flur@duke.gatech.edu (Peter W. Flur) (11/27/90)
Currently, we have a mixed bag of SS1's and 4/110's running either 4.0.3 or 4.1. There are three YP domains on the subnet, but we would like to bring that down to just one if possible. However, we would like to be able to restrict which group of machines any one person has access to. Rather than use the YP domains to do this, as we are now, we would like to use netgroups.

As an example, let me say that the group of people p1, p2, p3, and p4 are all in the yp1 domain. There are three machines, m1, m2, and m3. p1 and p2 should only be allowed to access m1 and m2, while p3 should only be allowed on m3 and p4 should have access to all three machines. The host.equiv files all limit access to a list of machines in our subdomain only.

I have read the documentation in the Sun manuals, and tried every combination of +@, -@, etc. in the password files and the host.equiv files, but have had no success to date. Can anyone offer any good advice as to how this can/should be accomplished?

Thanks,
Peter

-----------------------------------------------------------------------
Peter Flur, Research Engineer
Georgia Institute of Technology
School of Electrical Engineering, Atlanta, GA 30332-0250
E-MAIL: flur@eecom.gatech.edu   PHONE: (404) 853-9355

deb@tc.fluke.COM (Deb Lilly) (12/15/90)
In article <17600@hydra.gatech.EDU>, flur@duke.gatech.edu (Peter W. Flur) writes:
> ... we would
> like to be able to restrict which group of machines any one person has
> access to. Rather than use the YP domains to do this, as we are now,
> we would like to use netgroups.

At Fluke we use netgroups to limit logins on certain machines. Our YP domain is 'tc'.

Example 1 (netgroup in /etc/passwd to exclude logins from a machine):

Our netgroup 'uucpLogins' contains uucp accounts:

    uucpLogins (,uuaea,tc) (,uualle,tc) ...

In all our /etc/passwd files except on the uucphost, we exclude the uucp accounts with:

    -@uucpLogins::0:0:::

Example 2 (netgroup in /etc/passwd to allow logins on a machine):

Our netgroup 'CDXusers' contains accounts for people allowed access to a set of machines running a specialized application:

    CDXusers (,john,tc) (,amyh,tc) (,bryanf,tc) (,darren,tc) ...

In the /etc/passwd files on the restricted machines, we do not use the full Yellow Pages passwd (no +::0:0::: entry), but do allow access to the CDXusers with:

    +@CDXusers::0:0:::

Example 3 (netgroup in /etc/hosts.equiv):

Our netgroup 'trustedhosts' includes all computers which use the same logins, uids, groups, and gids as the rest of the network:

    trustedhosts (daphne,,tc) (eros,,tc) (hera,,tc) ...

The /etc/hosts.equiv file on all systems contains:

    +@trustedhosts

There was a bug in SunOS 4.0.1 (bug ID 1022453) that required netgroup names to be all lower case to work properly in /etc/hosts.equiv. I don't know whether it's been fixed in 4.0.3 or 4.1.

Deb Lilly
Domain: deb@tc.fluke.COM   UUCP: uunet!fluke!deb
John Fluke Mfg. Co., M/S 223B, PO Box 9090, Everett WA 98206-9090 USA
+1 206 356-5052
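
Added example, not part of either post and not SunOS code: a simplified Python model of how +@/-@ netgroup lines in /etc/passwd decide who gets an account on a machine, applied to the p1..p4 / m1..m3 scenario from the question using the Example 2 approach. The netgroup names m12users and m3users and the per-machine passwd lines are constructed for illustration; ordinary local passwd entries are ignored and every user is assumed to exist in the YP passwd map.

```python
import re

# Constructed netgroup map for the question's scenario. Group names m12users
# and m3users are hypothetical; users, machines and domain yp1 are from the post.
NETGROUP = """
m12users (,p1,yp1) (,p2,yp1) (,p4,yp1)
m3users  (,p3,yp1) (,p4,yp1)
"""
# Constructed netgroup lines for each machine's /etc/passwd (no "+::0:0:::" line).
PASSWD = {"m1": ["+@m12users::0:0:::"], "m2": ["+@m12users::0:0:::"],
          "m3": ["+@m3users::0:0:::"]}

def parse_netgroup(text):
    """Map group name -> members: (host, user, domain) tuples or nested group names."""
    groups = {}
    for line in text.splitlines():
        parts = line.split("#")[0].split(None, 1)
        if len(parts) == 2:
            groups[parts[0]] = [
                ref or tuple(f.strip() for f in triple.split(","))
                for triple, ref in re.findall(r"\(([^)]*)\)|([^\s()]+)", parts[1])]
    return groups

def user_in_group(groups, group, user, domain, seen=None):
    """Empty user/domain fields are wildcards; the host field is ignored for logins."""
    seen = set() if seen is None else seen
    if group in seen:  # guard against netgroups that include each other
        return False
    seen.add(group)
    for m in groups.get(group, []):
        if isinstance(m, str):
            if user_in_group(groups, m, user, domain, seen):
                return True
        elif len(m) == 3 and m[1] in ("", user) and m[2] in ("", domain):
            return True
    return False

def may_login(groups, passwd_lines, user, domain):
    """Simplified model: the first +@/-@ line naming a group with the user decides."""
    for line in passwd_lines:
        name = line.split(":", 1)[0]
        if name == "+":  # full YP passwd map included
            return True
        if name[:2] in ("+@", "-@") and user_in_group(groups, name[2:], user, domain):
            return name[0] == "+"
    return False

def access_matrix(domain="yp1"):
    groups = parse_netgroup(NETGROUP)
    return {u: sorted(h for h, lines in PASSWD.items() if may_login(groups, lines, u, domain))
            for u in ("p1", "p2", "p3", "p4")}
```

Because an empty field is a wildcard, a triple such as (,,) in a group referenced by a +@ line admits every user in every domain, which is worth checking for when auditing a netgroup map.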