NIS and Netgroups : Restricting logins on a machine using compat mode and netgroups

There’s no local files implementation of netgroups.   Netgroups are used to group machines or users together in order to make certain sysadmin tasks easier.

A standard netgroup triple reads as follows: (hostname, username, domainname)

An example netgroup line reads as follows:

  • netgroup-name triple1 triple2 triple3

Though netgroup triples group together hostnames, usernames and domainnames, nothing really reads them in that manner.   Thus, you’ll usually want to use a triple just to list hosts or users i.e. in order to share NFS file systems or restrict logins to a system.

For example, the following would be a typical netgroup map, on a  NIS master:

  • # ypcat -k netgroup
  • trusted-users       (,user1,) (,user2,) (,user3,)
  • trusted-machines           (machine1,,) (machine2,,) (machine3,,)

A netgroup entry with NIS is limited to 1024 characters in size.   If you need to put together a longer netgroup using nis, you can do so by making a meta-group:

  • meta-group netgroup1 netgroup2
  • netgroup1 (,user1,) (,user2,)
  • netgroup2 (,user300,)   (,user301,)

The following netgroup will not do what you expect:

  • bogus-group     (machine1,user1,) (machine2,user2,)

You might think this means user1 at machine1 and user2 at machine2, but in actuality, it is a netgroup of two users (user1 and user2) and two machines (machine1 and machine2).   Always separate out machine and user netgroups, as shown in the /etc/netgroup example above, and you will avoid confusion.

Note that we reference the /etc/netgroup file, but this file only exists in order to be your flat’ source file.   This file must be in your NIS or NIS+ databases.

User netgroups can be used in the /etc/passwd file (and /etc/shadow if using Solaris 2.x Operating Environment).  The following entry would include all of the users in the trusted-users

group in your /etc/passwd + /etc/shadow files:

  • # cat /etc/passwd
  • +@trusted-users::::::
  • # cat /etc/shadow
  • +@trusted-users::::::

Note: Be sure not to forget the entry in the /etc/shadow file.

On Solaris 2.x you must also edit /etc/nsswitch.conf in order to use that +/- syntax as follows:

  • passwd:         compat
  • passwd_compat: nisplus
  • netgroup:     nisplus (or nis or ldap, again,files should not be used)

Machine netgroups can be used when exporting file systems.   The following entry in /etc/exports on a SunOS 4.x machine would allow machines in the trusted-machines netgroup access to the /export


  • # cat /etc/exports
  • /export -access=trusted-machines

For Solaris 2.x and later, netgroups can also be used for shared filesystems defined in the /etc/dfs/dfstab file. The following entry would allow machines in the trusted-machines netgroup access to the /export filesystem:

  • # cat /etc/dfs/dfstab
  • share -F nfs -o rw=trusted-machines /export

Remember that you must be running NIS, NIS+ or LDAP for netgroups to work.

Simply having an /etc/netgroup file will do nothing. It is ONLY the netgroup NIS or NIS+ map which is used.   The ypfiles man page lists the names of the NIS or NIS+ maps.

You can also use + and – entries in /etc/passwd to allow or deny access to specific accounts in addition to using netgroups.


Example (only allowing some of the NIS accounts access):

To allow only user1 and user2 from the NIS passwd table to access a system, add the following lines to the end of the /etc/passwd file:

  • +user1
  • +user2


Another example (denying specific accounts):

To allow every NIS account except for user3 to access a system, add the following to the end of the /etc/passwd file:

  • -user3
  • +


Another example (giving partial access to accounts):

To give full access to user4, deny access to user5, and disable the passwords and set the shell field to /bin/false for all other NIS accounts on a system, the following would be at the end of the /etc/passwd file:

  • +user4
  • -user5
  • +:*:0:0:::/bin/false





I have started ( aka in 2009 as my own personal reference blog, and later sometime i have realized that my leanings might be helpful for other unixadmins if I manage my knowledge-base in more user friendly format. And the result is today's' You can connect me at -

1 Response

  1. September 18, 2015

    […] Read – Restricting logins on a machine using compat mode and netgroups […]

What is in your mind, about this post ? Leave a Reply

  Our next learning article is ready, subscribe it in your email

What is your Learning Goal for Next Six Months ? Talk to us