You can make a difference in the Apple Support Community!

When you sign up with your Apple Account, you can provide valuable feedback to other community members by upvoting helpful replies and User Tips.

Looks like no one’s replied in a while. To start the conversation again, simply ask a new question.

User profile for user: Charles Fultz
Charles Fultz Author
User level: Level 1
15 points

Netgroup support

(This problem has existed since at least 10.2, but I'm using 10.5 now so I posted in this forum)
Is there anyway to get Mac OS to actually honor/use netgroups? It sees netgroups.
<PRE>
% ypmatch -k nfshosts1 netgroup
nfshosts1 (arthur,,) (bors,,) (merlin,,) (opus,,) (pendragon,,) (newman,,) (tux,,) (cache,,) (ector,,) (eros,,) (data,,) (cups,,) (fahmysun,,) (wolfgang,,) (lancelot,,) (gareth,,) (ocean,,) (skeelmac,,) (illiac4,,) (denali,,) (strongsad,,) (tt,,) (reardon,,) (id,,) (galt,,) (oz,,) (cassandra,,) (cybil,,) (squaredot,,) (hopper,,) (hephaestus,,) (homestar,,) (strongbad,,) (trogdor,,) (lance,,) (gauss,,) (oddjob,,) (lukasz,,) (sspillai,,) (bagdemagus,,)

</PRE>
spits out all of the hosts in my nfshosts1 netgroup. However, when I actually try to use that netgroup name in /etc/exports I get this:
<PRE>
Dec 7 10:42:58 trogdor /sbin/nfsd[2592]: Gethostbyname failed for nfshosts1
Dec 7 10:42:58 trogdor /sbin/nfsd[2592]: exports:3: couldn't get address for host: nfshosts1
Dec 7 10:42:58 trogdor /sbin/nfsd[2592]: exports:3: no valid hosts found for export
</PRE>

So, what has to ben done to get Mac OS to use netgroups? Any advice would be appreciated!

Thanks,
Charlie

G5, Mac OS X (10.5.1)

Posted on Dec 7, 2007 7:45 AM

Reply
3 replies
User profile for user: Charles Fultz
Charles Fultz Author
User level: Level 1
15 points

Dec 7, 2007 9:26 AM in response to Charles Fultz

So upon further investigation, Mac OS does indeed use netgroups. However,
it doesn't like nested netgroups, nor does it like netgroups via NIS. It will
use the flat-file /etc/netgroup and will expand netgroups that way.

Perhaps I don't have DirectoryServices configured properly to allow it to use
NIS for netgroups. Anyone have any suggestions for configuring
DirectoryServices to netgroups via NIS?

I believe the lack of support for nested netgroups is a bug. Where should
I report a bug of this nature?
Reply
User profile for user: Charles Fultz
Charles Fultz Author
User level: Level 1
15 points

Dec 7, 2007 10:17 AM in response to Charles Fultz

Wow, I'm on a role.
I must retract my last statement. It seems that Mac OS DOES indeed support netgroups
via NIS. You just have to tell Mac OS to use NIS for authentication (via Directory Utility in 10.5).

So, now I've answered my own question.

However, there still seems to be the issue that Mac OS does not support nested netgroups.
Where should I report this bug?
Reply
User profile for user: Adeyemi
Adeyemi
User level: Level 1
0 points

Dec 19, 2007 2:49 PM in response to Charles Fultz

Hi Charles.

I have already spent more than a year trying to get Apple engineers to look at this issue seriously. Netgroups are a vital component of our UNIX computing infrastructure.
OSX servers (lack of) netgroup support is very disappointing. Netgroups are broken. Starting off with a simple flat file definition in /etc/netgroup, the line continuation character is not handled correctly and
nested groups do not work.

Only very simple (one line) netgroup definitions currently work. Another bad feature is the fact than when you query the OS X NFS server via the 'showmount' command it will attempt to return the list of netgroup
members instead of just outputting the name of the netgroup which a filesystem is being exported to. Not only does this result in way too much output (we have 1000's of NFS clients) it should be considered a
security risk.

I need to revisit this with Apple support but I'm not holding my breath.

----
Yemi
Reply

Netgroup support

Welcome to Apple Support Community
A forum where Apple customers help each other with their products. Get started with your Apple Account.
Learn more Sign up