System Administration Guide: Naming and Directory Services (FNS and NIS+)

Chapter 17 Administering NIS+ Groups

This chapter describes NIS+ groups and how to administer them.


Note –

Some NIS+ security group tasks can be performed more easily with Solstice AdminSuite tools if you have them available.



Note –

NIS+ might not be supported in a future release. Tools to aid the migration from NIS+ to LDAP are available in the Solaris 9 operating environment (see System Administration Guide: Naming and Directory Services (DNS, NIS, and LDAP)). For more information, visit http://www.sun.com/directory/nisplus/transition.html.


Solaris Groups

In a Solaris-NIS+ environment, there are three kinds of groups: UNIX groups, net groups, and NIS+ groups.

NIS+ Groups

NIS+ groups are used to assign access rights to NIS+ objects to one or more NIS+ principles. These access rights are described in Chapter 11, NIS+ Security Overview. Information about NIS+ groups is stored in tables located in the NIS+ groups_dir directory object. Information about each group is stored in a table of the same name. For example, information about the admin group is stored in admin.groups_dir.

It is recommended practice to create at least one NIS+ group called admin. The admin NIS+ group is normally used to designate those users who are to have NIS+ access rights. You can name this group anything you want, but the NIS+ manual set assumes that the group with NIS+ administrator privileges is named admin. You can also create multiple NIS+ groups with different sets of users and different sets of rights.


Note –

Always use the nisgrpadm command to work with NIS+ group membership. You can also use the nisls and nischgrp commands on the group table. Do not use the nistbladm command on the group table.


For a complete description of NIS+ group-related commands and their syntax and options, see the NIS+ man pages.

Related Commands

The nisgrpadm command performs most group administration tasks but several other commands affect groups as well:

Table 17–1 Commands That Affect Groups

Command 

Description 

See 

nissetup

Creates, among other things, the directory in which a domain's groups are stored: groups_dir.

 

nisls

Lists the contents of the groups_dir directory; in other words, all the groups in a domain. For each named groups there will be a table of that name in groups_dir.

Using the nisls Command With Directories

nischgrp

Changes or assigns a group to any NIS+ object. 

Changing an Object or Entry's Group

niscat

Lists the object properties and membership of an NIS+ group. 

Using niscat With NIS+ Groups

nisdefaults

Lists, among other things, the group that will be assigned to any new NIS+ object. 

Displaying NIS+ Defaults—The nisdefaults Command

For a complete description of these commands and their syntax, and options, see the NIS+ man pages.


Note –

Do not use the nistbladm command to work with the NIS+ groups table.


NIS+ Group Member Types

NIS+ groups can have three types of members: explicit, implicit, and recursive; and three types of nonmembers, also explicit, implicit, and recursive. These member types are used when adding or removing members of a group as described in The nisgrpadm Command.

Member Types

NIS+ groups also accept nonmembers in all three categories: explicit, implicit, and recursive. Nonmembers are principals specifically excluded from a group that they otherwise would be part of.

Nonmember Types

Nonmembers are identified by a minus sign in front of their name:

Group Syntax

The order in which inclusions and exclusions are entered does not matter. Exclusions always take precedence over inclusions. Thus, if a principal is a member of an included implicit domain and also a member of an excluded recursive group, then that principal is not included.

Thus, when using the nisgrpadm command, you can specify group members and nonmembers as shown in Table 17–2:

Table 17–2 Specifying Group Members and Nonmembers

Type of member 

Syntax 

Explicit member 

username.domain

Implicit member 

*.domain

Recursive member 

@groupname.domain

Explicit nonmember 

-username.domain

Implicit nonmember 

-*.domain

Recursive nonmember 

@groupname.domain

Using niscat With NIS+ Groups

The niscat -ocommand can be used to list the object properties and membership of an NIS+ group.

