Solaris on Exalogic – Using netgroup with NIS

On Exalogic, a name service such as NIS or LDAP is required for NFSv4 to work properly, so most customers already have one configured in their environments. If you want to know how to configure NIS on Solaris 11.1, the article “Solaris on Exalogic – Setup NIS on Solaris 11.1” will be helpful.

A name service provides a centralized repository of user and group information: a user is created once on the NIS server and is then visible on every NIS client.

In some situations this default behaviour is not desirable. For example: 1) some compute nodes on the system are used for user acceptance testing while others are used for production; 2) Exalogic is deployed in a multi-tenant environment where each tenant has exclusive access to certain compute nodes. In such cases a way is needed to stop users from logging in to systems they are not authorized to use.

This is where netgroups come in handy. A netgroup is defined and stored in a name service such as NIS or LDAP; it lets an administrator define a network-wide group of users and use it to restrict remote login. Netgroups can do much more, but that is out of the scope of this article. See the netgroup(4) man page of Solaris 11.1 for more information.

As the title suggests, this article will focus on how to use netgroup with NIS.

Steps to Configure netgroup with NIS

The following steps must be performed as the root user.

1. Create netgroup on NIS Master

Ensure that netgroup is one of the maps shared by the NIS master: a source netgroup file should already exist in your source maps directory, e.g. /var/yp/src.

Assume that two users called “acme1u1” and “acme2u1” are already defined and that we are going to create two netgroups called “acme1” and “acme2”, where “acme1” consists of “acme1u1” and “acme2” consists of “acme2u1”.

Here is an example of what the netgroup file should look like. Each member is a (host,user,domain) triple; an empty host field matches any host, so these entries make the user a member regardless of which client the login comes from:

root@nis-master:/var/yp# cat src/netgroup
acme1 (,acme1u1,)
acme2 (,acme2u1,)

Once the netgroup source file is done, go to the NIS home directory (e.g. /var/yp) and rebuild and push the maps.

root@nis-master:/var/yp# make
updated netgroup
pushed netgroup

2. Configure NIS Client(s) to use netgroup

Modify name-service/switch so that netgroup lookups use NIS and turn on passwd compat mode, which makes the +/- entries in /etc/passwd and /etc/shadow take effect.

Example:

root@acme1_z1:~# svccfg -s name-service/switch
svc:/system/name-service/switch> listprop config
config                      application
config/default             astring     files
config/value_authorization astring     solaris.smf.value.name-service.switch
config/host                astring     "files dns mdns"
config/printer             astring     "user files"
config/password            astring     "files nis"
config/group               astring     "files nis"
svc:/system/name-service/switch> setprop config/enable_passwd_compat = boolean: true
svc:/system/name-service/switch> setprop config/netgroup = astring: nis
svc:/system/name-service/switch> listprop config
config                       application
config/default              astring     files
config/value_authorization  astring     solaris.smf.value.name-service.switch
config/host                 astring     "files dns mdns"
config/printer              astring     "user files"
config/password             astring     "files nis"
config/group                astring     "files nis"
config/enable_passwd_compat boolean     true
config/netgroup             astring     nis
svc:/system/name-service/switch> exit
root@acme1_z1:~# svcadm refresh name-service/switch

Make sure name-service/switch is refreshed after the changes, otherwise the new properties are not picked up.

Then add an entry for the appropriate netgroup to the /etc/passwd and /etc/shadow files. The following example shows the netgroup “acme1” appended to the /etc/passwd and /etc/shadow files of a host called “acme1_z1”. Use only the “+@netgroup” form: a bare “+” entry would pull in every account in the NIS passwd map and defeat the purpose of this setup.

Example:

root@acme1_z1:~# tail -1 /etc/passwd
+@acme1::::::
root@acme1_z1:~# tail -1 /etc/shadow
+@acme1::::::

To check that the netgroup has taken effect, su to a user defined in the added netgroup and to a user outside it and compare. The following example shows that user “acme1u1”, which is in netgroup “acme1”, can log in, while “acme2u1” is not resolved on this host at all (so it cannot log in through any service that looks the account up, not just su).

Example:

root@acme1_z1:~# su - acme1u1
Oracle Corporation      SunOS 5.11      11.1    April 2013
acme1u1@acme1_z1:~$ exit
logout
root@acme1_z1:~# su - acme2u1
su: Unknown id: acme2u1

Repeat step 2 on every NIS client, each with its corresponding netgroup(s).

Note that this controls which NIS accounts a client resolves; it does not protect the maps themselves. NIS does not authenticate clients, so any host that knows the NIS domain name can still bind to the server and read every map, including netgroup and passwd.
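The following shell script is an added example and not part of the original article. It reproduces the netgroup matching rules off line, so that a netgroup source file and a client's /etc/passwd compat entries can be checked before anything is pushed or a host is touched. It embeds a constructed netgroup source modelled on the one above; the extra users (acme1u2, opsadmin) and netgroups (acme_all, ops) are made up for illustration, as is the host name used in the “ops” triple. It runs on any POSIX sh with awk and does not need NIS.

```shell
#!/bin/sh
# Added example, not from the original article: off-line checks for the
# netgroup source and the client passwd entries used in the steps above.

# Constructed netgroup source modelled on /var/yp/src/netgroup. The users
# acme1u2 and opsadmin and the netgroups acme_all and ops are invented here.
NETGROUP_SRC='acme1 (,acme1u1,) (,acme1u2,)
acme2 (,acme2u1,)
acme_all acme1 acme2
ops (acme1_z1,opsadmin,)'

# in_netgroup GROUP USER HOST
# Exit status 0 if USER logging in on HOST matches GROUP, following nested
# netgroups. A triple is (host,user,domain): an empty host or user field is
# a wildcard, "-" matches no real name, and the domain field is ignored.
# Backslash continuation lines are not handled; keep one netgroup per line.
in_netgroup() {
    printf '%s\n' "$NETGROUP_SRC" | awk -v grp="$1" -v usr="$2" -v hst="$3" '
    NF >= 1 {
        members[$1] = ""
        for (i = 2; i <= NF; i++) members[$1] = members[$1] " " $i
    }
    function matches(g, depth,    n, parts, i, m, f) {
        if (depth > 16 || !(g in members)) return 0   # unknown name or cycle
        n = split(members[g], parts, " ")
        for (i = 1; i <= n; i++) {
            m = parts[i]
            if (substr(m, 1, 1) == "(") {
                sub(/^\(/, "", m); sub(/\)$/, "", m)
                split(m, f, ",")
                if ((f[1] == "" || f[1] == hst) && (f[2] == "" || f[2] == usr)) return 1
            } else if (matches(m, depth + 1)) {
                return 1
            }
        }
        return 0
    }
    END { exit (matches(grp, 0) ? 0 : 1) }'
}

# audit_compat_entries < /etc/passwd   (or < /etc/shadow)
# Prints every "+" entry that is not limited to a netgroup or a named user,
# i.e. a bare "+" line, which would admit every account in the NIS passwd
# map. Exit status 1 if any such line is found, 0 otherwise.
audit_compat_entries() {
    awk -F: '
        $1 == "+" { print "line " NR " admits every NIS user: " $0; bad = 1 }
        END { exit (bad ? 1 : 0) }'
}

# Demo: the same two logins the article tests with su, plus an audit of the
# passwd line shown for acme1_z1 and of a constructed bare "+" line.
demo() {
    for u in acme1u1 acme2u1; do
        if in_netgroup acme1 "$u" acme1_z1; then
            echo "$u: member of acme1, login on acme1_z1 allowed"
        else
            echo "$u: not in acme1, account will not resolve on acme1_z1"
        fi
    done
    printf '+@acme1::::::\n' | audit_compat_entries && echo "client passwd: ok"
    printf '+::::::\n' | audit_compat_entries || echo "client passwd: fix before use"
}
demo
```

On a real client the equivalent live checks are `ypmatch acme1 netgroup` (confirms the pushed map reached the client) and `getent passwd acme1u1` versus `getent passwd acme2u1` (confirms which accounts the compat entry actually admits).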
