System Administration

ldap netgroups doesn't work for NFS exports

Graham Allan

OK, my last question regarding netgroups and LDAP was confused. Now I looked into it further to verify what the problem actually is.

Our systems are Tru64 5.1B-4 / patchkit 6 set up with ldapcd working against an openldap server; it works fine for authentication.

I have "netgroup: ldap" set in /etc/nsswitch.conf and running some small test programs using getnetgrent demonstrates that the system is retrieving the netgroup info from ldap.

However NFS exports using netgroup names in /etc/exports are not honored.

Running truss against mountd shows that no netgroup lookups are being done (I won't paste the traces here, they're quite long).

However, running the same trace against mountd on a system running a NIS client for netgroup info shows interesting info - things like:

getdomainname("mynisdomain", 256) = 0
getpid() = 468 [ 1 ]
open("/var/yp/binding/mynisdomain.2", O_RDONLY, 01777777777760002762657) = 9

so it seems clear that mountd is trying to read the yp data directly rather than using the c library functions getnetgrent or innetgr.

This seems like a bug to me.

We do actually have support through HP, though I don't know how likely it is for anything to get fixed at this stage. But sometimes channels like this can be almost more useful than regular support, as we might hear something back indirectly from the engineers concerned. Would be great if anyone could find out more!
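The kind of small check the post above describes, written here as an added example (it is not Graham's test program and not any HP or Tru64 code): it resolves a netgroup through the C library, which is the path that honours the "netgroup:" line in /etc/nsswitch.conf, so a netgroup served by LDAP is found the same way as one served by NIS. The netgroup name "nfsclients" and the host "client1.example.com" are constructed defaults; pass real ones on the command line. It assumes glibc semantics for setnetgrent(), which returns 1 on success.

```c
/* _GNU_SOURCE exposes the netgroup prototypes in <netdb.h> even under -std=c11. */
#define _GNU_SOURCE
#include <stdio.h>
#include <netdb.h>

/*
 * Walk a netgroup through setnetgrent()/getnetgrent(), i.e. through NSS.
 * Returns the number of (host,user,domain) triples found, or -1 when the
 * C library reports the netgroup as unknown.  With verbose set, each
 * triple is printed; a NULL field is a wildcard in the netgroup entry.
 * Assumption: glibc semantics, where setnetgrent() returns 1 on success.
 */
int count_netgroup_triples(const char *netgroup, int verbose)
{
    char *host, *user, *domain;
    int n = 0;

    if (setnetgrent(netgroup) != 1)
        return -1;

    while (getnetgrent(&host, &user, &domain) == 1) {
        if (verbose)
            printf("  (%s,%s,%s)\n",
                   host ? host : "*", user ? user : "*", domain ? domain : "*");
        n++;
    }
    endnetgrent();
    return n;
}

/*
 * Membership test the way an exports evaluator should do it: innetgr()
 * asks NSS rather than reading NIS maps directly, so an LDAP-backed
 * netgroup is honoured.  Returns 1 for a member, 0 otherwise (including
 * an unknown netgroup).
 */
int host_in_netgroup(const char *netgroup, const char *host)
{
    return innetgr(netgroup, host, NULL, NULL);
}

int main(int argc, char **argv)
{
    /* Constructed defaults; override with: ./netgrcheck <netgroup> <host> */
    const char *netgroup = argc > 1 ? argv[1] : "nfsclients";
    const char *host     = argc > 2 ? argv[2] : "client1.example.com";
    int n;

    printf("netgroup %s via NSS:\n", netgroup);
    n = count_netgroup_triples(netgroup, 1);
    if (n < 0)
        printf("  not found by the C library (check nsswitch.conf and the LDAP client)\n");
    else
        printf("  %d triple(s)\n", n);

    printf("innetgr(%s, %s): %s\n", netgroup, host,
           host_in_netgroup(netgroup, host) ? "member" : "not a member");
    return 0;
}
```

If this program lists the triples and innetgr() reports the client as a member while mountd still refuses the mount, the NSS side is working and the remaining gap is in mountd itself, which matches the truss observation that it opens the NIS binding files directly instead of calling these functions.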

Ann Majeske

Re: ldap netgroups doesn't work for NFS exports

I looked at the source code for Tru64 mountd and it does only look at NIS for netgroups. To me this feels like a bug. But, the man page for mountd specifically says "The identifiers listed beside the name of each filesystem or directory can be either host names, IP addresses, or NIS netgroups names." The man page specifically talks about "NIS netgroups" and not just "netgroups". This could be interpreted that only NIS netgroups supported or it could be interpreted as simply a clarification of what netgroups are (netgroups, like there are in NIS). The mountd man page was written when NIS was the only supported server for netgroups, so I tend towards the latter.

There are engineers working on support for Tru64 and problems are getting fixed. But, given the ambiguity here, if you enter a problem report it is possible that you won't get a fix if the "official" interpretation of the man page is that "NIS" is meant as a restriction, not an explanation. I say go ahead and try it, what do you have to lose?

Just a FYI, in nsswitch.conf "ldap" is only a valid source for the netgroup database, it cannot be defined as a source for user or group databases. To use ldap for user and group information you have to use the SIA ldap mechanism.

Graham Allan

Re: ldap netgroups doesn't work for NFS exports

Thanks very much, that's great to have my suspicions about the mountd operation confirmed. I opened a case with support so we can see if they want to do anything about it. I'm no real programmer by any means, but the netgroup-reading code in the FreeBSD mountd source doesn't look terribly complicated (for whatever that's worth...)

I have just one more Tru64 LDAP-related query to ask about in a new thread :-)