Network Groups
Manage NIS netgroups for legacy UNIX authentication and authorization systems. Netgroups define sets of users, hosts, and domains for network-wide access control. Supports triple notation (user, host, domain), nested netgroup membership, and integration with NIS compatibility mode for environments requiring traditional UNIX authentication mechanisms.
Overview
Netgroups are a legacy UNIX/NIS (Network Information Service) mechanism for defining sets of users, hosts, and domains for network-wide access control. While originally designed for NIS environments, FreeIPA provides netgroup support for backward compatibility with legacy UNIX systems and applications that rely on netgroup-based authorization.
What Are Netgroups?
A netgroup is a named collection of triples in the format (user, host, domain), where:
- user: Username (can be empty, meaning any user)
- host: Hostname (can be empty, meaning any host)
- domain: NIS domain name (can be empty, typically empty in IPA)
Example triple: (alice, server01, ) means user “alice” on host “server01” in any domain.
Netgroups can also contain:
- Users: IPA user accounts
- Groups: IPA user groups (group members implicitly included)
- Hosts: IPA host entries
- Host groups: IPA host groups (host members implicitly included)
- Nested netgroups: Other netgroups for hierarchical organization
Historical Context: NIS and Netgroups
NIS (Network Information Service, formerly Yellow Pages/YP) was a directory service used in UNIX environments before LDAP became prevalent. Netgroups were NIS’s mechanism for defining which users could access which hosts. Common uses included:
- NFS export access control (
/etc/exports) - Login access control via PAM (
/etc/pam.d/*) - Batch job scheduling access
- Application-specific authorization
While NIS is largely obsolete, many legacy applications and UNIX systems still support netgroup-based authorization, making IPA’s netgroup support valuable for hybrid environments transitioning from NIS to modern identity management.
FreeIPA Netgroup Implementation
IPA stores netgroups in LDAP using the nisNetgroup object class. For NIS-compatible systems, IPA’s schema compatibility plugin can expose netgroups in NIS-style format for legacy clients.
Key differences from traditional NIS netgroups:
- IPA netgroups are stored in LDAP, not flat files
- IPA provides rich membership (users, groups, hosts, hostgroups)
- Netgroups integrate with IPA’s RBAC system for management
- No separate NIS domain management (typically not used in IPA)
Use Cases for Netgroups
Legacy NFS exports: NFS servers use netgroups in /etc/exports to control which hosts/users can mount filesystems:
/export/data @nfs-clients(rw)
Login access control: Some systems use netgroups for login authorization (though HBAC is preferred in IPA environments).
Batch system authorization: Grid computing and batch scheduling systems (SGE, LSF, PBS) may use netgroups for job submission authorization.
Application-specific access: Legacy UNIX applications with netgroup support for authorization.
Netgroups vs HBAC Rules
For new IPA deployments, HBAC (Host-Based Access Control) is the recommended mechanism for access control:
HBAC advantages:
- Native IPA feature with full SSSD integration
- Fine-grained control (per-service access control)
- Centralized policy enforcement
- Real-time policy updates
- Testing capabilities (
ipa hbactest)
When to use netgroups:
- Legacy NIS migration requiring netgroup compatibility
- Applications that only support netgroup-based authorization
- NFS exports requiring netgroup syntax
- Transitional environments moving from NIS to IPA
In modern IPA environments, use HBAC for access control and reserve netgroups for legacy compatibility.
Netgroup Categories
IPA netgroups support category attributes for broad matching:
--usercat=all: Matches all users (equivalent to wildcard in user field)
--hostcat=all: Matches all hosts (equivalent to wildcard in host field)
Categories simplify netgroup management for cases where “all users” or “all hosts” is appropriate, avoiding the need to explicitly add every user or host.
Examples
Add a new netgroup:
ipa netgroup-add --desc="NFS admins" admins
Add members to the netgroup:
ipa netgroup-add-member --users=tuser1 --users=tuser2 admins
Remove a member from the netgroup:
ipa netgroup-remove-member --users=tuser2 admins
Display information about a netgroup:
ipa netgroup-show admins
Delete a netgroup:
ipa netgroup-del admins
Use Cases
1. Migrating NIS Netgroups to IPA
Organization retiring legacy NIS infrastructure needs to migrate 50 netgroups used for NFS access control to FreeIPA.