Listing the Object Properties of a Group

To list the object properties of a group, you must have read access to the groups_dir directory in which the group is stored. Use niscat -o and the group's fully qualified name, which must include its groups_dir subdirectory:


niscat -o group-name.groups_dir.domain-name

For example:


rootmaster# niscat -o sales.groups_dir.doc.com.
Object Name : sales
Owner : rootmaster.doc.com.
Group : sales.doc.com.
Domain : groups_dir.doc.com.
Access Rights : ----rmcdr---r---
Time to Live : 1:0:0
Object Type : GROUP
Group Flags :
Group Members : rootmaster.doc.com.
  topadmin.doc.com.
  @.admin.doc.com.
  *.sales.doc.com.

Note –

A better list of members is provided by the nisgrpadm -l command.


Several of the group's properties are inherited from the NIS_DEFAULTS environment variable, unless they were overridden when the group was created. The group flags field is currently unused. In the list of group members, the * symbol identifies member domains and the @ symbol identifies member groups.

The nisgrpadm Command

The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use nisgrpadm, you must have access rights appropriate for the operation.

Table 17–3 Rights Required for nisgrpadm Command

This Operation 

Requires This Access Right 

To This Object 

Create a group 

Create 

groups_dir directory

Destroy a group 

Destroy 

groups_dir directory

List the Members 

Read 

the group object 

Add Members 

Modify 

the group object 

Remove Members 

Modify 

the group object 

The nisgrpadm has two main forms, one for working with groups and one for working with group members.

To create or delete a group, or to lists its members use these forms:


nisgrpadm -c group-name.domain-name
nisgrpadm -d group-name
nisgrpadm -l group-name

To add or remove members, or determine if they belong to the group use this form (where member... can be any combination of the six membership types listed in Table 17–2):


nisgrpadm -a group-name member...
nisgrpadm -r group-name member...
nisgrpadm -t group-name member...

All operations except create (-c) accept a partially qualified group-name. However, even for the -c option, nisgrpadm does not require the use of groups_dir in the group-name argument. In fact, it won't accept it.

Creating an NIS+ Group

To create an NIS+ group, you must have create rights to the groups_dir directory of the group's domain. Use the -c option and a fully qualified group name:


nisgrpadm -c group-name.
domainname

When you create a group, an NIS+ groups table with the name you have given is created in groups_dir. You can use nisls to confirm that the new group table now exists in groups_dir, and niscat to list the groups members listed in the table.

A newly created group contains no members. See Adding Members to an NIS+ Group for information on how to specify who belongs to a group.

The example below creates three groups named admin. The first is in the doc.com. domain, the second in sales.doc.com., and the third in manf.doc.com. All three are created on the master server of their respective domains.


rootmaster# nisgrpadm -c admin.doc.com.
Group admin.doc.com. created.
salesmaster# nisgrpadm -c admin.sales.doc.com.
Group admin.sales.doc.com. created.
manfmaster# nisgrpadm -c admin.manf.doc.com.
Group admin.manf.doc.com. created.

The group you create will inherit all the object properties specified in the NIS_DEFAULTS variable; that is, its owner, owning group, access rights, time-to-live, and search path. You can view these defaults by using the nisdefaults command (described in Chapter 15, Administering NIS+ Access Rights). Used without options, it provides this output:


rootmaster# nisdefaults
Principal Name : rootmaster.doc.com.
Domain Name : doc.com.
Host Name : rootmaster.doc.com.
Group Name :
Access Rights : ----rmcdr---r---
Time to live : 12:0:0
Search Path : doc.com.

The owner is listed in the Principal Name: field. The owning group is listed only if you have set the NIS_GROUP environment variable. For example, assuming a C-shell, to set NIS_GROUP to fns_admins.doc.com:


rootmaster# setenv NIS_GROUP fns_admins.doc.com

You can override any of these defaults at the time you create the group by using the -D option:


salesmaster# nisgrpadm -D group=special.sales.doc.com.-c 
admin.sales.doc.com. Group admin.sales.doc.com. created.

