Managing NFS and NIS, 2nd Edition - Mike Eisler [33]

master server. The local password file is always read before getpwuid( ) goes to an NIS server. Password-file reading routines find locally defined users as well as those in the NIS map, and the search order of "local, then NIS" allows local password file entries to override values in the NIS map. Similarly, the local aliases file can be used to override entries in the NIS mail aliases map, setting up machine-specific expansion of one or more aliases.

There is yet another group of files that can be augmented with data from NIS. These files are not managed by NIS directly, but you can add special entries referring to the NIS database (in particular, the netgroups map). Such files include hosts.equiv and .rhosts. We won't discuss these files in this chapter; we will treat them as the need arises. For example, we will discuss hosts.equiv in Chapter 12.

Now we're going to discuss the special netgroups map. This new database is the basis for the most useful extensions to the standard administrative files; it is what prevents NIS from becoming a rigid, inflexible system. After our discussion of netgroups, we will pay special attention to the appended files.

Netgroups

In addition to the standard password, group, and host file databases, NIS introduces a new database for creating sets of users and hosts called the netgroups map. The user and hostname fields are used to define groups (of hosts or users) for administrative purposes. For example, to define a subset of the users in the passwd map that should be given access to a specific machine, you can create a netgroup for those users.

A netgroup is a set of triples of the form:

(hostname, username, domain name)

A single netgroup contains one or more of these triples. Host and usernames have their usual meanings, but a domain name in this instance refers to the NIS domain in which the netgroup is valid. If an entry in the triple is left blank, that field becomes a wildcard. If the entry is specified as a dash (-), the field can take no value.

Netgroups are typically used to augment other maps and files; for example, adding a selected group of users to the password file. The definitions and behavior of netgroups are confusing because their syntax doesn't exactly match the way the netgroup information is used. Even though the netgroup syntax allows you to specify user and hostnames in the same triple, user and hostnames are rarely used together. For example, when a netgroup is used to add users to an NIS-managed password file, only the usernames are taken from the netgroup. The hostnames are ignored, because hostnames have no place in the password file. Similarly, when using a netgroup to grant filesystem access permissions to a set of NFS clients, only the hostname fields in the netgroup are used. Usernames are ignored in this case, which means a hostname will be included in the list even if - is used as the username in its triple.

Some examples are helpful:

source (-,stern,nesales), (-,julie,nesales), (-,peter,nesales)

trusted-hosts (bitatron,,), (corvette,,)

trusted-users (bitatron,stern,), (corvette,johnc,)

dangerous-users (,jimc,), (,dave,)

In the first example, source is a group of three users; in this respect, the netgroup is similar to an entry in /etc/group. The source netgroup in this case grants no specific permissions, although it could be included in the password file for the source archive machine, granting selected users access to that host. The second example shows a definition for a set of hosts, and would be of no use in a password file. In the third example, stern and johnc are members of the trusted-users group when it is parsed for usernames. Hosts bitatron and corvette are members of trusted-users when it is parsed for hostnames. Note that there is no interpretation of the netgroup that associates user stern with host bitatron. In the fourth example, dave and jimc are members of dangerous-users, but no hosts are included in this group. The domain name field is used when multiple NIS domains exist on the same network and it is necessary to create
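As an added example (my code, not the book's), here is a small Python parser for the netgroup syntax described above. It applies the rules the text gives: a blank field is a wildcard, a dash means the field takes no value, a netgroup parsed for hostnames ignores the username field entirely (and vice versa), and triples can be filtered by the NIS domain field. The sample input is the four netgroups above written as lines of a netgroup source file; nested netgroup references by bare name are not handled.

```python
import re
from collections import namedtuple

WILDCARD = "*"          # marks a field that was left blank in the triple
TRIPLE_RE = re.compile(r"\(([^()]*)\)")
# host/user/domain each hold a name, WILDCARD, or None when the field was "-"
Triple = namedtuple("Triple", "host user domain")

def _field(raw):
    raw = raw.strip()
    return WILDCARD if raw == "" else None if raw == "-" else raw

def parse_netgroups(text):
    """Return {netgroup name: [Triple, ...]} from netgroup source lines."""
    groups = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and blanks
        if not line:
            continue
        name, _, rest = line.replace("\t", " ").partition(" ")
        triples = []
        for m in TRIPLE_RE.finditer(rest):        # bare nested names are skipped
            parts = m.group(1).split(",")
            if len(parts) != 3:
                raise ValueError(f"{name}: malformed triple ({m.group(1)})")
            triples.append(Triple(*(_field(p) for p in parts)))
        groups[name] = triples
    return groups

def _in_domain(t, domain):
    # no domain requested, triple valid in every domain, or exact match
    return domain is None or t.domain == WILDCARD or t.domain == domain

def hosts_in(groups, name, domain=None):
    """Netgroup parsed for hostnames: the username field is ignored entirely."""
    return {t.host for t in groups[name]
            if t.host not in (None, WILDCARD) and _in_domain(t, domain)}

def users_in(groups, name, domain=None):
    """Netgroup parsed for usernames: the hostname field is ignored entirely."""
    return {t.user for t in groups[name]
            if t.user not in (None, WILDCARD) and _in_domain(t, domain)}

# Constructed sample: the four netgroups from the text, as a netgroup file.
SAMPLE = """\
source (-,stern,nesales), (-,julie,nesales), (-,peter,nesales)
trusted-hosts (bitatron,,), (corvette,,)
trusted-users (bitatron,stern,), (corvette,johnc,)
dangerous-users (,jimc,), (,dave,)
"""
```

Running `users_in(parse_netgroups(SAMPLE), "trusted-users")` returns only the explicit names; a blank (wildcard) field is never reported as a member name, so trusted-hosts yields no users even though its user field would match anyone.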
