On Exalogic, a name service such as NIS or LDAP is required for NFSv4 to work properly, so most customers have one configured in their environments. If you are interested in how to configure NIS on Solaris 11.1, the article "Solaris on Exalogic - Setup NIS on Solaris 11.1" will be helpful.
A name service provides a centralized repository of user and group information, so that a user needs to be created only once on the NIS server and is then visible on all NIS clients.
In some situations this default behaviour is not optimal, for example: 1) certain compute nodes on the system are used for user acceptance testing while other compute nodes are used for production; 2) Exalogic is used in a multi-tenancy environment where a tenant has exclusive access to certain compute nodes. Obviously, a way is required to restrict users from accessing systems they are not authorized to use.
This is where netgroups come in handy. A netgroup is defined and stored in a name service such as NIS or LDAP; it allows an administrator to define a network-wide group of users and use it to restrict remote login. Netgroups can do much more, but that is outside the scope of this article. See the netgroup(4) man page of Solaris 11.1 for more information.
As the title suggests, this article will focus on how to use netgroup with NIS.
The following steps need to be performed as the root user.
Ensure that netgroup is one of the maps served by the NIS master; a netgroup source file should already exist in your source maps directory (e.g. /var/yp/src).
Assume that two users, "acme1u1" and "acme2u1", are already defined. We are going to create two netgroups, "acme1" and "acme2", where "acme1" consists of "acme1u1" and "acme2" consists of "acme2u1".
Here is an example of how the netgroup file should look:
root@nis-master:/var/yp# cat src/netgroup
acme1 (,acme1u1,)
acme2 (,acme2u1,)
Once you are done with the netgroup source file, go to the NIS home directory (e.g. /var/yp) to update the maps.
root@nis-master:/var/yp# make
updated netgroup
pushed netgroup
Modify name-service/switch so that netgroup lookups use NIS, and turn on passwd compat mode for user authentication.
root@acme1_z1:~# svccfg -s name-service/switch
svc:/system/name-service/switch> listprop config
config                       application
config/default               astring  files
config/value_authorization   astring  solaris.smf.value.name-service.switch
config/host                  astring  "files dns mdns"
config/printer               astring  "user files"
config/password              astring  "files nis"
config/group                 astring  "files nis"
svc:/system/name-service/switch> setprop config/enable_passwd_compat = boolean: true
svc:/system/name-service/switch> setprop config/netgroup = astring: nis
svc:/system/name-service/switch> listprop config
config                       application
config/default               astring  files
config/value_authorization   astring  solaris.smf.value.name-service.switch
config/host                  astring  "files dns mdns"
config/printer               astring  "user files"
config/password              astring  "files nis"
config/group                 astring  "files nis"
config/enable_passwd_compat  boolean  true
config/netgroup              astring  nis
svc:/system/name-service/switch> exit
root@acme1_z1:~# svcadm refresh name-service/switch
Please ensure the name-service/switch is refreshed after the changes.
Modify the /etc/passwd and /etc/shadow files to add an entry for the appropriate netgroup. The following example shows the netgroup "acme1" appended to the /etc/passwd and /etc/shadow files of a host called "acme1_z1".
root@acme1_z1:~# tail -1 /etc/passwd
+@acme1::::::
root@acme1_z1:~# tail -1 /etc/shadow
+@acme1::::::
To test whether the netgroup has taken effect, su to a user defined in the added netgroup and to a user not defined in it, and compare the results. The following example shows that user "acme1u1", which is defined in the netgroup "acme1", can log in to the system, but user "acme2u1" cannot.
root@acme1_z1:~# su - acme1u1
Oracle Corporation      SunOS 5.11      11.1    April 2013
acme1u1@acme1_z1:~$ exit
logout
root@acme1_z1:~# su - acme2u1
su: Unknown id: acme2u1
Repeat step 2 for all NIS clients with their corresponding netgroups.
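As an added example (not code from the original article), the following POSIX shell script expands a netgroup source file written in the (host,user,domain) triple syntax shown above, including nested netgroups, tests whether a user is a member, and audits a client's passwd-style file for a bare "+" compat entry, which would admit every NIS user instead of only the netgroup. The file names and sample entries are constructed for the example.

```shell
# Added example, not from the original article: expand NIS netgroup source
# entries, test membership, and audit passwd-style compat lines.
# File names and all sample data below are constructed.
NG_FILE="${TMPDIR:-/tmp}/netgroup.example.$$"
PW_FILE="${TMPDIR:-/tmp}/passwd.example.$$"
trap 'rm -f "$NG_FILE" "$PW_FILE"' EXIT
# Constructed netgroup source in (host,user,domain) triple syntax; "acme_all"
# is a nested netgroup that refers to the other two by name.
cat > "$NG_FILE" <<'EOF'
acme1 (,acme1u1,) (,acme1u2,)
acme2 (,acme2u1,)
acme_all acme1 acme2
EOF
# Constructed client passwd file: a correct "+@acme1" entry plus a bare "+".
cat > "$PW_FILE" <<'EOF'
root:x:0:0:Super-User:/root:/usr/bin/bash
+@acme1::::::
+::::::
EOF
# Print one user per line for GROUP, recursing into nested netgroup names.
netgroup_users() {  # netgroup_users FILE GROUP [DEPTH]
    local file="$1" group="$2" depth="${3:-0}" members m u
    [ "$depth" -lt 8 ] || return 0          # guard against membership loops
    members=$(awk -v g="$group" '$1 == g { $1 = ""; print }' "$file")
    for m in $members; do
        case $m in
            \(*\)) u=$(printf '%s\n' "$m" | cut -d, -f2)  # user field of triple
                   printf '%s\n' "${u:-*}" ;;           # empty field = any user
            *)     netgroup_users "$file" "$m" $((depth + 1)) ;;
        esac
    done
}
# Exit 0 if USER is a member of GROUP (or GROUP has a wildcard user entry).
user_in_netgroup() {  # user_in_netgroup FILE GROUP USER
    netgroup_users "$1" "$2" | grep -qxF -e "$3" -e '*'
}
# Report compat lines in a passwd/shadow-style file. A bare "+" admits every
# NIS user and silently defeats the netgroup restriction; return 1 if found.
audit_compat() {  # audit_compat FILE
    local line rc=0
    while IFS= read -r line; do
        case $line in
            +@*)   echo "ok:     ${line%%:*} (restricted to a netgroup)" ;;
            +|+:*) echo "UNSAFE: ${line%%:*} admits all NIS users"; rc=1 ;;
        esac
    done < "$1"
    return "$rc"
}
audit_compat "$PW_FILE" || echo "fix $PW_FILE before relying on compat mode"
```

Run the audit against the real /etc/passwd and /etc/shadow of each client after step 2 to confirm that only "+@netgroup" entries are present.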