re #11201 nss: need local netgroup implementation
--- old/usr/src/man/man4/netgroup.4.man.txt
+++ new/usr/src/man/man4/netgroup.4.man.txt
1 1 NETGROUP(4) File Formats and Configurations NETGROUP(4)
2 2
3 3
4 4
5 5 NAME
6 6 netgroup - list of network groups
7 7
8 8 SYNOPSIS
9 9 /etc/netgroup
10 10
11 11
12 12 DESCRIPTION
13 13 A netgroup defines a network-wide group of hosts and users. Use a
14 14 netgroup to restrict access to shared NFS filesystems and to restrict
15 15 remote login and shell access.
16 16
17 17
18 - Network groups are stored in a network information service, such as
19 - LDAP or NIS, not in a local file.
18 + Network groups are usually stored in network information services, such
19 + as LDAP, or NIS, but may alternatively be stored in the local
20 + /etc/netgroup file. The netgroup line of the nsswitch.conf(4) file
21 + determines which of those sources are used.
20 22
21 23
22 24 This manual page describes the format for a file that is used to supply
23 - input to a program such as ldapaddent(1M) for LDAP or makedbm(1M) for
24 - NIS. These programs build maps or tables used by their corresponding
25 - network information services.
25 + input to a program such as ldapaddent(1M) for LDAP, or makedbm(1M) for
26 + NIS. The same file format is used in the local /etc/netgroup file.
26 27
27 28
28 29 Each line of the file defines the name and membership of a network
29 30 group. The line should have the format:
30 31
31 32 groupname member...
32 33
33 34
34 35
35 36
36 37 The items on a line can be separated by a combination of one or more
37 38 spaces or tabs.
38 39
39 40
40 41 The groupname is the name of the group being defined. This is followed
41 42 by a list of members of the group. Each member is either another group
42 43 name, all of whose members are to be included in the group being
43 44 defined, or a triple of the form:
44 45
45 46 (hostname,username,domainname)
46 47
47 48
48 49
49 50
50 51 In each triple, any of the three fields hostname, username, and
51 52 domainname, can be empty. An empty field signifies a wildcard that
52 53 matches any value in that field. Thus:
53 54
54 55 everything (,,this.domain)
55 56
56 57
57 58
58 59
59 60 defines a group named "everything" for the domain "this.domain" to
60 61 which every host and user belongs.
61 62
62 63
63 64 The domainname field refers to the domain in which the triple is valid,
64 65 not the domain containing the host or user. In fact, applications using
65 66 netgroup generally do not check the domainname. Therefore, using
66 67
67 68 (,,domain)
68 69
69 70
70 71
71 72
72 73 is equivalent to
73 74
74 75 (,,)
75 76
76 77
77 78
78 79
79 80 You can also use netgroups to control NFS mount access (see
80 81 share_nfs(1M)) and to control remote login and shell access (see
81 82 hosts.equiv(4)). You can also use them to control local login access
82 83 (see passwd(4), shadow(4), and compat in nsswitch.conf(4)).
83 84
84 85
85 86 When used for these purposes, a host is considered a member of a
86 87 netgroup if the netgroup contains any triple in which the hostname
87 88 field matches the name of the host requesting access and the domainname
88 89 field matches the domain of the host controlling access.
89 90
90 91
91 92 Similarly, a user is considered a member of a netgroup if the netgroup
92 93 contains any triple in which the username field matches the name of the
93 94 user requesting access and the domainname field matches the domain of
94 95 the host controlling access.
95 96
96 97
97 98 Note that when netgroups are used to control NFS mount access, access
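Review bot: the new DESCRIPTION wording at lines 18-19 and 25 has stray commas ("such as LDAP, or NIS, but may" and "for LDAP, or makedbm(1M) for NIS"); drop the comma before "or" in both places. The sentence removed at lines 24-25 ("These programs build maps or tables used by their corresponding network information services.") was the only place that said what ldapaddent(1M) and makedbm(1M) do with this file, and the replacement text no longer explains it; consider keeping that sentence ahead of "The same file format is used in the local /etc/netgroup file." Since line 20-21 now says the netgroup entry in nsswitch.conf(4) decides which sources are used, it would also help to state whether the files source is searched in the listed order alongside ldap/nis, because that ordering determines which definition wins when the same netgroup name gates NFS export or login access.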
98 99 is granted depending only on whether the requesting host is a member of
99 100 the netgroup. Remote login and shell access can be controlled both on
100 101 the basis of host and user membership in separate netgroups.
101 102
102 103 FILES
103 104 /etc/netgroup
104 105 Used by a network information service's utility to
105 106 construct a map or table that contains netgroup
106 107 information. For example, ldapaddent(1M) uses
107 108 /etc/netgroup to construct an LDAP container.
109 + Alternatively, the /etc/netgroup file may be used
110 + directly if the files source is specified in
111 + nsswitch.conf(4) for the netgroup database.
108 112
109 113
110 114
111 - Note that the netgroup information must always be stored in a network
112 - information service, such as LDAP or NIS. The local file is only used
113 - to construct a map or table for the network information service. It is
114 - never consulted directly.
115 -
116 115 SEE ALSO
117 116 ldapaddent(1M), makedbm(1M), share_nfs(1M), innetgr(3C), hosts(4),
118 117 hosts.equiv(4), nsswitch.conf(4), passwd(4), shadow(4)
119 118
120 119 NOTES
121 - netgroup requires a network information service such as LDAP or NIS.
122 -
123 -
124 120 Applications may make general membership tests using the innetgr()
125 121 function. See innetgr(3C).
126 122
127 123
128 124 Because the "-" character will not match any specific username or
129 125 hostname, it is commonly used as a placeholder that will match only
130 126 wildcarded membership queries. So, for example:
131 127
132 128 onlyhosts (host1,-,our.domain) (host2,-,our.domain)
133 129 onlyusers (-,john,our.domain) (-,linda,our.domain)
134 130
135 131
136 132
137 133
138 134 effectively define netgroups containing only hosts and only users,
139 135 respectively. Any other string that is guaranteed not to be a legal
140 136 username or hostname will also suffice for this purpose.
141 137
142 138
143 139 Use of placeholders will improve search performance.
144 140
145 141
146 142 When a machine with multiple interfaces and multiple names is defined
147 143 as a member of a netgroup, one must list all of the names. See
148 144 hosts(4). A manageable way to do this is to define a netgroup
149 145 containing all of the machine names. For example, for a host "gateway"
150 146 that has names "gateway-subnet1" and "gateway-subnet2" one may define
151 147 the netgroup:
152 148
153 149 gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)
154 150
155 151
156 152
157 153
158 154 and use this netgroup "gateway" whenever the host is to be included in
159 155 another netgroup.
160 156
161 157
162 158
163 159 February 25, 2017 NETGROUP(4)
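Review bot: the FILES entry added at lines 109-111 makes /etc/netgroup a direct input to the access decisions described at lines 80-95 (NFS exports, remote login, local login) whenever the files source is enabled, but nothing states who may write it; add the expected ownership and mode so administrators understand that anyone who can edit the file can place any host or user in any netgroup. "files" at line 110 is a literal source name from nsswitch.conf(4) and should be set off as such rather than read as the English word. Dropping the NOTES paragraph at lines 121-123 is consistent with the new DESCRIPTION, but the footer date at line 159 (February 25, 2017) was not bumped for this content change.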