Network Groups
Manage NIS netgroups for legacy UNIX authentication and authorization systems. Netgroups define sets of users, hosts, and domains for network-wide access control. Supports triple notation (user, host, domain), nested netgroup membership, and integration with NIS compatibility mode for environments requiring traditional UNIX authentication mechanisms.
A netgroup is a group used for permission checking. It can contain both user and host values.
EXAMPLES
Add a new netgroup:
ipa netgroup-add --desc="NFS admins" admins
Add members to the netgroup:
ipa netgroup-add-member --users=tuser1 --users=tuser2 admins
Remove a member from the netgroup:
ipa netgroup-remove-member --users=tuser2 admins
Display information about a netgroup:
ipa netgroup-show admins
Delete a netgroup:
ipa netgroup-del admins
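The following is an added example, not part of the FreeIPA documentation: a check that reads resolved netgroup triples and reports fields left empty, since in NIS netgroup semantics an empty field matches anything while "-" matches nothing. It assumes input in the form `getent netgroup` prints, `NAME (host,user,domain) ...`; the function names and the sample netgroups, hosts and domain are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit expanded netgroup triples for wildcard fields.
# Assumed input: lines as printed by `getent netgroup NAME`, i.e.
#   NAME (host,user,domain) (host,user,domain) ...

# Constructed sample data (names, hosts and domain are illustrative only).
sample_netgroups() {
    cat <<'EOF'
admins (-,tuser1,example.com) (-,tuser2,example.com)
nfs-clients (nfs1.example.com,-,example.com) ( ,-,example.com)
everyone (,,example.com)
EOF
}

# Reads getent-style lines on stdin; prints one finding per wildcard field.
# Empty field = matches anything; "-" = matches nothing (not reported).
audit_triples() {
    awk '
    {
        name = $1
        rest = $0
        while (match(rest, /\([^()]*\)/)) {
            triple = substr(rest, RSTART + 1, RLENGTH - 2)
            rest = substr(rest, RSTART + RLENGTH)
            gsub(/[ \t]/, "", triple)          # tolerate "( ,user,dom)"
            n = split(triple, f, ",")
            if (n != 3) { printf "%s MALFORMED (%s)\n", name, triple; continue }
            if (f[1] == "") printf "%s ANY-HOST (%s)\n", name, triple
            if (f[2] == "") printf "%s ANY-USER (%s)\n", name, triple
        }
    }'
}

sample_netgroups | audit_triples
```

To audit a live netgroup, pipe `getent netgroup admins` into `audit_triples` on a host that resolves netgroups through the directory.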
Commands
Command Description
netgroup-add Add a new netgroup.
netgroup-add-member Add members to a netgroup.
netgroup-del Delete a netgroup.
netgroup-find Search for a netgroup.
netgroup-mod Modify a netgroup.
netgroup-remove-member Remove members from a netgroup.
netgroup-show Display information about a netgroup.
netgroup-add
Usage: ipa [global-options] netgroup-add NAME [options]
Add a new netgroup.
Arguments
Argument Required Description
NAME yes Netgroup name
Options
Option Description
--desc DESC Netgroup description
--nisdomain NISDOMAIN NIS domain name
--usercat USERCAT User category the rule applies to
--hostcat HOSTCAT Host category the rule applies to
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
netgroup-add-member
Usage: ipa [global-options] netgroup-add-member NAME [options]
Add members to a netgroup.
Arguments
Argument Required Description
NAME yes Netgroup name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to add
--groups GROUPS groups to add
--hosts HOSTS hosts to add
--hostgroups HOSTGROUPS host groups to add
--netgroups NETGROUPS netgroups to add
netgroup-del
Usage: ipa [global-options] netgroup-del NAME [options]
Delete a netgroup.
Arguments
Argument Required Description
NAME yes Netgroup name
Options
Option Description
--continue Continuous mode: Don’t stop on errors.
netgroup-find
Usage: ipa [global-options] netgroup-find [CRITERIA] [options]
Search for a netgroup.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object attributes
Options
Option Description
--name NAME Netgroup name
--desc DESC Netgroup description
--nisdomain NISDOMAIN NIS domain name
--uuid UUID IPA unique ID
--usercat USERCAT User category the rule applies to
--hostcat HOSTCAT Host category the rule applies to
--timelimit TIMELIMIT Time limit of search in seconds (0 is unlimited)
--sizelimit SIZELIMIT Maximum number of entries returned (0 is unlimited)
--managed search for managed groups
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--pkey-only Results should contain primary key attribute only (“name”)
--netgroups NETGROUPS Search for netgroups with these member netgroups.
--no-netgroups NO-NETGROUPS Search for netgroups without these member netgroups.
--users USERS Search for netgroups with these member users.
--no-users NO-USERS Search for netgroups without these member users.
--groups GROUPS Search for netgroups with these member groups.
--no-groups NO-GROUPS Search for netgroups without these member groups.
--hosts HOSTS Search for netgroups with these member hosts.
--no-hosts NO-HOSTS Search for netgroups without these member hosts.
--hostgroups HOSTGROUPS Search for netgroups with these member host groups.
--no-hostgroups NO-HOSTGROUPS Search for netgroups without these member host groups.
--in-netgroups IN-NETGROUPS Search for netgroups with these member of netgroups.
--not-in-netgroups NOT-IN-NETGROUPS Search for netgroups without these member of netgroups.
netgroup-mod
Usage: ipa [global-options] netgroup-mod NAME [options]
Modify a netgroup.
Arguments
Argument Required Description
NAME yes Netgroup name
Options
Option Description
--desc DESC Netgroup description
--nisdomain NISDOMAIN NIS domain name
--usercat USERCAT User category the rule applies to
--hostcat HOSTCAT Host category the rule applies to
--setattr SETATTR Set an attribute to a name/value pair. Format is attr=value.
--addattr ADDATTR Add an attribute/value pair. Format is attr=value. The attribute
--delattr DELATTR Delete an attribute/value pair. The option will be evaluated
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
netgroup-remove-member
Usage: ipa [global-options] netgroup-remove-member NAME [options]
Remove members from a netgroup.
Arguments
Argument Required Description
NAME yes Netgroup name
Options
Option Description
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.
--no-members Suppress processing of membership attributes.
--users USERS users to remove
--groups GROUPS groups to remove
--hosts HOSTS hosts to remove
--hostgroups HOSTGROUPS host groups to remove
--netgroups NETGROUPS netgroups to remove
netgroup-show
Usage: ipa [global-options] netgroup-show NAME [options]
Display information about a netgroup.
Arguments
Argument Required Description
NAME yes Netgroup name
Options
Option Description
--rights Display the access rights of this entry (requires --all). See ipa man page for details.
--all Retrieve and print all attributes from the server. Affects command output.
--raw Print entries as stored on the server. Only affects output format.