No cascading netgroups please
Date: 2004-10-11 13:56:00
Top Tip: Red Hat and NIS groups
A while back, we ran into problems with netgroups and FreeBSD. I've lost the links, but it turns out that NIS groups can be a total of 1024 characters, not including whitespace. Lemme tell you, it doesn't take many entries like:

    (foo.example.com,,)

to fill up that limit, and it's pretty stupid.
The solution, such as it is, is to create container netgroups like this:

    master.netgroup @subgroup1, @subgroup2
    @subgroup1 (foo.example.com,,) ...

It's a crock, but at least it's a solution for FreeBSD.
Well, last week it caused problems. We've got a Red Hat machine, and guess what? Yep, doesn't recursively expand the netgroups: if you tell it to export to master.netgroup, it'll say it's doing it, but won't actually do it. It'll happily export to subgroup1 if you list them explicitly; it will not expand master.netgroup into subgroup1 and subgroup2.
Bollocks. Bollocks, I say.
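An added example, not part of the original post: a Python check that reads a netgroup map, expands container netgroups into the hosts they are meant to cover (so the result can be compared with what a server actually exports to), lists the groups that depend on nesting, and flags entries over the 1024-character figure quoted above. The sample map, the function names, and counting the group name towards the limit are assumptions made for illustration.

```python
import re

LIMIT = 1024  # ceiling quoted in the post, counted without whitespace
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")

# Constructed sample map; subgroup2 points back at master to exercise cycles.
SAMPLE = """\
master.netgroup subgroup1 subgroup2
subgroup1 (foo.example.com,,) (bar.example.com,,)
subgroup2 (baz.example.com,,) master.netgroup
"""

def parse(text):
    """Map each netgroup name to (host/user/domain triples, child netgroups)."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split(None, 1)
        if not parts:
            continue
        rest = parts[1] if len(parts) > 1 else ""
        triples = [tuple(f.strip() for f in m) for m in TRIPLE.findall(rest)]
        # Accept plain "subgroup1" and the post's "@subgroup1," spelling.
        words = TRIPLE.sub(" ", rest).split()
        children = [w.lstrip("@").rstrip(",") for w in words]
        groups[parts[0]] = (triples, [c for c in children if c])
    return groups

def hosts(groups, name, seen=None):
    """Recursively expand a netgroup to its host set; cycles are cut off."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    triples, children = groups[name]
    found = {h for h, _, _ in triples if h}
    for child in children:
        found |= hosts(groups, child, seen)
    return found

def nested(groups):
    """Netgroups that only work where the consumer expands children."""
    return {n: kids for n, (_, kids) in groups.items() if kids}

def oversized(text, limit=LIMIT):
    """Names of entries whose non-whitespace length exceeds the limit."""
    bodies = (line.split("#", 1)[0] for line in text.splitlines())
    return [b.split()[0] for b in bodies if len("".join(b.split())) > limit]

if __name__ == "__main__":
    g = parse(SAMPLE)
    print(sorted(hosts(g, "master.netgroup")), nested(g), oversized(SAMPLE))
```

Any group reported by nested() is one to list explicitly, subgroup by subgroup, on a machine that does not expand container netgroups.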
2 Comments
From: peterb
12-November-2004-07:00:03
Since cascading netgroups aren't part of any specification that I've seen, it doesn't surprise me that they're not universally supported.
I'd say a better solution is "Don't use netgroups."
From: Saint Aardvark the Carpeted
12-November-2004-10:23:41
"Don't use netgroups" is easy to say, but the reality is that the migration to (say) LDAP, while A Good Thing, would be a lot of work. At the moment, the benefits don't outweigh the difficulties.
An even better thing would be if there wasn't this stupid 1024 character limit on netgroup sizes; it takes remarkably few canonical hostnames to bump up against this ceiling.