Administering NIS+ Groups
9
- A NIS+ group is a set of NIS+ principals. NIS+ groups are used to assign a set of access rights to NIS+ objects to the members of the group.
- This chapter describes how to use NIS+ group administration commands to perform the following tasks:
-
- For a complete description of these commands and their syntax and options, see the NIS+ man pages.
Related Commands

- The nisgrpadm command performs most group administration tasks, but several other commands affect groups as well:
-
Table 9-1
| Command | Description | See |
| nissetup | Creates, among other things, the directory in which a domain's groups are stored: groups_dir. | page 223 |
| nisls | Lists the contents of the groups_dir directory; in other words, all the groups in a domain. | page 184 |
| nischgrp | Changes or assigns a group to any NIS+ object. | page 134 |
| nisdefaults | Lists, among other things, the group that will be assigned to any new NIS+ object. | page 124 |
- For a complete description of these commands and their syntax and options, see the NIS+ man pages.
Specifying Group Members
- NIS+ groups can have three types of members: explicit, implicit, and recursive; and three types of nonmembers, also explicit, implicit, and recursive. These member types are used when adding or removing members of a group as described in "The nisgrpadm Command" on page 177.
-
Member Types
-
-
Explicit. An individual principal. Identified by principal name. The name does not have to be fully qualified if entered from its default domain.
-
Implicit. All the NIS+ principals who belong to an NIS+ domain. They are identified by their domain name, preceded by the * symbol and a dot. The operation you select applies to all the members in the group.
-
Recursive. All the NIS+ principals that are members of another NIS+ group. They are identified by their NIS+ group name, preceded by the @ symbol. The operation you select applies to all the members in the group.
-
Nonmember Types
- NIS+ groups also accept nonmembers in all three categories: explicit, implicit, and recursive. Nonmembers are principals specifically excluded from a group that they otherwise would be part of.
- Nonmembers are identified by a minus sign in front of their name:
-
-
Explicit nonmember. Identified by a minus sign in front of the principal name.
-
Implicit nonmember. Identified by a minus sign, * symbol, and dot in front of the domain name.
-
Recursive nonmember. Identified by a minus sign and @ symbol in front of the group name.
-
Using Member Types
-
Note - The order in which inclusions and exclusions are entered does not matter. Exclusions always take precedence over inclusions. Thus, if a principal is a member of an included implicit domain and also a member of an excluded recursive group, then that principal is not included.
- Thus, when using the nisgrpadm command, you can specify group members and nonmembers as shown in Table 9-2:
-
Table 9-2
| Type of member | Syntax |
| Explicit member | username.domain |
| Implicit member | *.domain |
| Recursive member | @groupname.domain |
| Explicit nonmember | -username.domain |
| Implicit nonmember | -*.domain |
| Recursive nonmember | -@groupname.domain |
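- The following added example (not part of the original manual, and not NIS+ source code) models how the six entry types of Table 9-2 combine, including the rule that exclusions take precedence regardless of order. The group contents, principal names, and the exact-domain match for implicit entries are assumptions made for illustration.

```python
# Added example: a model of the Table 9-2 rules, not NIS+ source code.
# GROUPS and all principal names are constructed sample data.
GROUPS = {
    "staff.wiz.com.": ["*.wiz.com.", "makeba.manf.wiz.com.",
                       "-@contractors.wiz.com."],
    "contractors.wiz.com.": ["jo.wiz.com."],
}

def classify(spec):
    """Split a Table 9-2 entry into (is_nonmember, kind, name)."""
    excluded = spec.startswith("-")
    body = spec[1:] if excluded else spec
    if body.startswith("*."):
        return excluded, "implicit", body[2:]
    if body.startswith("@"):
        return excluded, "recursive", body[1:]
    return excluded, "explicit", body

def covered(principal, group, groups, want_excluded, seen):
    """True if an entry of the requested polarity in `group` covers principal."""
    for spec in groups.get(group, []):
        excluded, kind, name = classify(spec)
        if excluded != want_excluded:
            continue
        if kind == "explicit" and name == principal:
            return True
        # Assumption: an implicit entry matches the principal's own domain only.
        if kind == "implicit" and principal.partition(".")[2] == name:
            return True
        if kind == "recursive" and is_member(principal, name, groups, seen):
            return True
    return False

def is_member(principal, group, groups=GROUPS, seen=frozenset()):
    """Evaluate membership; nonmember entries override member entries."""
    if group in seen:          # groups that include each other: stop here
        return False
    seen = seen | {group}
    if covered(principal, group, groups, True, seen):
        return False           # exclusions always take precedence
    return covered(principal, group, groups, False, seen)
```

- Reviewing a group this way shows which principals an implicit or recursive entry actually admits before the group is assigned to an object.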
Using niscat With Groups
- The niscat -o command can be used to list the object properties and membership of an NIS+ group.
Listing the Object Properties of a Group
- To list the object properties of a group, you must have read access to the groups_dir directory in which the group is stored. Use niscat -o and the group's fully qualified name, which must include its groups_dir subdirectory:
-
-
niscat -o group-name.groups_dir.domain-name

- For example:
-
rootmaster# niscat -o sales.groups_dir.wiz.com.
Object Name : sales
Owner : rootmaster.wiz.com.
Group : sales.wiz.com.
Domain : groups_dir.wiz.com.
Access Rights : ----rmcdr---r---
Time to Live : 1:0:0
Object Type : GROUP
Group Flags :
Group Members : rootmaster.wiz.com.
topadmin.wiz.com.
@.admin.wiz.com.
*.sales.wiz.com.
- Several of the group's properties are inherited from the NIS_DEFAULTS environment variable, unless they were overridden when the group was created. The group flags field is currently unused. In the list of group members, the * symbol identifies member domains and the @ symbol identifies member groups.
The nisgrpadm Command
- The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use nisgrpadm, you must have access rights appropriate for the operation:
-
Table 9-3 nisgrpadm
| This Operation | Requires This Access Right | To This Object |
| Create a group | Create | groups_dir directory |
| Destroy a group | Destroy | groups_dir directory |
| List the Members | Read | the group object |
| Add Members | Modify | the group object |
| Remove Members | Modify | the group object |
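- The following added example (not part of the original manual) parses the niscat -o output shown earlier for sales.groups_dir.wiz.com. and reports which access classes hold the modify right that Table 9-3 requires for adding or removing members. The class order nobody, owner, group, world for the 16-character Access Rights field is the NIS+ display convention, which this chapter does not spell out; the function names are hypothetical.

```python
# Added example; SAMPLE is the niscat -o output shown on this page.
SAMPLE = """\
Object Name : sales
Owner : rootmaster.wiz.com.
Group : sales.wiz.com.
Domain : groups_dir.wiz.com.
Access Rights : ----rmcdr---r---
Time to Live : 1:0:0
Object Type : GROUP
Group Flags :
Group Members : rootmaster.wiz.com.
topadmin.wiz.com.
@.admin.wiz.com.
*.sales.wiz.com.
"""

CLASSES = ("nobody", "owner", "group", "world")  # order of the 4-char fields

def parse_niscat(text):
    """Return {field: value}; continuation lines extend 'Group Members'."""
    obj, last = {}, None
    for line in text.splitlines():
        key, sep, value = line.partition(" :")
        if sep:
            last = key.strip()
            obj[last] = value.strip()
        elif line.strip() and last == "Group Members":
            obj[last] += " " + line.strip()
    obj["Group Members"] = obj.get("Group Members", "").split()
    return obj

def holders(rights, letter):
    """Classes whose 4-character field (r, m, c, d) contains `letter`."""
    if len(rights) != 16:
        raise ValueError("expected 16 access-right characters")
    return [c for i, c in enumerate(CLASSES) if letter in rights[4 * i:4 * i + 4]]

def membership_editors(text):
    """Table 9-3: adding or removing members needs modify on the group object."""
    return holders(parse_niscat(text)["Access Rights"], "m")
```

- A result other than owner alone, in particular one that includes world or nobody, means principals outside the intended administrators can change who is in the group.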
- The nisgrpadm command has two main forms, one for working with groups and one for working with group members.
- To create or delete a group, or to list its members, use this form:
-
nisgrpadm -c group-name.domain-name
nisgrpadm -d group-name
nisgrpadm -l group-name
- To add or remove members, or to determine whether they belong to the group, use this form (where member... can be any combination of the six membership types listed in Table 9-2 on page 175):
-
nisgrpadm -a group-name member...
nisgrpadm -r group-name member...
nisgrpadm -t group-name member...
- All operations except create (-c) accept partially qualified group names. However, even for the -c option, nisgrpadm does not require the use of groups_dir in the group-name argument. In fact, it won't accept it.
Creating an NIS+ Group
- To create an NIS+ group, you must have create rights to the groups_dir directory of the group's domain. Use the -c option and a fully qualified group name:
-
nisgrpadm -c group-name.domain-name
- A newly created group contains no members. See "Adding Members to an NIS+ Group" on page 179 for information on how to specify who belongs to a group.
- The example below creates three groups named admin. The first is in the Wiz.com. domain, the second in sales.wiz.com., and the third in manf.wiz.com. All three are created on the master server of their respective domains.
-
rootmaster# nisgrpadm -c admin.wiz.com.
Group admin.wiz.com. created.
salesmaster# nisgrpadm -c admin.sales.wiz.com.
Group admin.sales.wiz.com. created.
engmaster# nisgrpadm -c admin.manf.wiz.com.
Group admin.manf.wiz.com. created.
- The group you create will inherit all the object properties specified in the NIS_DEFAULTS variable; that is, its owner, owning group, access rights, time-to-live, and search path. You can view these defaults by using the nisdefaults command (described in Chapter 7, "Administering NIS+ Access Rights"). Used without options, it provides this output:
-
rootmaster# nisdefaults
Principal Name : rootmaster.wiz.com.
Domain Name : Wiz.com.
Host Name : rootmaster.WIz.com.
Group Name :
Access Rights : ----rmcdr---r---
Time to live : 12:0:0
Search Path : Wiz.com.
- The owner is listed in the Principal Name: field. The owning group is listed only if you have set the NIS_GROUP environment variable.
- Of course, you can override any of these defaults at the time you create the group by using the -D option:
-
salesmaster# nisgrpadm -D group=special.sales.wiz.com. -c admin.sales.wiz.com.
Group admin.sales.wiz.com. created.
Deleting an NIS+ Group
- To delete an NIS+ group, you must have destroy rights to the groups_dir directory in the group's domain. Use the -d option:
-
-
nisgrpadm -d group-name
- If the default domain is set properly, you don't have to fully-qualify the group name. However, you should check first (use nisdefaults), because you could unintentionally delete a group in another domain. The example below deletes the test.sales.wiz.com. group.
-
salesmaster% nisgrpadm -d test.sales.wiz.com.
Group 'test.sales.wiz.com.' destroyed.
Adding Members to an NIS+ Group
- To add members to an NIS+ group, you must have modify rights to the group object. Use the -a option:
-
nisgrpadm -a group-name members. . .
- As described in "Specifying Group Members" on page 174, you can add principals (explicit members), domains (implicit members), and groups (recursive members). You don't have to fully qualify the name of the group or the name of the members who belong to the default domain. This example adds the NIS+ principals panza and valjean, both from the default domain, sales.wiz.com., and the principal makeba, from the manf.wiz.com. domain, to the group Ateam.sales.wiz.com.
-
client% nisgrpadm -a Ateam panza valjean makeba.manf.wiz.com.
Added panza.sales.wiz.com to group Ateam.sales.wiz.com
Added valjean.sales.wiz.com to group Ateam.sales.wiz.com
Added makeba.manf.wiz.com to group Ateam.sales.wiz.com
- To verify the operation, use the nisgrpadm -l option. Look for the members under the Explicit members heading.
- This example adds all the NIS+ principals in the Wiz.com. domain to the Staff.wiz.com. group. It is entered from a client in the wiz.com. domain. Note the * symbol and the dot in front of the domain name.
-
client% nisgrpadm -a Staff *.wiz.com.
Added *.wiz.com. to group Staff.manf.wiz.com.
- This example adds the NIS+ group admin.wiz.com. to the admin.manf.wiz.com. group. It is entered from a client of the manf.wiz.com. domain. Note the @ symbol in front of the group name.
-
client% nisgrpadm -a admin @admin.wiz.com.
Added @admin.wiz.com. to group admin.manf.wiz.com.
Listing the Members of an NIS+ Group
- To list the members of an NIS+ group, you must have read rights to the group object. Use the -l option:
-
- This example lists the members of the admin.manf.wiz.com. group. It is entered from a client in the manf.wiz.com. domain:
-
client% nisgrpadm -l admin
Group entry for admin.manf.wiz.com. group:
No explicit members
No implicit members:
Recursive members:
@admin.wiz.com.
No explicit nonmembers
No implicit nonmembers
No recursive nonmembers
Removing Members From an NIS+ Group
- To remove members from an NIS+ group, you must have modify rights to the group object. Use the -r option:
-
nisgrpadm -r group-name members. . .
- This example removes the NIS+ principals allende and hugo.manf.wiz.com. from the Ateam.sales.wiz.com group. It is entered from a client in the sales.wiz.com. domain:
-
client% nisgrpadm -r Ateam allende hugo.manf.wiz.com.
Removed allende.sales.wiz.com. from group Ateam.sales.wiz.com.
Removed hugo.manf.wiz.com. from group Ateam.sales.wiz.com.
- This example removes the admin.wiz.com. group from the admin.manf.wiz.com. group. It is entered from a client in the manf.wiz.com. domain:
-
client% nisgrpadm -r admin @admin.wiz.com.
Removed @admin.wiz.com. from group admin.manf.wiz.com.
Testing for Membership in an NIS+ Group
- To find out whether an NIS+ principal is a member of a particular NIS+ group, you must have read access to the group object. Use the -t option:
-
nisgrpadm -t group-name members. . .
- This example tests whether the NIS+ principal topadmin belongs to the admin.wiz.com. group. It is entered from a client in the Wiz.com. domain.
-
client% nisgrpadm -t admin topadmin
topadmin.wiz.com. is a member of group admin.wiz.com.
- This example tests whether the NIS+ principal jo, from the sales.wiz.com. domain, belongs to the admin.sales.wiz.com. group. It is entered from a client in the wiz.com. domain.
-
client% nisgrpadm -t admin.sales.wiz.com. jo.sales.wiz.com.
jo.sales.wiz.com. is a member of group admin.sales.wiz.com.