Administering NIS Users
This section includes information about setting user passwords, adding new users to an
NIS domain, and assigning users to netgroups.
How to Add a New NIS User to an NIS Domain
- On the master NIS server, become superuser or assume an equivalent role.
Roles contain authorizations and privileged commands. For more information about roles, see Chapter 9, Using Role-Based Access Control (Tasks), in System Administration Guide: Security Services.
- Create the new user's login ID with the useradd command.
# useradd userID
userID is the login ID of the new user. This command creates entries
in the /etc/passwd and /etc/shadow files on the master NIS server.
- Create the new user's initial password.
To create an initial password that the new user can use to
log in, run the passwd command.
# passwd userID
Where userID is the login ID of the new user. You will be
prompted for the password to assign to this user.
This step is necessary because the password entry created by the useradd command
is locked, which means that the new user cannot log in. By specifying
an initial password, you unlock the entry.
- If necessary, copy the new entry into the server's passwd map input files.
The map source files on your master server should be in a
directory other than /etc. Copy and paste the new lines from the /etc/passwd
and /etc/shadow files into the passwd map input files on the server.
See Password Files and Namespace Security for additional information.
For example, if you added the new user brown, the line from /etc/passwd
that you would copy to your passwd input file would look like
the following.
brown:x:123:10:User brown:/home/brown:/bin/csh:
The line for brown that you would copy from /etc/shadow would look
like:
brown:W12345GkHic:6445::::::
- Make sure that the Makefile correctly specifies the directory where the password input
file resides.
- If appropriate, delete the new user's entries from /etc/passwd and /etc/shadow input files.
For security reasons, do not keep user entries in the NIS master server
/etc/passwd and /etc/shadow files. After copying the entries for the new user to
the NIS map source files that are stored in some other directory, use
the userdel command on the master server to delete the new user.
For example, to delete the new user brown from the master server's /etc
files, you would enter the following.
# userdel brown
For more information about userdel, see the userdel man page.
- Update the NIS passwd maps.
After you have updated the passwd input file on the master server, update
the passwd maps by running make in the directory containing the source file.
# cd /var/yp
# /usr/ccs/bin/make passwd
- Tell the new user the initial password you have assigned to his or
her login ID.
After logging in, the new user can run passwd at any time to
establish a different password.
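The file-handling steps above (copy the entries out of /etc, keep the map sources in another directory, and do not push an entry whose password is still locked) can be checked mechanically before make is run. The following is an added example, not part of the Solaris documentation or of the NIS software: a POSIX shell function that takes the /etc and map-source directories as parameters so it can be exercised on scratch copies. The function names, the scratch files and the lock marker *LK* are assumptions of the example (the brown entries reuse the sample values from the text). Running useradd, passwd, userdel and make is left to the administrator, exactly as the steps describe.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): stage a new user's
# /etc/passwd and /etc/shadow lines into the NIS map source directory, the
# PWDIR that the /var/yp Makefile points at, before running make passwd.
# Directory paths are parameters so the checks can be run on scratch copies.

# nis_stage_user USER ETC_DIR PWDIR
# Copies USER's entries from ETC_DIR/passwd and ETC_DIR/shadow to PWDIR.
# Returns 1 and stages nothing if the user has no local entry, an entry is
# malformed, the password is still locked, or the user is already in PWDIR.
nis_stage_user() {
    user=$1; etc=$2; pwdir=$3

    pwline=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$etc/passwd")
    shline=$(awk -F: -v u="$user" '$1 == u { print; exit }' "$etc/shadow")
    if [ -z "$pwline" ] || [ -z "$shline" ]; then
        echo "nis_stage_user: no local passwd/shadow entry for $user" >&2
        return 1
    fi

    # passwd(4) lines carry 7 colon-separated fields and shadow(4) lines 9;
    # an extra or missing field would corrupt the generated map.
    if [ "$(printf '%s\n' "$pwline" | awk -F: '{ print NF }')" -ne 7 ] ||
       [ "$(printf '%s\n' "$shline" | awk -F: '{ print NF }')" -ne 9 ]; then
        echo "nis_stage_user: malformed entry for $user" >&2
        return 1
    fi

    # useradd leaves the password field locked (assumed here to be the Solaris
    # *LK* marker) until passwd has been run. An empty field means no password
    # at all. Neither belongs in a map that every NIS client will trust.
    case "$(printf '%s\n' "$shline" | awk -F: '{ print $2 }')" in
        '*LK*'*|'')
            echo "nis_stage_user: $user has no usable password yet; run passwd first" >&2
            return 1 ;;
    esac

    if awk -F: -v u="$user" '$1 == u { found = 1 } END { exit !found }' "$pwdir/passwd"; then
        echo "nis_stage_user: $user is already in $pwdir/passwd" >&2
        return 1
    fi

    printf '%s\n' "$pwline" >> "$pwdir/passwd"
    printf '%s\n' "$shline" >> "$pwdir/shadow"
    echo "staged $user in $pwdir; next: userdel $user, then cd /var/yp && make passwd"
}

# nis_demo_setup: builds scratch ETC_DIR and PWDIR trees with constructed
# entries (brown reuses the documentation's sample values; locked is a user
# created by useradd whose password has not been set) and prints the root.
nis_demo_setup() {
    d=$(mktemp -d)
    mkdir -p "$d/etc" "$d/pwdir"
    printf 'brown:x:123:10:User brown:/home/brown:/bin/csh\n' > "$d/etc/passwd"
    printf 'locked:x:124:10:Locked user:/home/locked:/bin/sh\n' >> "$d/etc/passwd"
    printf 'brown:W12345GkHic:6445::::::\n' > "$d/etc/shadow"
    printf 'locked:*LK*:6445::::::\n' >> "$d/etc/shadow"
    : > "$d/pwdir/passwd"
    : > "$d/pwdir/shadow"
    printf '%s\n' "$d"
}

# Walk through both cases on the scratch tree.
nis_demo() {
    d=$(nis_demo_setup)
    nis_stage_user brown "$d/etc" "$d/pwdir"
    nis_stage_user locked "$d/etc" "$d/pwdir" || echo "locked user refused, as intended"
    rm -rf "$d"
}
nis_demo
```

On a real master server the call would be `nis_stage_user brown /etc "$PWDIR"`, where PWDIR is the directory the /var/yp Makefile names; the function refuses to stage the same user twice, so re-running it after a failed make is harmless.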
Setting User Passwords
Users run passwd to change their passwords.
% passwd username
Before users can change their passwords, you must start the rpc.yppasswdd daemon
on the master server to update the password file.
The rpc.yppasswdd daemon starts automatically on the master server. Notice that when the
-m option is given to rpc.yppasswdd, a make is forced in /var/yp immediately
following a modification of the file. If you want to avoid having this
make take place each time the passwd file is changed, remove the
-m option from the rpc.yppasswdd command in the ypstart script and control the pushing
of the passwd maps through the crontab file.
Note - No arguments should follow the rpc.yppasswdd -m command. Although you can edit
the ypstart script file to achieve a different action, it is not recommended
that you modify this file other than optionally removing the -m option. All commands
and daemons are invoked by this file with the proper set of command
line parameters. If you choose to edit this file, be especially careful when
editing the rpc.yppasswdd command. If you add an explicit call to the passwd.adjunct file,
the exact $PWDIR/security/passwd.adjunct path must be used; otherwise, incorrect processing results.
NIS Netgroups
NIS netgroups are groups (sets) of users or machines that you define for
your administrative purposes. For example, you can create netgroups that do the following.
- Define a set of users who can access a specific machine
- Define a set of NFS client machines to be given some specific file system access
- Define a set of users who are to have administrator privileges on all the machines in a particular NIS domain
Each netgroup is given a netgroup name. Netgroups do not directly set permissions
or access rights. Instead, the netgroup names are used by other NIS maps
in places where a user name or machine name would normally be
used. For example, suppose you created a netgroup of network administrators called netadmins.
To grant all members of the netadmins netgroup access to a given machine,
you need only add a netadmins entry to that machine's /etc/passwd file.
Netgroup names can also be added to the /etc/netgroup file and propagated to the
NIS netgroup map. See netgroup(4) for more detailed information on using netgroups.
On a network using NIS, the netgroup input file on the master NIS
server is used for generating three maps: netgroup, netgroup.byuser, and netgroup.byhost. The
netgroup map contains the basic information in the netgroup input file. The
two other NIS maps contain information in a format that speeds lookups of
netgroup information, given the machine or user.
Entries in the netgroup input file are in the format: name ID, where
name is the name you give to a netgroup, and ID identifies a
machine or user who belongs to the netgroup. You can specify as many
IDs (members) in a netgroup as you want, separated by commas. For example,
to create a netgroup with three members, the netgroup input file entry would be
in the format: name ID, ID, ID. The member IDs in
a netgroup input file entry are in the following format.
([-|machine], [-|user], [domain])
Where machine is a machine name, user is a user ID, and
domain is the machine or user's NIS domain. The domain element is optional and
should only be used to identify machines or users in some other
NIS domain. The machine and user element of each member's entry are required, but
a dash (-) is used to denote a null. There is no necessary
relationship between the machine and user elements in an entry.
The following are two sample netgroup input file entries, each of which
creates a netgroup named admins composed of the users hauri and juanita
(juanita being in the remote domain sales) and the machines altair and
sirius.
admins (altair, hauri), (sirius,juanita,sales)
admins (altair,-), (sirius,-), (-,hauri), (-,juanita,sales)
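As an added example that is not part of the Solaris documentation or of the NIS software, the following POSIX shell functions parse netgroup input file entries in the format described above and derive the per-machine and per-user views that the netgroup.byhost and netgroup.byuser maps provide, so that you can review exactly which machines and users a netgroup name stands for before the maps are built and pushed. The function names and the sample input (the first admins entry from the text plus a constructed nfsclients netgroup) are the example's own. It goes slightly beyond the page in one respect: netgroup(4) also permits a bare netgroup name as a member, and the parser reports such members on stderr rather than expanding them.

```shell
#!/bin/sh
# Added example (not from the Solaris documentation): expand netgroup input
# file entries into "NETGROUP MACHINE USER DOMAIN" rows and derive the
# per-machine and per-user views that the netgroup.byhost and netgroup.byuser
# maps serve to mountd, login and the ruserok interface.

# netgroup_expand: reads entries on stdin, writes one row per member triple.
# "-" marks an empty element. A bare word member (a reference to another
# netgroup, allowed by netgroup(4)) is reported on stderr, not recursed into.
netgroup_expand() {
    awk '
    /^[ \t]*#/ { next }                    # comment lines
    NF == 0    { next }                    # blank lines
    {
        name = $1
        rest = substr($0, index($0, $1) + length($1))
        gsub(/[ \t]/, "", rest)            # whitespace inside an entry is insignificant
        while (rest != "") {
            if (substr(rest, 1, 1) == ",") { rest = substr(rest, 2); continue }
            if (match(rest, /^\([^)]*\)/)) {
                k = split(substr(rest, 2, RLENGTH - 2), f, /,/)
                machine = (k >= 1 && f[1] != "") ? f[1] : "-"
                user    = (k >= 2 && f[2] != "") ? f[2] : "-"
                domain  = (k >= 3 && f[3] != "") ? f[3] : "-"
                print name, machine, user, domain
                rest = substr(rest, RLENGTH + 1)
            } else if (match(rest, /^[^,()]+/)) {
                print name ": nested netgroup " substr(rest, 1, RLENGTH) " not expanded" > "/dev/stderr"
                rest = substr(rest, RLENGTH + 1)
            } else {
                print name ": cannot parse \"" rest "\"" > "/dev/stderr"
                break
            }
        }
    }'
}

# netgroup_byhost: from expanded rows on stdin, print "MACHINE NETGROUP" for
# each machine member, the lookup netgroup.byhost answers for mountd.
netgroup_byhost() { awk '$2 != "-" { print $2, $1 }' | sort -u; }

# netgroup_byuser: print "USER NETGROUP" for each user member, the lookup
# netgroup.byuser answers for login and ruserok.
netgroup_byuser() { awk '$3 != "-" { print $3, $1 }' | sort -u; }

# netgroup_has_user FILE NETGROUP USER: succeeds when USER is a member of
# NETGROUP in FILE, whatever domain element the member carries.
netgroup_has_user() {
    netgroup_expand < "$1" |
        awk -v g="$2" -v u="$3" '$1 == g && $3 == u { found = 1 } END { exit !found }'
}

# Constructed sample input: the documentation's first admins entry plus an
# nfsclients netgroup made up for this example.
NETGROUP_SAMPLE='admins (altair, hauri), (sirius,juanita,sales)
nfsclients (altair,-), (vega,-)
'

# Show the expanded rows and both derived views for the sample.
netgroup_demo() {
    echo "== expanded"; printf '%s' "$NETGROUP_SAMPLE" | netgroup_expand
    echo "== byhost";   printf '%s' "$NETGROUP_SAMPLE" | netgroup_expand | netgroup_byhost
    echo "== byuser";   printf '%s' "$NETGROUP_SAMPLE" | netgroup_expand | netgroup_byuser
}
netgroup_demo
```

Against a real input file, `netgroup_expand < "$PWDIR/netgroup" | netgroup_byuser` lists every user each netgroup name will admit wherever that name appears in the passwd map, /etc/hosts.equiv or a .rhosts file, which is the review worth doing before make and yppush propagate the change.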
Various programs use the netgroup NIS maps for permission checking during login, remote
mount, remote login, and remote shell creation. These programs include mountd, login, rlogin,
and rsh. The login command consults the netgroup maps for user classifications
if it encounters netgroup names in the passwd database. The mountd daemon consults the
netgroup maps for machine classifications if it encounters netgroup names in the /etc/dfs/dfstab
file. rlogin and rsh, and in fact any program that uses the ruserok
interface, consult the netgroup maps for both machine and user classifications if they encounter
netgroup names in the /etc/hosts.equiv or .rhosts files.
If you add a new NIS user or machine to your network,
be sure to add them to appropriate netgroups in the netgroup input file. Then
use the make and yppush commands to create the netgroup maps and push
them to all of your NIS servers. See netgroup(4) for detailed information on
using netgroups and netgroup input file syntax.