Working With Oracle® Solaris 11.4 Directory and Naming Services: DNS and NIS
Updated: November 2020
NIS Netgroups

NIS netgroups are groups (sets) of users or systems that you define for administrative purposes. For example, you can create netgroups that do the following.

  • Define a set of users who can access a specific system

  • Define a set of NFS client systems to be given some specific file system access

  • Define a set of users who are to have administrator privileges on all the systems in a particular NIS domain

Each netgroup is given a netgroup name. Netgroups do not directly set permissions or access rights. Instead, netgroup names are used by other NIS maps and local files in places where a user name or system name would normally appear. For example, suppose you created a netgroup of network administrators called netadmins. To grant all members of the netadmins netgroup access to a given system, you only need to add a +@netadmins entry to that system's /etc/passwd file (the +@ prefix is the passwd compat syntax for referring to a netgroup rather than to a single user). Netgroups themselves are defined in the /etc/netgroup input file and propagated to the NIS netgroup map. See the netgroup(5) man page for more detailed information about using netgroups.

On a network using NIS, the netgroup input file (/etc/netgroup) on the master NIS server is used for generating three maps: netgroup, netgroup.byuser, and netgroup.byhost. The netgroup map contains the basic information in the netgroup input file. The two other maps contain the same information indexed by system name and by user name, respectively, so that a lookup that starts from a system or user name is fast.

Entries in the netgroup input file have the format: name member, where name is the name you give to the netgroup and member identifies a system or user that belongs to it. You can give a netgroup as many members as you want, separated by spaces or tabs (the commas belong inside each member, as shown below). For example, an entry that creates a netgroup with three members has the format: name member member member. A member can also be the name of another netgroup, whose members are then included in this one. A member that identifies a system or user is written in the following format.

([-|system], [-|user], [domain])

Where system is a system name, user is a user name, and domain is the NIS domain of the system or user. The domain element is optional and should only be used to identify systems or users in some other NIS domain; left empty, it matches any domain. The system and user positions are present in every member, but they need not name anything: a dash (-) means the position has no valid value and never matches, whereas an empty position is a wildcard that matches any system or user, so (,,) matches everyone. Check for unintended wildcards before you use a netgroup to grant access. There is no necessary relationship between the system and user elements in a member; which system is paired with which user in a given member is only a notation.

The following two sample netgroup input file entries each create a netgroup named admins composed of the users hauri and soloh (soloh being in the remote domain sales) and the systems altair and sirius.

admins (altair,hauri,) (sirius,soloh,sales)
admins (altair,-,) (sirius,-,) (-,hauri,) (-,soloh,sales)
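As an added example (not Oracle's code and not part of this manual), the following Python script parses a constructed netgroup input file in the format described above, including the two admins entries (the second is named admins2 here so the two forms can be compared), and answers membership queries with the field rules of netgroup(5): an empty field is a wildcard, a dash matches nothing, and a bare name pulls in another netgroup. It also builds indexes in the role of netgroup.byhost and netgroup.byuser (the key encoding is the script's own, not the literal NIS map key format) and flags groups that contain an all-wildcard member. The groups nfsclients, staff, everyone, loop1 and loop2, the host vega, the domain eng and the user bob are constructed for the example.

```python
"""Parse an NIS netgroup input file and answer membership queries.

Added example, not Oracle's code.  Field rules follow netgroup(5): an
empty field is a wildcard, a dash (-) matches nothing, and a bare name
in the member list refers to another netgroup (nesting).
"""
import re
from collections import defaultdict

# Constructed sample input file.  The two admins forms are the ones shown
# in the text (the second is named admins2 here so both can be compared);
# nfsclients, staff, everyone, loop1/loop2, host vega and user bob are
# hypothetical.
SAMPLE_NETGROUP_FILE = """\
# netgroup input file (constructed sample)
admins     (altair,hauri,) (sirius,soloh,sales)
admins2    (altair,-,) (sirius,-,) (-,hauri,) (-,soloh,sales)
nfsclients (altair,-,) (sirius,-,) \\
           (vega,-,eng)
staff      admins (-,bob,)
everyone   (,,)
loop1      loop2
loop2      loop1
"""

# One (system,user,domain) member; whitespace inside the parentheses is tolerated.
TRIPLE_RE = re.compile(r"\(\s*([^,()]*?)\s*,\s*([^,()]*?)\s*,\s*([^,()]*?)\s*\)")


def parse_netgroup_file(text):
    """Return {netgroup: [members]}; a member is a (system, user, domain)
    tuple or a string naming another netgroup."""
    groups = {}
    # Join backslash-continued lines, then drop comments and blank lines.
    for line in text.replace("\\\n", " ").splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split(None, 1)
        name, members = parts[0], (parts[1] if len(parts) > 1 else "")
        entries = [m.groups() for m in TRIPLE_RE.finditer(members)]
        # Whatever is left once the triples are removed names nested netgroups.
        entries += TRIPLE_RE.sub(" ", members).split()
        groups.setdefault(name, []).extend(entries)
    return groups


def expand(groups, name, _seen=None):
    """Yield every (system, user, domain) triple of `name`, following nested
    netgroups; `_seen` stops reference cycles and skips unknown names."""
    _seen = set() if _seen is None else _seen
    if name in _seen or name not in groups:
        return
    _seen.add(name)
    for member in groups[name]:
        if isinstance(member, tuple):
            yield member
        else:
            yield from expand(groups, member, _seen)


def _field_matches(pattern, value):
    """Empty pattern: wildcard.  Dash: never matches.  Otherwise exact match.
    A query value of None means the caller does not care about this field."""
    if value is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern == value


def innetgr(groups, name, system=None, user=None, domain=None):
    """Membership test in the spirit of innetgr(3): some triple of `name`
    (or of a nested netgroup) must match every field the caller supplied."""
    return any(
        _field_matches(s, system) and _field_matches(u, user) and _field_matches(d, domain)
        for s, u, d in expand(groups, name)
    )


def build_reverse_indexes(groups):
    """Indexes in the role of netgroup.byhost and netgroup.byuser: which
    netgroups contain a given (system, domain) or (user, domain).  The key
    encoding is this script's own, not the literal NIS map key format."""
    byhost, byuser = defaultdict(set), defaultdict(set)
    for name in groups:
        for s, u, d in expand(groups, name):
            if s != "-":
                byhost[(s or "*", d or "*")].add(name)
            if u != "-":
                byuser[(u or "*", d or "*")].add(name)
    return dict(byhost), dict(byuser)


def wildcard_groups(groups):
    """Audit helper: netgroups that admit every system and user through an
    all-wildcard member such as (,,), directly or via nesting."""
    return sorted(n for n in groups
                  if any(s == "" and u == "" for s, u, _ in expand(groups, n)))


if __name__ == "__main__":
    g = parse_netgroup_file(SAMPLE_NETGROUP_FILE)
    print(innetgr(g, "admins", user="hauri"))                    # True
    print(innetgr(g, "nfsclients", user="hauri"))                # False: user field is a dash
    print(innetgr(g, "staff", system="sirius", user="soloh", domain="sales"))  # True, via nesting
    print(innetgr(g, "admins2", system="altair", user="hauri"))  # False: never in one triple
    print(wildcard_groups(g))                                    # ['everyone']
```

Run the file directly to see the sample queries. The two admins forms behave identically for a system-only or a user-only check, which is what mountd and login perform, but a query that supplies a system and a user together succeeds only when both appear in the same triple, so admins2 never satisfies such a query while admins does for (altair, hauri). The loop1/loop2 pair shows that a reference cycle in the input file must be guarded against rather than followed forever.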

Various programs use the netgroup NIS maps for permission checking during login, remote mount, remote login, and remote shell creation; these programs include mountd and login. The login command consults the netgroup maps for user classifications when it encounters netgroup names in the passwd database. The mountd daemon consults the netgroup maps for system classifications when it encounters netgroup names in the /etc/dfs/dfstab file. Any program that uses the ruserok interface checks the netgroup maps for both system and user classifications when it encounters netgroup names in /etc/hosts.equiv or in a user's .rhosts file.

If you add a new NIS user or system to your network, be sure to add it to the appropriate netgroups in the netgroup input file. Then use the make command (in /var/yp on the master server) and the yppush command to rebuild the netgroup maps and push them to all of your NIS servers. See the netgroup(5) man page for detailed information about using netgroups and netgroup input file syntax.