Path: utzoo!utgpu!news-server.csri.toronto.edu!rutgers!mit-eddie!uw-beaver!fluke!deb
From: deb@tc.fluke.COM (Deb Lilly)
Newsgroups: comp.unix.admin
Subject: Re: netgroups
Summary: successful use of netgroups in /etc/passwd and /etc/hosts.equiv
Message-ID: <1990Dec15.011235.10319@tc.fluke.COM>
Date: 15 Dec 90 01:12:35 GMT
References: <17600@hydra.gatech.EDU>
Distribution: usa
Organization: John Fluke Mfg. Co., Inc., Everett, WA
Lines: 65

In article <17600@hydra.gatech.EDU>, flur@duke.gatech.edu (Peter W. Flur) writes:
> ... we would
> like to be able to restrict which group of machines any one person has
> access to. Rather than use the YP domains to do this, as we are now,
> we would like to use netgroups.

At Fluke we use netgroups to limit logins on certain machines. Our YP
domain is 'tc'.

Example 1 (netgroup in /etc/passwd to exclude logins from a machine):

Our netgroup 'uucpLogins' contains uucp accounts:

    uucpLogins (,uuaea,tc) (,uualle,tc) ...

In all our /etc/passwd files except on the uucphost, we exclude the
uucp accounts with:

    -@uucpLogins::0:0:::

Example 2 (netgroup in /etc/passwd to allow logins on a machine):

Our netgroup 'CDXusers' contains accounts for people allowed access to
a set of machines running a specialized application:

    CDXusers (,john,tc) (,amyh,tc) (,bryanf,tc) (,darren,tc) ...

In the /etc/passwd files on the restricted machines, we do not use the
full Yellow Pages passwd (no +::0:0::: entry), but do allow access to
the CDXusers with:

    +@CDXusers::0:0:::

Example 3 (netgroup in /etc/hosts.equiv):

Our netgroup 'trustedhosts' includes all computers which use the same
logins, uids, groups, and gids as the rest of the network:

    trustedhosts (daphne,,tc) (eros,,tc) (hera,,tc) ...

The /etc/hosts.equiv file on all systems contains:

    +@trustedhosts

There was a bug in SunOS 4.0.1 (bug ID 1022453) that required netgroup
names to be all lower case to work properly in /etc/hosts.equiv. I
don't know whether it's been fixed in 4.0.3 or 4.1.

Deb Lilly    Domain: deb@tc.fluke.COM    UUCP: uunet!fluke!deb
John Fluke Mfg. Co., M/S 223B, PO Box 9090, Everett WA 98206-9090 USA
+1 206 356-5052
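
Added example, not part of the original post: a small Python model of the three configurations described above, for auditing which YP accounts a host's /etc/passwd admits and which hosts a +@netgroup line in /etc/hosts.equiv trusts. It assumes entries are read top to bottom (so an exclusion only affects + lines that follow it) and does not expand nested netgroups; the function names, the extra account 'deb' and the sample data are constructed for illustration.

```python
import re

# Constructed sample data: netgroup members named in the post, YP domain 'tc'.
NETGROUP = """\
uucpLogins (,uuaea,tc) (,uualle,tc)
CDXusers (,john,tc) (,amyh,tc) (,bryanf,tc) (,darren,tc)
trustedhosts (daphne,,tc) (eros,,tc) (hera,,tc)
"""
# Constructed YP passwd map contents ('deb' stands in for an ordinary user).
YP_USERS = ["john", "amyh", "bryanf", "darren", "uuaea", "uualle", "deb"]

def parse_netgroups(text):
    """Return {name: [(host, user, domain), ...]} from netgroup source lines."""
    groups = {}
    for line in text.splitlines():
        name, _, rest = line.strip().partition(" ")
        if name:
            groups[name] = [tuple(f.strip() for f in t.split(","))
                            for t in re.findall(r"\(([^)]*)\)", rest)]
    return groups

def in_netgroup(groups, name, field, value, domain):
    """Match value against field 0 (host) or 1 (user); empty field = wildcard."""
    return any(len(t) == 3 and t[field] in ("", value) and t[2] in ("", domain)
               for t in groups.get(name, []))

def yp_logins(passwd_lines, groups, yp_users, domain):
    """YP accounts admitted by a passwd file, entries read top to bottom."""
    excluded, allowed = set(), []
    for line in passwd_lines:
        key = line.split(":", 1)[0]
        if not key.startswith(("+", "-")):
            continue  # local account line, not a YP entry
        sign, target = key[0], key[1:]
        for user in yp_users:
            if target.startswith("@"):
                hit = in_netgroup(groups, target[1:], 1, user, domain)
            else:  # '+' alone pulls in the whole map; '+name'/'-name' one user
                hit = target in ("", user) if sign == "+" else target == user
            if hit and sign == "-":
                excluded.add(user)
            elif hit and user not in excluded and user not in allowed:
                allowed.append(user)
    return allowed

def equiv_trusts(equiv_lines, groups, host, domain):
    """True if a '+@netgroup' line in hosts.equiv covers host."""
    names = [l.split()[0][2:] for l in equiv_lines if l.strip().startswith("+@")]
    return any(in_netgroup(groups, n, 0, host, domain) for n in names)
```

Under the stated ordering assumption, placing `-@uucpLogins` after a bare `+` entry leaves the uucp accounts admitted, which is the misconfiguration worth checking for when reviewing these files.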