SUMMARY: NIS/netgroup problem

From: Gary Horton (gary@chinook.atd.ucar.edu)
Date: Sun Jan 23 1994 - 15:30:10 CST


Many thanks to all who responded to my netgroup problem. I'll now
summarize relevant information (place disclaimer here) ***as gleaned
from information gathered and observations during subsequent
experimentation***.

Turns out that netgroup works only with NIS running, and that using
it in .rhosts files is no problem. I'll also make the tentative
observation that the wisdom that follows applies certainly to netgroup
usage in .rhosts files, but not necessarily in other places (e.g.,
hosts.equiv, exports) because some of the rules I have to follow
(e.g., don't use capital letters) are rules I've seen violated in
other places without problems. That having been said:

The domain element of the netgroup triple is the NIS domain, not the
Internet extension that fully qualifies the hostname.

Using ypcat -k instead of simply ypcat reveals netgroup contents as
expected.

Don't use upper case in the netgroup name. The actual truth may be
not to use *mixed* case, but I've not had time to test this. From what
everyone says, I suspect the former. However, I've *seen* mixed case
in other usages (for exports) and those people have not complained...

The trailing '+' in the .rhosts file (e.g., "+@netgroup-name +") is
not a problem. It behaves as advertised in the man page.

Other problems can arise if:

a) the source system has multiple interfaces and multiple names
b) you are using DNS (in this case names must be fully qualified)

(I had no time or resources to test this caveat)

The system is usually very picky about the syntax of /etc/netgroup; check for
a) empty lines
b) excess trailing backslashes
c) spaces after trailing backslashes
d) comments

Turns out that spaces work just as well as tabs in the netgroup file.

There is not a need to enter the netgroup in /etc/hosts.equiv except for
functionality other than that covered by .rhosts permissions.

There is not a *need* for commas between triples; I have not tested
whether this works with commas or not. Some people say it does, but
in either event it is not necessary (to solve my problem anyway).

The delay in making netgroup for NIS, i.e. the message

Can't bind master to send ypclear message to ypserv for map netgroup.

..and subsequent *long* delay, and, in fact, erroneous results on the NIS
make were precluded by touching, on the slave servers, the following files:

/var/yp/domain-name/netgroup.{byhost,byuser}.{dir,pag}

Here's some additional wisdom:

        1. Max line length in netgroup is 256.
        2. Max hostname length is 8, 12, or 16 depending on who you ask
        3. All characters should be lower case
        4. All delimiters should be tabs
        5. Don't put comments in the file
        6. Beware unprintable characters, find and delete them
        7. Beware blank lines, remove them
        8. The domain in netgroups is the NIS domain name
        9. Try "/usr/etc/yp/revnetgroup < netgroup -h" to check for cycles
            (this appears to be undocumented, but very useful)
        10. If you want to re-start ypserv wait a few minutes after killing the
            old ypserv before re-starting ypserv.
        11. There is a Sun patch (100296-04) that will fix the 256 character
            problem (don't know what else).

Again, I testify that, at least for the .rhosts usage, the tabs are not
necessary.

And, again, thanks VERY much to all who helped!
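
The syntax checks listed above can be automated before the map is pushed. The following is an added example, not part of the original post: a small linter for netgroup source text. The function name, messages and sample data are constructed for illustration, the 256-character limit is assumed to apply per physical line, and the upper-case rule is applied to the whole line as in item 3 of the list.

```python
import re

MAX_LINE = 256  # limit quoted in the post; assumed here to apply per physical line

# Constructed sample input, not taken from any real system.
SAMPLE = (
    "trusted\t(alpha,-,nisdom) \\\n"
    "\t(beta,-,nisdom)\n"
    "\n"
    "# lab hosts\n"
    "LabHosts (gamma,-,nisdom) \\ \n"
    "dangling (delta,-,nisdom) \\\n"
)

def lint_netgroup(text):
    """Return (line_number, message) findings, in file order, for netgroup source text."""
    findings = []
    lines = text.split("\n")
    if lines and lines[-1] == "":
        lines.pop()  # the file's final newline is not a blank line
    continued = False  # True when the previous line ended in a backslash
    for no, line in enumerate(lines, 1):
        if line.strip() == "":
            if continued:
                findings.append((no - 1, "trailing backslash with no continuation line"))
            findings.append((no, "blank line"))
            continued = False
            continue
        if line.lstrip().startswith("#"):
            findings.append((no, "comment"))
        if re.search(r"\\[ \t]+$", line):
            findings.append((no, "whitespace after trailing backslash"))
        if re.search(r"[^\x20-\x7e\t]", line):
            findings.append((no, "unprintable character"))
        if len(line) > MAX_LINE:
            findings.append((no, "line longer than 256 characters"))
        if any(c.isupper() for c in line):
            findings.append((no, "upper-case character"))
        continued = line.endswith("\\")
    if continued:
        findings.append((len(lines), "trailing backslash with no continuation line"))
    return findings

if __name__ == "__main__":
    for no, msg in lint_netgroup(SAMPLE):
        print(f"line {no}: {msg}")
```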


