loukides@uunet.uu.net (Mike Loukides) (11/23/88)
Does anyone know exactly what function the "domain" field serves in a netgroup triple? Can it be used to "import" information about users/hosts in one domain into another domain? To make this more clear, consider this situation:

1. There are two domains on my network: the omnipresent "foo" and "bar". These two domains fundamentally don't trust each other.
2. I have accounts on systems in both domains.
3. I would like to be able to do an rlogin from a "foohost" to a "barhost" without giving a password.
4. I add a netgroup entry for the netgroup "foreignme" in "bar" that consists of (foohost,loukides,foo).
5. I set up my ~/.rhosts on "barhost" with the entry +@foreignme.

Should this, or shouldn't this, let me login from "foohost" to "barhost" without giving a password? I would think that it should, but my experiments indicate that it doesn't.

Here's a more fundamental example of what I'd like to be able to do:

1: Again, there are two domains: "foo" and "bar".
2: I would like the master password databases on the two machines to be completely disjoint; i.e. if I have an entry in the "foo" database, I don't have an entry in "bar."
3: I would like to give "bar" users accounts on "foo" machines by adding entries like +@barusers::0:0::: in the local passwd files. Of course, netgroups like "barusers" would be defined in the netgroup database for "foo"; most simply, with a netgroup file like:

    barusers (-,,bar)
    barhosts (,-,bar)
    foousers (-,,foo)
    foohosts (,-,foo)

(assume enough filesystem symmetry so home directories aren't a problem).

I'm convinced this is reasonable; I'm also pretty well convinced that yp doesn't work this way, but thought I'd ask. The latter is more or less the way we'd like to use netgroups locally.

If this isn't possible, I'd like to know what, exactly, it is that the "domain" field in the netgroup triple is there for. I know that it tells yp (on an rlogin, or whatever) to "make sure you use domain 'foo' when looking up this user/host in the database." As far as I can tell, though, 'foo' can only be the default domain of the host you're logging in to; with anything else, you get excluded.

While I'm at it, here's another question. Consider the netgroup

    mygroup (myhost, loukides, mydomain)

As far as I can tell, there's no connection implied at all between "myhost" and "myname". For example, if I put this netgroup into a .rhosts file on "otherhost", anyone using "myhost" can login without a password; the entry doesn't imply that "myhost" can execute an rlogin provided that the user is "loukides." (The triple notation, unfortunately, begs for this kind of interpretation.) Is my interpretation (i.e. that there's no implicit connection between "hosts" and "users" in a netgroup) correct? (If so, I'd argue that the triplet notation is a mistake, but that's another issue; right now, I just want to clear up the semantics.)
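A small model of the matching rules behind both questions, added here as an example; it is not part of the original post and not the code of any NIS implementation. It implements the classic netgroup(5) semantics (an empty field is a wildcard, "-" matches nothing, and a non-empty domain field only applies when it equals the NIS domain of the host evaluating it) and evaluates a .rhosts "+@netgroup" line the way BSD ruserok() does, with separate innetgr() lookups for the host column and the user column. The netgroup file, the host and user names, and the assumption that the evaluating host's own domain is what the domain field is compared against are all constructed for this illustration.

```python
"""Model of innetgr()/.rhosts netgroup matching (added example, not from the post).

Assumed rules, following classic netgroup(5) semantics:
  - an empty field in a (host,user,domain) triple is a wildcard,
  - a "-" field matches nothing,
  - a non-empty domain field must equal the NIS domain of the host
    doing the lookup (the "local" domain), otherwise the triple is ignored.
"""
import re
from typing import Dict, List, Optional, Tuple, Union

Triple = Tuple[str, str, str]          # (host, user, domain)
Entry = Union[Triple, str]             # a triple or the name of a nested netgroup

# Constructed netgroup map as served in domain "bar", mirroring the post's setup.
NETGROUP_FILE = """\
# name      members
foreignme   (foohost,loukides,foo)
barhosts    (,-,bar)
barusers    (-,,bar)
mygroup     (myhost,loukides,bar)
everyone    barhosts barusers
"""


def parse_netgroups(text: str) -> Dict[str, List[Entry]]:
    """Parse netgroup-file text into {name: [triples and nested names]}."""
    groups: Dict[str, List[Entry]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blank lines
        if not line:
            continue
        name, _, rest = line.partition(" ")
        entries: List[Entry] = []
        # a member is either a parenthesised triple or a bare nested-group name
        for token in re.findall(r"\([^)]*\)|\S+", rest):
            if token.startswith("("):
                fields = [f.strip() for f in token[1:-1].split(",")]
                if len(fields) != 3:
                    raise ValueError(f"bad triple {token!r} in netgroup {name}")
                entries.append((fields[0], fields[1], fields[2]))
            else:
                entries.append(token)
        groups[name] = entries
    return groups


def _field_matches(field: str, value: Optional[str]) -> bool:
    """One triple field against one lookup value (None = caller does not care)."""
    if value is None:
        return True
    if field == "":          # wildcard
        return True
    if field == "-":         # matches nothing
        return False
    return field == value


def innetgr(groups: Dict[str, List[Entry]], netgroup: str, host: Optional[str],
            user: Optional[str], domain: Optional[str], _seen=None) -> bool:
    """True if some triple in netgroup (or a nested group) matches every given value.

    Each field is tested independently, so a triple never binds a host to a user.
    """
    if _seen is None:
        _seen = set()
    if netgroup in _seen or netgroup not in groups:   # cycle or unknown group
        return False
    _seen.add(netgroup)
    for entry in groups[netgroup]:
        if isinstance(entry, tuple):
            h, u, d = entry
            if _field_matches(h, host) and _field_matches(u, user) and _field_matches(d, domain):
                return True
        elif innetgr(groups, entry, host, user, domain, _seen):
            return True
    return False


def rhosts_allows(groups: Dict[str, List[Entry]], local_domain: str, rhosts_line: str,
                  remote_host: str, remote_user: str, local_user: str) -> bool:
    """Evaluate one .rhosts line ("host [user]") the way ruserok() does.

    "+@group" in the host column is checked with innetgr(group, host, None, domain);
    in the user column with innetgr(group, None, user, domain).  A line with no
    user column requires remote_user == local_user.
    """
    parts = rhosts_line.split()
    host_part = parts[0]
    user_part = parts[1] if len(parts) > 1 else None

    if host_part.startswith("+@"):
        host_ok = innetgr(groups, host_part[2:], remote_host, None, local_domain)
    else:
        host_ok = host_part == "+" or host_part == remote_host

    if user_part is None:
        user_ok = remote_user == local_user
    elif user_part.startswith("+@"):
        user_ok = innetgr(groups, user_part[2:], None, remote_user, local_domain)
    else:
        user_ok = user_part == "+" or user_part == remote_user
    return host_ok and user_ok


if __name__ == "__main__":
    g = parse_netgroups(NETGROUP_FILE)
    # barhost lives in domain "bar": the (foohost,loukides,foo) triple never applies
    print(rhosts_allows(g, "bar", "+@foreignme", "foohost", "loukides", "loukides"))
    # the host column alone admits any user of myhost whose name matches the local one
    print(rhosts_allows(g, "bar", "+@mygroup", "myhost", "alice", "alice"))
```

Run against the constructed map with the local domain set to "bar", the "+@foreignme" line rejects the foohost login because the triple's domain field is "foo", which is the exclusion the post describes. The "+@mygroup" line shows the second point: the host lookup never consults the user field, so a host-only entry is a per-host grant for whatever remote user name the host presents. Writing the group in both columns ("+@mygroup +@mygroup") narrows it to members of the host set and members of the user set, but still not to the pairs the triple notation suggests.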