On Wed, Sep 19, 2001 at 09:38:02AM -0500, Shawn Fertch wrote:
> A lot of interesting things have come through on this. Looks like I'll
> definitely be doing some serious reading when the time comes to work on this
> more. However right now, it's a low priority according to mgt. Where for
> me, it's a slightly higher priority to which I'd like to get rolling.

Well, my suggestion is to round up one machine of each architecture on
which you can do some testing. This can be difficult, especially when
working with important, expensive machines (Alphas, RS/6000s, etc). But
it's the only way that you'll figure out if NIS is feasible.

> On the question about limiting/blocking users from certain machines, the
> netgroup will that have to be multiple netgroups for various machines
> blocked? Reason why I ask is we have 100+ servers of primarily HP, Sun, AIX,
> a few DEC and even fewer Linux (unknown distros at this point) and there are
> varying levels, sublevels and such of access control. While one may have
> access to a client support server, they cannot have access to a Development
> box. Yet, their manager may. If the netgroups part becomes too cumbersome
> it would scrap the entire project and we'll have to stick with the adduser
> scripts we have right now on each machine.

Well, I guess it's possible that with really fine grained access control,
you'd have a bunch of netgroups to manage. Though, to fully understand
what you're asking, I'll outline a small scenario.

Machines: ServerA, ServerB, ServerC
Users: UserA, UserB, UserC

Now, let's say you want UserA and UserB to be able to log into ServerA;
UserA and UserC to be able to log into ServerB; and all three users to be
able to log into ServerC. Users can be in multiple netgroups, so you'd do
something like the following:

Create netgroup, netgroupA, containing UserA and UserB.
Create netgroup, netgroupB, containing UserA and UserC.

In /etc/passwd on ServerA, add:

    +@netgroupA::0:0::::
    +::0:0::::/usr/local/etc/not_welcome

In /etc/passwd on ServerB, add:

    +@netgroupB::0:0::::
    +::0:0::::/usr/local/etc/not_welcome

In /etc/passwd on ServerC, add:

    +@netgroupA::0:0::::
    +@netgroupB::0:0::::
    +::0:0::::/usr/local/etc/not_welcome

Another possibility for access to ServerC is to create a new netgroup
called netgroupC and put in that netgroup, the two netgroups netgroupA and
netgroupB. Then, in /etc/passwd on ServerC you'd add:

    +@netgroupC::0:0::::
    +::0:0::::/usr/local/etc/not_welcome

When checking a user's authentication, netgroupC would be expanded to
netgroupA and netgroupB, which are in turn expanded to UserA, UserB, UserC.

Does that make things more clear?

Gabe

>
> --
> ---
> Shawn
>
> "Knowing is not enough, we must apply. Willing is not enough, we must do."
> -Bruce Lee

--
------------------------------------------------------------------------
Gabe Turner                                             gabe at msi.umn.edu
SGI Origin Systems Administrator,
University of Minnesota
Supercomputing Institute for Digital Simulation and Advanced Computation
www.msi.umn.edu
------------------------------------------------------------------------
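
The scenario in the message above, as an added example that is not part of the original post: a small Python model that expands the nested netgroups and reports which users keep a working shell on each server. It assumes that the first matching /etc/passwd entry wins and that the last field is the shell override; ServerC uses the netgroupC variant, and UserD is a constructed user who is in no netgroup.

```python
import re

# Constructed NIS netgroup map for the scenario above; triples are (host,user,domain).
NETGROUPS = {
    "netgroupA": ["(,UserA,)", "(,UserB,)"],
    "netgroupB": ["(,UserA,)", "(,UserC,)"],
    "netgroupC": ["netgroupA", "netgroupB"],  # nested netgroups
}
NOT_WELCOME = "+::0:0::::/usr/local/etc/not_welcome"
# Compat entries as written in the message, in file order, per server.
PASSWD_ENTRIES = {
    "ServerA": ["+@netgroupA::0:0::::", NOT_WELCOME],
    "ServerB": ["+@netgroupB::0:0::::", NOT_WELCOME],
    "ServerC": ["+@netgroupC::0:0::::", NOT_WELCOME],
}
TRIPLE = re.compile(r"\(([^,]*),([^,]*),([^,]*)\)")

def expand(name, seen=None):
    """Return the users in a netgroup, following nested netgroups."""
    seen = set() if seen is None else seen
    if name in seen:           # a netgroup that includes itself must not loop
        return set()
    seen.add(name)
    users = set()
    for member in NETGROUPS.get(name, []):
        triple = TRIPLE.fullmatch(member)
        if triple is None:     # not a triple, so it names another netgroup
            users |= expand(member, seen)
        elif triple.group(2):  # empty (wildcard) user fields are not modelled
            users.add(triple.group(2))
    return users

def login_shell_allowed(server, user):
    """Assumed model: first matching entry wins; a shell override means denied."""
    for entry in PASSWD_ENTRIES[server]:
        key, *_, shell = entry.split(":")
        if key == "+" or (key.startswith("+@") and user in expand(key[2:])):
            return shell == ""  # empty shell field keeps the user's NIS shell
    return False                # no entry matched: user unknown on this host

def access_matrix(users):
    """Map each server to the sorted list of users who get a real shell."""
    return {s: sorted(u for u in users if login_shell_allowed(s, u))
            for s in PASSWD_ENTRIES}

if __name__ == "__main__":
    for server, allowed in access_matrix(["UserA", "UserB", "UserC", "UserD"]).items():
        print(server, allowed)
```

Running the same matrix after every netgroup change gives a quick check that a nesting edit has not widened access to a host beyond what was intended.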