# On old NIS server, export netgroup definitions
ypcat -k netgroup > netgroups-export.txt
# Example netgroup format in NIS:
# nfs-clients (alice,server01,) (bob,server02,) (,-,)
# Create equivalent netgroups in IPA
ipa netgroup-add nfs-clients --desc="NFS client access"
# Add members based on NIS export
# Convert NIS triples to IPA membership
ipa netgroup-add-member nfs-clients \
--users=alice \
--users=bob
# Add hosts
ipa netgroup-add-member nfs-clients \
--hosts=server01.example.com \
--hosts=server02.example.com
# Verify netgroup created
ipa netgroup-show nfs-clients
# Output shows:
# Netgroup name: nfs-clients
# Description: NFS client access
# Member users: alice, bob
# Member hosts: server01.example.com, server02.example.com
# Update NFS server /etc/exports to use netgroup
# (No syntax change - still uses @nfs-clients)
Result: NIS netgroups migrated to IPA. NFS servers continue using same netgroup syntax via IPA’s NIS compatibility mode.
2. Controlling NFS Export Access with Netgroups
NFS server needs to grant read/write access to specific users and hosts for sensitive data export.
# Create netgroup for sensitive data access
ipa netgroup-add finance-nfs \
--desc="Finance department NFS access"
# Add finance users
ipa netgroup-add-member finance-nfs \
--users=alice \
--users=bob \
--groups=finance-team
# Add authorized client hosts
ipa netgroup-add-member finance-nfs \
--hosts=workstation01.example.com \
--hosts=workstation02.example.com \
--hostgroups=finance-workstations
# On NFS server, configure /etc/exports
# Use netgroup syntax with @netgroup-name
cat >> /etc/exports <<EOF
/export/finance @finance-nfs(rw,sync,no_root_squash)
EOF
# Reload NFS exports
exportfs -ra
# Verify export with netgroup
exportfs -v
# /export/finance @finance-nfs(rw,sync,wdelay,no_root_squash)
# Test access from authorized host
# On workstation01.example.com:
mount -t nfs nfs-server:/export/finance /mnt/finance
# Mount succeeds (workstation01 is in finance-nfs netgroup)
# Test from unauthorized host:
# On unauthorized-host:
mount -t nfs nfs-server:/export/finance /mnt/finance
# mount.nfs: access denied (not in finance-nfs netgroup)
Result: NFS export access controlled via IPA netgroup. Only users in finance-team group accessing from finance-workstations can mount the sensitive filesystem.
3. Using Nested Netgroups for Hierarchical Organization
Large organization with multiple departments needs hierarchical netgroup structure for NFS access.
# Create department-specific netgroups
ipa netgroup-add engineering-nfs --desc="Engineering NFS access"
ipa netgroup-add sales-nfs --desc="Sales NFS access"
ipa netgroup-add marketing-nfs --desc="Marketing NFS access"
# Add department members
ipa netgroup-add-member engineering-nfs --groups=engineering
ipa netgroup-add-member sales-nfs --groups=sales
ipa netgroup-add-member marketing-nfs --groups=marketing
# Create parent netgroup for all departments
ipa netgroup-add all-departments-nfs --desc="All departments NFS access"
# Add department netgroups as members (nesting)
ipa netgroup-add-member all-departments-nfs \
--netgroups=engineering-nfs \
--netgroups=sales-nfs \
--netgroups=marketing-nfs
# Verify nested structure
ipa netgroup-show all-departments-nfs
# Output shows:
# Member netgroups: engineering-nfs, sales-nfs, marketing-nfs
# Use parent netgroup in NFS export for shared data
# /etc/exports:
# /export/shared @all-departments-nfs(ro)
# Use department-specific netgroups for department data
# /export/engineering @engineering-nfs(rw)
# /export/sales @sales-nfs(rw)
# /export/marketing @marketing-nfs(rw)
Result: Hierarchical netgroup structure enables both department-specific and company-wide NFS access control. Changes to department membership automatically propagate to parent netgroup.
4. Using Netgroup Categories for Broad Access
NFS server hosting public read-only data needs to allow all authenticated users from any IPA-enrolled host.
# Create netgroup with user category "all"
ipa netgroup-add public-data \
--desc="Public data access for all users" \
--usercat=all \
--hostcat=all
# No need to explicitly add users or hosts
# Categories match all users and all hosts
# Verify category configuration
ipa netgroup-show public-data --all
# Output shows:
# User category: all
# Host category: all
# Configure NFS export
# /etc/exports:
# /export/public @public-data(ro,sync)
# Any authenticated user from any IPA-enrolled host can mount
Result: Netgroup with categories provides “allow all” access without maintaining explicit membership lists.
5. Managing Netgroup Membership with Groups
Instead of adding individual users to netgroup, use IPA groups for easier membership management.
# Create netgroup for development servers access
ipa netgroup-add dev-servers --desc="Development servers access"
# Add entire group instead of individual users
ipa netgroup-add-member dev-servers --groups=developers
# Add entire hostgroup
ipa netgroup-add-member dev-servers --hostgroups=dev-infrastructure
# When users join/leave developers group, netgroup membership automatically updates
ipa group-add-member developers --users=newdev
# newdev automatically in dev-servers netgroup
# When hosts added to dev-infrastructure hostgroup, netgroup updates
ipa hostgroup-add-member dev-infrastructure --hosts=dev03.example.com
# dev03 automatically in dev-servers netgroup
# Verify effective membership
ipa netgroup-show dev-servers --all
# Shows groups and hostgroups, plus their transitive members
Result: Group-based netgroup membership simplifies management. User/host lifecycle changes automatically reflected in netgroup without manual netgroup updates.
