bebo_c


RHEL5 NIS netgroups

I have NIS running on RHEL5. I am trying to run netgroups and see that I am missing the netgroup.byhost and netgroup.byname files:

[root@server1 yp]# push_maps    <--- my script
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
[root@<server1> yp]#

Anyone know why this would be?

I have the following:

server:/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
netgroup:   files nis

client:/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
netgroup:   files nis

Server:/etc/netgroup

#TEST_USERS
test_users      (,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

woolmilkporc

Hi,

did you check /var/yp/Makefile?
The 'all:' line must contain 'netgrp'

wmp


bebo_c

ASKER

Perfect:

[root@porthos2 yp]# push_maps
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
Updating netgroup...
Updating netgroup.byhost...
Updating netgroup.byuser...
[root@porthos2 yp]# ypcat netgroup.byhost
mydomain
test_servers
test_users
[root@porthos2 yp]# ypcat netgroup.byuser
mydomain
test_users
test_servers
[root@porthos2 yp]#
============================================

Now I have only one user and server in the netgroup file and I want him to be the only one that can login to my client:

Server:/etc/netgroup

#TEST_USERS
test_users      (,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Do I need to modify /etc/passwd, /etc/group?


Modify /etc/passwd to contain the netgroup:

+@test_users::::::

To deny access to others use

+::::::/bin/false

Take care to have /bin/false in /etc/shells.

To allow access only from hosts in @test_servers try modifying @test_users like

test_users (@test_servers,branded,)

Not sure if this will work, though.

If not, try

test_users (ITS-SETESTSRV22,branded,)

If more than one user from that host, use

test_users (ITS-SETESTSRV22,branded,) (ITS-SETESTSRV22,anotheruser,)

No need to touch /etc/group

wmp


bebo_c

ASKER

I did the following on master:

added to end /etc/passwd:
+@test_users::::::
+::::::/bin/false

Added /bin/false to /etc/shells:

[root@porthos2 yp]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/false

Modified /etc/netgroup:

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Pushed MAPS

Restarted yp services on both master and slave

login as non:test_user and I authenticate fine

login as: cranest
cranest@its-setestsrv22's password:
Last login: Wed Jul  1 14:54:18 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$

branded logs in also fine:

login as: branded
branded@its-setestsrv22's password:
[branded@ITS-SETESTSRV22 ~]$ pwd

Am I missing something? Your instructions were very simple...

Appreciate your help so far.......



Did you verify that cranest doesn't exist as a local user? In this case the whole NIS thing would be useless. And its-setestsrv22 is the host the user comes from, not the one he tries to login to.

bebo_c

ASKER

[root@ITS-SETESTSRV22 security]# cat /etc/passwd|grep cranest
[root@ITS-SETESTSRV22 security]#


The master is porthos2
Let's put it together:

- the /etc/netgroups file (and the appropriate NIS maps) containing the above definitions reside on porthos2, which is the NIS master.
- the /etc/passwd file with the proposed additions exists on "someserver" where you are testing, and which is a NIS client. Thus it's important to check /etc/passwd there, and not on ITS-SETESTSRV22.
- there is a server ITS-SETESTSRV22 from which cranest and branded try to login to "someserver"

Only this scenario makes sense, and should work using the above configurations.

Note - you should remove the usual NIS passwd entry +::::: (or the like) - the two new lines from above act as a replacement for that standard entry.

bebo_c

ASKER

Replacing the old NIS "+::::: " with:

+@test_users::::::
+::::::/bin/false

Worked....I think I am almost done.

One last effort please. If I have groupA and groupB, where groupA goes to groupA servers and groupB goes to groupB servers, can I list them as follows:

+@groupA_users::::::
+@groupB_users::::::
+::::::/bin/false

Yes, of course! That's how it must be done.
Just take care to have the denial entry  +::::::/bin/false  as the last one in /etc/passwd.
Glad to hear that it worked!
Good luck!
wmp
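To make the two answers above concrete (the +@netgroup and +::::::/bin/false passwd entries, the netgroup triples, and the rule that the denial entry must come last), here is an added Python model, not code from this thread, of how nss_compat walks the client's /etc/passwd and how innetgr matches (host,user,domain) triples. The netgroup file, passwd tail and NIS map are constructed samples using the thread's own names; note that glibc's +@netgroup passwd lookup checks only the user field of each triple, so the host field by itself does not restrict where a user may log in from (pam_access or similar is needed for that).

```python
import re

# Constructed sample /etc/netgroup for the NIS master, using the thread's own names.
NETGROUP_FILE = """
#TEST_USERS
test_users      (ITS-SETESTSRV22,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)
mydomain        (,,kc.kingcounty.lcl)
"""
# Constructed tail of the compat-mode /etc/passwd on the host users log in to (the NIS client).
CLIENT_PASSWD = """
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false
"""
NIS_PASSWD = {"branded": "/bin/bash", "cranest": "/bin/bash"}  # constructed passwd.byname: user -> shell
TRIPLE = re.compile(r"\(([^,)]*),([^,)]*),([^,)]*)\)")

def parse_netgroup(text):
    """Map each netgroup name to its (host, user, domain) triples; comments and blank lines are skipped."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#", 1)[0].split()
        if parts:
            groups[parts[0]] = [m.groups() for p in parts[1:] if (m := TRIPLE.fullmatch(p))]
    return groups

def innetgr(groups, name, host=None, user=None, domain=None):
    """Model of innetgr(3): a None argument means 'any', and an empty triple field matches anything."""
    return any(all(want is None or got in ("", want)
                   for got, want in zip(triple, (host, user, domain)))
               for triple in groups.get(name, []))

def login_shell(client_passwd, nis_passwd, groups, user):
    """Walk /etc/passwd top to bottom as nss_compat does and return the shell the login would get.
    Local entries win; '+@netgroup' admits a NIS user named in the netgroup's user field (glibc
    calls innetgr without a host here, so the host field does not restrict logins); a bare '+'
    admits every NIS user, its non-empty shell field overriding NIS. None means no entry at all."""
    for fields in (l.split(":") for l in client_passwd.splitlines() if l.count(":") >= 6):
        if fields[0] == user:                       # local entry wins regardless of NIS
            return fields[6]
        if user in nis_passwd and fields[0].startswith("+@") and innetgr(groups, fields[0][2:], user=user):
            return nis_passwd[user]
        if user in nis_passwd and fields[0] == "+":  # catch-all, so it must be the last line
            return fields[6] or nis_passwd[user]
    return None
```

Swapping the order of the last two passwd lines makes the model hand branded /bin/false too, which is the ordering mistake the reply above warns about.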
 
bebo_c

ASKER

Actually it seems we both can login even if I only have one account set in /etc/netgroup:

at end of /etc/passwd on master:

branded:x:1205:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
+@test_users::::::
+::::::/bin/false

/etc/netgroup

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

==========================
On test server SETESTSRV22

login as: branded
branded@its-setestsrv22's password:
Last login: Tue Jul  7 07:54:55 2009 from oirm-crane-s.kc.kingcounty.lcl
[branded@ITS-SETESTSRV22 ~]$

login as: cranest
cranest@its-setestsrv22's password:
Last login: Tue Jul  7 08:11:58 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$


=====================================

Also when I create an account it shows in ypcat and cat passwd on master but not on slaves:


[root@porthos2 ~]# ypcat passwd | grep cranest
cranest:pan1fwJ224p3k:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash

[root@porthos2 ~]# grep cranest /etc/passwd
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash


+@test_users::::::
+::::::/bin/false

belongs to /etc/passwd of SETESTSRV22, the server you're trying to login to!
bebo_c

ASKER

Ooops...

So the /etc/netgroup file only needs to be on the master...right....

I think I got it now......
bebo_c

ASKER

Master:

/etc/netgroup

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Client:

/etc/passwd
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false

On any:
[root@porthos2 ~]# ypcat passwd|grep cranest
cranest:pan1fwJ224p3k:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
[root@porthos2 ~]# ypcat passwd|grep branded
branded:paaG1KVccanig:1028:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash


I can still login as cranest on client:


login as: cranest
cranest@its-setestsrv22's password:
Last login: Tue Jul  7 08:55:27 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$



bebo_c

ASKER

I still have the +:*:::::/etc/NoShell on master:

maniyar:x:2501:100:ABT CONT - Rahul Maniyambeth:/export/home/maniyar:/bin/bash
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
branded:x:1028:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash
+:*:::::/etc/NoShell     <--- here !!
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

But on client:

gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false

at the end of /etc/passwd on client only.



Am I becoming a pain?
bebo_c

ASKER

Does it have anything to do with /etc/pam.d/login? I was messing with it before but put it back.

To be sure, please examine once more your /etc/nsswitch.conf.

Since you're already using NIS (apart from netgroups etc.), it should already contain

passwd: files compat
group: files compat

but also

netgroup: files nis

OK?

You can also test with 'ypwhich' whether you're using the correct server, and with 'ypcat'
what's in your network databases besides 'passwd'. Check with 'ypwhich -m' what databases you have, and with 'ypcat' what's in them.


bebo_c

ASKER

passwd:     files compat
shadow:     files compat
group:      files compat


netgroup:   files nis
===================
MASTER:

[root@porthos2 ~]# ypwhich
localhost.localdomain

[root@porthos2 ~]# ypwhich -m
passwd.byuid porthos2.kc.kingcounty.lcl
group.bygid porthos2.kc.kingcounty.lcl
netgroup porthos2.kc.kingcounty.lcl
netid.byname porthos2.kc.kingcounty.lcl
hosts.byname porthos2.kc.kingcounty.lcl
netgroup.byhost porthos2.kc.kingcounty.lcl
mail.aliases porthos2.kc.kingcounty.lcl
services.byservicename porthos2.kc.kingcounty.lcl
ypservers porthos2.kc.kingcounty.lcl
rpc.bynumber porthos2.kc.kingcounty.lcl
passwd.byname porthos2.kc.kingcounty.lcl
netgroup.byuser porthos2.kc.kingcounty.lcl
hosts.byaddr porthos2.kc.kingcounty.lcl
group.byname porthos2.kc.kingcounty.lcl
protocols.byname porthos2.kc.kingcounty.lcl
services.byname porthos2.kc.kingcounty.lcl
rpc.byname porthos2.kc.kingcounty.lcl
protocols.bynumber porthos2.kc.kingcounty.lcl
[root@porthos2 ~]#


Client:

[root@ITS-SETESTSRV22 pam.d]# ypwhich
porthos2.kc.kingcounty.lcl
[root@ITS-SETESTSRV22 pam.d]#


[root@ITS-SETESTSRV22 pam.d]# ypwhich -m
passwd.byuid porthos2.kc.kingcounty.lcl
group.bygid porthos2.kc.kingcounty.lcl
netgroup porthos2.kc.kingcounty.lcl
netid.byname porthos2.kc.kingcounty.lcl
hosts.byname porthos2.kc.kingcounty.lcl
netgroup.byhost porthos2.kc.kingcounty.lcl
mail.aliases porthos2.kc.kingcounty.lcl
services.byservicename porthos2.kc.kingcounty.lcl
ypservers porthos2.kc.kingcounty.lcl
rpc.bynumber porthos2.kc.kingcounty.lcl
passwd.byname porthos2.kc.kingcounty.lcl
netgroup.byuser porthos2.kc.kingcounty.lcl
hosts.byaddr porthos2.kc.kingcounty.lcl
group.byname porthos2.kc.kingcounty.lcl
protocols.byname porthos2.kc.kingcounty.lcl
services.byname porthos2.kc.kingcounty.lcl
rpc.byname porthos2.kc.kingcounty.lcl
protocols.bynumber porthos2.kc.kingcounty.lcl
[root@ITS-SETESTSRV22 pam.d]#

MASTER:

[root@porthos2 ~]# ypcat netgroup
(,,kc.kingcounty.lcl)
(ITS-SETESTSRV22,,)
(ITS-SETESTSRV22,branded,)

CLIENT:

[root@ITS-SETESTSRV22 ~]# ypcat netgroup
(,,kc.kingcounty.lcl)
(ITS-SETESTSRV22,,)
(ITS-SETESTSRV22,branded,)
[root@ITS-SETESTSRV22 ~]#
bebo_c

ASKER

I did do:

[root@ITS-SETESTSRV22 kc.kingcounty.lcl]# ypcat netid.byname
[root@ITS-SETESTSRV22 kc.kingcounty.lcl]#


And nothing shows...All others work...
I'm really not sure if I need to mention it - I meant /etc/nsswitch.conf at the client side - the server you want to login to.

Well, what can I say more?

Please re-read my post #24758966 where I tried to put it together. Particularly, note which config has to be done on which of the servers.

I still see only two (or three?) servers in your posts, but we will need four of them:

- NIS master (porthos2, the one with /etc/netgroup and the /etc/passwd without the +@... stuff)
- allowed host to login from ("ITS-SETESTSRV22") - no config needed!
- forbidden host to login from (for testing, "oirm-crane-s"?) - no config needed!
- host to login to (the client with the new /etc/passwd "+@..." entries and /etc/nsswitch.conf stuff) - NOT "ITS-SETESTSRV22"

It seems a bit confusing, but the hosts you come from really don't need to know anything about NIS.

bebo_c

ASKER

OK,

I will create another RHEL5 server for tomorrow so we have:

1. My desktop WindowsXP: "oirm-crane-s"?
2. NIS RHEL5 MASTER "Porthos2"
3. NIS RHEL5 CLIENT "ITS-SETESTSRV22"
4. NEW RHEL5 CLIENT server (unknown) for tomorrow.

Will that be sufficient? I appreciate your help...
SOLUTION
woolmilkporc

bebo_c

ASKER

OK, I will see you tomorrow with all 4, thanks
bebo_c

ASKER

So here is a recap of what I need:

MASTER: porthos2 (in use now)

WORKSTATION: oirm-crane-s (in use now)

CLIENT1: ITS-SETESTSRV22 (in use now)

CLIENT2: ITS-SETESTSRV23 ( New)

=====

test_users = branded

other_users = cranest

test_servers = ITS-SETESTSRV22

other_servers = ITS-SETESTSRV23

===============

I want "branded" to only access "test_servers" and "cranest" to only access "other_servers"
================

/etc/netgroup on ITS-SETESTSRV22 and ITS-SETESTSRV23

########################
# TEST_SERVERS
# test_servers  (ITS-SETESTSRV22,,)

# OTHER_SERVERS
# other_servers  (ITS-SETESTSRV23,,)

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

#OTHER_USERS
test_users (ITS-SETESTSRV23,cranest,)

#Domains
mydomain        (,,kc.kingcounty.lcl)
######################
bebo_c

ASKER

OK,

We have the following servers and workstations:

1. My desktop WindowsXP: "oirm-crane-s"?
2. NIS RHEL5 NIS MASTER "Porthos2"
3. NIS RHEL5 NIS CLIENT "ITS-SETESTSRV22"
4. NEW RHEL5 "ITS-SETESTSRV23"  <------untouched RHEL5 fresh build
bebo_c

ASKER

I have joined the new server to the NIS domain:

Was: 4. NEW RHEL5 "ITS-SETESTSRV23"  <------untouched RHEL5 fresh build
Now: 4. NEW RHEL5 "ITS-SETESTSRV23"  NIS client to porthos2 <master>
ASKER CERTIFIED SOLUTION

bebo_c

ASKER

Thanks