Disable nis login for a particular user on a particular machine


Yes, in many ways:

  1. Have a netgroup created by your NIS administrator and "+" the netgroup in /etc/passwd
  2. Explicitly "+" the users who should be allowed to log in to this host in /etc/passwd
  3. "+" everyone (or a netgroup that is a superset) and explicitly "-" the users who SHOULD NOT be allowed to log in to this host in /etc/passwd

Number 1 is usually considered "more correct" from an admin standpoint.
Number 2 is convenient if you don't have a lot of users who need to access this host and your admin team is slow creating/updating netgroups.
Number 3 is best if there are a few users who should be excluded but everyone else (or everyone else in a specific netgroup) should have access - e.g. denying an intern access to the NIS master server :-)

(If you have had the misfortune to be dropped into a NIS environment and don't have much experience with it I suggest picking up a copy of the O'Reilly "Managing NFS & NIS" Book - http://oreilly.com/catalog/9781565925106 - It's a good bet if you're in a NIS shop someone has a copy laying around :)


0fnt
Author by

0fnt

Updated on September 17, 2022

Comments

  • 0fnt
    0fnt almost 2 years

    We have a nis server and a nis client in a domain. As part of the in-charge of a subdomain, I want to enable nis logins for only some users on a particular machine, and want to disable the rest of the users. I DO NOT have administrative access to nis master password file. Can it be done? If so, how?

    e.g.
    machine1: all users enabled for nis login
    machine2: only xyz and pqr are allowed to log in
    machine3: abc and def are not allowed, rest all are allowed

    In short, to allow/disallow a subset of users from accessing a particular nis-client, without root/administrative privileges to the nis server.

    nsswitch.conf looks like this:

    #other entries before this
    passwd:     files nis
    shadow:     files nis
    group:      files nis
    #other entries after this. 
    

    Client runs Ubuntu 10.04. (Don't flame me for this please :|) My /etc/passwd does not have a +:::::: entry, but/and all the users from nis can log in.

    Thanks.

  • 0fnt
    0fnt about 14 years
    I'm probably doing something very stupid, but as you said, on the client side /etc/passwd, I added a line +xyz:::::: once, and +xyz once to allow only xyz to log in, but others are able to log in too. Am I supposed to restart something? Would you be able to correct me please? Thanks.
  • voretaq7
    voretaq7 about 14 years
    If you are running nscd that needs to be restarted, otherwise double check that you don't have any other + lines -- you should only have +user:::::: entries for the people who should have access. If you have a +:::::: hanging around it will include everyone you don't explicitly - out. You can test using the id command (People who aren't +'d in shouldn't exist according to id). There's also a very slim possibility that your OS has a terribly broken NIS implementation & doesn't respect + and - lines, but that's not very likely.
  • 0fnt
    0fnt about 14 years
    I'm not sure you'd be reading this comment so late, but can you please check the edit to my original question. I have added the content of file nsswitch.conf, and mentioned the fact that /etc/passwd doesn't already have a +:::::: entry.
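
As an added example (not code from the answer or from either poster), this shell script audits the two files the thread discusses: it reports which services nsswitch.conf lists for passwd and classifies the + and - lines of a passwd file. It assumes glibc's NSS, where those lines are interpreted only when the passwd database uses the compat service; the function names and the sample files are constructed for illustration.

```sh
#!/bin/sh
# Added example: audit how a NIS client admits users.
# Assumption: glibc NSS, where +/- lines in /etc/passwd are honoured only by "compat".

# Services listed for the passwd database, e.g. "files nis" or "compat".
passwd_services() {
    awk '$1 == "passwd:" { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Classify every +/- line of a passwd file, one verdict per line.
compat_entries() {
    awk -F: '
        $1 == "+"     { print "allow-all"; next }
        $1 ~ /^\+@/   { print "allow-netgroup " substr($1, 3); next }
        $1 ~ /^-@/    { print "deny-netgroup " substr($1, 3); next }
        $1 ~ /^\+/    { print "allow-user " substr($1, 2); next }
        $1 ~ /^-/     { print "deny-user " substr($1, 2); next }
    ' "$1"
}

# Verdict for a host: arguments are the nsswitch.conf and passwd paths.
audit_nis_access() {
    services=$(passwd_services "$1")
    entries=$(compat_entries "$2")
    case " $services " in
        *" compat "*) ;;
        *) echo "unrestricted: passwd uses '$services', +/- lines are not interpreted"
           return 0 ;;
    esac
    if [ -z "$entries" ]; then
        echo "local-only: compat is set but no + lines admit NIS users"
    elif printf '%s\n' "$entries" | grep -q '^allow-all$' &&
         ! printf '%s\n' "$entries" | grep -q '^deny-'; then
        echo "unrestricted: bare + line admits every NIS user"
    else
        echo "restricted:"; printf '%s\n' "$entries" | sed 's/^/  /'
    fi
}

# Constructed sample files: the question's nsswitch.conf and a compat variant.
tmp=$(mktemp -d)
printf 'passwd:     files nis\nshadow:     files nis\n' > "$tmp/nsswitch.files"
printf 'passwd:     compat\nshadow:     compat\n' > "$tmp/nsswitch.compat"
printf 'root:x:0:0:root:/root:/bin/sh\n+xyz::::::\n+pqr::::::\n' > "$tmp/passwd.allow"
printf 'root:x:0:0:root:/root:/bin/sh\n-abc\n-def\n+::::::\n' > "$tmp/passwd.deny"

audit_nis_access "$tmp/nsswitch.files"  "$tmp/passwd.allow"   # config as posted
audit_nis_access "$tmp/nsswitch.compat" "$tmp/passwd.allow"   # machine2 case
audit_nis_access "$tmp/nsswitch.compat" "$tmp/passwd.deny"    # machine3 case
```

On a real client, pass /etc/nsswitch.conf and /etc/passwd as the two arguments, then confirm the result with the id command as suggested in the comments.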