The nisgrpadm Command
The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use nisgrpadm, you must have access rights appropriate for the operation.
Table 17–3 Rights Required for nisgrpadm Command|
This Operation |
Requires This Access Right |
To This Object |
|---|---|---|
|
Create a group |
Create |
groups_dir directory |
|
Destroy a group |
Destroy |
groups_dir directory |
|
List the Members |
Read |
the group object |
|
Add Members |
Modify |
the group object |
|
Remove Members |
Modify |
the group object |
The nisgrpadm has two main forms, one for working with groups and one for working with group members.
To create or delete a group, or to lists its members use these forms:
nisgrpadm -c group-name.domain-name nisgrpadm -d group-name nisgrpadm -l group-name |
To add or remove members, or determine if they belong to the group use this form (where member... can be any combination of the six membership types listed in Table 17–2):
nisgrpadm -a group-name member... nisgrpadm -r group-name member... nisgrpadm -t group-name member... |
All operations except create (-c) accept a partially qualified group-name. However, even for the -c option, nisgrpadm does not require the use of groups_dir in the group-name argument. In fact, it won't accept it.
Creating an NIS+ Group
To create an NIS+ group, you must have create rights to the groups_dir directory of the group's domain. Use the -c option and a fully qualified group name:
nisgrpadm -c group-name. domainname |
When you create a group, an NIS+ groups table with the name you have given is created in groups_dir. You can use nisls to confirm that the new group table now exists in groups_dir, and niscat to list the groups members listed in the table.
A newly created group contains no members. See Adding Members to an NIS+ Group for information on how to specify who belongs to a group.
The example below creates three groups named admin. The first is in the doc.com. domain, the second in sales.doc.com., and the third in manf.doc.com. All three are created on the master server of their respective domains.
rootmaster# nisgrpadm -c admin.doc.com. Group admin.doc.com. created. salesmaster# nisgrpadm -c admin.sales.doc.com. Group admin.sales.doc.com. created. manfmaster# nisgrpadm -c admin.manf.doc.com. Group admin.manf.doc.com. created. |
The group you create will inherit all the object properties specified
in the NIS_DEFAULTS variable;
that is, its owner, owning group, access rights, time-to-live, and search
path. You can view these defaults by using the nisdefaults
command (described in Chapter 15, Administering NIS+ Access Rights). Used without options,
it provides this output:
rootmaster# nisdefaults Principal Name : rootmaster.doc.com. Domain Name : doc.com. Host Name : rootmaster.doc.com. Group Name : Access Rights : ----rmcdr---r--- Time to live : 12:0:0 Search Path : doc.com. |
The owner is listed in the Principal Name: field. The owning group is
listed only if you have set the NIS_GROUP
environment variable. For example, assuming a C-shell, to set NIS_GROUP to fns_admins.doc.com:
rootmaster# setenv NIS_GROUP fns_admins.doc.com |
You can override any of these defaults at the time you create the group by using the -D option:
salesmaster# nisgrpadm -D group=special.sales.doc.com.-c admin.sales.doc.com. Group admin.sales.doc.com. created. |
Deleting an NIS+ Group
To delete an NIS+ group, you must have destroy rights to the groups_dir directory in the group's domain. Use the -d option:
nisgrpadm -d group-name |
If the default domain is set properly, you don't have to fully-qualify the group name. However, you should check first (use nisdefaults), because you could unintentionally delete a group in another domain. The example below deletes the test.sales.doc.com. group.
salesmaster% nisgrpadm -d test.sales.doc.com. Group `test.sales.doc.com.' destroyed. |
Adding Members to an NIS+ Group
To add members to an NIS+ group you must have modify rights to the group object. Use the -a option:
nisgrpadm -a group-name members. . . |
As described in NIS+ Group Member Types, you can add principals (explicit members), domains (implicit members), and groups (recursive members). You don't have to fully qualify the name of the group or the name of the members who belong to the default domain. This example adds the NIS+ principals panza and valjean, both from the default domain, sales.doc.com., and the principal makeba, from the manf.doc.com. domain, to the group top-team.sales.doc.com.
client% nisgrpadm -a Ateam panza valjean makeba.manf.doc.com. Added panza.sales.doc.com to group Ateam.sales.doc.com Added valjean.sales.doc.com to group Ateam.sales.doc.com Added makeba.manf.doc.com to group Ateam.sales.doc.com |
To verify the operation, use the nisgrpadm -l option. Look for the members under the Explicit members heading.
This example adds all the NIS+ principals in the doc.com. domain to the staff.doc.com. group. It is entered from a client in the doc.com. domain. Note the * symbol and the dot in front of the domain name.
client% nisgrpadm -a Staff *.doc.com. Added *.doc.com. to group Staff.manf.doc.com. |
This example adds the NIS+ group admin.doc.com. to the admin.manf.doc.com. group. It is entered from a client of the manf.doc.com. domain. Note the @ symbol in front of the group name.
client% nisgrpadm -a admin @admin.doc.com. Added @admin.doc.com. to group admin.manf.doc.com. |
Listing the Members of an NIS+ Group
To list the members of an NIS+ group, you must have read rights to the group object. Use the -l option:
nisgrpadm -l group-name |
This example lists the members of the admin.manf.doc.com. group. It is entered from a client in the manf.doc.com. group:
client% nisgrpadm -l admin Group entry for admin.manf.doc.com. group: No explicit members No implicit members: Recursive members: @admin.doc.com. No explicit nonmembers No implicit nonmembers No recursive nonmembers |
Removing Members From an NIS+ Group
To remove members from an NIS+ group, you must have modify rights to the group object. Use the -r option:
nisgrpadm -r group-name members. . . |
This example removes the NIS+ principals allende and hugo.manf.doc.com. from the Ateam.sales.doc.com group. It is entered from a client in the sales.doc.com. domain:
client% nisgrpadm -r Ateam allende hugo.manf.doc.com. Removed allende.sales.doc.com. from group Ateam.sales.doc.com. Removed hugo.manf.doc.com. from group Ateam.sales.doc.com. |
This example removes the admin.doc.com. group from the admin.manf.doc.com. group. It is entered from a client in the manf.doc.com. domain:
client% nisgrpadm -r admin @admin.doc.com. Removed @admin.doc.com. from group admin.manf.doc.com. |
Testing for Membership in an NIS+ Group
To find out whether an NIS+ principal is a member of a particular NIS+ group you must have read access to the group object. Use the -t option:
nisgrpadm -t group-name members. . . |
This example tests whether the NIS+ principal topadmin belongs to the admin.doc.com. group. It is entered from a client in the doc.com. domain.
client% nisgrpadm -t admin topadmin topadmin.doc.com. is a member of group admin.doc.com. |
This example tests whether the NIS+ principal jo, from the sales.doc.com. domain, belongs to the admin.sales.doc.com. group. It is entered from a client in the doc.com. domain.
client% nisgrpadm -t admin.sales.doc.com. jo.sales.doc.com. jo.sales.doc.com. is a member of group admin.sales.doc.com. |
- © 2010, Oracle Corporation and/or its affiliates