test.c:

/* Minimal innetgr() probe: prints 1 if the host is a member of the
 * netgroup (directly or via nesting), 0 otherwise. */
#include <netdb.h>
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv)
{
    if (argc < 3) {
        fprintf(stderr, "usage: %s netgroup host\n", argv[0]);
        return 2;
    }
    /* netgroup, host, user (any), domain (any) */
    printf("%d\n", innetgr(argv[1], argv[2], NULL, NULL));
    return 0;
}
---------------------
[hedrick@krb2 credserv]$ ./test lcsrcf ilab1.cs.rutgers.edu
0
[hedrick@krb2 credserv]$ ipa host-show ilab1.cs.rutgers.edu
  Host name: ilab1.cs.rutgers.edu
  Principal name: host/ilab1.cs.rutgers.edu@CS.RUTGERS.EDU
  Principal alias: host/ilab1.cs.rutgers.edu@CS.RUTGERS.EDU
  SSH public key fingerprint: SHA256:XQelZD+3XV8yJTUQCU277t3Tsfin3JXFZWOXgBwlpk0 (ecdsa-sha2-nistp256), SHA256:viELfgjJE7+GXq+QDLcW3XUBRZcaiZcMOpaTXvPo/I0 (ssh-ed25519), SHA256:MjIvgUUtUYmjohS2fCJ5NIgn6laFKSLttWYnEfN0KYY (ssh-rsa)
  Password: False
  Member of netgroups: dcsilab_gpuservers__1, working-hosts, gradpool, research-user-maint
  Indirect Member of netgroup: dcsilab, dcsilab_clients, lcsrcluster, lcsrcf, dcs, dcsilab_gpuservers
  Keytab: True
  Managed by: ilab1.cs.rutgers.edu
[hedrick@krb2 credserv]$ ./test dcsilab_clients ilab1.cs.rutgers.edu
1
—————————————
I’m doing this on a test Kerberos server, which makes the logs easier to look at. It’s CentOS 8. I walked up the hierarchy. The first place it failed was netgroup dcs. Here are the queries it made:
[04/Nov/2019:10:27:08.092994997 -0500] conn=22700 op=14 SRCH base="cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(cn=dcs)(objectClass=ipaNisNetgroup))" attrs="objectClass cn member memberOf memberUser memberHost externalHost nisDomainName ipaUniqueID"
[04/Nov/2019:10:27:08.093756954 -0500] conn=22700 op=14 RESULT err=0 tag=101 nentries=1 etime=0.0000917908 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.094390316 -0500] conn=22700 op=15 SRCH base="cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=ipaNisNetgroup))" attrs="objectClass cn member memberOf memberUser memberHost externalHost nisDomainName ipaUniqueID"
[04/Nov/2019:10:27:08.108564311 -0500] conn=22700 op=15 RESULT err=0 tag=101 nentries=48 etime=0.0014740764 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.116836919 -0500] conn=22700 op=16 SRCH base="cn=accounts,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=posixAccount))" attrs="uid memberOf objectClass"
[04/Nov/2019:10:27:08.117217428 -0500] conn=22700 op=16 RESULT err=0 tag=101 nentries=0 etime=0.0008600383 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.117542516 -0500] conn=22700 op=17 SRCH base="cn=accounts,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=ipaIDObject)(objectClass=posixAccount))" attrs="uid memberOf objectClass"
[04/Nov/2019:10:27:08.117684401 -0500] conn=22700 op=17 RESULT err=0 tag=101 nentries=0 etime=0.0000418212 notes=P pr_idx=0 pr_cookie=-1
[04/Nov/2019:10:27:08.118033435 -0500] conn=22700 op=18 SRCH base="cn=accounts,dc=cs,dc=rutgers,dc=edu" scope=2 filter="(&(|(memberOf=ipaUniqueID=60eeb708-c407-11e7-baa3-000c29dbd083,cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu))(objectClass=ipaHost))" attrs="objectClass cn fqdn serverHostName memberOf ipaSshPubKey ipaUniqueID"
[04/Nov/2019:10:27:08.189687425 -0500] conn=22700 op=18 RESULT err=0 tag=101 nentries=172 etime=0.0071957440 notes=P pr_idx=0 pr_cookie=-1
Let me interpret that:
Look up netgroup dcs to find its uniqueID.
Look for all netgroups, users, ??, hosts that are members of the uniqueID.
The last query returned 172 hosts. I tried the query manually and got 172 hosts as well. ilab1.cs.rutgers.edu was one of them. I would have expected it to return yes, but it returned 0.
If I check the next level down in the hierarchy, I get success.
I’m going to email you the SSSD log file separately, as I’m not sure whether there’s anything in it that shouldn’t be public.
On Nov 1, 2019, at 9:03 AM, Sumit Bose sbose@redhat.com wrote:
On Thu, Oct 31, 2019 at 02:02:51PM +0000, Charles Hedrick wrote:
I need to support netgroup checks in a service, written in C. I’m asking the SSSD list because we’re using SSSD, which means that net group operations are routed to the SSSD provider.
I found that innetgr doesn’t work if there are nested net groups. The man page doesn’t suggest that this would happen, though various online discussions seem to suggest it. As far as I can tell, using the usual libc routines, I’d have to do a recursive enumeration of the netgroup. This seems pretty silly, since the host's memberOf attribute shows what net groups it’s a member of, whether direct or indirect. You could also enumerate using the compat tree, which lets a single LDAP query get all members of the netgroup.
Hi,
it would be good if you could share some logs which cover the failed attempt. IIRC nested netgroups are handled by SSSD and glibc together, i.e. SSSD will not resolve a nested netgroup automatically but just returns the name, and glibc asks for the members of the nested group if needed.
bye, Sumit
For the moment I’m doing LDAP operations. My application already needs to do GSSAPI-authenticated LDAP operations, so I have an LDAP connection already. A netgroup check requires two queries, which could reasonably be cached. Look up the netgroup by name to find the unique ID. Look up the host and see if the unique ID matches any memberOf attributes.
But not all applications would be set up so this is easy. Is there a reasonable way to check netgroup membership using normal libc calls?
sssd-users mailing list -- sssd-users@lists.fedorahosted.org To unsubscribe send an email to sssd-users-leave@lists.fedorahosted.org Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedorahosted.org/archives/list/sssd-users@lists.fedorahosted.o...
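The two-query check Charles describes (netgroup name to ipaUniqueID, then the host's memberOf), placed beside the recursive walk over nested netgroups that libc would otherwise have to do, as an added example that is not code from the thread or from SSSD/FreeIPA. It runs against a constructed in-memory directory whose DNs follow the access log above; the UUIDs, the host base DN and the helper names are assumptions.

```python
"""Netgroup membership over the FreeIPA LDAP layout (added example, offline).
DNs mirror the log in the thread; UUIDs and cn=computers base are assumed."""

NG_BASE = "cn=ng,cn=alt,dc=cs,dc=rutgers,dc=edu"
HOST_BASE = "cn=computers,cn=accounts,dc=cs,dc=rutgers,dc=edu"  # assumed

def ng(uid):     return f"ipaUniqueID={uid},{NG_BASE}"   # netgroup DN
def host(fqdn):  return f"fqdn={fqdn},{HOST_BASE}"        # host DN

# Constructed directory: dcs -> dcsilab -> dcsilab_clients -> ilab1, plus a
# deliberate cycle (dcsilab_clients nests dcs) to exercise the visited set.
# memberOf on the host is the transitive closure the memberOf plugin keeps.
DIRECTORY = {
    ng("u-dcs"):     {"cn": "dcs", "member": [ng("u-dcsilab")], "memberHost": []},
    ng("u-dcsilab"): {"cn": "dcsilab", "member": [ng("u-clients")], "memberHost": []},
    ng("u-clients"): {"cn": "dcsilab_clients", "member": [ng("u-dcs")],
                      "memberHost": [host("ilab1.cs.rutgers.edu")]},
    ng("u-other"):   {"cn": "other", "member": [], "memberHost": [host("x.cs.rutgers.edu")]},
    host("ilab1.cs.rutgers.edu"): {"memberOf": [ng("u-clients"), ng("u-dcsilab"), ng("u-dcs")]},
    host("x.cs.rutgers.edu"):     {"memberOf": [ng("u-other")]},
}

def netgroup_dn(directory, name):
    """Query 1: (&(cn=NAME)(objectClass=ipaNisNetgroup)) -> netgroup DN or None."""
    for dn, entry in directory.items():
        if dn.endswith(NG_BASE) and entry.get("cn") == name:
            return dn
    return None

def host_in_netgroup_memberof(directory, netgroup, fqdn):
    """Query 2: is the netgroup's ipaUniqueID DN in the host's memberOf?
    One lookup covers direct and indirect (nested) membership."""
    dn = netgroup_dn(directory, netgroup)
    entry = directory.get(host(fqdn))
    return dn is not None and entry is not None and dn in entry["memberOf"]

def host_in_netgroup_recursive(directory, netgroup, fqdn):
    """libc-style alternative: walk member/memberHost depth-first.
    The visited set makes cyclic nesting terminate instead of looping."""
    start = netgroup_dn(directory, netgroup)
    if start is None:
        return False
    stack, seen = [start], set()
    while stack:
        dn = stack.pop()
        if dn in seen:
            continue
        seen.add(dn)
        entry = directory[dn]
        if host(fqdn) in entry["memberHost"]:
            return True
        stack.extend(entry["member"])          # descend into nested netgroups
    return False
```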