6. Troubleshooting Netgroup Access Issues
User reports inability to mount NFS share despite being in required netgroup.
# Verify user is in netgroup
ipa netgroup-show finance-nfs
# Member users: alice
# Member groups: finance-team
# Check if user is member of included group
ipa group-show finance-team
# Member users: bob, charlie (alice not listed)
# Alice is direct member, should work
# Check if netgroup exported to NIS compatibility
ldapsearch -x -b "cn=finance-nfs,cn=ng,cn=compat,dc=example,dc=com" \
"(objectClass=nisNetgroup)" nisNetgroupTriple
# Output should show:
# nisNetgroupTriple: (alice,,)
# nisNetgroupTriple: (bob,,)
# nisNetgroupTriple: (charlie,,)
# If missing, check schema compat plugin status
ipa-compat-manage status
# Schema compat is: enabled
# If disabled, enable it
ipa-compat-manage enable
systemctl restart dirsrv@EXAMPLE-COM
# Verify NFS server can resolve netgroup
# On NFS server:
getent netgroup finance-nfs
# Should show: finance-nfs (alice,,) (bob,,) (charlie,,)
# If getent returns nothing, configure SSSD for netgroup lookups
# /etc/sssd/sssd.conf:
# [nss]
# services = nss, pam, netgroup
systemctl restart sssd
# Retry getent
getent netgroup finance-nfs
# Now returns correct membership
# User can now mount NFS share
Result: Netgroup access issue resolved by enabling schema compatibility plugin and configuring SSSD for netgroup enumeration.
7. Listing All Netgroups with Specific Member
Find all netgroups containing a specific user for audit purposes.
# Find netgroups containing user alice
ipa netgroup-find --users=alice
# Returns all netgroups with alice as direct member
# Find netgroups containing group developers
ipa netgroup-find --groups=developers
# Find netgroups containing host server01
ipa netgroup-find --hosts=server01.example.com
# Find netgroups containing hostgroup dev-infrastructure
ipa netgroup-find --hostgroups=dev-infrastructure
# Generate comprehensive audit report
echo "Netgroup Audit for User: alice" > netgroup-audit.txt
echo "================================" >> netgroup-audit.txt
ipa netgroup-find --users=alice >> netgroup-audit.txt
echo "\nNetgroups via Group Membership:" >> netgroup-audit.txt
for group in $(ipa user-show alice | grep 'Member of groups:' | cut -d: -f2 | tr ',' '\n'); do
echo " Group: $group" >> netgroup-audit.txt
ipa netgroup-find --groups=$group >> netgroup-audit.txt
done
cat netgroup-audit.txt
Result: Comprehensive audit of all netgroups user is member of, both directly and via group membership.
8. Removing Deprecated Netgroups
Clean up obsolete netgroups left over from NIS migration that are no longer used.
# List all netgroups
ipa netgroup-find --pkey-only
# Shows: 47 netgroups
# Identify unused netgroups (no members)
for ng in $(ipa netgroup-find --pkey-only | grep 'Netgroup name:' | awk '{print $3}'); do
members=$(ipa netgroup-show "$ng" | grep -E "Member (users|groups|hosts|hostgroups|netgroups):" | wc -l)
if [ "$members" -eq 0 ]; then
echo "Unused netgroup: $ng"
fi
done
# Output:
# Unused netgroup: old-nis-group1
# Unused netgroup: legacy-netgroup
# Before deleting, check if used in NFS exports
# Search /etc/exports on all NFS servers
# If not referenced anywhere, safe to delete
# Delete unused netgroups
ipa netgroup-del old-nis-group1
ipa netgroup-del legacy-netgroup
# Verify deletion
ipa netgroup-find old-nis-group1
# 0 netgroups matched (deleted successfully)
Result: Obsolete netgroups identified and removed, reducing LDAP clutter and improving performance.
9. Specifying NIS Domain for Legacy Compatibility
Legacy NIS environment requires netgroups to specify NIS domain for compatibility with existing scripts.
# Create netgroup with NIS domain
ipa netgroup-add legacy-group \
--desc="Legacy NIS-compatible netgroup" \
--nisdomain=example.com
# Add members
ipa netgroup-add-member legacy-group \
--users=alice \
--hosts=server01.example.com
# Verify NIS domain set
ipa netgroup-show legacy-group --all
# Output:
# Netgroup name: legacy-group
# Description: Legacy NIS-compatible netgroup
# NIS domain name: example.com
# Member users: alice
# Member hosts: server01.example.com
# Netgroup triple exported includes domain
ldapsearch -x -b "cn=legacy-group,cn=ng,cn=compat,dc=example,dc=com" \
nisNetgroupTriple
# nisNetgroupTriple: (alice,server01.example.com,example.com)
# Legacy applications expecting domain field now function correctly
Result: Netgroup with NIS domain specification maintains compatibility with legacy applications requiring domain field in netgroup triples.
