topic Re: Restrict NIS users in Operating System - Linux

Restrict NIS users

Binu_5 — Tue, 30 Aug 2005 22:29:57 GMT

Hi All

Can any body tell me how to restrict nis users to user Linux servers
OS version is Red Hat linux 9

Thanks
Binu

Re: Restrict NIS users

Vitaly Karasik_1 — Wed, 31 Aug 2005 01:20:15 GMT

>how to restrict nis users
can you provide more info about this?

Re: Restrict NIS users

Binu_5 — Wed, 31 Aug 2005 01:36:28 GMT

Hi

I have an NIS server here and all the users
are configures in this Server...
NIS users will login to individual workstations ..Here all the NIS users can login to all workstations .. I want to restrict some users accessing some workstations ..

Is there any setting in the workstation side

Thanks
Binu

Re: Restrict NIS users

Vitaly Karasik_1 — Wed, 31 Aug 2005 01:47:51 GMT

netgroup can help you.
see http://www.tldp.org/HOWTO/NIS-HOWTO/settingup_client.html for more.

Re: Restrict NIS users

CSG Office — Wed, 31 Aug 2005 06:21:01 GMT

Hi Binu,

If it is NIS, then each NIS client would have "+" at the bottom of passwd and shadow files. To remove a particular user such as jsmith, you would put "-jsmith" in passwd. Alternatively, you could take out the "+" (which includes everyone) and put "+jsmith" to make jsmith the only user to be able to log on with an NIS account. If you have user accounts you will never want to logon to clients, make the accounts UID a low number. I don't remember what the lowest NIS UID is, but that is adjustable anyway. You may have to look for that.

Re: Restrict NIS users

Binu_5 — Wed, 31 Aug 2005 07:44:52 GMT

Hi

Please find the last lines of my password file
#+::0:0:::
+binuv

I have added a user call +binuv at the
end of the line and hashed (#) the above line but still all the nis users can login to the system

Thanks
Binu

Re: Restrict NIS users

Ivan Ferreira — Wed, 31 Aug 2005 08:19:08 GMT

To restrict users to specific workstations, you can use the pam_access module:

http://susefaq.sourceforge.net/howto/pam.html

Enable pam_access in /etc/pam.d/system-auth and then configure the /etc/security/access.conf file.

Re: Restrict NIS users

RAC_1 — Wed, 31 Aug 2005 08:27:05 GMT

Use netgroup file.
man netgroup for details.

You can also put as follows in passwd file.

-user_name1
-user_name2

Re: Restrict NIS users

Ross Minkov — Thu, 01 Sep 2005 00:43:08 GMT

When you have "passwd: files nis" in /etc/nsswitch.conf file you do not need to include + entry in /etc/passwd to allow for NIS logins. In that case all users with NIS accounts can login to the system.

To be able to restrict interactive access to the system to a subset of the NIS users you can use the +/- semantics syntax in /etc/passwd as follows:
+nisuser ==> include the specified user from NIS passwd.byname
-nisuser ==> exclude the specified user
+@netgroup ==> include all users in the netgroup
-@netgroup ==> exclude all users in the netgroup
+ ==> include everything, except excluded users

To allow for this syntax in /etc/passwd the "compat" source should be used for passwd in /etc/nsswitch.conf. It reads /etc/passwd for getpwnam() functions and, if it finds +/- entries, invokes an appropriate source. In case you need to use it, the "compat" source also provides full +/- semantics for /etc/group.

HTH,
Ross

Re: Restrict NIS users

Artur Shnayder — Tue, 06 Sep 2005 10:54:57 GMT

I've added the following configuration in /etc/passwd file:
+@admin:::::::
-::::::::

When users from other then admin netgroup are connecting to the host they get something like:
id: cannot find name for group ID 6553
id: cannot find name for user ID 925

but they are still able to log in. Is there any way to prevent login permissions for these users?

Re: Restrict NIS users

Ross Minkov — Tue, 06 Sep 2005 11:05:15 GMT

Arthur,

Try this:

1. Only add the following to /etc/passwd:

+@admin

Remove any lines that have ::::...
Also make sure you don't have a "+" line in it.

2. Add the following line to /etc/group:

+

3. Change you /etc/nsswitch.conf to have:

passwd: compat
shadow: compat
group: compat

HTH,
Ross

Re: Restrict NIS users

Artur Shnayder — Tue, 06 Sep 2005 11:16:21 GMT

"+" in the /etc/group file removed GID error message, all the rest is the same.
I forgot to mention that it's RHE3 update 4.
I guess the problem is somewhere in pam modules.

Re: Restrict NIS users

Binu_5 — Tue, 13 Sep 2005 01:04:35 GMT

Hi

I have added only one user in
/etc/security/access.conf like the following format
+:alphy but still other users can access the system

Thanks
Binu