RHEL5 NIS netgroups

I have NIS running on RHEL5. I am trying to run netgroups and see that I am missing the netgroup.byhost and netgroup.byname files:

[root@server1 yp]# push_maps    <--- my script
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
[root@<server1> yp]#

Anyone know why this would be?

I have the following:

server:/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
netgroup:   files nis

client:/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
netgroup:   files nis

Server:/etc/netgroup

#TEST_USERS
test_users      (,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)








bebo_c asked:

woolmilkporc commented:
Hi,

did you check /var/yp/Makefile?
The 'all:' line must contain 'netgrp'.

wmp


bebo_c (author) commented:
Perfect:

[root@porthos2 yp]# push_maps
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
Updating netgroup...
Updating netgroup.byhost...
Updating netgroup.byuser...
[root@porthos2 yp]# ypcat netgroup.byhost
mydomain
test_servers
test_users
[root@porthos2 yp]# ypcat netgroup.byuser
mydomain
test_users
test_servers
[root@porthos2 yp]#
============================================

Now I have only one user and server in the netgroup file and I want him to be the only one that can log in to my client:

Server:/etc/netgroup

#TEST_USERS
test_users      (,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Do I need to modify /etc/passwd , /etc/group?




woolmilkporc commented:
Modify /etc/passwd to contain the netgroup:

+@test_users::::::

To deny access to others use

+::::::/bin/false

Take care to have /bin/false in /etc/shells.

To allow access only from hosts in @test_servers try modifying @test_users like

test_users (@test_servers,branded,)

Not sure if this will work, though.

If not, try

test_users (ITS-SETESTSRV22,branded,)

If more than one user from that host, use

test_users (ITS-SETESTSRV22,branded,) (ITS-SETESTSRV22,anotheruser,)

No need to touch /etc/group

wmp


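To make the mechanics behind the advice above concrete, here is an added example (not code from the thread, and not glibc's own source) that models how a 'compat' passwd source walks /etc/passwd: local entries first, then each '+' line in order, stopping at the first match, with the non-empty password, GECOS, home and shell fields of a '+' line overriding the NIS values. The netgroup map, passwd map and client passwd tail are constructed sample data modelled on the thread; the hostnames, user names and the nested 'other_users' group are assumptions. Two caveats it makes visible: a '+@netgroup' entry is decided on the user field of the triples only, so a host restriction such as (ITS-SETESTSRV22,branded,) is not enforced at this layer, and '+::::::/bin/false' substitutes a shell after authentication succeeds rather than denying authentication, which is why it must be the last entry.

```python
# Model of a glibc 'compat' passwd lookup against /etc/passwd '+' entries backed by
# NIS passwd and netgroup maps. Added example, not code from the thread or glibc; the
# map data is constructed (hosts, users and the nested 'other_users' group assumed).

# Constructed /etc/netgroup as pushed from the NIS master. A member is a bare
# netgroup name or a (host,user,domain) triple; an empty field is a wildcard.
NETGROUP_SRC = """\
test_servers (ITS-SETESTSRV22,,)
test_users   (ITS-SETESTSRV22,branded,)
other_users  test_users (ITS-SETESTSRV23,cranest,)
"""

NIS_PASSWD = {  # constructed passwd.byname map, hashes replaced by 'x'
    "branded": "branded:x:1028:100:Dale Brandenstein:/export/home/branded:/bin/bash",
    "cranest": "cranest:x:1200:100:Stephen Crane:/export/home/cranest:/bin/bash",
}

# Constructed /etc/passwd tail on the login client, as advised: netgroup members
# keep their NIS entry, everyone else known to NIS gets /bin/false.
CLIENT_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
+@test_users::::::
+::::::/bin/false
"""

def parse_netgroup(text):
    """{group: [member, ...]}; a member is a nested group name or a (host, user, domain) tuple."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        name, *members = line.split()
        entries = groups.setdefault(name, [])
        for m in members:
            if m.startswith("("):
                entries.append(tuple(m.strip("()").split(",")))
            else:
                entries.append(m)  # nested netgroup reference
    return groups

def triples(groups, name, seen=None):
    """Flatten a netgroup, following nested references; cycles are ignored."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return
    seen.add(name)
    for m in groups[name]:
        if isinstance(m, str):
            yield from triples(groups, m, seen)
        else:
            yield m

def innetgr(groups, name, host=None, user=None, domain=None):
    """innetgr(3)-style test: None matches anything, an empty map field is a wildcard."""
    for triple in triples(groups, name):
        if all(want is None or have == "" or have == want
               for have, want in zip(triple, (host, user, domain))):
            return True
    return False

def compat_getpwnam(local_passwd, groups, nis_passwd, user):
    """First /etc/passwd entry matching 'user', walked as nss_compat does; None if none.
    '+@netgroup' is decided on the user field of the triples only, never the host."""
    for raw in local_passwd.splitlines():
        fields = raw.split(":")
        if len(fields) != 7:
            continue
        key = fields[0]
        if not key.startswith(("+", "-")):
            if key == user:
                return raw  # a local entry wins over NIS
            continue
        if key[1:2] == "@":
            applies = innetgr(groups, key[2:], user=user)
        else:
            applies = len(key) == 1 or key[1:] == user  # catch-all, or '+user'/'-user'
        if not applies:
            continue
        if key[0] == "-" or user not in nis_passwd:
            return None  # explicit exclusion, or unknown to NIS
        nis = nis_passwd[user].split(":")
        for i in (1, 4, 5, 6):  # password, gecos, dir and shell may be overridden
            if fields[i]:
                nis[i] = fields[i]
        return ":".join(nis)
    return None

def lint_compat(local_passwd):
    """A bare '+' must be the last entry, because lookup stops at the first match."""
    lines = [l for l in local_passwd.splitlines() if l.strip()]
    bare = [n for n, l in enumerate(lines) if l.split(":")[0] == "+"]
    return [f"line {n + 1}: shadowed by the bare '+' entry above it"
            for n in range(len(lines)) if bare and n > bare[0]]

def login_shell(user, client_passwd=CLIENT_PASSWD):
    entry = compat_getpwnam(client_passwd, parse_netgroup(NETGROUP_SRC), NIS_PASSWD, user)
    return None if entry is None else entry.split(":")[6]
```

With the sample data, login_shell("branded") yields /bin/bash and login_shell("cranest") yields /bin/false; a user absent from NIS yields None. To try it against a real client, pass open('/etc/passwd').read() as client_passwd and feed parse_netgroup the output of 'ypcat -k netgroup', which prints one 'name members' line per group in the same format as /etc/netgroup.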
bebo_c (author) commented:
I did the following on master:

added to end /etc/passwd:
+@test_users::::::
+::::::/bin/false

Added /bin/false to /etc/shells:

[root@porthos2 yp]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/false

Modified /etc/netgroup:

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Pushed MAPS

Restarted yp services on both master and slave



Logging in as a non-test_user, I authenticate fine:

login as: cranest
cranest@its-setestsrv22's password:
Last login: Wed Jul  1 14:54:18 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$

branded logs in also fine:

login as: branded
branded@its-setestsrv22's password:
[branded@ITS-SETESTSRV22 ~]$ pwd

Am I missing something? Your instructions were very simple...

Appreciate your help so far.......



woolmilkporc commented:
Did you verify that cranest doesn't exist as a local user? In this case the whole NIS thing would be useless. And its-setestsrv22 is the host the user comes from, not the one he tries to log in to.
bebo_c (author) commented:
[root@ITS-SETESTSRV22 security]# cat /etc/passwd|grep cranest
[root@ITS-SETESTSRV22 security]#


The master is porthos2
woolmilkporc commented:
Let's put it together:

- the /etc/netgroups file (and the appropriate NIS maps) containing the above definitions reside on porthos2, which is the NIS master.
- the /etc/passwd file with the proposed additions exists on "someserver" where you are testing, and which is a NIS client. Thus it's important to check /etc/passwd there, and not on ITS-SETESTSRV22.
- there is a server ITS-SETESTSRV22 from which cranest and branded try to log in to "someserver"

Only this scenario makes sense, and should work using the above configurations.

Note - you should remove the usual NIS passwd entry +::::: (or the like) - the two new lines from above act as a replacement for that standard entry.
bebo_c (author) commented:
Replacing the old NIS "+::::: " with:

+@test_users::::::
+::::::/bin/false

Worked....I think I am almost done.

One last effort please. I have groupA and groupB, where groupA goes to groupA servers and groupB goes to groupB servers. Can I list them as follows:




+@groupA_users::::::
+@groupB_users::::::
+::::::/bin/false
woolmilkporc commented:
Yes, of course! That's how it must be done.
Just take care to have the denial entry  +::::::/bin/false  as the last one in /etc/passwd.
Glad to hear that it worked!
Good luck!
wmp
 
bebo_c (author) commented:
Actually it seems we both can log in even if I only have one account set in /etc/netgroup:

at end of /etc/passwd on master:

branded:x:1205:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
+@test_users::::::
+::::::/bin/false

/etc/netgroup

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

==========================
On test server SETESTSRV22

login as: branded
branded@its-setestsrv22's password:
Last login: Tue Jul  7 07:54:55 2009 from oirm-crane-s.kc.kingcounty.lcl
[branded@ITS-SETESTSRV22 ~]$

login as: cranest
cranest@its-setestsrv22's password:
Last login: Tue Jul  7 08:11:58 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$


=====================================

Also when I create an account it shows in ypcat and cat passwd on master but not on slaves:


[root@porthos2 ~]# ypcat passwd | grep cranest
cranest:pan1fwJ224p3k:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash

[root@porthos2 ~]# grep cranest /etc/passwd
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash


woolmilkporc commented:
+@test_users::::::
+::::::/bin/false

belongs to /etc/passwd of SETESTSRV22, the server you're trying to login to!
bebo_c (author) commented:
Ooops...

So the /etc/netgroup file only needs to be on the master...right....

I think I got it now......
woolmilkporc commented:
!
bebo_c (author) commented:
Master:

/etc/netgroup

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Client:

/etc/passwd
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false

On any:
[root@porthos2 ~]# ypcat passwd|grep cranest
cranest:pan1fwJ224p3k:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
[root@porthos2 ~]# ypcat passwd|grep branded
branded:paaG1KVccanig:1028:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash


I can still login as cranest on client:


login as: cranest
cranest@its-setestsrv22's password:
Last login: Tue Jul  7 08:55:27 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$



bebo_c (author) commented:
I still have the +:*:::::/etc/NoShell on master:

maniyar:x:2501:100:ABT CONT - Rahul Maniyambeth:/export/home/maniyar:/bin/bash
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
branded:x:1028:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash
+:*:::::/etc/NoShell     <---- here !!
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

But on client:

gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false

  at the end of /etc/passwd on client only.



Am I becoming a pain?
bebo_c (author) commented:
Does it have anything to do with /etc/pam.d/login? I was messing with it before but put back
woolmilkporc commented:
To be sure, please examine once more your /etc/nsswitch.conf.

Since you're already using NIS (apart from netgroups etc.), it should already contain

passwd: files compat
group: files compat

but also

netgroup: files nis

OK?

You can also test with 'ypwhich' whether you're using the correct server, and with 'ypcat'
what's in your network databases besides 'passwd'. Check with 'ypwhich -m' what databases you have, and with 'ypcat' what's in them.


bebo_c (author) commented:
passwd:     files compat
shadow:     files compat
group:      files compat


netgroup:   files nis
===================
MASTER:

[root@porthos2 ~]# ypwhich
localhost.localdomain

[root@porthos2 ~]# ypwhich -m
passwd.byuid porthos2.kc.kingcounty.lcl
group.bygid porthos2.kc.kingcounty.lcl
netgroup porthos2.kc.kingcounty.lcl
netid.byname porthos2.kc.kingcounty.lcl
hosts.byname porthos2.kc.kingcounty.lcl
netgroup.byhost porthos2.kc.kingcounty.lcl
mail.aliases porthos2.kc.kingcounty.lcl
services.byservicename porthos2.kc.kingcounty.lcl
ypservers porthos2.kc.kingcounty.lcl
rpc.bynumber porthos2.kc.kingcounty.lcl
passwd.byname porthos2.kc.kingcounty.lcl
netgroup.byuser porthos2.kc.kingcounty.lcl
hosts.byaddr porthos2.kc.kingcounty.lcl
group.byname porthos2.kc.kingcounty.lcl
protocols.byname porthos2.kc.kingcounty.lcl
services.byname porthos2.kc.kingcounty.lcl
rpc.byname porthos2.kc.kingcounty.lcl
protocols.bynumber porthos2.kc.kingcounty.lcl
[root@porthos2 ~]#


Client:

[root@ITS-SETESTSRV22 pam.d]# ypwhich
porthos2.kc.kingcounty.lcl
[root@ITS-SETESTSRV22 pam.d]#


[root@ITS-SETESTSRV22 pam.d]# ypwhich -m
passwd.byuid porthos2.kc.kingcounty.lcl
group.bygid porthos2.kc.kingcounty.lcl
netgroup porthos2.kc.kingcounty.lcl
netid.byname porthos2.kc.kingcounty.lcl
hosts.byname porthos2.kc.kingcounty.lcl
netgroup.byhost porthos2.kc.kingcounty.lcl
mail.aliases porthos2.kc.kingcounty.lcl
services.byservicename porthos2.kc.kingcounty.lcl
ypservers porthos2.kc.kingcounty.lcl
rpc.bynumber porthos2.kc.kingcounty.lcl
passwd.byname porthos2.kc.kingcounty.lcl
netgroup.byuser porthos2.kc.kingcounty.lcl
hosts.byaddr porthos2.kc.kingcounty.lcl
group.byname porthos2.kc.kingcounty.lcl
protocols.byname porthos2.kc.kingcounty.lcl
services.byname porthos2.kc.kingcounty.lcl
rpc.byname porthos2.kc.kingcounty.lcl
protocols.bynumber porthos2.kc.kingcounty.lcl
[root@ITS-SETESTSRV22 pam.d]#

MASTER:

[root@porthos2 ~]# ypcat netgroup
(,,kc.kingcounty.lcl)
(ITS-SETESTSRV22,,)
(ITS-SETESTSRV22,branded,)

CLIENT:

[root@ITS-SETESTSRV22 ~]# ypcat netgroup
(,,kc.kingcounty.lcl)
(ITS-SETESTSRV22,,)
(ITS-SETESTSRV22,branded,)
[root@ITS-SETESTSRV22 ~]#
bebo_c (author) commented:
I did do:

[root@ITS-SETESTSRV22 kc.kingcounty.lcl]# ypcat netid.byname
[root@ITS-SETESTSRV22 kc.kingcounty.lcl]#


And nothing shows...All others work...
woolmilkporc commented:
I'm really not sure if I need to mention - I meant /etc/nsswitch.conf at the client side -the server you want to login to.

Well, what can I say more?

Please re-read my post #24758966 where I tried to put it together. Particularly, note which config has to be done on which of the servers.

I still see only two (or three?) servers in your posts, but we will need four of them:

- NIS master (porthos2, the one with /etc/netgroup and the /etc/passwd without the +@... stuff)
- allowed host to login from ("ITS-SETESTSRV22")  -  no config needed!
- forbidden host to login from (for testing, "oirm-crane-s"?) - no config needed!
- host to log in to (the client with the new /etc/passwd "+@..." entries and /etc/nsswitch.conf stuff) - NOT "ITS-SETESTSRV22"

It seems  a bit confusing, but the hosts you come from really don't need to know anything about NIS.
bebo_c (author) commented:
OK,

I will create another RHEL5 server for tomorrow so we have:

1. My desktop WindowsXP: "oirm-crane-s"?
2. NIS RHEL5 MASTER "Porthos2"
3. NIS RHEL5 CLIENT "ITS-SETESTSRV22"
4. NEW RHEL5 CLIENT server (unknown) for tomorrow.

Will that be sufficient? I appreciate your help...
woolmilkporc commented:
OK, if ITS-SETESTSRV22 is your target login server it needs to be a NIS client, but may not be the one mentioned in netgroups on porthos2!

The 'allowed' host in /etc/netgroups on porthos2 needs to be 1) or 4). The other one of the two will become the 'forbidden' host.
bebo_c (author) commented:
OK, I will see you tomorrow with all 4, thanks
bebo_c (author) commented:
So here is a recap of what I need:

MASTER: porthos2 (in use now)

WORKSTATION: oirm-crane-s (in use now)

CLIENT1: ITS-SETESTSRV22 (in use now)

CLIENT2: ITS-SETESTSRV23 ( New)

=====

test_users = branded

other_users = cranest

test_servers = ITS-SETESTSRV22

other_servers = ITS-SETESTSRV23




===============

I want "branded" to only access "test_servers" and "cranest" to only access "other_servers"
================





/etc/netgroup on ITS-SETESTSRV22 and ITS-SETESTSRV23

########################
# TEST_SERVERS
# test_servers  (ITS-SETESTSRV22,,)

# OTHER_SERVERS
# other_servers  (ITS-SETESTSRV23,,)

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

#OTHER_USERS
other_users (ITS-SETESTSRV23,cranest,)

#Domains
mydomain        (,,kc.kingcounty.lcl)
######################
bebo_c (author) commented:
OK,

We have the following servers and workstations:

1. My desktop WindowsXP: "oirm-crane-s"?
2. NIS RHEL5 NIS MASTER "Porthos2"
3. NIS RHEL5 NIS CLIENT "ITS-SETESTSRV22"
4. NEW RHEL5 "ITS-SETESTSRV23"  <------untouched RHEL5 fresh build
bebo_c (author) commented:
I have joined the new server to the NIS domain:

Was: 4. NEW RHEL5 "ITS-SETESTSRV23"  <------untouched RHEL5 fresh build
Now: 4. NEW RHEL5 "ITS-SETESTSRV23"  NIS client to porthos2 <master>
bebo_c (author) commented:
We had a problem with the master and had to rebuild from the other day. Everything works fine now.

Thanks
bebo_c (author) commented:
Thanks