Name Services Administration Guide

Administering NIS+ Groups

10

This chapter describes how to use NIS+ group administration commands to perform the following tasks:
Specifying Group Members in All Commands
Listing the Object Properties of a Group
Creating an NIS+ Group
Deleting an NIS+ Group
Adding Members to an NIS+ Group
Listing the Members of an NIS+ Group
Removing Members From an NIS+ Group
Testing for Membership in an NIS+ Group
For a complete description of these commands, their syntax, and options, see the NIS+ man pages.

Related Commands

The nisgrpadm command performs most group administration tasks, but several other commands affect groups as well:
Table 10-1

  Command      Description                                          See
  nissetup     Creates, among other things, the directory in        page 205
               which a domain's groups are stored: groups_dir
  nisls        Lists the contents of the groups_dir directory;      page 169
               in other words, all the groups in a domain
  nischgrp     Assigns a group to any NIS+ object                   page 155
  nisdefaults  Lists, among other things, the group that will be    page 144
               assigned to any new NIS+ object

Specifying Group Members in All Commands

NIS+ groups can have three types of members: explicit, implicit, and recursive:
Figure 10-1 Types of Members in NIS+ Groups:

  member           ::= explicit-member
                     | implicit-member
                     | recursive-member
  explicit-member  ::= principal-name
  implicit-member  ::= *.domain-name
  recursive-member ::= @group-name.domain-name

Explicit members are individual NIS+ principals. They are identified, in all group administration commands, by their principal name. The name does not have to be fully qualified if entered from its default domain.
Implicit members are all the NIS+ principals who belong to an NIS+ domain. They are identified by their domain name, preceded by the * symbol and a dot. The operation you select applies to all the members in the group.
Recursive members are all the NIS+ principals that are members of another NIS+ group. They are identified by their NIS+ group name, preceded by the @ symbol. The operation you select applies to all the members in the group.

Non-Members

NIS+ groups also accept non-members in all three categories, explicit, implicit, and recursive. Non-members are identified by a minus sign in front of their name:
Figure 10-2 Types of Non-Members in NIS+ Groups:

  explicit-non-member  ::= -principal-name
  implicit-non-member  ::= -*.domain-name
  recursive-non-member ::= -@group-name.domain-name
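
When auditing which principals a group's access rights actually reach, the member syntax of Figures 10-1 and 10-2 can be classified and resolved mechanically. The Python below is an added example, not part of the original guide or of NIS+; the function names and the GROUPS sample data are constructed for illustration, and it assumes that a non-member entry overrides a member entry and that `*.domain` matches only principals whose own domain is that domain.

```python
# Constructed sample data: member lists as a group object would store them.
GROUPS = {
    "admin.Wiz.Com.": ["rootmaster", "topadmin.Wiz.Com."],
    "admin.Eng.Wiz.Com.": ["@admin.Wiz.Com.", "*.Eng.Wiz.Com.",
                           "-joe.Eng.Wiz.Com."],
}
CATEGORIES = [f"{kind} {side}" for side in ("members", "non-members")
              for kind in ("explicit", "implicit", "recursive")]

def qualify(name, default_domain):
    """Complete a name that lacks the trailing dot with the default domain."""
    return name if name.endswith(".") else f"{name}.{default_domain}"

def classify(spec, default_domain):
    """Map one member spec to (category, fully-qualified name)."""
    negative = spec.startswith("-")
    body = spec[1:] if negative else spec
    if body.startswith("*."):
        kind, name = "implicit", body[2:]
    elif body.startswith("@"):
        kind, name = "recursive", body[1:]
    else:
        kind, name = "explicit", body
    if not name:
        raise ValueError(f"malformed member spec: {spec!r}")
    side = "non-members" if negative else "members"
    return f"{kind} {side}", qualify(name, default_domain)

def report(specs, default_domain):
    """Sort specs under the six headings that nisgrpadm -l prints."""
    out = {category: [] for category in CATEGORIES}
    for spec in specs:
        category, name = classify(spec, default_domain)
        out[category].append(name)
    return out

def is_member(principal, group, groups, seen=frozenset()):
    """Resolve a fully-qualified principal through nested groups.
    Assumptions (not stated on the page): a non-member entry wins over any
    member entry, and *.domain matches the principal's own domain only."""
    if group in seen or group not in groups:  # cycle guard / unknown group
        return False
    r = report(groups[group], group.split(".", 1)[1])
    def hit(side):
        return (principal in r[f"explicit {side}"]
                or principal.split(".", 1)[1] in r[f"implicit {side}"]
                or any(is_member(principal, g, groups, seen | {group})
                       for g in r[f"recursive {side}"]))
    return hit("members") and not hit("non-members")
```

Running `report()` over a group's stored member list shows at a glance whether an implicit or recursive entry widens the group beyond the principals named explicitly.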

Using niscat With Groups

The niscat -o command can be used to list the object properties of an NIS+ group.

· Listing the Object Properties of a Group

To list the object properties of a group, you must have Read access to the groups_dir directory in which the group is stored. Use niscat -o and the group's fully-qualified name, which must include its "groups_dir" subdirectory:

  niscat -o group-name.groups_dir.domain-name

For example:

  rootmaster# niscat -o misc.groups_dir.Wiz.Com.  
  Object Name   : misc  
  Owner         : rootmaster.Wiz.Com.  
  Group         : admin.Wiz.Com.  
  Domain        : groups_dir.Wiz.Com.  
  Access Rights : ----rmcdr---r---  
  Time to Live  : 1:0:0  
  Object Type   : GROUP  
  Group Flags   :  
  Group Members : rootmaster.Wiz.Com.  
                  topadmin.Wiz.Com.  
                  @.admin.Wiz.Com.  
                  *.Eng.Wiz.Com.  

Several of the group's properties are inherited from the NIS_DEFAULTS environment variable, unless they were overridden when the group was created. The Group Flags field is currently unused. In the list of group members, the * symbol identifies member domains and the @ symbol identifies member groups. See the syntax below for an explanation. A better arranged list of members is provided by the nisgrpadm -l command, on page 164.

The nisgrpadm Command

The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use nisgrpadm, you must have access rights appropriate for the operation:
Table 10-2 nisgrpadm

  This Operation    Requires This Access Right    To This Object
  Create a Group    Create                        groups_dir directory
  Destroy a Group   Destroy                       groups_dir directory
  List the Members  Read                          the group object
  Add Members       Modify                        the group object
  Remove Members    Modify                        the group object

Syntax

The nisgrpadm command has two main forms: one for working with groups, and one for working with group members.
To create or delete a group, or to list its members:

  nisgrpadm -c group-name.domain-name  
  nisgrpadm -d group-name  
  nisgrpadm -l group-name  

To add or remove members, or determine if they belong to the group:

  nisgrpadm -a group-name member...  
  nisgrpadm -r group-name member...  
  nisgrpadm -t group-name member...  

All operations except create (-c) accept a partially-qualified group-name. However, even for the -c option, nisgrpadm does not require the use of groups_dir in the group-name argument. In fact, it won't accept it.

Creating an NIS+ Group

To create an NIS+ group, you must have Create rights to the groups_dir directory of the group's domain. Use the -c option and a fully-qualified group name:

  nisgrpadm -c group-name.domain-name  

The example below creates three groups named admin. The first is in the Wiz.Com. domain, the second in Sales.Wiz.Com., and the third in Eng.Wiz.Com. All three are created from the master server of their respective domains.

  rootmaster# nisgrpadm -c admin.Wiz.Com.  
  Group "admin.Wiz.Com." created.  
  salesmaster# nisgrpadm -c admin.Sales.Wiz.Com.  
  Group "admin.Sales.Wiz.Com." created.  
  engmaster# nisgrpadm -c admin.Eng.Wiz.Com.  
  Group "admin.Eng.Wiz.Com." created.  

The group you create will inherit all the object properties specified in the NIS_DEFAULTS variable; that is, its owner, owning group, access rights, time-to-live, and search path. You can view these defaults by using the nisdefaults command (described in Chapter 9, "Administering NIS+ Access Rights"). Used without options, it provides this output:

  rootmaster# nisdefaults  
  Principal Name : rootmaster.Wiz.Com.  
  Domain Name    : Wiz.Com.  
  Host Name      : rootmaster.Wiz.Com.  
  Group Name     :  
  Access Rights  : ----rmcdr---r---  
  Time to live   : 12:0:0  
  Search Path    : Wiz.Com.  

The owner is listed in the "Principal Name:" field. The owning group is listed only if you have set the NIS_GROUP environment variable.
Of course, you can override any of these defaults at the time you create the group by using the -D option:

  salesmaster# nisgrpadm -D group=special.Sales.Wiz.Com. \  
                  -c admin.Sales.Wiz.Com.  
  Group "admin.Sales.Wiz.Com." created.  

Deleting an NIS+ Group

To delete an NIS+ group, you must have Destroy rights to the groups_dir directory in the group's domain. Use the -d option:

  nisgrpadm -d group-name

If the default domain is set properly, you don't have to fully-qualify the group name. However, you should check first (use nisdefaults), because you could unintentionally delete a group in another domain. The example below deletes the test.Sales.Wiz.Com. group.

  salesmaster% nisgrpadm -d test.Sales.Wiz.Com.  
  Group "test.Sales.Wiz.Com." destroyed.  

Adding Members to an NIS+ Group

To add members to an NIS+ group, you must have Modify rights to the group object. Use the -a option:

  nisgrpadm -a group-name    members . . .  

As described earlier, you can add principals (explicit members), domains (implicit members), and groups (recursive members). You don't have to fully qualify the name of the group or the name of the members who belong to the default domain. This example adds the NIS+ principals grace and beth, both from the default domain, Alma.Com., and the principals nahny and umpa, from the Villas.Com. domain, to the group diapers.Alma.Com.

To verify the operation, use the nisgrpadm -l option. Look for the members under the Explicit members category.
This example adds all the NIS+ principals in the Wiz.Com. domain to the all.Wiz.Com. group. It is entered from a client in the Wiz.Com. domain. Note the * symbol and the dot in front of the domain name.

This example adds the NIS+ group admin.Wiz.Com. to the admin.Eng.Wiz.Com. group. It is entered from a client of the Eng.Wiz.Com. domain. Note the @ symbol in front of the group name.

Listing the Members of an NIS+ Group

To list the members of an NIS+ group, you must have Read rights to the group object. Use the -l option:

  nisgrpadm -l group-name  

This example lists the members of the "admin.Eng.Wiz.Com." group. It is entered from a client in the Eng.Wiz.Com. domain:

  client% nisgrpadm -l admin  
  Group entry for "admin.Eng.Wiz.Com." group:  
      No explicit members  
      No implicit members:  
      Recursive members:  
           @admin.Wiz.Com.  
      No explicit non-members  
      No implicit non-members  
      No recursive non-members  

Removing Members From an NIS+ Group

To remove members from an NIS+ group, you must have Modify rights to the group object. Use the -r option:

  nisgrpadm -r group-name   members . . .  

This example removes the NIS+ principals "grace" and "nahny.Villas.Home.Com." from the "diapers.Alma.Home.Com." group. It is entered from a client in the Alma.Home.Com. domain:

  client% nisgrpadm -r diapers grace nahny.Villas.Home.Com.  
  Removed "grace.Alma.Home.Com." from group  
     "diapers.Alma.Home.Com.".  

This example removes the admin.Wiz.Com. group from the admin.Eng.Wiz.Com. group. It is entered from a client in the Eng.Wiz.Com. domain:

  client% nisgrpadm -r admin @admin.Wiz.Com.  
  Removed "@admin.Wiz.Com." from group "admin.Eng.Wiz.Com.".  

Testing for Membership in an NIS+ Group

To find out whether an NIS+ principal is a member of a particular NIS+ group, you must have Read access to the group object. Use the -t option:

  nisgrpadm -t group-name   members . . .  

This example tests whether the NIS+ principal topadmin belongs to the admin.Wiz.Com. group. It is entered from a client in the Wiz.Com. domain.

  client% nisgrpadm -t admin topadmin  
  "topadmin.Wiz.Com." is a member of group "admin.Wiz.Com.".  

This example tests whether the NIS+ principal joe, from the Sales.Wiz.Com. domain, belongs to the admin.Sales.Wiz.Com. group. It is entered from a client in the Wiz.Com. domain.

  client% nisgrpadm -t admin.Sales.Wiz.Com. joe.Sales.Wiz.Com.  
  "joe.Sales.Wiz.Com." is a member of group "admin.Sales.Wiz.Com.".