Deleting an NIS+ Group

To delete an NIS+ group, you must have destroy rights to the groups_dir directory in the group's domain. Use the -d option:


nisgrpadm -d group-name

If the default domain is set properly, you don't have to fully-qualify the group name. However, you should check first (use nisdefaults), because you could unintentionally delete a group in another domain. The example below deletes the test.sales.doc.com. group.


salesmaster% nisgrpadm -d test.sales.doc.com.
Group `test.sales.doc.com.' destroyed.

Adding Members to an NIS+ Group

To add members to an NIS+ group you must have modify rights to the group object. Use the -a option:


nisgrpadm -a group-name members. . .

As described in NIS+ Group Member Types, you can add principals (explicit members), domains (implicit members), and groups (recursive members). You don't have to fully qualify the name of the group or the name of the members who belong to the default domain. This example adds the NIS+ principals panza and valjean, both from the default domain, sales.doc.com., and the principal makeba, from the manf.doc.com. domain, to the group top-team.sales.doc.com.


client% nisgrpadm -a Ateam panza valjean makeba.manf.doc.com.
Added panza.sales.doc.com to group Ateam.sales.doc.com
Added valjean.sales.doc.com to group Ateam.sales.doc.com
Added makeba.manf.doc.com to group Ateam.sales.doc.com

To verify the operation, use the nisgrpadm -l option. Look for the members under the Explicit members heading.

This example adds all the NIS+ principals in the doc.com. domain to the staff.doc.com. group. It is entered from a client in the doc.com. domain. Note the * symbol and the dot in front of the domain name.


client% nisgrpadm -a Staff *.doc.com.
Added *.doc.com. to group Staff.manf.doc.com.

This example adds the NIS+ group admin.doc.com. to the admin.manf.doc.com. group. It is entered from a client of the manf.doc.com. domain. Note the @ symbol in front of the group name.


client% nisgrpadm -a admin @admin.doc.com.
Added @admin.doc.com. to group admin.manf.doc.com.

Listing the Members of an NIS+ Group

To list the members of an NIS+ group, you must have read rights to the group object. Use the -l option:


nisgrpadm -l group-name

This example lists the members of the admin.manf.doc.com. group. It is entered from a client in the manf.doc.com. group:


client% nisgrpadm -l admin 
Group entry for admin.manf.doc.com. group:
 No explicit members
 No implicit members:
 Recursive members:
 @admin.doc.com.
 No explicit nonmembers
 No implicit nonmembers
 No recursive nonmembers 

Removing Members From an NIS+ Group

To remove members from an NIS+ group, you must have modify rights to the group object. Use the -r option:


nisgrpadm -r group-name members. . .

This example removes the NIS+ principals allende and hugo.manf.doc.com. from the Ateam.sales.doc.com group. It is entered from a client in the sales.doc.com. domain:


client% nisgrpadm -r Ateam allende hugo.manf.doc.com.
Removed allende.sales.doc.com. from group Ateam.sales.doc.com.
Removed hugo.manf.doc.com. from group Ateam.sales.doc.com.

This example removes the admin.doc.com. group from the admin.manf.doc.com. group. It is entered from a client in the manf.doc.com. domain:


client% nisgrpadm -r admin @admin.doc.com.
Removed @admin.doc.com. from group admin.manf.doc.com.

Testing for Membership in an NIS+ Group

To find out whether an NIS+ principal is a member of a particular NIS+ group you must have read access to the group object. Use the -t option:


nisgrpadm -t group-name members. . .

This example tests whether the NIS+ principal topadmin belongs to the admin.doc.com. group. It is entered from a client in the doc.com. domain.


client% nisgrpadm -t admin topadmin
topadmin.doc.com. is a member of group admin.doc.com.

This example tests whether the NIS+ principal jo, from the sales.doc.com. domain, belongs to the admin.sales.doc.com. group. It is entered from a client in the doc.com. domain.


client% nisgrpadm -t admin.sales.doc.com. jo.sales.doc.com. 
jo.sales.doc.com. is a member of group admin.sales.doc.com.