topic Re: NIS in Operating System - HP-UX

NIS

Ricky B. Nino — Wed, 12 Mar 2003 02:37:46 GMT

Hi,

I have 3 UNIX Servers.

I have all the users in my SERVER1 (NIS Server).

I wanted to prevent certain users to login in my SERVER2.

What's the best thing to do?

regards...

Re: NIS

S.K. Chan — Wed, 12 Mar 2003 03:55:43 GMT

You're saying SERVER1 is your master NIS. And lets say SERVER2 is a NIS client. For instance if you want to prevent user "skchan", "jim" and "robbie" (their password entries are in the NIS password map) from being able to login to SERVER2 you would ..
==> Edit SERVER2 /etc/passwd and insert these above your last line that typically looks like this ..
+::0:0:::
or
+::-2:60001:::
The lines you should put above it are ..
-skchan::0:0:::
-jim::0:0:::
-robbie::0:0:::
I think that should do it and you would want to test it thoroughly afterwards.

Re: NIS

Ricky B. Nino — Wed, 12 Mar 2003 05:01:14 GMT

Hi SK,

Nothings happened. Still the user (i.e. "rickyn") I put on the SERVER2://etc/passwd gets thru.

Re: NIS

S.K. Chan — Wed, 12 Mar 2003 05:08:47 GMT

Can you show me the last 3 lines in SERVER2's /etc/passwd. Also attach the content of /etc/nsswitch.conf. Thanks..

Re: NIS

Ricky B. Nino — Wed, 12 Mar 2003 05:23:39 GMT

Hi SK,

See attached file...

Re: NIS

S.K. Chan — Wed, 12 Mar 2003 05:40:26 GMT

The order is all wrong in the /etc/passwd file ... cut the last line ..
tftp:*:510:1:Trivial FTP user:/usr/tftpdir:false
and paste above ..
-rickyn::0:0:::
Basically the ..
+::-2:-2:::
should be last. So the last 2 lines in the file should be ..
-rickyn::0:0:::
+::-2:-2:::
As for the /etc/nsswitch.conf file, change these so that the + and - syntax can be used by the password file.
passwd: compat
group: compat
Now try the login again ..

Re: NIS

Ricky B. Nino — Wed, 12 Mar 2003 08:26:46 GMT

Hi SK,

Its working now. Many thanks...

If its not to much to you, could you provide brief explanation on the solution you have provided.

Thanks in advance and best regards...

Re: NIS

S.K. Chan — Wed, 12 Mar 2003 08:45:09 GMT

Sure .. first the /etc/passwd file. If you want it to look at the NIS password map to authenticate users in that map you need to have the escape sequence put at the end of the file (ie the last line in the local password file). The escape sequence can be in the form of ..
+::-2:60001:::
which in my opinion is more secure. But it's still ok to have ..
+::-2:-2:::
No big deal. So remember the order of that entry is important. Let say for some reason you want to create a local temporary user account (not NIS), you can edit the /etc/passwd file and put the appropriate entry above the escape sequence entry and that password entry would only apply to that particular machine. Bottomline .. escape sequence MUST be at the last line. The "-" key is used to disallow login of a particular NIS account, as simple as that.
Finally the /etc/nsswitch.conf file. Your original entry ..
passwd: files nis
group: files nis
basically tell the system to first look in the local /etc/passwd and /etc/group for an entry. If not found then fall-back and query NIS map. The rule is if you want the "+" and "-" to behave well you got to put "compat" instead.
Hope that explains it .. :)

Re: NIS

Ricky B. Nino — Wed, 12 Mar 2003 08:54:19 GMT

Hi SK,

Very well said...I got it.

regards...