Original post:
>Is there a way to restrict access by UID to a subset of machines in a
>NIS+ domain?
>If machines a,b,c,d,e and f all belong to the same NIS+ domain ... can I
>allow user susan to log into machines a, b and c but not into machines d,
>e and f? Or do I have to start creating subdomains?
The answer is "yes", by using netgroups. To enable support of netgroups
under NIS+, use the following syntax:
/etc/passwd
...
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
+@allowed-grp::0:0:::
+::::::/usr/local/sbin/nologin
/etc/nsswitch.conf
...
passwd: compat
passwd_compat: files nisplus
group: files nisplus
In this way, one can enable NIS capabilities within NIS+; note that it is
*not* necessary to run NIS+ in YP emulation mode. See man netgroup(4) for
more details.
Thanks in particular to Mark Bergman for his precise response.
--sk
Stuart Kendrick
Network Services
FHCRC
There are a couple of ways of doing this.
1) Install Wietse Venema's tcp_wrappers and logdaemon from
ftp.win.tue.nl and modify rshd and rexecd to respect /etc/login.access
(this is the method we use). This gives you fine grained control over
who can log in, on what terminals and where from.
2) Modify /etc/nsswitch.conf to use the password compatibility targets
(see man page for nsswitch.conf), then you can use the + syntax to
include or exclude netgroups. You don't need to run NIS/YP
compatibility - just turn on the +/- syntax in /etc/passwd.
passwd: compat
passwd_compat: nisplus
There were problems with Solaris 2.4 and some NIS+ patchlevels which
prevented this from working.
3) Create a NIS+ subdomain. Remember the NIS+ server for the subdomain
will be a client of the parent domain, so will not have restricted
access itself. If you've got a number of machines with the same
restrictions this may be the best route, but you'll need to be clear
about NIS+ links and search paths.
|Kevin.Davidson@edinburgh.ac.uk +-+ Centre for Cognitive Science/HCRC
You can do it by putting susan into a netgroup, and allowing logins
into e and f by netgroup (using the YP compatibility syntax, but NOT
running NIS+ in compatibility mode)
Here's the /etc/passwd and /etc/nsswitch.conf for a working example:
-----------------------------------------------------------------
nobody:x:60001:60001:Nobody:/:
noaccess:x:60002:60002:No Access User:/:
+@allowed-grp::0:0:::
+::::::/usr/local/sbin/nologin
-----------------------------------------------------------------
In this case, /usr/local/sbin/nologin is a script that explains that
logins aren't allowed and exits.
-----------------------------------------------------------------
passwd: compat
passwd_compat: files nisplus
group: files nisplus
-----------------------------------------------------------------
Mark Bergman <bergman@phri.nyu.edu>
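To make the compat mechanism in the /etc/passwd and /etc/nsswitch.conf
shown by Stuart and Mark concrete, here is a small Python model of how a
"passwd: compat" lookup walks those lines. It is an illustration added to
this archive page, not code posted by any of the contributors and not the
real nss_compat implementation. The accounts, hosts and netgroups
(allowed-grp, ops-grp, contractors, users susan/bob/carol) are constructed
sample data, and the override rules it applies are the assumed semantics of
passwd(4)/nsswitch.conf(4) as stated in its docstring; it also shows the
"-@netgroup" exclusion form Kevin mentions, which the thread's own files do
not use.

```python
"""Model of Solaris-style ``passwd: compat`` resolution with netgroups.

Added illustration only; not code from the thread and not a real NSS
module.  Assumed model (from passwd(4) / nsswitch.conf(4) as understood
here; verify against your platform's manual pages):

  * local /etc/passwd lines are consulted in order;
  * "+@netgroup" admits users who are members of that netgroup, taking
    the account record from the NIS/NIS+ passwd map;
  * "-@netgroup" and "-name" block those users from any later "+" line;
  * a bare "+" admits everyone left in the map;
  * on a matching "+" line, non-empty password/gecos/home/shell fields
    override the map's values (that is how the shell is forced to the
    nologin script); the uid and gid fields of a "+" line are ignored.
"""

NOLOGIN = "/usr/local/sbin/nologin"

# --- constructed sample data (not real hosts or accounts) ---------------
NISPLUS_PASSWD = {  # passwd map as served by NIS+, keyed by login name
    "susan": "susan:x:1001:100:Susan Example:/home/susan:/bin/ksh",
    "bob":   "bob:x:1002:100:Bob Example:/home/bob:/bin/sh",
    "carol": "carol:x:1003:100:Carol Example:/home/carol:/bin/csh",
}

# netgroup map: "name member ..." where a member is a (host,user,domain)
# triple or the name of another netgroup (no blanks inside the triple)
NETGROUP_MAP = """\
allowed-grp (,susan,) ops-grp
ops-grp     (,carol,)
contractors (,bob,)
"""

# /etc/passwd as posted in the thread, for the hosts susan may log in to
PASSWD_RESTRICTED = [
    "nobody:x:60001:60001:Nobody:/:",
    "noaccess:x:60002:60002:No Access User:/:",
    "+@allowed-grp::0:0:::",
    "+::::::" + NOLOGIN,
]

# variant using the "-" form: shut a whole netgroup out, admit the rest
PASSWD_EXCLUDE = [
    "-@contractors",
    "+",
]


def parse_netgroups(text):
    """Return {netgroup: set(users)} with nested netgroups expanded.

    Only the user field of each triple is used; host and domain fields,
    and wildcard (empty) user fields, are ignored in this model.
    """
    raw = {}
    for line in text.splitlines():
        parts = line.split()
        if parts and not parts[0].startswith("#"):
            raw[parts[0]] = parts[1:]

    def expand(name, seen):
        users = set()
        if name in seen:                 # guard against cyclic definitions
            return users
        seen.add(name)
        for member in raw.get(name, []):
            if member.startswith("("):
                user = member.strip("()").split(",")[1].strip()
                if user and user != "-":
                    users.add(user)
            else:                        # nested netgroup name
                users |= expand(member, seen)
        return users

    return {name: expand(name, set()) for name in raw}


def resolve(user, local_lines, netgroups, passwd_map):
    """Return the 7-field passwd record the compat lookup yields for
    ``user``, or None when no local line admits that user."""
    blocked = set()
    for line in local_lines:
        if line.startswith("-"):                       # exclusion line
            sel = line[1:].split(":")[0]
            members = netgroups.get(sel[1:], set()) if sel.startswith("@") else {sel}
            blocked |= members
            continue
        if not line.startswith("+"):                   # ordinary local account
            if line.split(":")[0] == user:
                return line
            continue
        fields = line[1:].split(":")                   # inclusion line
        fields += [""] * (7 - len(fields))             # tolerate a bare "+"
        sel = fields[0]
        if sel.startswith("@"):
            matched = user in netgroups.get(sel[1:], set())
        else:
            matched = sel in ("", user)
        if not matched or user in blocked or user not in passwd_map:
            continue
        rec = passwd_map[user].split(":")
        for i in (1, 4, 5, 6):                         # passwd, gecos, home, shell
            if fields[i]:
                rec[i] = fields[i]
        return ":".join(rec)
    return None


def login_allowed(user, local_lines, netgroups, passwd_map):
    """True when the user resolves to a record whose shell is not the
    nologin script (the thread's convention for 'no access')."""
    rec = resolve(user, local_lines, netgroups, passwd_map)
    return rec is not None and rec.split(":")[6] != NOLOGIN


if __name__ == "__main__":
    ng = parse_netgroups(NETGROUP_MAP)
    for u in ("susan", "carol", "bob", "eve"):
        print(u, "->", resolve(u, PASSWD_RESTRICTED, ng, NISPLUS_PASSWD))
```

Run as-is it prints one resolved record per sample user: members of
allowed-grp keep the shell from the NIS+ map, any other NIS+ user is
admitted but lands on the nologin script, and a name in neither the local
file nor the map resolves to nothing. Because the decision is taken per
host by that host's /etc/passwd, the same netgroup can be listed on hosts
a, b and c and omitted on d, e and f without any subdomain.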
This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:16 CDT