Administering NIS+ Groups
This chapter describes NIS+ groups and how to administer them.
Note - Some NIS+ security group tasks can be performed more easily with Solstice AdminSuite tools if you have them available.
Note - NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment (see Part V). For more information, visit http://www.sun.com/directory/nisplus/transition.html.
Solaris Groups
In a Solaris-NIS+ environment, there are three kinds of groups: UNIX groups, net groups, and NIS+ groups.
UNIX groups. A UNIX group is simply a collection of users who are given additional UNIX access permissions. In an NIS+ namespace, UNIX group information is stored in the group table located in the org_dir directory object (group.org_dir). See Chapter 19, Administering NIS+ Tables, for information on how to add, modify, or delete members of a UNIX group.
Net groups. A net group is a group of machines and users that have permission to perform remote operations on other machines. In an NIS+ namespace, net group information is stored in the netgroup table located in the org_dir directory object (netgroup.org_dir). See Chapter 19, Administering NIS+ Tables, for information on how to add, modify, or delete members of a net group.
NIS+ groups. An NIS+ group is a set of NIS+ users that are assigned specific access rights to NIS+ objects, usually for the purpose of administering the namespace. NIS+ group information is stored in tables located in the groups_dir directory object.
NIS+ Groups
NIS+ groups are used to assign access rights to NIS+ objects to one or more NIS+ principals. These access rights are described in Chapter 11, NIS+ Security Overview. Information about NIS+ groups is stored in tables located in the NIS+ groups_dir directory object. Information about each group is stored in a table of the same name. For example, information about the admin group is stored in admin.groups_dir.
It is recommended practice to create at least one NIS+ group called admin. The admin NIS+ group is normally used to designate those users who are to have NIS+ access rights. You can name this group anything you want, but the NIS+ manual set assumes that the group with NIS+ administrator privileges is named admin. You can also create multiple NIS+ groups with different sets of users and different sets of rights.
Note - Always use the nisgrpadm command to work with NIS+ group membership. You can also use the nisls and nischgrp commands on the group table. Do not use the nistbladm command on the group table.
For a complete description of NIS+ group-related commands and their syntax and options, see the NIS+ man pages.
Related Commands
The nisgrpadm command performs most group administration tasks but several other commands affect groups as well:
Table 17-1 Commands That Affect Groups
Command | Description | See
---|---|---
nissetup | Creates, among other things, the directory in which a domain's groups are stored: groups_dir. |
nisls | Lists the contents of the groups_dir directory; in other words, all the groups in a domain. For each named group there will be a table of that name in groups_dir. |
nischgrp | Changes or assigns a group to any NIS+ object. |
niscat | Lists the object properties and membership of an NIS+ group. |
nisdefaults | Lists, among other things, the group that will be assigned to any new NIS+ object. |
For a complete description of these commands and their syntax, and options, see the NIS+ man pages.
Note - Do not use the nistbladm command to work with the NIS+ groups table.
NIS+ Group Member Types
NIS+ groups can have three types of members: explicit, implicit, and recursive; and three types of nonmembers, also explicit, implicit, and recursive. These member types are used when adding or removing members of a group as described in "The nisgrpadm Command".
Member Types
Explicit. An individual principal. Identified by principal name. The name does not have to be fully qualified if entered from its default domain.
Implicit. All the NIS+ principals who belong to an NIS+ domain. They are identified by their domain name, preceded by the * symbol and a dot. The operation you select applies to all the members in the group.
Recursive. All the NIS+ principals that are members of another NIS+ group. They are identified by their NIS+ group name, preceded by the @ symbol. The operation you select applies to all the members in the group.
NIS+ groups also accept nonmembers in all three categories: explicit, implicit, and recursive. Nonmembers are principals specifically excluded from a group that they otherwise would be part of.
Nonmember Types
Nonmembers are identified by a minus sign in front of their name:
Explicit-nonmember. Identified by a minus sign in front of the principal name.
Implicit-nonmember. Identified by a minus sign, * symbol, and dot in front of the domain name.
Recursive nonmember. Identified by a minus sign and @ symbol in front of the group name.
Group Syntax
The order in which inclusions and exclusions are entered does not matter. Exclusions always take precedence over inclusions. Thus, if a principal is a member of an included implicit domain and also a member of an excluded recursive group, then that principal is not included.
Thus, when using the nisgrpadm command, you can specify group members and nonmembers as shown in Table 17-2:
Table 17-2 Specifying Group Members and Nonmembers
Type of member | Syntax
---|---
Explicit member | username.domain
Implicit member | *.domain
Recursive member | @groupname.domain
Explicit nonmember | -username.domain
Implicit nonmember | -*.domain
Recursive nonmember | -@groupname.domain
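The member and nonmember types above, together with the rule that exclusions always take precedence over inclusions, can be modelled in a few lines. The following is an added example, not code from the Sun NIS+ documentation or from nisgrpadm itself; the group tables are constructed for illustration, all names are assumed to be fully qualified (trailing dot), and the cycle guard for groups that include each other is this model's own choice.

```python
# Added example, not code from the Sun NIS+ documentation or from nisgrpadm:
# a small model of the membership rules in Table 17-2, so that exclusion
# precedence and recursion through @group entries can be checked offline.
# Assumes every principal, domain and group name is fully qualified (trailing dot).

# Constructed sample group tables, keyed by the group's fully qualified name.
GROUPS = {
    "admin.doc.com.": ["rootmaster.doc.com.", "topadmin.doc.com."],
    "temps.doc.com.": ["*.temps.doc.com.", "bob.sales.doc.com."],
    "sales.doc.com.": [
        "@admin.doc.com.",             # recursive member: everyone in admin
        "*.sales.doc.com.",            # implicit member: the whole sales domain
        "-contractor.sales.doc.com.",  # explicit nonmember
        "-@temps.doc.com.",            # recursive nonmember: anyone in temps
    ],
}


def principal_domain(principal):
    """'bob.sales.doc.com.' -> 'sales.doc.com.' (everything after the first dot)."""
    return principal.split(".", 1)[1]


def _entry_covers(groups, entry, principal, seen):
    """True if one non-negated Table 17-2 entry covers the principal."""
    if entry.startswith("@"):                 # recursive: defer to that group
        return is_member(groups, entry[1:], principal, seen)
    if entry.startswith("*."):                # implicit: every principal of a domain
        return principal_domain(principal) == entry[2:]
    return entry == principal                 # explicit: exactly this principal


def is_member(groups, group, principal, seen=frozenset()):
    """Membership as nisgrpadm -t would report it, under this model's rules."""
    if group in seen:            # guard against groups that include each other
        return False
    seen = seen | {group}
    entries = groups.get(group, [])
    exclusions = [e[1:] for e in entries if e.startswith("-")]
    inclusions = [e for e in entries if not e.startswith("-")]
    # Entry order is irrelevant: any matching exclusion wins outright.
    if any(_entry_covers(groups, e, principal, seen) for e in exclusions):
        return False
    return any(_entry_covers(groups, e, principal, seen) for e in inclusions)


def members_among(groups, group, principals):
    """Filter a list of candidate principals down to the members of group."""
    return [p for p in principals if is_member(groups, group, p)]
```

With these tables, bob.sales.doc.com. is covered by the implicit *.sales.doc.com. entry but is also a member of the excluded temps group, so he is not a member of sales, exactly the case described under Group Syntax.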
Using niscat With NIS+ Groups
The niscat -o command can be used to list the object properties and membership of an NIS+ group.
Listing the Object Properties of a Group
To list the object properties of a group, you must have read access to the groups_dir directory in which the group is stored. Use niscat -o and the group's fully qualified name, which must include its groups_dir subdirectory:
niscat -o group-name.groups_dir.domain-name
For example:
rootmaster# niscat -o sales.groups_dir.doc.com.
Object Name : sales
Owner : rootmaster.doc.com.
Group : sales.doc.com.
Domain : groups_dir.doc.com.
Access Rights : ----rmcdr---r---
Time to Live : 1:0:0
Object Type : GROUP
Group Flags :
Group Members : rootmaster.doc.com.
                topadmin.doc.com.
                @.admin.doc.com.
                *.sales.doc.com.
Note - A better list of members is provided by the nisgrpadm -l command.
Several of the group's properties are inherited from the NIS_DEFAULTS environment variable, unless they were overridden when the group was created. The group flags field is currently unused. In the list of group members, the * symbol identifies member domains and the @ symbol identifies member groups.
The nisgrpadm Command
The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use nisgrpadm, you must have access rights appropriate for the operation.
Table 17-3 Rights Required for nisgrpadm Command
This Operation | Requires This Access Right | To This Object |
---|---|---|
Create a group | Create | groups_dir directory |
Destroy a group | Destroy | groups_dir directory |
List the Members | Read | the group object |
Add Members | Modify | the group object |
Remove Members | Modify | the group object |
The nisgrpadm command has two main forms, one for working with groups and one for working with group members.
To create or delete a group, or to list its members, use these forms:
nisgrpadm -c group-name.domain-name
nisgrpadm -d group-name
nisgrpadm -l group-name
To add or remove members, or to determine whether they belong to the group, use this form (where member... can be any combination of the six membership types listed in Table 17-2):
nisgrpadm -a group-name member...
nisgrpadm -r group-name member...
nisgrpadm -t group-name member...
All operations except create (-c) accept a partially qualified group-name. However, even for the -c option, nisgrpadm does not require the use of groups_dir in the group-name argument. In fact, it won't accept it.