10. Batch Creating Netgroups from CSV
Administrator needs to create 30 netgroups based on organizational structure defined in spreadsheet.
# Export spreadsheet to CSV
# Format: netgroup_name, description, members (comma-separated)
cat > netgroups.csv <<EOF
dept-engineering,Engineering Department,engineering,eng-servers
dept-sales,Sales Department,sales,sales-servers
dept-hr,Human Resources,hr,hr-servers
EOF
# Script to batch create netgroups
while IFS=, read -r name desc group hostgroup; do
echo "Creating netgroup: $name"
# Create netgroup
ipa netgroup-add "$name" --desc="$desc"
# Add group members
if [ -n "$group" ]; then
ipa netgroup-add-member "$name" --groups="$group"
fi
# Add hostgroup members
if [ -n "$hostgroup" ]; then
ipa netgroup-add-member "$name" --hostgroups="$hostgroup"
fi
done < netgroups.csv
# Verify all netgroups created
ipa netgroup-find --pkey-only | grep "^ Netgroup name: dept-"
# dept-engineering
# dept-sales
# dept-hr
Result: 30 netgroups created efficiently via batch script, reducing manual effort and potential errors.
Security Considerations
Overly Broad Netgroup Categories
Using --usercat=all or --hostcat=all grants access to all users or hosts in the IPA domain, which may violate least-privilege principles. A misconfigured netgroup with categories can inadvertently grant excessive NFS export access, application permissions, or login rights to unintended users/hosts. For NFS exports containing sensitive data, avoid category-based netgroups and explicitly define allowed users/hosts. Audit netgroups with categories periodically: ipa netgroup-find --usercat=all and ipa netgroup-find --hostcat=all. Document business justification for any category usage.
Netgroup Membership Visibility
All authenticated IPA users can enumerate netgroups and view their membership using ipa netgroup-find and ipa netgroup-show. This information disclosure may reveal organizational structure, sensitive groupings (e.g., “executives-nfs”, “finance-data”), or infrastructure topology. While netgroup visibility cannot be easily restricted without breaking functionality, avoid using sensitive names that disclose confidential information. Use generic naming (e.g., “data-tier1” instead of “payroll-nfs”). Netgroup membership is also visible via LDAP queries, so treat netgroup names and descriptions as semi-public information.
Nested Netgroup Complexity
Complex nested netgroup hierarchies (netgroups containing netgroups containing netgroups) can create difficult-to-audit access control chains. Administrators may grant access via a parent netgroup without realizing which child netgroups (and their members) are included, leading to unintended access. Limit nesting depth (recommended: max 2-3 levels). Document netgroup hierarchies clearly. Before adding netgroups to parent netgroups, verify all transitive members are appropriate for the intended access scope. Use ipa netgroup-show --all to view full membership including nested groups.
Group-Based Membership Surprises
Adding IPA groups to netgroups (--groups=developers) means any user added to that group automatically gains netgroup membership. If group membership processes are less rigorous than netgroup access requirements, unintended users may gain access. For example, if “developers” group is broadly used but “dev-nfs” netgroup grants access to production NFS shares, new developers automatically gain production access. Ensure group membership policies align with netgroup access requirements. For high-security netgroups, use explicit user membership rather than group-based membership.
NFS Export Access Control Limitations
Netgroups used in NFS /etc/exports control which hosts can mount filesystems, but NFS’s security model has limitations. NFS traditionally trusts client-reported UIDs (unless Kerberos-based NFS is used). A compromised client host in an allowed netgroup can present any UID to access files. Netgroups prevent unauthorized hosts from mounting, but don’t prevent UID spoofing from allowed hosts. For sensitive data, combine netgroup-based export control with Kerberos NFS (sec=krb5), restrictive file permissions, and audit logging. Netgroups are perimeter access control, not authorization.
Schema Compatibility Plugin Exposure
IPA’s schema compatibility plugin exposes netgroups in NIS-compatible format at cn=ng,cn=compat,<basedn> for legacy clients. This compatibility tree is readable by anonymous users if anonymous binds are enabled (default: disabled in IPA). An attacker with LDAP access can enumerate netgroups and membership without Kerberos authentication. Ensure anonymous LDAP binds are disabled (IPA default). Restrict direct LDAP access to IPA servers. Monitor LDAP access logs for unusual netgroup enumeration queries.
