Solved

RHEL5 NIS netgroups

Posted on 2009-07-01
Last Modified: 2013-12-06
I have NIS running on RHEL5. I am trying to run netgroups and see that I am missing the netgroup.byhost and netgroup.byname files:

[root@server1 yp]# push_maps    <--- my script
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
[root@<server1> yp]#

Anyone know why this would be?

I have the following:

server:/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
netgroup:   files nis

client:/etc/nsswitch.conf
passwd:     files nis
shadow:     files nis
group:      files nis
netgroup:   files nis

Server:/etc/netgroup

#TEST_USERS
test_users      (,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)








Question by:bebo_c
Expert Comment

by:woolmilkporc
ID: 24758312
Hi,

did you check /var/yp/Makefile?
The 'all: '  line must contain 'netgrp'

wmp


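An added check for the Makefile point above, not code from the thread: in the stock RHEL5 /var/yp/Makefile the `all:` target lists the default maps on one line and carries `netgrp` on a backslash-continued line that starts with `#`. make joins continued lines before it strips comments, so that `#` silences the rest of the logical line and the netgroup maps are never built. The script below parses a constructed copy of that block (assumed to resemble the default; it is not the poster's file), reports which maps `all:` actually builds, and applies the one-line edit. After editing the real file, `make -C /var/yp` (or the poster's push_maps wrapper) rebuilds the maps.

```python
"""Check whether /var/yp/Makefile's 'all:' target will build the netgroup maps.

Added example for this thread, not code from the original posts. The
Makefile excerpt below is constructed to resemble the stock RHEL5 layout
(netgrp on a '#'-prefixed continuation line); it is not the poster's file.
"""
import re
from typing import List

MAKEFILE_DEFAULT = """\
# If you don't want some of these maps built, feel free to comment
# them out from this list.
all:  passwd group hosts rpc services netid protocols mail \\
\t# netgrp shadow publickey networks ethers bootparams printcap \\
\t# amd.home auto.master auto.home auto.local passwd.adjunct \\
\t# timezone locale netmasks
"""


def logical_lines(text: str) -> List[str]:
    """Join backslash-continued physical lines into logical lines the way
    make does, then strip '#' comments. Because joining happens first, a
    '#' on a continuation line comments out the rest of the *logical*
    line, including every later continuation line."""
    out: List[str] = []
    buf = ""
    for line in text.splitlines():
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        buf += line
        out.append(buf.split("#", 1)[0])
        buf = ""
    if buf:
        out.append(buf.split("#", 1)[0])
    return out


def all_target_deps(text: str) -> List[str]:
    """Prerequisites of the 'all:' rule, i.e. the maps 'make' will build."""
    for logical in logical_lines(text):
        match = re.match(r"\s*all\s*:\s*(.*)$", logical)
        if match:
            return match.group(1).split()
    return []


def builds_netgroup_maps(text: str) -> bool:
    """True when 'netgrp' (the netgroup, netgroup.byhost and
    netgroup.byuser maps) is among the maps built by 'make'."""
    return "netgrp" in all_target_deps(text)


def enable_netgrp(text: str) -> str:
    """Return the Makefile with 'netgrp' appended to the first physical
    'all:' line. The commented continuation lines are left alone; they
    stay comments. Idempotent: a Makefile that already builds netgrp is
    returned unchanged."""
    if builds_netgroup_maps(text):
        return text
    lines = text.splitlines(keepends=True)
    for i, line in enumerate(lines):
        if re.match(r"\s*all\s*:", line):
            body = line.rstrip("\n")
            if body.endswith("\\"):
                lines[i] = body[:-1].rstrip() + " netgrp \\\n"
            else:
                lines[i] = body + " netgrp\n"
            break
    return "".join(lines)


if __name__ == "__main__":
    print("maps built by default:", all_target_deps(MAKEFILE_DEFAULT))
    fixed = enable_netgrp(MAKEFILE_DEFAULT)
    print("after edit:", all_target_deps(fixed))
```

On the constructed default the script reports eight maps and no netgrp; after the edit netgrp is the last prerequisite and the three commented continuation lines are untouched.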

Author Comment

by:bebo_c
ID: 24758405
Perfect:

[root@porthos2 yp]# push_maps
Updating passwd.byname...
Updating passwd.byuid...
Updating group.byname...
Updating group.bygid...
Updating hosts.byname...
Updating hosts.byaddr...
Updating rpc.byname...
Updating rpc.bynumber...
Updating services.byname...
Updating services.byservicename...
Updating netid.byname...
Updating protocols.bynumber...
Updating protocols.byname...
Updating mail.aliases...
Updating netgroup...
Updating netgroup.byhost...
Updating netgroup.byuser...
[root@porthos2 yp]# ypcat netgroup.byhost
mydomain
test_servers
test_users
[root@porthos2 yp]# ypcat netgroup.byuser
mydomain
test_users
test_servers
[root@porthos2 yp]#
============================================

Now I have only one user and server in the netgroup file and I want him to be the only one that can login to my client:

Server:/etc/netgroup

#TEST_USERS
test_users      (,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Do I need to modify /etc/passwd , /etc/group?




Expert Comment

by:woolmilkporc
ID: 24758561
Modify /etc/passwd to contain the netgroup:

+@test_users::::::

To deny access to others use

+::::::/bin/false

Take care to have /bin/false in /etc/shells.

To allow access only from hosts in @test_servers try modifying @test_users like

test_users (@test_servers,branded,)

Not sure if this will work, though.

If not, try

test_users (ITS-SETESTSRV22,branded,)

If more than one user from that host, use

test_users (ITS-SETESTSRV22,branded,) (ITS-SETESTSRV22,anotheruser,)

No need to touch /etc/group

wmp



Author Comment

by:bebo_c
ID: 24758647
I did the following on master:

added to end /etc/passwd:
+@test_users::::::
+::::::/bin/false

Added /bin/false to /etc/shells:

[root@porthos2 yp]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
/bin/ksh
/bin/false

Modified /etc/netgroup:

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Pushed MAPS

Restarted yp services on both master and slave



login as non:test_user and I authenticate fine

login as: cranest
cranest@its-setestsrv22's password:
Last login: Wed Jul  1 14:54:18 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$

branded logs in also fine:

login as: branded
branded@its-setestsrv22's password:
[branded@ITS-SETESTSRV22 ~]$ pwd

Am I missing something? Your instructions were very simple...

Appreciate your help so far.......



Expert Comment

by:woolmilkporc
ID: 24758709
Did you verify that cranest doesn't exist as a local user? In this case the whole NIS thing would be useless. And its-setestsrv22 is the host the user comes from, not the one he tries to login to.

Author Comment

by:bebo_c
ID: 24758836
[root@ITS-SETESTSRV22 security]# cat /etc/passwd|grep cranest
[root@ITS-SETESTSRV22 security]#


The master is porthos2
Expert Comment

by:woolmilkporc
ID: 24758966
Let's put it together:

- the /etc/netgroups file (and the appropriate NIS maps) containing the above definitions reside on porthos2, which is the NIS master.
- the /etc/passwd file with the proposed additions exists on "someserver" where you are testing, and which is a NIS client. Thus it's important to check /etc/passwd there, and not on ITS-SETESTSRV22.
- there is a server ITS-SETESTSRV22 from which cranest and branded try to login to "someserver"

Only this scenario makes sense, and should work using the above configurations.

Note - you should remove the usual NIS passwd entry +::::: (or the like) - the two new lines from above act as a replacement for that standard entry.

Author Comment

by:bebo_c
ID: 24794746
Replacing the old NIS "+::::: " with:

+@test_users::::::
+::::::/bin/false

Worked....I think I am almost done.

One last effort please. I have groupA and groupB where groupA goes to groupA servers and groupB goes to groupB servers; can I list them as follows:




+@groupA_users::::::
+@groupB_users::::::
+::::::/bin/false
Expert Comment

by:woolmilkporc
ID: 24794922
Yes, of course! That's how it must be done.
Just take care to have the denial entry  +::::::/bin/false  as the last one in /etc/passwd.
Glad to hear that it worked!
Good luck!
wmp
 
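The ordering rule wmp gives here (deny line last), and the later point that these lines belong in /etc/passwd on the host being logged in to (ID 24795218), can be checked without a lab. The script below is an added example, not code from the thread: a simplified model of how glibc's nss_compat resolves `+@netgroup` and `+` lines, run over constructed passwd and netgroup data that borrow the thread's names. It makes two things visible that the posts only imply. First, lines are matched top to bottom and the first match for a user wins, so with `+::::::/bin/false` above `+@test_users::::::` even the netgroup members get /bin/false. Second, for `+@netgroup` only the user field of each triple is consulted, so `(ITS-SETESTSRV22,branded,)` admits branded from any source host; restricting by origin host is done elsewhere (for example pam_access, whose origin field can name a netgroup). A nested netgroup is written by bare name on the member list, not as `(@test_servers,...)` inside a triple, and the example includes one.

```python
# Added example (not from the thread): a simplified model of how a NIS
# client's nss_compat resolves '+@netgroup' and '+' lines in /etc/passwd.
# All data below is constructed; names are borrowed from the thread.
import re
from typing import Dict, List, Optional, Set

# What 'ypcat passwd' would show on the client (constructed).
NIS_PASSWD = """\
branded:x:1028:100:branded:/export/home/branded:/bin/bash
cranest:x:1200:100:cranest:/export/home/cranest:/bin/bash
maniyar:x:2501:100:maniyar:/export/home/maniyar:/bin/bash
"""

# /etc/netgroup on the NIS master (constructed). A nested netgroup is
# referenced by bare name; triples are (host,user,domain).
NETGROUP = """\
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)
# TEST_USERS
test_users      (ITS-SETESTSRV22,branded,)
# nested: everyone in test_users, plus maniyar from any host
all_users       test_users (,maniyar,)
"""

# /etc/passwd on the host being logged in to, deny line last ...
CLIENT_PASSWD_OK = """\
root:x:0:0:root:/root:/bin/bash
+@test_users::::::
+::::::/bin/false
"""
# ... and the same two lines in the wrong order.
CLIENT_PASSWD_WRONG = """\
root:x:0:0:root:/root:/bin/bash
+::::::/bin/false
+@test_users::::::
"""

_TOKEN = re.compile(r"\([^)]*\)|\S+")  # a (h,u,d) triple or a nested name


def parse_netgroup(text: str) -> Dict[str, List[str]]:
    """netgroup name -> list of tokens (triples and nested group names)."""
    groups: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            parts = line.split(None, 1)
            tokens = _TOKEN.findall(parts[1]) if len(parts) > 1 else []
            groups.setdefault(parts[0], []).extend(tokens)
    return groups


def netgroup_users(name: str, groups: Dict[str, List[str]],
                   seen: Optional[Set[str]] = None) -> Set[str]:
    """User fields reachable from a netgroup, following nesting and
    tolerating cycles. Host/domain fields are ignored, as they are by
    passwd compat lookups."""
    seen = set() if seen is None else seen
    if name in seen or name not in groups:
        return set()
    seen.add(name)
    users: Set[str] = set()
    for tok in groups[name]:
        if tok.startswith("("):
            fields = [f.strip() for f in tok[1:-1].split(",")] + ["", "", ""]
            if fields[1] and fields[1] != "-":
                users.add(fields[1])
        else:
            users |= netgroup_users(tok, groups, seen)
    return users


def _fields(line: str) -> List[str]:
    """Split a passwd line into exactly seven colon-separated fields."""
    return (line.split(":") + [""] * 7)[:7]


def resolve_shells(client_passwd: str, nis_passwd: str,
                   netgroup_text: str) -> Dict[str, str]:
    """Login shell each user gets on the client after compat processing:
    lines are scanned top to bottom and the first match for a user wins;
    a non-empty shell field on a '+' line overrides the NIS shell."""
    nis = {f[0]: f for f in map(_fields, nis_passwd.splitlines()) if f[0]}
    groups = parse_netgroup(netgroup_text)
    shells: Dict[str, str] = {}
    for line in client_passwd.splitlines():
        if not line or line.startswith("#"):
            continue
        f = _fields(line)
        if not f[0].startswith("+"):
            shells.setdefault(f[0], f[6])          # ordinary local entry
            continue
        spec = f[0][1:]                            # '', '@netgroup' or a user
        if spec.startswith("@"):
            wanted = netgroup_users(spec[1:], groups)
        else:
            wanted = set(nis) if spec == "" else {spec}
        for user in sorted(wanted & set(nis)):
            shells.setdefault(user, f[6] or nis[user][6])
    return shells


if __name__ == "__main__":
    print("deny last :", resolve_shells(CLIENT_PASSWD_OK, NIS_PASSWD, NETGROUP))
    print("deny first:", resolve_shells(CLIENT_PASSWD_WRONG, NIS_PASSWD, NETGROUP))
```

With the deny line last, branded keeps /bin/bash and cranest and maniyar are collapsed to /bin/false; with it first, branded is collapsed too, because the catch-all `+` line already matched him before `+@test_users` was reached.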

Author Comment

by:bebo_c
ID: 24795132
Actually it seems we both can login even if I only have one account set to /etc/netgroup :

at end of /etc/passwd on master:

branded:x:1205:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
+@test_users::::::
+::::::/bin/false

/etc/netgroup

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

==========================
On test server SETESTSRV22

login as: branded
branded@its-setestsrv22's password:
Last login: Tue Jul  7 07:54:55 2009 from oirm-crane-s.kc.kingcounty.lcl
[branded@ITS-SETESTSRV22 ~]$

login as: cranest
cranest@its-setestsrv22's password:
Last login: Tue Jul  7 08:11:58 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$


=====================================

Also when I create an account it shows in ypcat and cat passwd on master but not on slaves:


[root@porthos2 ~]# ypcat passwd | grep cranest
cranest:pan1fwJ224p3k:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash

[root@porthos2 ~]# grep cranest /etc/passwd
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash


Expert Comment

by:woolmilkporc
ID: 24795218
+@test_users::::::
+::::::/bin/false

belongs to /etc/passwd of SETESTSRV22, the server you're trying to login to!

Author Comment

by:bebo_c
ID: 24795308
Ooops...

So the /etc/netgroup file only needs to be on the master...right....

I think I got it now......
Expert Comment

by:woolmilkporc
ID: 24795340
!

Author Comment

by:bebo_c
ID: 24795437
Master:

/etc/netgroup

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)
# TEST_SERVERS
test_servers    (ITS-SETESTSRV22,,)

Client:

/etc/passwd
gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false

On any:
[root@porthos2 ~]# ypcat passwd|grep cranest
cranest:pan1fwJ224p3k:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
[root@porthos2 ~]# ypcat passwd|grep branded
branded:paaG1KVccanig:1028:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash


I can still login as cranest on client:


login as: cranest
cranest@its-setestsrv22's password:
Last login: Tue Jul  7 08:55:27 2009 from oirm-crane-s.kc.kingcounty.lcl
[cranest@ITS-SETESTSRV22 ~]$




Author Comment

by:bebo_c
ID: 24795594
I still have the +:*:::::/etc/NoShell on master:

maniyar:x:2501:100:ABT CONT - Rahul Maniyambeth:/export/home/maniyar:/bin/bash
cranest:x:1200:100:Stephen Crane, SEUNIX:/export/home/cranest:/bin/bash
branded:x:1028:100:Dale Brandenstein, SEUNIX:/export/home/branded:/bin/bash
+:*:::::/etc/NoShell     <--- here !!
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin

But on client:

gdm:x:42:42::/var/gdm:/sbin/nologin
sabayon:x:86:86:Sabayon user:/home/sabayon:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
hpsmh:x:101:500::/opt/hp/hpsmh:/sbin/nologin
+@test_users::::::
+::::::/bin/false

  at the end of /etc/passwd on client only.



Am I becoming a pain?

Author Comment

by:bebo_c
ID: 24796403
Does it have anything to do with /etc/pam.d/login? I was messing with it before but put back
Expert Comment

by:woolmilkporc
ID: 24796483
To be sure, please examine once more your /etc/nsswitch.conf.

Since you're already using NIS (apart from netgroups etc.), it should already contain

passwd: files compat
group: files compat

but also

netgroup: files nis

OK?

You can also test with 'ypwhich' whether you're using the correct server, and with 'ypcat'
what's in your network databases besides 'passwd'. Check with 'ypwhich -m' what databases you have, and with 'ypcat' what's in them.



Author Comment

by:bebo_c
ID: 24796646
passwd:     files compat
shadow:     files compat
group:      files compat


netgroup:   files nis
===================
MASTER:

[root@porthos2 ~]# ypwhich
localhost.localdomain

[root@porthos2 ~]# ypwhich -m
passwd.byuid porthos2.kc.kingcounty.lcl
group.bygid porthos2.kc.kingcounty.lcl
netgroup porthos2.kc.kingcounty.lcl
netid.byname porthos2.kc.kingcounty.lcl
hosts.byname porthos2.kc.kingcounty.lcl
netgroup.byhost porthos2.kc.kingcounty.lcl
mail.aliases porthos2.kc.kingcounty.lcl
services.byservicename porthos2.kc.kingcounty.lcl
ypservers porthos2.kc.kingcounty.lcl
rpc.bynumber porthos2.kc.kingcounty.lcl
passwd.byname porthos2.kc.kingcounty.lcl
netgroup.byuser porthos2.kc.kingcounty.lcl
hosts.byaddr porthos2.kc.kingcounty.lcl
group.byname porthos2.kc.kingcounty.lcl
protocols.byname porthos2.kc.kingcounty.lcl
services.byname porthos2.kc.kingcounty.lcl
rpc.byname porthos2.kc.kingcounty.lcl
protocols.bynumber porthos2.kc.kingcounty.lcl
[root@porthos2 ~]#


Client:

[root@ITS-SETESTSRV22 pam.d]# ypwhich
porthos2.kc.kingcounty.lcl
[root@ITS-SETESTSRV22 pam.d]#


[root@ITS-SETESTSRV22 pam.d]# ypwhich -m
passwd.byuid porthos2.kc.kingcounty.lcl
group.bygid porthos2.kc.kingcounty.lcl
netgroup porthos2.kc.kingcounty.lcl
netid.byname porthos2.kc.kingcounty.lcl
hosts.byname porthos2.kc.kingcounty.lcl
netgroup.byhost porthos2.kc.kingcounty.lcl
mail.aliases porthos2.kc.kingcounty.lcl
services.byservicename porthos2.kc.kingcounty.lcl
ypservers porthos2.kc.kingcounty.lcl
rpc.bynumber porthos2.kc.kingcounty.lcl
passwd.byname porthos2.kc.kingcounty.lcl
netgroup.byuser porthos2.kc.kingcounty.lcl
hosts.byaddr porthos2.kc.kingcounty.lcl
group.byname porthos2.kc.kingcounty.lcl
protocols.byname porthos2.kc.kingcounty.lcl
services.byname porthos2.kc.kingcounty.lcl
rpc.byname porthos2.kc.kingcounty.lcl
protocols.bynumber porthos2.kc.kingcounty.lcl
[root@ITS-SETESTSRV22 pam.d]#

MASTER:

[root@porthos2 ~]# ypcat netgroup
(,,kc.kingcounty.lcl)
(ITS-SETESTSRV22,,)
(ITS-SETESTSRV22,branded,)

CLIENT:

[root@ITS-SETESTSRV22 ~]# ypcat netgroup
(,,kc.kingcounty.lcl)
(ITS-SETESTSRV22,,)
(ITS-SETESTSRV22,branded,)
[root@ITS-SETESTSRV22 ~]#

Author Comment

by:bebo_c
ID: 24796748
I did do:

[root@ITS-SETESTSRV22 kc.kingcounty.lcl]# ypcat netid.byname
[root@ITS-SETESTSRV22 kc.kingcounty.lcl]#


And nothing shows...All others work...
Expert Comment

by:woolmilkporc
ID: 24796993
I'm really not sure if I need to mention - I meant /etc/nsswitch.conf at the client side - the server you want to login to.

Well, what can I say more?

Please re-read my post #24758966 where I tried to put it together. Particularly, note which config has to be done on which of the servers.

I still see only two (or three?) servers in your posts, but we will need four of them:

- NIS master (porthos2, the one with /etc/netgroup and the /etc/passwd without the +@... stuff)
- allowed host to login from ("ITS-SETESTSRV22")  -  no config needed!
- forbidden host to login from (for testing, "oirm-crane-s"?) - no config needed!
- host to login to (the client with the new /etc/passwd "+@..." entries and /etc/nsswitch.conf stuff) - NOT "ITS-SETESTSRV22"

It seems  a bit confusing, but the hosts you come from really don't need to know anything about NIS.

Author Comment

by:bebo_c
ID: 24797249
OK,

I will create another RHEL5 server for tomorrow so we have:

1. My desktop WindowsXP: "oirm-crane-s"?
2. NIS RHEL5 MASTER "Porthos2"
3. NIS RHEL5 CLIENT "ITS-SETESTSRV22"
4. NEW RHEL5 CLIENT server (unknown) for tomorrow.

Will that be sufficient? I appreciate your help...
Assisted Solution

by:woolmilkporc
woolmilkporc earned 250 total points
ID: 24797346
OK, if ITS-SETESTSRV22 is your target login server it needs to be a NIS client, but may not be the one mentioned in netgroups on porthos2!

The 'allowed' host in /etc/netgroups on porthos2 needs to be 1) or 4). The other one of the two will become the 'forbidden' host.

Author Comment

by:bebo_c
ID: 24797645
OK, I will see you tomorrow with all 4, thanks

Author Comment

by:bebo_c
ID: 24797967
So here is a recap of what I need:

MASTER: porthos2 (in use now)

WORKSTATION: oirm-crane-s (in use now)

CLIENT1: ITS-SETESTSRV22 (in use now)

CLIENT2: ITS-SETESTSRV23 ( New)

=====

test_users = branded

other_users = cranest

test_servers = ITS-SETESTSRV22

other_servers = ITS-SETESTSRV23




===============

I want "branded" to only access "test_servers" and "cranest" to only access "other_servers"
================





/etc/netgroup on ITS-SETESTSRV22 and ITS-SETESTSRV23

########################
# TEST_SERVERS
# test_servers  (ITS-SETESTSRV22,,)

# OTHER_SERVERS
# other_servers  (ITS-SETESTSRV23,,)

#TEST_USERS
test_users (ITS-SETESTSRV22,branded,)

#OTHER_USERS
other_users (ITS-SETESTSRV23,cranest,)

#Domains
mydomain        (,,kc.kingcounty.lcl)
######################

Author Comment

by:bebo_c
ID: 24807418
OK,

We have the following servers and workstations:

1. My desktop WindowsXP: "oirm-crane-s"?
2. NIS RHEL5 NIS MASTER "Porthos2"
3. NIS RHEL5 NIS CLIENT "ITS-SETESTSRV22"
4. NEW RHEL5 "ITS-SETESTSRV23"  <------untouched RHEL5 fresh build

Author Comment

by:bebo_c
ID: 24808578
I have joined the new server to the NIS domain:

Was: 4. NEW RHEL5 "ITS-SETESTSRV23"  <------untouched RHEL5 fresh build
Now: 4. NEW RHEL5 "ITS-SETESTSRV23"  NIS client to porthos2 <master>

Accepted Solution

by:
bebo_c earned 0 total points
ID: 24818090
We had a problem with the master and had to rebuild from the other day. Everything works fine now.

Thanks

Author Comment

by:bebo_c
ID: 24818116
Thanks