NIS and Netgroups: Restricting logins on a machine using compat mode and netgroups
There’s no local files implementation of netgroups. Netgroups are used to group machines or users together in order to make certain sysadmin tasks easier.
A standard netgroup triple reads as follows: (hostname, username, domainname)
An example netgroup line reads as follows:
- netgroup-name triple1 triple2 triple3
Though netgroup triples group together hostnames, usernames and domainnames, nothing actually consumes them as combined triples. You will therefore usually use a netgroup to list only hosts or only users, e.g. in order to share NFS file systems or to restrict logins to a system.
For example, the following would be a typical netgroup map, on a NIS master:
- # ypcat -k netgroup
- trusted-users (,user1,) (,user2,) (,user3,)
- trusted-machines (machine1,,) (machine2,,) (machine3,,)
A netgroup entry in NIS is limited to 1024 characters in size. If you need to put together a longer netgroup using NIS, you can do so by making a meta-group:
- meta-group netgroup1 netgroup2
- netgroup1 (,user1,) (,user2,)
- netgroup2 (,user300,) (,user301,)
The following netgroup will not do what you expect:
- bogus-group (machine1,user1,) (machine2,user2,)
You might think this means user1 at machine1 and user2 at machine2, but in actuality, it is a netgroup of two users (user1 and user2) and two machines (machine1 and machine2). Always separate out machine and user netgroups, as shown in the /etc/netgroup example above, and you will avoid confusion.
Note that although we refer to the /etc/netgroup file, it exists only as the flat source file from which the map is built; the netgroup data must be in your NIS or NIS+ databases to take effect.
User netgroups can be used in the /etc/passwd file (and in /etc/shadow on the Solaris 2.x Operating Environment). The following entries would include all of the users in the trusted-users group in your /etc/passwd and /etc/shadow files:
- # cat /etc/passwd
- # cat /etc/shadow
Note: Do not forget the matching entry in the /etc/shadow file.
On Solaris 2.x you must also edit /etc/nsswitch.conf to enable the +/- syntax, as follows:
- passwd: compat
- passwd_compat: nisplus
- netgroup: nisplus (or nis or ldap; again, files should not be used)
Machine netgroups can be used when exporting file systems. The following entry in /etc/exports on a SunOS 4.x machine would allow machines in the trusted-machines netgroup access to the /export filesystem:
- # cat /etc/exports
- /export -access=trusted-machines
For Solaris 2.x and later, netgroups can also be used for shared filesystems defined in the /etc/dfs/dfstab file. The following entry would allow machines in the trusted-machines netgroup access to the /export filesystem:
- # cat /etc/dfs/dfstab
- share -F nfs -o rw=trusted-machines /export
Remember that you must be running NIS, NIS+ or LDAP for netgroups to work.
Simply having an /etc/netgroup file will do nothing. It is ONLY the netgroup NIS or NIS+ map which is used. The ypfiles man page lists the names of the NIS or NIS+ maps.
You can also use + and - entries in /etc/passwd to allow or deny access to specific accounts, in addition to using netgroups.
Example (only allowing some of the NIS accounts access):
To allow only user1 and user2 from the NIS passwd table to access a system, add the following lines to the end of the /etc/passwd file:
Another example (denying specific accounts):
To allow every NIS account except for user3 to access a system, add the following to the end of the /etc/passwd file:
Another example (giving partial access to accounts):
To give full access to user4, deny access to user5, and for all other NIS accounts disable the password and set the shell field to /bin/false, the end of the /etc/passwd file would contain:
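As an added example (not from the original article), the Python below models the two mechanisms this page describes: parsing a netgroup map into independent host and user members (including meta-groups and the bogus-group pitfall), and resolving compat-mode + and - entries in /etc/passwd against a NIS passwd map. All netgroup and account data is constructed, the function names are my own, and the /etc/shadow side is left out.

```python
# Added example, not from the original article: models how nss compat mode joins a
# local /etc/passwd holding +/- entries with NIS netgroup and passwd maps (all data
# constructed; the /etc/shadow side and the domain field are not modelled).
# Constructed map in "ypcat -k netgroup" layout: triples and/or nested netgroups.
NETGROUP_MAP = """trusted-users (,user1,) (,user2,) (,user3,)
meta-group trusted-users netgroup2
netgroup2 (,user300,) (,user301,)
bogus-group (machine1,user1,) (machine2,user2,)"""
# Constructed NIS passwd map: name -> the 7 passwd fields.
NIS_PASSWD = {u: [u, "x", str(1000 + i), "100", u, "/home/" + u, "/bin/sh"]
              for i, u in enumerate(["user1", "user2", "user3", "user4", "user5"], 1)}

def parse_netgroups(text):
    """name -> tokens: (host,user,domain) tuples, or names of nested netgroups."""
    return {n: [tuple(t[1:-1].split(",")) if t[0] == "(" else t for t in r.split()]
            for n, _, r in (l.partition(" ") for l in text.splitlines())}

def members(groups, name, field, seen=()):
    """Non-empty values of one triple field (0=host, 1=user), nested netgroups
    included. Fields are independent: (machine1,user1,) is NOT 'user1 at machine1'."""
    out = set()
    for tok in groups.get(name, []):
        if isinstance(tok, tuple):
            out |= {tok[field]} - {""}
        elif tok not in seen:                       # nested netgroup, loop-safe
            out |= members(groups, tok, field, (*seen, name))
    return out

def resolve_compat(local_passwd, groups, nis=NIS_PASSWD):
    """Effective accounts for a compat-mode /etc/passwd, read top to bottom: '-x'
    and '-@g' exclude; '+x', '+@g' and bare '+' include NIS users not yet excluded
    or included, non-empty fields on the '+' line overriding the NIS fields."""
    effective, excluded = {}, set()
    for fields in (l.split(":") for l in local_passwd.splitlines() if l):
        key, sel = fields[0], fields[0][1:]
        if key[0] not in "+-":                      # ordinary local account
            effective[key] = fields
            continue
        names = (members(groups, sel[1:], 1) if sel[:1] == "@"
                 else {sel} if sel else set(nis))   # bare '+': every NIS user
        if key[0] == "-":
            excluded |= names
            continue
        for n in sorted(names - excluded - set(effective)):
            if n in nis:
                over = fields[1:] + [""] * 6        # pad: missing fields keep NIS values
                effective[n] = nis[n][:1] + [f or o for f, o in zip(over, nis[n][1:])]
    return effective

# The article's third example: full access for user4, none for user5, /bin/false for the rest.
LOCAL_PASSWD = "root:x:0:0:Super-User:/:/sbin/sh\n+user4\n-user5\n+::::::/bin/false"
```

Running resolve_compat(LOCAL_PASSWD, parse_netgroups(NETGROUP_MAP)) keeps root and user4 with their own shells, drops user5, and gives user1, user2 and user3 the /bin/false shell; members(..., "bogus-group", 1) shows that bogus-group is simply the two users user1 and user2.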