
NIS setup with local & NIS accounts etc..

 
Norman Dignard
Regular Advisor


Have a problem with my NIS setup that I can't seem to resolve after reading the docs and some testing. I must be going brain dead. Can someone help?
Suggestions on a better setup welcome.

Our setup
L1000 HP11.00 NIS master with 3 NICs homed to different subnets serving multiple 10.20 & 11.00 clients. (Added additional NICs due to client bind problems across subnets)

We want certain accounts (user/group) to also be local on certain hosts. After playing with the +/- switch still can't seem to get it to work. Nsswitch file has compat for passwd/group entries. Part of the problem is that these same accounts also have to be on the NIS master. The NIS master also is a db server (Oracle & Raima) so it needs its entries in the passwd/group file. How do I implement this?

NIS master setup
All accounts in passwd/group files.
Passwd has +::-2:60001:::
Group has +:*:*

nsswitch.conf has :
passwd: compat
group: compat
hosts: nis [NOTFOUND=return] files [NOTFOUND=return] dns
networks: nis [NOTFOUND=return] files
protocols: nis [NOTFOUND=return] files
rpc: nis [NOTFOUND=return] files
publickey: nis [NOTFOUND=return] files
netgroup: nis [NOTFOUND=return] files
automount: files nis
aliases: files nis
services: files nis
automounter: files

On client:
Passwd has (only local adm stuff and) +::-2:60001::: as last entry
Group has (only local adm stuff and) +:*:* as last entry
nsswitch.conf setup is the same as the NIS master above.

The master has the following user/group defined in its maps
group map
dba::106:oracle
dms::110:oracle
oinstall::112:oracle

passwd map
oracle:ClN34.l.Bsh2:130:112:Oracle Admin,,,:/oracle/home:/usr/bin/sh
dms:23cYYDhXsUs0k:148:110:DMS Account,,,:/home/dms:/usr/bin/sh

I manually created the same user/group (with the same uid/gid) accounts on the local client as SAM would complain of a duplicate/existing account even with the nis client stopped. The entries are before the +::-2:60001::: and +:*:* in the passwd/group file.

With the NIS started on the client it appears that it is still going to NIS for the user/group account.
Adding a + in front of the user and group name didn't seem to work either. With the + entry and NIS on the client stopped trying to log in as the user, the system would come back saying invalid account. It appears that it was picking up the + as part of the user name. I even had a problem with the local user (no + in front of the user name) passwd entry of ,.. (change password on login) in that it would prompt the user to change their NIS passwd (and not their local account passwd) and would keep doing so on each login attempt.

Any suggestions on how would you set all this up properly? Do local and NIS accounts need unique uid/gids? What would happen if a local account is created with a unique uid and then some future NIS account is created on the master server that uses the same uid/gids? Wouldn't this cause some admin problems in that if the same NIS user needs access to a client whose local uid/gid belongs to someone else?

That aside can someone tell me if the variable in /etc/rc.config.d/namesvrs WAIT_FOR_NIS_SERVER=FALSE
is valid on 11.x hosts? I noticed it on 10.20 clients but it's not there in the default 11.x file.

Norm Dignar
3 REPLIES
Dmitry G. Spitsyn
Trusted Contributor

Re: NIS setup with local & NIS accounts etc..

Hello, Norman !
You need FULL records in the local passwd & group files ONLY for users to be authenticated locally.
All the users to be authenticated using NIS maps need so called escape entries in the passwd/group files (NO FULL ENTRY, only + and user/group name):
+name_of_user_or_group

It means that on your NIS master you need to have two versions of the files: one (truncated) for the local authentication and the other as the source for NIS maps.
For example, the local /etc/passwd file will contain FULL entries for some local users and escape entries for NIS-users. On NIS master you create NIS maps sourcing from NIS-version of the passwd file (containing FULL entries for all NIS-users).
BR,
DGS
Norman Dignard
Regular Advisor

Re: NIS setup with local & NIS accounts etc..

I did have full entries in both the NIS master and client
passwd/group files. I added the + in front of the entry but that didn't seem to work.
As for the client local accounts, some hosts need it local (non-NIS) while others need it as a NIS account.
Steve Labar
Valued Contributor

Re: NIS setup with local & NIS accounts etc..

You should be able to use
+{username} at the end of your /etc/passwd file and +{groupname} at the end of your /etc/group file. Whether they are a local or NIS user, they cannot share the same UID or there will be conflicts and/or, the user you think logged in will start using properties of a different user. If you are having problems adding NIS info at the client, verify your NIS master's maps are up to date and have been "pushed" to the clients. The easiest way to do this is to
cd /var/yp ; make
If the make fails you will need to correct errors before the proper maps will be pushed out.

Good Luck.

Steve
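
The lookup order and UID question discussed in this thread, as an added example that is not part of any post: a simplified Python model of compat-style scanning of /etc/passwd, plus a check for UIDs held by differently named local and NIS accounts. It assumes the commonly documented top-to-bottom handling of +/- entries (netgroup entries and field overrides are omitted, and HP-UX specifics may differ); the sample entries are constructed, with placeholder password fields.

```python
# Added example: simplified model of "passwd: compat" lookups and a UID audit.
# Assumption: entries are scanned top to bottom and the first match wins.

LOCAL = """root:*:0:3::/:/sbin/sh
oracle:*:130:112:Oracle Admin,,,:/oracle/home:/usr/bin/sh
jdoe:*:148:20:Local user:/home/jdoe:/usr/bin/sh
+::-2:60001:::
"""  # constructed local /etc/passwd

NIS = """oracle:*:130:112:Oracle Admin,,,:/oracle/home:/usr/bin/sh
dms:*:148:110:DMS Account,,,:/home/dms:/usr/bin/sh
"""  # constructed NIS passwd map


def parse(text):
    """Split passwd-format text into field lists, skipping blank lines."""
    return [ln.split(":") for ln in text.splitlines() if ln.strip()]


def resolve(name, local, nis):
    """Return (source, fields) showing which entry answers a lookup of name."""
    nis_by_name = {e[0]: e for e in nis}
    for e in local:
        key = e[0]
        if key == "-" + name:
            return (None, None)          # explicit exclusion stops the search
        if key == name:
            return ("local", e)          # full local entry seen before any '+'
        if key in ("+", "+" + name) and name in nis_by_name:
            return ("nis", nis_by_name[name])
    return (None, None)


def uid_collisions(local, nis):
    """Map each UID to the differently named accounts that share it."""
    owners = {}
    for entries in (local, nis):
        for e in entries:
            if e[0][:1] in "+-" or len(e) < 4:
                continue                 # skip escape entries and short lines
            owners.setdefault(e[2], set()).add(e[0])
    return {uid: sorted(n) for uid, n in owners.items() if len(n) > 1}


if __name__ == "__main__":
    local, nis = parse(LOCAL), parse(NIS)
    for user in ("oracle", "dms", "nobody"):
        print(user, "->", resolve(user, local, nis)[0])
    print("shared UIDs:", uid_collisions(local, nis))
```

In the sample data the local jdoe and the NIS dms account both hold UID 148, so files owned by one appear to belong to the other on that client.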