup-add and domain in the output above shows as my dns domain 
(which is a lower case version of my kerberos realm).

I couldn't mount nfs shares when exporting to @rmjnetgroup. I checked 
that I could mount the shares when I exported explicitly to the fully 
qualified host name, and that worked ok.

So, thinking that the problem was with the domain name I made a new 
netgroup (rmjnetgroup1) with the option --nisdomain=xxx where xxx is the 
proper name for our nis domain as shown with the domainname command.

I couldn't mount nfs shares when exporting to @rmjnetgroup1 either.

Roderick




