Reintroduce netgroups support?

Alexander Bokovoy ab at samba.org
Fri Jun 3 10:29:26 UTC 2022


On pe, 03 kesä 2022, Samuel Cabrero via samba-technical wrote:
> Hi,
> 
> I have received some complaints after we dropped netgroups support in
> Samba 4.15.0. Our release notes only mention we dropped NIS but
> netgroups went with it.
> 
> Some people still use netgroups without NIS, stored in LDAP and made
> available to the system through nss_sss, but it is also possible to use
> /etc/netgroups.
> 
> I had a look at the removed code and I think it is possible to
> reintroduce netgroups support independently from NIS, using the
> getdomainname() function from glibc instead of yp_get_default_domain()
> from libnsl.
> 
> Should we bring back netgroups support?

When we were discussing removal of NIS support from Fedora 36 last year,
I did some research as FreeIPA does provide NIS server simulation.

-----------------------------------
FreeIPA does depend on nisdomainname utility (part of hostname package).

SUDO depends on the correct value returned from getdomainname() in order
to support netgroups in LDAP-stored SUDO rules. Same rules are
implemented by FreeIPA and SSSD.

However, I think this is *not* a deprecated technology question. Domain
name information is part of the UTS information in the kernel.

According to glibc implementation, getdomainname() pulls the domain name
from uname() syscall:
https://sourceware.org/git/?p=glibc.git;a=blob;f=misc/getdomain.c;h=09bb3b0e2cc214b406387294ad90b3c01e2d9a71;hb=HEAD

where 'domainname' is a GNU extension. It represents the name of the domain
this host belongs to. Note that the domain name itself is not a DNS
domain name, as it represents a higher abstraction level entity which can
be roughly mapped to a whole IPA or AD domain. This is how we actually
are using it in FreeIPA.

Someone has to set the domain name upon startup. So far, only the
nisdomainname tool was doing that. If that is removed, then SUDO will
definitely break.

This does not require presence of NIS infrastructure but does require
properly configured NIS domain name on each client. Which means we must be
able to continue configuring NIS domain name.
------------------------------------

So Samba definitely can rely on getdomainname() to provide the same
functionality.

The question is more towards distributions: who would set the domain
name? Debian's original package for 'hostname' does not provide any
method to call 'hostname -y' or 'nisdomainname' to set the domain name
system-wide. Same with the 'net-tools' version.

Fedora and openSUSE do have a systemd service, nis-domainname.service,
that automates setting a domain name from /etc/sysconfig/network or
/etc/sysconfig/network/config, depending on the distro flavor.

It looks like Debian-based distributions are already broken with regard to
netgroups support, as they have no means to automatically set the NIS
domain name.

-- 
/ Alexander Bokovoy
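Added example, not part of the thread, of Samba's or of FreeIPA's code: it shows the relationship the message above relies on, namely that getdomainname() and the GNU 'domainname' field of uname() are two views of the same kernel-side UTS value, what a boot-time unit like nis-domainname.service has to do (setdomainname(), which needs CAP_SYS_ADMIN), how to recognise a client where nothing set the name, and a netgroup check through NSS with innetgr() of the kind sudo or a netgroups-aware Samba would perform. It assumes Linux with glibc; the netgroup name 'example-hosts' and host 'client1' are made up for the demonstration.

```c
/* Added example (not from the thread, Samba or FreeIPA). Assumes Linux + glibc:
 * struct utsname.domainname is a GNU extension, hence _GNU_SOURCE. */
#define _GNU_SOURCE
#include <errno.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/utsname.h>

/* Copy the UTS/NIS domain name as getdomainname() reports it into buf.
 * Returns 0 on success, -errno on failure. glibc copies at most len bytes
 * and does not NUL-terminate on truncation, so terminate it ourselves. */
int nis_domain_get(char *buf, size_t len)
{
    if (len == 0)
        return -EINVAL;
    if (getdomainname(buf, len) != 0)
        return -errno;
    buf[len - 1] = '\0';
    return 0;
}

/* Returns 1 when getdomainname() and uname()->domainname agree, 0 when they
 * differ, -errno if either call fails. There is only one kernel-side value,
 * which is why Samba can use getdomainname() where it used yp_get_default_domain(). */
int nis_domain_matches_uname(void)
{
    struct utsname u;
    char buf[256];
    int r;

    if (uname(&u) != 0)
        return -errno;
    r = nis_domain_get(buf, sizeof(buf));
    if (r < 0)
        return r;
    return strcmp(buf, u.domainname) == 0;
}

/* Returns 1 if the kernel reports no domain name: "" or the Linux default
 * "(none)". This is what a client looks like when nothing set it at boot,
 * the situation described for Debian-based distributions. */
int nis_domain_is_unset(const char *name)
{
    return name[0] == '\0' || strcmp(name, "(none)") == 0;
}

/* The job of a nis-domainname.service equivalent: push the configured name
 * into the UTS namespace. Requires CAP_SYS_ADMIN; returns 0 or -errno
 * (-EPERM for an unprivileged caller). */
int nis_domain_set(const char *name)
{
    if (setdomainname(name, strlen(name)) != 0)
        return -errno;
    return 0;
}

/* Netgroup membership check as sudo or Samba would do it through NSS
 * (files, sss, ... as configured in nsswitch.conf). innetgr() returns 1 on
 * membership; a NULL host, user or domain acts as a wildcard. */
int host_in_netgroup(const char *netgroup, const char *host,
                     const char *user, const char *domain)
{
    return innetgr(netgroup, host, user, domain);
}

int main(void)
{
    char name[256];
    int r = nis_domain_get(name, sizeof(name));

    if (r < 0) {
        fprintf(stderr, "getdomainname: %s\n", strerror(-r));
        return 1;
    }
    printf("UTS domain name: '%s'%s\n", name,
           nis_domain_is_unset(name) ? " (nothing set it at boot)" : "");
    printf("getdomainname()/uname() agree: %d\n", nis_domain_matches_uname());

    /* Re-set the current value: changes nothing, but shows the privilege needed. */
    r = nis_domain_set(name);
    printf("setdomainname: %s\n", r == 0 ? "ok" : strerror(-r));

    /* 'example-hosts' and 'client1' are made-up names for the demonstration. */
    printf("client1 in netgroup 'example-hosts': %d\n",
           host_in_netgroup("example-hosts", "client1", NULL, name));
    return 0;
}
```

Run as an unprivileged user the setdomainname() step reports "Operation not permitted", which is the point: whatever sets the name has to run early and privileged, and on a system with no such unit the first printf shows "(none)" and every domain-qualified netgroup triple will fail to match.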
