kim@uunet.uu.net (05/09/89)
Here is a summary of the messages I received in response to my netgroups question. All were quite helpful and I think it's appropriate to post here considering the number of mail requests I received. I left out the responses that were sent to sunspots.

__________

Kim Kempf, Microware Systems Corporation
{sun,uunet}!mcrware!kim

uunet!sphere.mast.ohio-state.edu!alden (Dave Alden):

I'm using the /etc/netgroup file pretty extensively. We have several "groups" of people and several "groups" of machines, and I need to restrict the access to each of the machines according to which group the user is in. For example, here is a part of the netgroup file:

    appmath-accounts  aa-staff aa-faculty aa-guest
    aa-staff          (,alden,osu-math)
    aa-faculty        aa-faculty-110 \
                      (,aaa,osu-math)
    aa-faculty-110    (,bbb,osu-math) \
                      (,ccc,osu-math)
    aa-guest          (,test,osu-math) \
                      (,guest,osu-math)

Let's say I have 2 professors who have 4/110's and only those 2 profs should be able to access those 4/110's. In their password file I just put the entry "+@aa-faculty-110" instead of the usual "+::0:0:::", whereas on my "public" 3/60's I've got "+@appmath-accounts" which allows everyone to log into those machines. Also, if those 2 profs decide they want to allow one of the guests to access their machines, all I have to do is modify the /etc/netgroup file and not both of their password files.

I also use the netgroup file for grouping machines together for use in the /etc/exports (-access option) and the /etc/hosts.equiv files. For example:

    app-math-machines  m-gem m-class
    m-gem              (gem.mast.ohio-state.edu,,osu-math) \
                       (amethyst.mast.ohio-state.edu,,osu-math) \
                       (diamond.mast.ohio-state.edu,,osu-math)
    m-class            (newton.mast.ohio-state.edu,,osu-math)

Now all I have to put in my /etc/exports file is something like:

    /usr/spool/mail    -access=app-math-machines
    /export/exec/sun3  -access=m-gem,root=gem.mast.ohio-state.edu

Also, now all I need in my /etc/hosts.equiv file is:

    +@app-math-machines

And whenever I get a new machine (i.e. another client on gem (a server)) all I have to do is update /etc/netgroup and it will automatically be "entered" into my /etc/hosts.equiv file and /etc/exports (I don't think you have to rerun /etc/exports after updating the /etc/netgroup file, but I've never tested this fully).

Oh yeah - one "problem" with the netgroup file (actually it's with the /etc/exports file) - it doesn't allow the "-root" option to contain a netgroup - you must put in the names of the machines you want to allow root access - and for some #@*&#@* reason Sun has decided that you won't EVER want more than 10 machines to have root access (and I happen to have 14 currently - I just pick the 4 least used and don't allow them root access).

I hope this helps. It's 11:37pm now and I've been up for 20 hours, so some of this may be gibberish. :-) If you have any questions (like "Can you convert this mail message into english?" :-) feel free to send me mail.

...good luck,

__________

uunet!ida.org!mohar (Mike Mohar):

Kim,

I use the netgroup here (60 Suns on multiple subnets) because I need to use rwall. Mine is very basic, file looks like:

    csednet (,,)

which defaults to all the Suns. When using rwall the command looks like:

    rwall -n csednet
    This is the text that I'm broadcasting to all the Suns.
    (control-D)

Now rwall is based on YP so it has to be running. Hope this helps.

__________

Mike Walker <uunet!cfdl.larc.nasa.gov!mike>:

What we do locally is use netgroups to simplify other network maps. For instance, we have a netgroup for the set of clients on each fileserver, and in /etc/exports we simply say

    /pub cmbsuns tabsuns

to pick up all the machines which should have access. You can also use netgroups in your hosts.equiv to control access. Our hosts.equiv file contains the lines:

    +@cmbsuns
    +@tabsuns

This makes adding hosts much easier - we used to have a problem with someone forgetting to update one of the various datafiles, now it is much easier.

Mike

__________

uunet!delphi.bsd.uchicago.edu!monty (Monty Mullig):

actually, the best documentation is around pp 296-7 of System and Network Administration (chapter 12). in a sense, netgroup is analogous to group in that it allows machines to be part of machine groups, where group allows users to be enrolled in groups. at least that's how we use it. we don't use the username part of the member triple; our entries are all (host,-,domain). we only use netgroup to control mounting privileges on our servers. it's easier to give access to a group in exportfs than to each machine. as far as i can tell, there's no direct relationship between netgroup and group.

--monty

__________

Ken Rossman <uunet!cunixc.cc.columbia.edu!ken>:

We use /etc/netgroup here to set up network groups that we then use in /etc/exports, so that we don't have to type in a long list of hosts that we wish to export some of our major disks to. You just include the net group name in the "-access" or "-root" arguments in exports. I can supply more detail if you like.

The format is not at all like /etc/group, other than that the group name comes first on the line, followed by a list of members of that group. There doesn't seem to be anything like a group number, though...

/Ken

<<<<<<<end>>>>>>
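As an added example, not code from the original posting or from any of the respondents, here is a small Python model of the netgroup rules all of the messages above rely on: a line is a group name followed by members that are either other group names or (host,user,domain) triples, a trailing backslash continues the line, an empty field is a wildcard, and a "-" field matches nothing. The netgroup data is constructed from Dave Alden's and Mike Mohar's excerpts plus one hypothetical "mount-only" entry in the (host,-,domain) style Monty Mullig describes; the functions parse_netgroup, innetgr, login_allowed and mount_allowed are names chosen for this example, with innetgr modelled on the C library routine of that name.

```python
import re

# Netgroup data constructed for this example from the posting above; the
# "mount-only" line is hypothetical, in the (host,-,domain) style Monty
# Mullig describes. A trailing backslash continues a line, as in the file.
NETGROUP_FILE = """\
# user groups (Dave Alden)
appmath-accounts  aa-staff aa-faculty aa-guest
aa-staff          (,alden,osu-math)
aa-faculty        aa-faculty-110 \\
                  (,aaa,osu-math)
aa-faculty-110    (,bbb,osu-math) \\
                  (,ccc,osu-math)
aa-guest          (,test,osu-math) \\
                  (,guest,osu-math)
# host groups (Dave Alden)
app-math-machines m-gem m-class
m-gem             (gem.mast.ohio-state.edu,,osu-math) \\
                  (amethyst.mast.ohio-state.edu,,osu-math) \\
                  (diamond.mast.ohio-state.edu,,osu-math)
m-class           (newton.mast.ohio-state.edu,,osu-math)
# every host, every user, every domain (Mike Mohar)
csednet           (,,)
# hypothetical: may mount, but the triple admits no user at all
mount-only        (newton.mast.ohio-state.edu,-,osu-math)
"""

# a member triple; whitespace inside the parentheses is not supported here
TRIPLE_RE = re.compile(r"\(([^,()]*),([^,()]*),([^,()]*)\)")


def parse_netgroup(text):
    """Return {name: [member, ...]}; a member is either a str naming
    another netgroup or a (host, user, domain) tuple."""
    groups, buf = {}, ""
    for raw in text.splitlines() + [""]:       # "" flushes a final continuation
        line = raw.split("#", 1)[0].rstrip()
        if line.endswith("\\"):                # continuation: keep collecting
            buf += line[:-1] + " "
            continue
        parts = (buf + line).split()
        buf = ""
        if not parts:
            continue
        name, members = parts[0], []
        for tok in parts[1:]:
            m = TRIPLE_RE.fullmatch(tok)
            members.append(tuple(m.groups()) if m else tok)
        groups.setdefault(name, []).extend(members)
    return groups


def _field_ok(pattern, value):
    """Netgroup field rules: "" is a wildcard, "-" matches nothing."""
    if value is None:                          # caller doesn't care about it
        return True
    if pattern == "-":
        return False
    return pattern == "" or pattern == value


def innetgr(groups, netgroup, host=None, user=None, domain=None, _seen=None):
    """Like innetgr(3): is (host,user,domain) a member of netgroup? None
    means 'don't check this field'. Nested groups are followed; a group
    already visited in this query is skipped, so cycles terminate."""
    _seen = set() if _seen is None else _seen
    if netgroup in _seen or netgroup not in groups:
        return False
    _seen.add(netgroup)
    for member in groups[netgroup]:
        if isinstance(member, str):
            if innetgr(groups, member, host, user, domain, _seen):
                return True
        else:
            h, u, d = member
            if _field_ok(h, host) and _field_ok(u, user) and _field_ok(d, domain):
                return True
    return False


def login_allowed(groups, passwd_plus_lines, user, domain="osu-math"):
    """Model the "+@netgroup" entries Dave Alden puts in a client's
    password file: the user gets an account if any listed group admits
    them (the host field is irrelevant there, so it is not checked)."""
    return any(innetgr(groups, g, user=user, domain=domain)
               for g in passwd_plus_lines)


def mount_allowed(groups, access_list, host, domain="osu-math"):
    """Model an /etc/exports -access= list (or a hosts.equiv "+@" line):
    each entry is a netgroup name or a literal host name; only the host
    field of the triple matters, as in Monty Mullig's (host,-,domain)."""
    for entry in access_list:
        if entry in groups:
            if innetgr(groups, entry, host=host, domain=domain):
                return True
        elif entry == host:
            return True
    return False


if __name__ == "__main__":
    g = parse_netgroup(NETGROUP_FILE)
    # the professors' 4/110s carry "+@aa-faculty-110": only bbb and ccc
    for u in ("bbb", "ccc", "aaa", "alden", "guest"):
        print(f"{u:6} on a 4/110: {login_allowed(g, ['aa-faculty-110'], u)}"
              f"   on a 3/60: {login_allowed(g, ['appmath-accounts'], u)}")
    print("amethyst mounts /usr/spool/mail:",
          mount_allowed(g, ["app-math-machines"], "amethyst.mast.ohio-state.edu"))
    print("newton mounts /export/exec/sun3:",
          mount_allowed(g, ["m-gem"], "newton.mast.ohio-state.edu"))
```

The two convenience checks only test the fields the corresponding SunOS mechanism tests: a "+@group" line in the password file cares about user and domain, while hosts.equiv and -access= care about host and domain, which is why a (host,-,domain) entry lets a machine mount without ever admitting a login. One caveat worth keeping in mind when netgroups gate hosts.equiv or exports: the decision keys on the client's host name as the server resolves it and on the netgroup map NIS serves, so it is no stronger than name resolution and the NIS server themselves.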