Stale Netgroup Membership
Unlike HBAC rules which are actively evaluated by SSSD, netgroup membership is statically cached by NSS/SSSD. If a user is removed from a netgroup while their session is active, cached netgroup membership may persist until cache expiration or daemon restart. This creates a window where removed users retain access. For time-sensitive access revocation (terminated employees, security incidents), also disable user accounts (ipa user-disable) to force immediate authentication failure. Clear SSSD caches after security-critical netgroup changes: sssctl cache-expire or systemctl restart sssd.
Netgroup Names in /etc/exports
NFS /etc/exports files are typically world-readable on NFS servers. Netgroup names referenced in exports (e.g., @finance-nfs) disclose organizational structure and data classification (“finance” implies financial data). Attackers gaining read access to /etc/exports can map sensitive data locations and target specific netgroups for membership exploitation. Use non-descriptive netgroup names in high-security environments. Restrict read access to /etc/exports where feasible (chmod 600). Treat /etc/exports as infrastructure documentation that should be protected.
Lack of Time-Based or Conditional Access
Netgroups provide static membership-based access control without support for time-based access (e.g., “business hours only”) or contextual conditions (e.g., “from corporate network”). Once a user is in a netgroup, they have access regardless of time, location, or authentication method. For scenarios requiring conditional access, use HBAC rules (which support time-based rules via PAM) instead of netgroups, or implement application-layer access controls that consider context.
Netgroup Management Permissions
IPA’s default permission model allows relatively broad netgroup management. Users with delegated permissions can create, modify, or delete netgroups, potentially disrupting NFS access or creating backdoor access. Carefully delegate netgroup management permissions using IPA’s RBAC system. Create custom roles for netgroup management limited to specific administrators. Audit netgroup modifications: ipa-audit logs or monitor LDAP modification logs (/var/log/dirsrv/slapd-*/access). Implement change review processes for production netgroups.
Hidden Membership via Groups and Hostgroups
Netgroup membership can be indirect (via groups/hostgroups) making it non-obvious which users/hosts have access. Viewing ipa netgroup-show netgroup-name without --all may not reveal transitive group members, creating audit blind spots. Administrators may add users to a group without realizing that group’s inclusion in a netgroup grants additional access. Always use --all flag when auditing netgroups: ipa netgroup-show netgroup-name --all. Document which groups/hostgroups are included in access-critical netgroups.
Netgroups as Legacy Mechanism
Netgroups are a legacy NIS concept maintained primarily for backward compatibility. They lack modern security features like audit logging of access attempts, MFA enforcement, or integration with conditional access policies. Relying heavily on netgroups in new deployments misses security benefits of modern mechanisms (HBAC, RBAC). Migrate legacy netgroup-based access control to HBAC rules where possible. Reserve netgroups for applications that cannot use modern access control (NFS exports, legacy UNIX tools). Plan eventual removal of netgroup dependencies.
Troubleshooting
Netgroup Not Visible in getent netgroup
Symptoms: Created netgroup in IPA, but getent netgroup <name> returns no results on client systems.
Diagnosis:
# Verify netgroup exists in IPA
ipa netgroup-show test-netgroup
# Netgroup exists in IPA
# On client, try getent
getent netgroup test-netgroup
# (No output)
# Check if SSSD configured for netgroup lookups
grep services /etc/sssd/sssd.conf
# services = nss, pam (netgroup missing)
# Check schema compat plugin status on server
ipa-compat-manage status
# Schema compat is: disabled
Resolution: Enable schema compatibility plugin on IPA server: ipa-compat-manage enable && systemctl restart dirsrv@EXAMPLE-COM. Configure SSSD for netgroup lookups on client: edit /etc/sssd/sssd.conf, change services = nss, pam to services = nss, pam, netgroup. Restart SSSD: systemctl restart sssd. Verify: getent netgroup test-netgroup should now return netgroup membership.
NFS Export Denies Access Despite User in Netgroup
Symptoms: User is confirmed member of netgroup used in NFS /etc/exports, but mount/access denied.
Diagnosis:
# Verify user in netgroup
ipa netgroup-show nfs-clients
# Member users: alice
# On NFS server, check if netgroup resolves
getent netgroup nfs-clients
# nfs-clients (alice,,) (bob,,)
# Check NFS export configuration
cat /etc/exports | grep nfs-clients
# /export/data @nfs-clients(rw)
# Check NFS server logs
journalctl -u nfs-server | grep -i denied
# Denied access from 192.168.1.50
# Check if client host is in netgroup
ipa netgroup-show nfs-clients | grep "Member hosts"
# (No hosts listed - only users!)
# NFS netgroups need BOTH user AND host for access
Resolution: NFS uses netgroup triples (user, host, domain). For NFS access, both user and host must be in netgroup. Add client hosts to netgroup: ipa netgroup-add-member nfs-clients --hosts=client01.example.com --hosts=client02.example.com. Alternatively, use host category: ipa netgroup-mod nfs-clients --hostcat=all. After adding hosts, client access should succeed.
