Product SiteDocumentation Site

10.2. Creating Netgroups

All netgroups in FreeIPA are essentially static groups, meaning that the members of the group are manually and explicitly added to the group. Tangentially, FreeIPA allows nested groups, where a group is a member of another group. In that case, all of the group members of the member group automatically belong to the parent group, as well.
Netgroups are added in two steps: the group itself is created, and then members are added to it.

10.2.1. Adding Netgroups

10.2.1.1. With the Web UI

  1. Open the Identity tab, and select the Netgroups subtab.
  2. Click the Add link at the top of the netgroups list.
  3. Enter both a unique name and a description for the netgroup. Both the name and description are required.
    The group name is the identifier used for the netgroup in the FreeIPA domain, and it cannot be changed after it is created. The name cannot contain spaces, but other separators like an underscore (_) are allowed.
  4. Click the Add and Edit button to go immediately to the netgroup's edit pages.
  5. Optionally, set the NIS domain for the netgroup. This defaults to the FreeIPA domain, but it can be changed.
    1. Click the Settings tab.
    2. Enter the name of the alternate NIS domain in the NIS domain name field.
      The NIS domain name field sets the domain that appears in the netgroup triple. It does not affect which NIS domain the FreeIPA listener responds to.
  6. Add members, as described in Section 10.2.2.1, “With the Web UI”.

10.2.1.2. With the Command Line

New netgroups are added using the netgroup-add command. This adds only the group; members are added separately. Two attributes are always required: the group name and the group description. If those attributes are not given as arguments, then the script prompts for them. There is also an option to set the NIS domain name to use for the group; this defaults to the FreeIPA domain, but it can be set to something different, depending on the network configuration.
$ ipa netgroup-add --desc="description"  [--nisdomain=domainName]  groupName
For example:
# ipa netgroup-add --desc="my new netgroup" example-netgroup
# ipa netgroup-add-member --hosts=ipa.example.com example-netgroup
# ypcat -d example.com -h ipa.example.com netgroup
(ipa.example.com,-,example.com)

NOTE

The --nisdomain option sets the domain that appears in the netgroup triple. It does not affect which NIS domain the FreeIPA listener responds to.

10.2.2. Adding Netgroup Members

NOTE

Netgroups can contain user groups, host groups, and other netgroups as their members. These are nested groups.
It can take up to several minutes for the members of the child group to show up as members of the parent group. This is especially true on virtual machines where the nested groups have more than 500 members.
When creating nested groups, be careful not to create recursive groups. For example, if GroupA is a member of GroupB, do not add GroupB as a member of GroupA. Recursive groups are not supported and can cause unpredictable behavior.

10.2.2.1. With the Web UI

  1. Open the Identity tab, and select the Netgroups subtab.
  2. Click the name of the netgroup to which to add members.
  3. Select the tab for the type of netgroup member to add. Netgroups can have users, user groups, hosts, host groups, and other netgroups as members.
  4. Click the Enroll link at the top of the task area.
  5. Click the checkbox by the names of the users to add, and click the right arrows button, >>, to move the names to the selection box.
  6. Click the Enroll button.

10.2.2.2. With the Command Line

Once the group is configured, begin adding netgroup members with the netgroup-add-member command. Users, groups, hosts, host groups, and other netgroups can all be added to the netgroup entry. The entry name of the NIS group being edited usually comes at the end of the command:
# ipa netgroup-add-member --users=users --groups=groups --hosts=hosts --hostgroups=hostGroups --netgroups=netgroups  groupName
To set more than one member, use a comma-separated list with the option. For example, this sets two users and two hosts with the other configuration:
# ipa netgroup-add-member --users=jsmith,bjensen --groups=ITadmin --hosts=host1.example.com,host2.example.com --hostgroups=EngDev --netgroups=nisgroup2 example-group