SUMMARY: How can I permit a user only to use one host in a NIS-based network?

From: Detlev Habicht (habicht@ims.uni-hannover.de)
Date: Mon Jan 20 1997 - 11:23:34 CST


Hi all,

some weeks ago i had this question:

  We have a network based on several SUNs with SunOS 4.1.x and NIS. We have
  one mainserver with all the filesystems like /home and other software
  directories. All hosts are trusted hosts on the other hosts, and all hosts
  mount filesystems on the mainserver.

  Now I need an account for a user who has only to work on one host in the
  network. How can I do this via NIS? The user has to use all the
  filesystems on the mainserver, too.

 
Here are now the best solutions to my problem:

---

From: "John C. Pavao" <jcpavao@ultranet.com>:

I haven't really thought too much about the NIS, but what about the .cshrc or .profile? I have lots of scripts that start with

  if [ `uname -n` != "host1" ]
  then
      echo "You can't do that here"
      exit
  else
      :
  fi

It's the quick and dirty solution, I suppose. The .* would have to be owned by root without write permissions from the user or the group he/she is in.

---

From: Ian MacPhedran <Ian_MacPhedran@engr.USask.Ca>:

There are a few approaches to this.

1) Create a local account on the one machine for the user. Files can still be placed on the fileserver, but there is a possibility of UID conflicts, should you add an NIS account with the same UID.

2) Create an NIS account with a "bad" shell (e.g. /bin/false) and use a "plus" entry on the one machine's /etc/passwd with a valid shell:

  +username::0:0:::/bin/csh

---

From: applix!cobra!charles@uunet.uu.net (Charles Homan [ext 422]):

[...]

A more-complicated-to-set-up, but more flexible scheme would be to add him into the NIS maps as usual, but on every computer except the one you want him to work on (I _said_ it was more complicated!), add the line "-joeblow:*:[uid]:[gid]::", so the end of the passwd file might look like:

  -joeblow:*:12345:67::
  +:*:0:0:::

Then you can just get rid of that line when you want to give him access to another machine, and his uid will always be the same, etc. It also has the advantage of making him set his password the same way as everyone else (using yppasswd instead of passwd).

---

From: danielh@nabaus.com.au (Daniel Hermans):

This can be done quite easily. It works well too. Basically, check out the netgroups man page or Sunsolve srdb 5781:

SRDB ID: 5781

SYNOPSIS: restricting logins on a machine using netgroups

DETAIL DESCRIPTION:

Rather than allow all users that are defined in the NIS maps to login to a certain machine, an administrator may wish to restrict logins to a netgroup.

NOTE: The use of netgroups requires the use of NIS.

The process to accomplish this is as follows:

1. On the NIS master server, define the netgroup in the /etc/netgroup file. If this file does not exist, create a new one. Entries in this file are in the format of:

  group (host, user, domain) (host, user, domain) ...

For example, to create a netgroup called "trusted" which allows several users to login from any machine in the network, create an /etc/netgroups entry that looks like this:

  trusted (,user1,) (,user2,) (,user3,) (,user4,)

2. Update the NIS netgroup map: cd /var/yp;make.

3. Update the /etc/passwd file on the machines that will have the restricted logins. Using the above example of the 'trusted' netgroup:

  +@trusted::0:::

4. If it exists, remove the "+::0:0:::" in the /etc/passwd file.

Now only users in the /etc/passwd file on the local machine, or in the "trusted" netgroup, may login to that machine.

---

Nearly the same answers came from:

  cathy@mercury.stm.com (Cathy Hargrave)
  John Justin Hough <john@oncology.uthscsa.edu>
  Kevin.Sheehan@uniq.com.au (Kevin Sheehan {Consulting Poster Child})
  Waqar Hafiz <whafiz@london.micrognosis.com>
  chris@dvs1.informatik.th-darmstadt.de (Christoph Liebig)
  clg@csph.psu.edu (Craig L. Gruneberg)
  dengland@ivac.com (Dave England)
  Glenn Satchell - Uniq Professional Services <Glenn.Satchell@Uniq.com.au>

Thank you to all.

I am very sorry about the late summary, but I was ill.

Bye.

Detlev

-- 
Detlev  | Institut fuer Mikroelektronische Systeme, Uni Hannover
Habicht | D-30167 Hannover  +49 511 7624992  habicht@ims.uni-hannover.de
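The three schemes in this summary (a "+name" entry that overrides a /bin/false NIS shell on the one allowed host, a "-name" entry that hides the user on every other host, and a "+@netgroup" entry that admits only a netgroup) all depend on the order in which a SunOS NIS client walks the "+"/"-" entries of its local /etc/passwd. The script below is an added example, not part of this thread or of any Sun documentation: it simulates that lookup over constructed sample files so an administrator can check, before editing real hosts, which users become visible on which machine and with which shell. It assumes the compat semantics stated in its docstring (first matching entry wins, a "-" entry excludes the user from all later "+" entries, password/uid/gid always come from the NIS map while gecos/home/shell are overridden only when the local entry fills them in, and the domain field of a netgroup triple is ignored); all host names, user names, uids and map contents are constructed.

```python
"""Simulate a SunOS 4.1.x / NIS client resolving a login name through the
"+" and "-" compat entries of a local /etc/passwd (added example, constructed
data; assumptions: entries scanned in order, first match wins; "-name" and
"-@netgroup" exclude the user from every later "+" entry; "+", "+name" and
"+@netgroup" take password/uid/gid from the NIS map and override gecos, home
and shell only where the local entry fills them in; netgroup domain field is
treated as a wildcard)."""
import re
from typing import Dict, List, Optional, Tuple, Union

# --- constructed NIS maps (not from any real system) -----------------------
NIS_PASSWD = """\
joeblow:x:12345:67:Joe Blow:/home/joeblow:/bin/false
user1:x:1001:100:User One:/home/user1:/bin/sh
user2:x:1002:100:User Two:/home/user2:/bin/csh
user3:x:1003:100:User Three:/home/user3:/bin/sh
user4:x:1004:100:User Four:/home/user4:/bin/sh
"""
NIS_NETGROUP = """\
trusted (,user1,) (,user2,) admins
admins (,user4,)
"""
# --- constructed local /etc/passwd files, one per scheme ------------------
HOST1_PASSWD = """\
root:*:0:1:Operator:/:/bin/csh
+joeblow::0:0:::/bin/csh
+:*:0:0:::
"""   # the one host joeblow may use: local shell overrides NIS /bin/false
HOST2_PASSWD = """\
root:*:0:1:Operator:/:/bin/csh
-user3:*:1003:100::
+:*:0:0:::
"""   # every other host: user3 hidden, joeblow keeps NIS /bin/false
HOST3_PASSWD = """\
root:*:0:1:Operator:/:/bin/csh
+@trusted::0:::
"""   # netgroup scheme: only local accounts and the "trusted" netgroup

Member = Union[Tuple[str, str, str], str]   # (host,user,domain) or nested group
TRIPLE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_passwd_map(text: str) -> Dict[str, List[str]]:
    """passwd map text -> {login: 7 colon-separated fields}."""
    entries: Dict[str, List[str]] = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = (line.split(":") + [""] * 7)[:7]
            entries[fields[0]] = fields
    return entries


def parse_netgroup_map(text: str) -> Dict[str, List[Member]]:
    """netgroup map text -> {group: [triples and nested group names]}."""
    groups: Dict[str, List[Member]] = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, _, rest = line.partition(" ")
        members: List[Member] = []
        for tok in rest.split():
            m = TRIPLE.fullmatch(tok)
            members.append(tuple(f.strip() for f in m.groups()) if m else tok)
        groups[name] = members
    return groups


def netgroup_has_user(group: str, user: str, host: str,
                      groups: Dict[str, List[Member]], _seen=None) -> bool:
    """True if (host, user) matches a triple of group or a nested group.
    Empty host/user fields are wildcards; "-" never matches; loops are cut."""
    _seen = set() if _seen is None else _seen
    if group in _seen or group not in groups:
        return False
    _seen.add(group)
    for member in groups[group]:
        if isinstance(member, tuple):
            h, u, _domain = member            # domain ignored (assumption)
            if (h == "" or h == host) and (u == "" or u == user):
                return True
        elif netgroup_has_user(member, user, host, groups, _seen):
            return True
    return False


def resolve_user(local_passwd: str, user: str, host: str,
                 nis_passwd: Dict[str, List[str]],
                 netgroups: Dict[str, List[Member]]) -> Optional[List[str]]:
    """Return the passwd record this host would see for user, or None."""
    excluded = False
    for line in local_passwd.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = (line.split(":") + [""] * 7)[:7]
        name = fields[0]
        if name.startswith("-"):                    # exclusion entry
            target = name[1:]
            if target == user or (target.startswith("@") and
                    netgroup_has_user(target[1:], user, host, netgroups)):
                excluded = True
        elif name.startswith("+"):                  # inclusion entry
            if excluded:
                continue
            target = name[1:]
            if target == "":
                matched = True
            elif target.startswith("@"):
                matched = netgroup_has_user(target[1:], user, host, netgroups)
            else:
                matched = target == user
            if matched and user in nis_passwd:
                entry = list(nis_passwd[user])
                for i in (4, 5, 6):   # gecos, home, shell: local wins if set
                    if fields[i]:
                        entry[i] = fields[i]
                return entry
        elif name == user:                          # plain local account
            return fields
    return None


def login_verdict(entry: Optional[List[str]]) -> str:
    """Human-readable outcome for a resolved record."""
    if entry is None:
        return "denied: no passwd entry visible on this host"
    if entry[6] == "/bin/false":
        return "denied: shell /bin/false exits immediately"
    return f"allowed: uid {entry[2]} shell {entry[6]}"


if __name__ == "__main__":
    nis = parse_passwd_map(NIS_PASSWD)
    ng = parse_netgroup_map(NIS_NETGROUP)
    for host, local in (("host1", HOST1_PASSWD), ("host2", HOST2_PASSWD),
                        ("host3", HOST3_PASSWD)):
        for user in ("joeblow", "user3", "user1", "user4"):
            print(f"{host:6}{user:8} "
                  f"{login_verdict(resolve_user(local, user, host, nis, ng))}")
```

Run it as-is to see the table; to check a real rollout, paste copies of the candidate /etc/passwd files and the output of `ypcat passwd` and `ypcat netgroup` into the constants. The point the simulation makes visible is ordering: a "-joeblow" line placed after the "+:*:0:0:::" catch-all would never be reached, and a "+joeblow" override on the wrong host silently restores the login shell.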



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:43 CDT