Nested Netgroup Members Not Showing
Symptoms: Added netgroup-A as member of netgroup-B, but netgroup-B doesn’t show netgroup-A’s members.
Diagnosis:
# Check parent netgroup
ipa netgroup-show parent-netgroup
# Member netgroups: child-netgroup
# (No member users shown)
# Check child netgroup
ipa netgroup-show child-netgroup
# Member users: alice, bob
# Expected: parent-netgroup should transitively include alice, bob
Resolution: Use --all flag to see transitive membership: ipa netgroup-show parent-netgroup --all. This shows all users/hosts from nested netgroups. Without --all, only direct members are displayed. Transitive membership is automatically resolved by NSS/SSSD when netgroups are queried by applications, but IPA’s display omits transitive members unless explicitly requested.
Cannot Delete Netgroup
Symptoms: ipa netgroup-del fails with “This entry is being referenced by other entries” error.
Diagnosis:
# Try to delete netgroup
ipa netgroup-del old-netgroup
# ipa: ERROR: This entry is being referenced by other entries
# Find which netgroups reference old-netgroup
ipa netgroup-find --netgroups=old-netgroup
# Shows parent netgroups containing old-netgroup
Resolution: Netgroup is member of other netgroups (nested). Remove from parent netgroups first: ipa netgroup-remove-member parent-netgroup --netgroups=old-netgroup. Repeat for all parents, then retry deletion: ipa netgroup-del old-netgroup. Alternatively, search for all references: ldapsearch -x -b "cn=ng,cn=compat,dc=example,dc=com" "(&(objectClass=nisNetgroup)(memberNisNetgroup=old-netgroup))".
Netgroup Members Added But Not Effective
Symptoms: Added users/hosts to netgroup, but access still denied. Changes don’t take effect.
Diagnosis:
# Verify member added to netgroup
ipa netgroup-show test-group
# Member users: charlie (newly added)
# On client, check NSS cache
getent netgroup test-group
# test-group (alice,,) (bob,,) (no charlie)
# SSSD cache outdated
sssctl cache-expire
# Still showing old membership - cache very stale
Resolution: SSSD caches netgroup membership. After netgroup changes, expire SSSD cache on clients: sssctl cache-expire --netgroups or sssctl cache-remove --netgroups. For immediate effect, restart SSSD: systemctl restart sssd. Alternatively, wait for automatic cache expiration (default: several hours). For testing, lower SSSD cache timeout in /etc/sssd/sssd.conf: [nss] netgroup_cache_timeout = 60.
Netgroup Shows Users But Application Doesn’t Recognize
Symptoms: Netgroup has correct members in IPA, but legacy application using netgroup doesn’t recognize membership.
Diagnosis:
# Verify netgroup in IPA
ipa netgroup-show app-users
# Member users: alice, bob
# Check if schema compat exposes it
ldapsearch -x -b "cn=app-users,cn=ng,cn=compat,dc=example,dc=com" \
"(objectClass=nisNetgroup)" nisNetgroupTriple
# No results (schema compat not exporting)
# Check compat plugin
ipa-compat-manage status
# Schema compat is: enabled
# But no netgroup entries in compat tree
Resolution: Schema compatibility may be enabled but netgroup export broken. Restart directory server: systemctl restart dirsrv@EXAMPLE-COM. Verify compat entries regenerate: ldapsearch -x -b "cn=ng,cn=compat,dc=example,dc=com" "(objectClass=nisNetgroup)" cn. If still missing, check directory server logs: journalctl -u dirsrv@EXAMPLE-COM | grep -i compat. Verify IPA not running in minimal/non-compat mode.
Group Members Not Appearing in Netgroup
Symptoms: Added group to netgroup, but group’s members not appearing in netgroup lookups.
Diagnosis:
# Netgroup has group membership
ipa netgroup-show dev-access
# Member groups: developers
# Group has members
ipa group-show developers
# Member users: alice, bob, charlie
# But getent doesn't show individual users
getent netgroup dev-access
# (,server01,) (empty user field!)
# Group members not expanded to netgroup triples
Resolution: This is expected behavior for netgroups with group members. Schema compat plugin doesn’t recursively expand group membership into netgroup triples in all cases. For applications requiring explicit user triples, add users directly to netgroup instead of via groups: ipa netgroup-add-member dev-access --users=alice --users=bob --users=charlie. Alternatively, if application supports SSSD/NSS netgroup lookups (not legacy NIS), group expansion may work correctly via SSSD.
Permission Denied When Managing Netgroups
Symptoms: User receives “Insufficient access rights” when attempting to create/modify netgroups.
