SUMMARY: Deny User Access to NIS Server

From: Lau, Victoria H (vlau@msmail2.hac.com)
Date: Thu Dec 05 1996 - 20:09:10 CST


Thank you for all the different ways you offered for denying regular users
access to the NIS server. Here are the credits to those of you who
kindly helped me with my request, followed by your responses:

- Michael Salehi
- Mike Clarke
- Peter M Allan
- Jan-Olaf Droese
- rsk@itw.com
- Karlheinz Pischke
- matthew zeier
- K. Ravi
- Kevin Sheehan

===========================================================================
        There are several ways to do it; the easiest is to have the servers not
        use NIS. In 2.x it's easy: use nsswitch.files.
===========================================================================
I assume you really are using NIS and not NIS+. I've no idea how it's done
with NIS+, but here's what I do using NIS.

First you need to create an independent passwd file for just your own users; I
use /var/etc/passwd. Copy all your own user entries from /etc/passwd into this
file, then delete them from /etc/passwd. The only entries left in /etc/passwd
should be the original items supplied when the system was installed.

Modify /var/yp/Makefile to use the new passwd file. My Makefile has the line:

PWDIR=/var/etc

The passwd section in my Makefile looks like this (the two long awk commands are
continued with a trailing backslash; recipe lines must start with a tab):

passwd.time: $(PWDIR)/passwd
	@(awk 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ { print $$1, $$0 }' \
	    $(PWDIR)/passwd $(CHKPIPE))| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/passwd.byname;
	@(awk 'BEGIN { FS=":"; OFS="\t"; } /^[a-zA-Z0-9_]/ { printf("%-10d ", $$3); print $$0 }' \
	    $(PWDIR)/passwd $(CHKPIPE))| $(MAKEDBM) - $(YPDBDIR)/$(DOM)/passwd.byuid;
	@touch passwd.time;
	@echo "updated passwd";
	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) passwd.byname; fi
	@if [ ! $(NOPUSH) ]; then $(YPPUSH) -d $(DOM) passwd.byuid; fi
	@if [ ! $(NOPUSH) ]; then echo "pushed passwd"; fi

I can't remember if the file originally used the PWDIR variable or if I changed
it long ago.

Run make and change the passwd line in /etc/nsswitch.conf on the server to be
just:

passwd files

This _should_ do what you need. The only bit that differs from my setup is the
nsswitch.conf entry. You might be interested in how we do it. We wanted to
restrict access on the file servers to a small number of users who are trusted
to perform various updates but not sufficiently trusted to be given the root
password. First I set up an entry for the trusted users in /etc/netgroup rather
like this:

server_users (-,mike,) (-,trusty1,) (-,another_trusty,)

Then I added the following line to the end of /etc/passwd and /etc/shadow:

+@server_users

I don't know if it's really needed in the shadow file but it doesn't appear to
do any harm.

Then I changed the passwd line in /etc/nsswitch.conf to:

passwd compat

Using this approach, access is limited to users in /etc/passwd (i.e. root) and
only selected users from our passwd file.

This has worked fine for us for several years with just one exception. One of
our fileservers also acts as a mail server; /var/mail is mounted from this
machine on all the clients. When I applied the restrictions all mail was bounced
as being for unknown users. If you come across any other methods which don't
suffer from this problem I would be very interested to hear of them.
===========================================================================
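What the "passwd compat" line plus a "+@server_users" entry actually lets through is easy to misjudge, so here is an added example (not from Mike's post or any of the other replies) that simulates the compat lookup in plain sh and awk over constructed sample data: a pruned local passwd file ending in +@server_users, a NIS passwd map, and a netgroup file in the (host,user,domain) triple form. The names server_users, mike and trusty1 come from the post; alice, mail_hosts, the UIDs, home directories and shells are made up for the example. It models only "+", "+user" and "+@netgroup"; "-" exclusion entries are dropped rather than modelled.

```shell
# Added example: simulate a "passwd: compat" lookup against a local passwd
# file that ends in "+@server_users". All inputs below are constructed
# sample data, not real system files.

# Constructed sample: the server's pruned /etc/passwd. Only the installer
# accounts remain, plus the compat entry that admits one netgroup.
LOCAL_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
+@server_users'

# Constructed sample: the NIS passwd map (built from /var/etc/passwd).
NIS_PASSWD='mike:x:1001:10:Mike:/home/mike:/bin/ksh
trusty1:x:1002:10:Trusty One:/home/trusty1:/bin/sh
alice:x:1003:10:Alice:/home/alice:/bin/csh'

# Constructed sample /etc/netgroup; each triple is (host,user,domain).
NETGROUP='server_users (-,mike,) (-,trusty1,)
mail_hosts (fs1,-,) (fs2,-,)'

# netgroup_users NAME: print the user field of every triple in NAME.
netgroup_users() {
    printf '%s\n' "$NETGROUP" | awk -v ng="$1" '
        $1 == ng {
            for (i = 2; i <= NF; i++) {
                gsub(/[()]/, "", $i)      # "(-,mike,)" -> "-,mike,"
                n = split($i, t, ",")     # t[1]=host t[2]=user t[3]=domain
                if (n >= 2 && t[2] != "" && t[2] != "-") print t[2]
            }
        }'
}

# nis_entry USER: print USER's line from the NIS map, if any.
nis_entry() {
    printf '%s\n' "$NIS_PASSWD" | awk -F: -v u="$1" '$1 == u'
}

# compat_resolve: print the passwd database as "compat" mode sees it.
# Local lines pass through; "+" pulls in the whole map, "+user" one entry,
# "+@netgroup" the entries of the netgroup's members. "-user" and "-@ng"
# exclusions exist in real compat mode but are simply dropped here.
compat_resolve() {
    printf '%s\n' "$LOCAL_PASSWD" | while IFS= read -r line; do
        case "$line" in
            +@*) netgroup_users "${line#+@}" | while IFS= read -r u; do
                     nis_entry "$u"
                 done ;;
            +)   printf '%s\n' "$NIS_PASSWD" ;;
            +*)  nis_entry "${line#+}" ;;
            -*)  ;;
            *)   printf '%s\n' "$line" ;;
        esac
    done
}

# can_login USER: exit 0 if USER resolves on this server, 1 if not.
can_login() {
    compat_resolve | awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }'
}

# Stand-alone run: show the effective database and probe a few names.
compat_resolve
for u in root mike alice; do
    if can_login "$u"; then echo "$u: resolves"; else echo "$u: unknown user"; fi
done
```

can_login is the check behind the bounced-mail problem described above: a recipient that fails it does not exist as far as the server is concerned, so anything that must resolve every NIS user on that host (a mailer delivering to /var/mail, for one) needs either a different lookup path or a "+" entry that admits everyone with a locked-down shell.
===========================================================================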
This is an easy one - think before posting. :-)

Make your NIS passwd map from a different passwd file than /etc/passwd.

Say /etc/NIS/passwd, having the full content. /etc/passwd can be a pruned-down
version (taking info from the NIS map, but with the famous /bin/false as login
shell, if you wish to have files with named owners rather than UIDs).
===========================================================================
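The "pruned-down /etc/passwd with /bin/false" idea above, as an added example (not code from the reply or from any Solaris tool) in plain sh and awk: it derives the server's local passwd file from the full file that the NIS map is built from, leaves installer accounts alone, keeps the real shell for a list of admins, and gives everyone else /bin/false while preserving name and UID so that ls -l on the server still shows named owners. The sample passwd content, the UID threshold of 99 for "system" accounts and the admin name mike are assumptions for the example.

```shell
# Added example: build the pruned local /etc/passwd from the full passwd
# source used for the NIS map. System accounts stay as installed, listed
# admins keep their real shell, everyone else keeps name and UID (so files
# on the server still list a named owner) but gets /bin/false as shell.

# Constructed sample of the full file the NIS map is built from.
FULL_PASSWD='root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
mike:x:1001:10:Mike:/home/mike:/bin/ksh
alice:x:1003:10:Alice:/home/alice:/bin/csh
+@server_users'

# Assumption for the example: UIDs at or below this were supplied by the
# installer and are left untouched.
SYSTEM_UID_MAX=99

# prune_passwd [admin ...]: print the pruned passwd file on stdout.
prune_passwd() {
    printf '%s\n' "$FULL_PASSWD" | awk -F: -v OFS=: \
        -v max="$SYSTEM_UID_MAX" -v admins=" $* " '
        NF != 7                   { next }         # skip +/- compat lines
        $3 <= max                 { print; next }  # system account: keep
        index(admins, " " $1 " ") { print; next }  # admin: keep real shell
        { $7 = "/bin/false"; print }               # everyone else: no login
    '
}

# login_shells CONTENT: list "user:shell" for every entry that can still
# get a shell, i.e. whose shell is not /bin/false. An empty shell field
# counts too, because login falls back to the default shell (/bin/sh here).
login_shells() {
    printf '%s\n' "$1" | awk -F: '
        NF == 7 && $7 != "/bin/false" { print $1 ":" ($7 == "" ? "/bin/sh" : $7) }'
}

# Stand-alone run: mike is the only admin allowed a working shell.
prune_passwd mike
echo '--- accounts that can still log in:'
login_shells "$(prune_passwd mike)"
```

Run login_shells over the real /etc/passwd after any change: it is the list of accounts a password guess against the server could still turn into a shell, and the empty-shell case is the one that is easy to overlook when auditing by eye.
===========================================================================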
With our Solaris 1 machines we did the following:

1) Change the yp Makefile to use a different file than /etc/passwd
   for building the NIS map. Move your passwd file to that location
   (e.g. /etc/passwd.nis)

2) Create a /etc/passwd file with just the accounts you want to
   allow access to.

3) That's all.
===========================================================================
This was just answered yesterday (!). Please find and read the article
which begins "SUMMARY: restricting login under..." -- it describes
how to use netgroups to do this.
[I just cannot find a decent excuse for this one--I AM embarrassed! Vicky]
===========================================================================
I have not tried this, but the /etc/nsswitch.conf file should be the right place.
Have an entry there for passwd which asks only the local passwd file on the
server:

passwd: files
===========================================================================
Here's what I did at 3Com. All of us admins are in a group "sysadm" and
all of the shells on my NIS machines are 550, root:sysadm. This prevents
anyone not an admin from logging in. And it's really easy to allow
someone else to join our group - just add them to /etc/group and push
maps.
===========================================================================
This is what I've done on our NIS server (I'm running the server on SunOS
4.1.4, but the idea is the same):
Create a separate file for putting NIS accounts in, say passwd.nis, and edit the
NIS makefile to look at this file rather than passwd.

And, to disable NIS logins on a Solaris machine, edit nsswitch.conf and
remove 'nis' from the 'passwd' line, i.e.
change 'passwd: files nis'

to 'passwd: files'.
===========================================================================
Move the location of the passwd file in the Makefile. It doesn't have
to be /etc/passwd, and the server doesn't have to use NIS for passwd (in
nsswitch.conf just make passwd file-based).
===========================================================================

I was hoping that someone would reply "just <touch /etc/nologin>" and
you are there!

Anyway, thank you for all the knowledge.

Sincerely,
Vicky Lau
vlau@msmail2.hac.com



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:18 CDT