SUMMARY: netgroups under NIS+

From: Stuart Kendrick (
Date: Fri Feb 14 1997 - 14:40:02 CST

I have netgroups working now. My two key errors were:

Syntax in /etc/nsswitch.conf should be:
passwd: compat
passwd_compat: nisplus

passwd: compat
passwd_compat: files nisplus

per p.339 in the Solaris 2.5 NIS+ and FNS Administration Guide

And an unwanted ":" in the definition of the netgroup, should be
test (,bob,) (,susan,) (,eli,)


test: (,bob,) (,susan,) (,eli,)

(otherwise, the name of the netgroup becomes "test:" rather than "test".)

Thanks to:
David Montgomery <>
Christian Masopust <>
Willi Burmeister <>
Casper Dik <casper@holland.Sun.COM>
Cecil Pang <>
and Radar at SunService


Stuart Kendrick
Network Services

Original post attached:

Per numerous helpful suggestions, my netgroup set-up now looks as follows:

passwd: compat
passwd_compat: nisplus

ASCII form of netgroup
test: (,bob,) (,susan,) (,eli,)

imported into the NIS+ space with: nisaddent -mvf netgroup netgroup
where "netgroup" is the name of the ASCII file.

niscat netgroup.org_dir
test: bob
test: susan
test: eli

I run nisping -C and use nislog to prove that the NIS+ logs on the master
are checkpointed.

/etc/passwd looks like:
noaccess:x:60002:60002:No Access User:/:
nobody4:x:65534:65534:SunOS 4.x Nobody:/:

/etc/shadow looks like:

Still, I cannot log in (via any account in the NIS+ space, member of "test" or
not). I am trying both console access and telnet access. I kill and restart
nscd. I reboot. UIDs defined in /etc/passwd still function fine, of

I have also tried modding the netgroup to look as follows, where
"" is the name of my NIS+ domain:

test: (,bob, (,susan, (,eli,


test: (-,bob, (,susan, (-,eli,

And followed the same procedure (e.g. imported into the NIS+ space using
the nisaddent command above, nisping -C, kill -HUP nscd, reboot). At no
point does the situation improve.

I've stared at the traffic between my test box and the master server using
my favorite packet analysis tool, a Network General Sniffer.
Unfortunately, Sun RPC traffic is not my strong point, and there sure is a
lot of it. I could, however, spend more time on packet analysis if anyone
had a direction to suggest.

Any other suggestions?


Stuart Kendrick
Network Services

This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:46 CDT