Diagnosis:
# Try to create netgroup
ipa netgroup-add test
# ipa: ERROR: Insufficient access: Insufficient 'add' privilege
# Check user's permissions
ipa user-show currentuser | grep "memberof"
# Member of groups: ipausers (not admins)
# Check netgroup management permissions
ipa permission-find --name="*netgroup*"
Resolution: Netgroup management requires administrative privileges or delegated permissions. Add user to admins group: ipa group-add-member admins --users=user. Alternatively, create custom role with netgroup management permissions and assign to user. Permissions needed: “System: Add Netgroups”, “System: Modify Netgroups”, “System: Remove Netgroups”.
Netgroup Category Not Working as Expected
Symptoms: Set --usercat=all expecting all users to have access, but access still denied.
Diagnosis:
# Check netgroup has category
ipa netgroup-show public-data
# User category: all
# (No explicit users listed)
# Check if getent shows category
getent netgroup public-data
# (,,) (empty triple - category not expanded)
# Legacy NIS doesn't understand categories
Resolution: Netgroup categories (--usercat=all, --hostcat=all) are an IPA extension not present in traditional NIS. Legacy applications expecting NIS-style netgroups may not recognize categories. For applications requiring explicit user/host triples, don’t use categories—add users/hosts explicitly. Categories work correctly with SSSD-aware applications and HBAC, but may fail with legacy NIS-style netgroup parsing.
NIS Domain Causes Netgroup Mismatch
Symptoms: Netgroup configured with --nisdomain, but application doesn’t match netgroup members.
Diagnosis:
# Netgroup has NIS domain set
ipa netgroup-show legacy-ng --all
# NIS domain name: example.com
# Member users: alice
# Check netgroup triple
getent netgroup legacy-ng
# (alice,,example.com)
# Application expects empty domain field
# (alice,,)
Resolution: Most IPA deployments don’t use NIS domain field (left empty). If application expects empty domain, remove NIS domain: ipa netgroup-mod legacy-ng --nisdomain="". Verify triple now has empty domain: getent netgroup legacy-ng should show (alice,,). Only set NIS domain if application specifically requires it for legacy NIS compatibility.
Netgroup Search Returns No Results
Symptoms: ipa netgroup-find <criteria> returns 0 results despite knowing netgroups exist.
Diagnosis:
# Search by description
ipa netgroup-find "Finance"
# 0 netgroups matched
# Search by name substring
ipa netgroup-find finance
# 0 netgroups matched
# List all netgroups
ipa netgroup-find
# 15 netgroups matched (netgroups exist!)
Resolution: ipa netgroup-find <CRITERIA> searches in name and description fields by default. Search is case-sensitive in some fields. Try case-insensitive search or exact name: ipa netgroup-find --name=finance-nfs. To search descriptions: ipa netgroup-find --desc="Finance". To find by member: ipa netgroup-find --users=alice or ipa netgroup-find --groups=finance-team. Use specific field flags for more reliable results than free-text criteria.
Netgroup Modification Doesn’t Update Membership
Symptoms: Used ipa netgroup-mod expecting to change members, but membership unchanged.
Diagnosis:
# Try to modify members with netgroup-mod
ipa netgroup-mod test-ng --users=alice
# ipa: ERROR: Unknown option: --users
# netgroup-mod doesn't accept membership options
Resolution: ipa netgroup-mod modifies netgroup attributes (description, categories, NIS domain) but NOT membership. To change members, use ipa netgroup-add-member or ipa netgroup-remove-member. Example: add user: ipa netgroup-add-member test-ng --users=alice. Remove user: ipa netgroup-remove-member test-ng --users=alice. Use netgroup-mod only for non-membership attributes.
Netgroup Contains Deleted Users/Hosts
Symptoms: Netgroup shows members that were deleted from IPA.
Diagnosis:
# Show netgroup
ipa netgroup-show old-ng
# Member users: alice, bob, deleted_user
# Try to show deleted user
ipa user-show deleted_user
# ipa: ERROR: deleted_user: user not found
# Orphaned membership reference
Resolution: Netgroup contains reference to deleted object. Remove orphaned reference: ipa netgroup-remove-member old-ng --users=deleted_user. If error occurs (“user not found”), use LDAP to remove directly: ldapmodify or use --raw mode. Alternatively, netgroup-remove-member may succeed despite user not existing. After cleanup, verify: ipa netgroup-show old-ng --all should not list deleted objects.
High LDAP Load from Netgroup Queries
Symptoms: IPA servers experiencing high LDAP query load traced to netgroup lookups.
