#3573 sssd won't show netgroups with blank domain
Closed: Fixed 4 years ago Opened 4 years ago by hedrick.

Create a netgroup with nisdomain=, i.e. a blank NIS domain name.

sssd won't show it.

From abokovoy@redhat.com:

This is the code in ipa_netgr_process_all():
ret = sysdb_attrs_get_string(state->netgroups[i], SYSDB_NETGROUP_DOMAIN,
if (ret != EOK) {
goto done;

      DEBUG(SSSDBG_TRACE_INTERNAL, "Putting together triples of "
                                    "netgroup %d\n", i);
      for (j = 0; j < uids_count; j++) {
          for (k = 0; k < hosts_count; k++) {
              triple = talloc_asprintf(state, "(%s,%s,%s)",
                                       hosts[k], uids[j],
              if (triple == NULL) {
                  ret = ENOMEM;
                  goto done;

              ret = sysdb_attrs_add_string(state->netgroups[i],
              if (ret != EOK) {
                  goto done;

So, if no domain is retrieved, no netgroup triple is generated by SSSD
IPA provider. Note that this does not utilize compatibility netgroups
subtree as generated by schema compatibility plugin (in
cn=ng,cn=compat,$SUFFIX) but instead works directly with IPA netgroups.

cc @pbrezina isn't this similar or the same as the issue you saw the other day?

ah, no, this is different.

Thank you for the bug report, it's quite easy to reproduce, but because my netgroups knowledge is limited, I'm not sure what the expected output is. Man innetgr says "Any of the elements in a triple can be empty, which means that anything matches. The functions described here allow access to the netgroup databases".

The compat tree presents the negroup triple as:

nisNetgroupTriple: (-,tuser1,)                                                                                                                                                                                                              

So far I have a trivial patch that presents the netgroup with an empty nisDomainName as the compat tree does, if you like, I'll be glad to send you a test build.

Yes, I'd appreciate a test build. I believe the trivial change is the one I want.
I could actually fix it locally, but I don't like to deploy fixed code until I've verified that the fix will be in the next release.

Sure, what version and on what OS are you running (the output of rpm -q sssd-common is enough...)

My test system is up to date:


Our production systems are


But we can update them.

Since I think the test system is easier to experiment with, I built the test package based on 7.4:

Looks good. Thanks. Will this be in the next update?

Unfortunately we are past the point in RHEL-7.5 where developers can freely merge code from upstream. We need a justification for any commit in this phase already.

If you have a RHEL subscription, can you please file a support case? Then we could work on cloning it to a bugzilla and use the bugzilla to add the patch.

No, we're using Centos. I would have paid for our IPA servers, but RH won't support Centos even though it's the same, and starting over with RHEL isn't practical.

We don't have that many servers that need this, so as long as it gets in eventually we should be OK.

Metadata Update from @jhrozek:
- Issue set to the milestone: SSSD 1.16.2

4 years ago

Metadata Update from @jhrozek:
- Issue assigned to jhrozek
- Issue priority set to: major
- Issue tagged with: PR, bug

4 years ago

Related PR does not contain any code coverage for this bugfix and this ticket is not linked with downstream bug.

This bug should be tested somewhere to prevent any regressions in future.
Removing milestone ("moving to needs triage") for further discussion.

We can push PR sooner if we find solution before next triage.

Metadata Update from @lslebodn:
- Issue set to the milestone: None (was: SSSD 1.16.2)

4 years ago

Metadata Update from @jhrozek:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

4 years ago

Thanks. What release will this show up in?

SSSD is moving from Pagure to Github. This means that new issues and pull requests
will be accepted only in SSSD's github repository.

This issue has been cloned to Github and is available here:
- https://github.com/SSSD/sssd/issues/4597

If you want to receive further updates on the issue, please navigate to the github issue
and click on subscribe button.

Thank you for understanding. We apologize for all inconvenience.

Login to comment on this ticket.