re #11201 nss: need local netgroup implementation
--- old/usr/src/man/man4/netgroup.4
+++ new/usr/src/man/man4/netgroup.4
1 1 '\" te
2 +.\" Copyright 2012 Nexenta Systems, Inc. All rights reserved.
2 3 .\" Copyright (C) 2003, Sun Microsystems, Inc. All Rights Reserved
3 4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
4 5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
5 6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
6 7 .TH NETGROUP 4 "Feb 25, 2017"
7 8 .SH NAME
8 9 netgroup \- list of network groups
9 10 .SH SYNOPSIS
10 11 .LP
11 12 .nf
12 13 \fB/etc/netgroup\fR
13 14 .fi
14 15
15 16 .SH DESCRIPTION
16 17 .LP
17 18 A \fBnetgroup\fR defines a network-wide group of hosts and users. Use a
18 19 \fBnetgroup\fR to restrict access to shared \fBNFS\fR filesystems and to
19 20 restrict remote login and shell access.
20 21 .sp
21 22 .LP
22 -Network groups are stored in a network information service, such as
23 -\fBLDAP\fR or \fBNIS\fR, not in a local file.
23 +Network groups are usually stored in network information services,
24 +such as \fBLDAP\fR, or \fBNIS\fR, but may alternatively be stored in
25 +the local \fB/etc/netgroup\fR file. The \fBnetgroup\fR line of the
26 +\fBnsswitch.conf\fR(4) file determines which of those sources are used.
24 27 .sp
25 28 .LP
26 29 This manual page describes the format for a file that is used to supply input
27 -to a program such as \fBldapaddent\fR(1M) for LDAP or \fBmakedbm\fR(1M) for
28 -NIS. These programs build maps or tables used by
29 -their corresponding network information services.
30 +to a program such as \fBldapaddent\fR(1M) for LDAP, or \fBmakedbm\fR(1M) for
31 +NIS. The same file format is used in the local \fB/etc/netgroup\fR file.
30 32 .sp
31 33 .LP
32 34 Each line of the file defines the name and membership of a network group. The
33 35 line should have the format:
34 36 .sp
35 37 .in +2
36 38 .nf
37 39 \fIgroupname member\fR...
38 40 .fi
39 41 .in -2
40 42 .sp
41 43
42 44 .sp
43 45 .LP
44 46 The items on a line can be separated by a combination of one or more spaces or
45 47 tabs.
46 48 .sp
47 49 .LP
48 50 The \fIgroupname\fR is the name of the group being defined. This is followed by
49 51 a list of members of the group. Each \fImember\fR is either another group name,
50 52 all of whose members are to be included in the group being defined, or a triple
51 53 of the form:
52 54 .sp
53 55 .in +2
54 56 .nf
55 57 \fI(hostname,username,domainname)\fR
56 58 .fi
57 59 .in -2
58 60 .sp
59 61
60 62 .sp
61 63 .LP
62 64 In each triple, any of the three fields \fIhostname\fR, \fIusername\fR, and
63 65 \fIdomainname\fR, can be empty. An empty field signifies a wildcard that
64 66 matches any value in that field. Thus:
65 67 .sp
66 68 .in +2
67 69 .nf
68 70 everything (\|,\|,this.domain)
69 71 .fi
70 72 .in -2
71 73 .sp
72 74
73 75 .sp
74 76 .LP
75 77 defines a group named "everything" for the domain "this.domain" to which every
76 78 host and user belongs.
77 79 .sp
78 80 .LP
79 81 The \fIdomainname\fR field refers to the domain in which the triple is valid,
80 82 not the domain containing the host or user. In fact, applications using
81 83 \fBnetgroup\fR generally do not check the \fIdomainname\fR. Therefore, using
82 84 .sp
83 85 .in +2
84 86 .nf
85 87 (,,domain)
86 88 .fi
87 89 .in -2
88 90 .sp
89 91
90 92 .sp
91 93 .LP
92 94 is equivalent to
93 95 .sp
94 96 .in +2
95 97 .nf
96 98 (,,)
97 99 .fi
98 100 .in -2
99 101 .sp
100 102
101 103 .sp
102 104 .LP
103 105 You can also use netgroups to control \fBNFS\fR mount access (see
104 106 \fBshare_nfs\fR(1M)) and to control remote login and shell access (see
105 107 \fBhosts.equiv\fR(4)). You can also use them to control local login access (see
106 108 \fBpasswd\fR(4), \fBshadow\fR(4), and \fBcompat\fR in \fBnsswitch.conf\fR(4)).
107 109 .sp
108 110 .LP
109 111 When used for these purposes, a host is considered a member of a \fBnetgroup\fR
110 112 if the \fBnetgroup\fR contains any triple in which the \fBhostname\fR field
111 113 matches the name of the host requesting access and the \fBdomainname\fR field
112 114 matches the domain of the host controlling access.
113 115 .sp
114 116 .LP
115 117 Similarly, a user is considered a member of a \fBnetgroup\fR if the
116 118 \fBnetgroup\fR contains any triple in which the \fIusername\fR field matches
117 119 the name of the \fBuser\fR requesting access and the \fIdomainname\fR field
118 120 matches the domain of the host controlling access.
119 121 .sp
120 122 .LP
121 123 Note that when netgroups are used to control NFS mount access, access is
122 124 granted depending only on whether the requesting host is a member of the
83 lines elided
123 125 \fBnetgroup\fR. Remote login and shell access can be controlled both on the
124 126 basis of host and user membership in separate netgroups.
125 127 .SH FILES
126 128 .ne 2
127 129 .na
128 130 \fB\fB/etc/netgroup\fR\fR
129 131 .ad
130 132 .RS 17n
131 133 Used by a network information service's utility to construct a map or table
132 134 that contains \fBnetgroup\fR information. For example, \fBldapaddent\fR(1M)
133 -uses \fB/etc/netgroup\fR to construct an LDAP container.
135 +uses \fB/etc/netgroup\fR to construct an LDAP container. Alternatively,
136 +the \fB/etc/netgroup\fR file may be used directly if the \fBfiles\fR
137 +source is specified in \fBnsswitch.conf\fR(4) for the \fBnetgroup\fR
138 +database.
139 +
134 140 .RE
135 141
136 -.sp
137 -.LP
138 -Note that the netgroup information must always be stored in a network
139 -information service, such as \fBLDAP\fR or \fBNIS\fR. The local file is
140 -only used to construct a map or table for the network information service. It
141 -is never consulted directly.
142 142 .SH SEE ALSO
143 143 .LP
144 144 \fBldapaddent\fR(1M), \fBmakedbm\fR(1M),
145 145 \fBshare_nfs\fR(1M), \fBinnetgr\fR(3C), \fBhosts\fR(4), \fBhosts.equiv\fR(4),
146 146 \fBnsswitch.conf\fR(4), \fBpasswd\fR(4), \fBshadow\fR(4)
147 147 .SH NOTES
148 148 .LP
149 -\fBnetgroup\fR requires a network information service such as \fBLDAP\fR
150 -or \fBNIS\fR.
151 -.sp
152 -.LP
153 149 Applications may make general membership tests using the \fBinnetgr()\fR
154 150 function. See \fBinnetgr\fR(3C).
155 151 .sp
156 152 .LP
157 153 Because the "-" character will not match any specific username or hostname, it
158 154 is commonly used as a placeholder that will match only wildcarded membership
159 155 queries. So, for example:
160 156 .sp
161 157 .in +2
162 158 .nf
163 159 onlyhosts (host1,-,our.domain) (host2,-,our.domain)
164 160 onlyusers (-,john,our.domain) (-,linda,our.domain)
165 161 .fi
166 162 .in -2
167 163 .sp
168 164
169 165 .sp
170 166 .LP
171 167 effectively define netgroups containing only hosts and only users,
172 168 respectively. Any other string that is guaranteed not to be a legal username or
173 169 hostname will also suffice for this purpose.
174 170 .sp
175 171 .LP
176 172 Use of placeholders will improve search performance.
177 173 .sp
178 174 .LP
179 175 When a machine with multiple interfaces and multiple names is defined as a
180 176 member of a \fBnetgroup\fR, one must list all of the names. See \fBhosts\fR(4).
181 177 A manageable way to do this is to define a \fBnetgroup\fR containing all of the
182 178 machine names. For example, for a host "gateway" that has names
183 179 "gateway-subnet1" and "gateway-subnet2" one may define the \fBnetgroup\fR:
184 180 .sp
185 181 .in +2
186 182 .nf
187 183 gateway (gateway-subnet1,\|,our.domain) (gateway-subnet2,\|,our.domain)
188 184 .fi
189 185 .in -2
190 186 .sp
191 187
192 188 .sp
193 189 .LP
194 190 and use this \fBnetgroup\fR "\fBgateway\fR" whenever the host is to be included
195 191 in another \fBnetgroup\fR.
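Review bot: the empty input line added as new line 139, between the new FILES text and ".RE", is a blank troff input line and will render as a spurious blank line inside the indented entry; drop it, or use ".sp" if the spacing is deliberate. Separately, since this change makes \fB/etc/netgroup\fR a source consulted directly (new lines 135-138) for the NFS share and remote login decisions described in DESCRIPTION, the FILES entry would be a good place to state that the local file is only read when \fBfiles\fR appears on the \fBnetgroup\fR line of \fBnsswitch.conf\fR(4) and that the removed statement "It is never consulted directly" no longer holds, so administrators know the file's contents now carry the same weight as the LDAP or NIS map.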
33 lines elided