Diagnosis:
# Check LDAP access log for netgroup queries
grep "cn=ng,cn=compat" /var/log/dirsrv/slapd-EXAMPLE-COM/access | wc -l
# 50000 (excessive queries)
# Identify source
grep "cn=ng,cn=compat" /var/log/dirsrv/slapd-EXAMPLE-COM/access | \
awk '{print $7}' | sort | uniq -c | sort -rn | head
# 45000 from 192.168.1.100 (one host)
# Host making excessive netgroup queries
Resolution: Identify application or misconfiguration on high-query host causing netgroup lookup storm. Common causes: NFS server re-reading /etc/exports on every mount (should cache), application repeatedly querying same netgroup without caching. On problematic host, check NFS logs, application logs. Implement query caching in application if possible. On IPA server, consider LDAP query rate limiting or blocking excessive query sources. Optimize netgroup structure to reduce query complexity (avoid deep nesting).
Commands
Commands
netgroup-add
Usage: ipa [global-options] netgroup-add NAME [options]
Add a new netgroup.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Netgroup name |
Options
| Option | Description |
|---|---|
--desc DESC | Netgroup description |
--nisdomain NISDOMAIN | NIS domain name |
--usercat USERCAT | User category the rule applies to |
--hostcat HOSTCAT | Host category the rule applies to |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
netgroup-add-member
Usage: ipa [global-options] netgroup-add-member NAME [options]
Add members to a netgroup.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Netgroup name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to add |
--groups GROUPS | groups to add |
--hosts HOSTS | hosts to add |
--hostgroups HOSTGROUPS | host groups to add |
--netgroups NETGROUPS | netgroups to add |
netgroup-del
Usage: ipa [global-options] netgroup-del NAME [options]
Delete a netgroup.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Netgroup name |
Options
| Option | Description |
|---|---|
--continue | Continuous mode: Don’t stop on errors. |
netgroup-find
Usage: ipa [global-options] netgroup-find [CRITERIA] [options]
Search for a netgroup.
Arguments
Argument Required Description
CRITERIA no A string searched in all relevant object
attributes
Options
| Option | Description |
|---|---|
--name NAME | Netgroup name |
--desc DESC | Netgroup description |
--nisdomain NISDOMAIN | NIS domain name |
--uuid UUID | IPA unique ID |
--usercat USERCAT | User category the rule applies to |
--hostcat HOSTCAT | Host category the rule applies to |
--timelimit TIMELIMIT | Time limit of search in seconds (0 is unlimited) |
--sizelimit SIZELIMIT | Maximum number of entries returned (0 is unlimited) |
--managed | search for managed groups |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--pkey-only | Results should contain primary key attribute only (“name”) |
--netgroups NETGROUPS | Search for netgroups with these member netgroups. |
--no-netgroups NO-NETGROUPS | Search for netgroups without these member netgroups. |
--users USERS | Search for netgroups with these member users. |
--no-users NO-USERS | Search for netgroups without these member users. |
--groups GROUPS | Search for netgroups with these member groups. |
--no-groups NO-GROUPS | Search for netgroups without these member groups. |
--hosts HOSTS | Search for netgroups with these member hosts. |
--no-hosts NO-HOSTS | Search for netgroups without these member hosts. |
--hostgroups HOSTGROUPS | Search for netgroups with these member host groups. |
--no-hostgroups NO-HOSTGROUPS | Search for netgroups without these member host groups. |
--in-netgroups IN-NETGROUPS | Search for netgroups with these member of netgroups. |
--not-in-netgroups NOT-IN-NETGROUPS | Search for netgroups without these member of netgroups. |
netgroup-mod
Usage: ipa [global-options] netgroup-mod NAME [options]
Modify a netgroup.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Netgroup name |
Options
| Option | Description |
|---|---|
--desc DESC | Netgroup description |
--nisdomain NISDOMAIN | NIS domain name |
--usercat USERCAT | User category the rule applies to |
--hostcat HOSTCAT | Host category the rule applies to |
--setattr SETATTR | Set an attribute to a name/value pair. Format is attr=value. |
--addattr ADDATTR | Add an attribute/value pair. Format is attr=value. The attribute |
--delattr DELATTR | Delete an attribute/value pair. The option will be evaluated |
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
netgroup-remove-member
Usage: ipa [global-options] netgroup-remove-member NAME [options]
Remove members from a netgroup.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Netgroup name |
Options
| Option | Description |
|---|---|
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |
--users USERS | users to remove |
--groups GROUPS | groups to remove |
--hosts HOSTS | hosts to remove |
--hostgroups HOSTGROUPS | host groups to remove |
--netgroups NETGROUPS | netgroups to remove |
netgroup-show
Usage: ipa [global-options] netgroup-show NAME [options]
Display information about a netgroup.
Arguments
| Argument | Required | Description |
|---|---|---|
NAME | yes | Netgroup name |
Options
| Option | Description |
|---|---|
--rights | Display the access rights of this entry (requires —all). See ipa man page for details. |
--all | Retrieve and print all attributes from the server. Affects command output. |
--raw | Print entries as stored on the server. Only affects output format. |
--no-members | Suppress processing of membership attributes. |