Netgroups in FreeBSD10

Mark Johnston markj at FreeBSD.org
Thu Dec 10 20:14:32 UTC 2015


On Thu, Dec 10, 2015 at 10:58:11AM -0500, James Craig wrote:
> 
> 
> Hey all!
> 
> I am migrating some of our services to FreeBSD, and in the process of this,
> I have discovered something that seems odd to me; netgroups don't seem to work
> as expected.
> 
> I am trying to set up a machine that will eventually be a file server 
> (running 10.2-RELEASE) and getent netgroup <name> doesn't return anything, 
> even if it is a valid name.
> 
> We have been using OpenLDAP, and on the old Solaris server, I was able to 
> query netgroups for information, and use netgroups to limit some access to NFS.
> 
> getent passwd, and other lookups seem to work fine.
> 
> 
> I had truss running on the LDAP server, and when I try to 
> getent netgroup <name> there is no action. So I ran a truss on the getent on 
> the FreeBSD machine, and sifting through the system calls the system will only 
> search the file /etc/netgroup (which is empty), despite that 
> my /etc/nsswitch.conf looks like this:

Unfortunately, the NSS documentation is wrong: the netgroup database isn't
implemented. The netgroup NSS methods always read /etc/netgroup and
ignore the sources configured in /etc/nsswitch.conf.

I have a libc patch (missing man page updates) that fixes this:
https://people.freebsd.org/~markj/patches/netgroup_nss.diff
It also adds a getnetgrent_r() implementation. If you're able to rebuild
libc in your environment, this patch should fix the problem you're
encountering - please let me know if it doesn't!
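
An added example, not part of this thread or of the linked patch: a small sh audit for hosts on an unpatched libc, where, as described above, netgroup lookups read only /etc/netgroup. It lists the sources configured for `netgroup` in nsswitch.conf, warns about those that are never queried, and warns when the netgroup file has no entries; the function names and the treatment of `files` and `compat` as local sources are assumptions.

```shell
#!/bin/sh
# Added example: audit for the behaviour described in this thread (unpatched
# libc reads only /etc/netgroup, whatever nsswitch.conf says).

# Assumption: these sources are served from the local netgroup file.
LOCAL_SOURCES="files compat"

# Print the sources configured for the netgroup database, one per line,
# skipping comments and [STATUS=action] criteria.
netgroup_sources() {
    awk '
        { sub(/#.*/, "") }
        sub(/^[ \t]*netgroup[ \t]*:/, "") {
            skip = 0
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^\[/) skip = 1
                if (!skip) print $i
                if ($i ~ /\]$/) skip = 0
            }
        }' "$1"
}

# Usage: check_netgroup_nss NSSWITCH_CONF NETGROUP_FILE
# Returns 1 if any finding was printed, 0 otherwise.
check_netgroup_nss() {
    conf=$1; ngfile=$2; rc=0
    for src in $(netgroup_sources "$conf"); do
        case " $LOCAL_SOURCES " in
            *" $src "*) ;;
            *) echo "WARN: netgroup source '$src' in $conf is never queried"
               rc=1 ;;
        esac
    done
    # An entry is any line whose first non-blank character is not '#'.
    if ! grep -q '^[[:space:]]*[^#[:space:]]' "$ngfile" 2>/dev/null; then
        echo "WARN: $ngfile has no entries; every netgroup lookup comes back empty"
        rc=1
    fi
    return "$rc"
}

# Run only when paths are given, e.g.: sh audit.sh /etc/nsswitch.conf /etc/netgroup
if [ "$#" -eq 2 ]; then
    check_netgroup_nss "$1" "$2"
fi
```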

