Configuring the Network Information Service (NIS)

Using NIS maps in the password file

You can incorporate NIS maps in a client's /etc/passwd file to supplement entries that are valid only locally. User entries can be added from the NIS password map by starting them with the token ``+''. NIS entries for users have the following format:

+[username]:[password]:::[comment]:[directory]:[program]

The fields have the same meaning as for ordinary passwd(F) file entries except that there are no entries for the user or group IDs. That is, the UID and GID from the NIS entry are always used; they cannot be defined locally. Entries in the password, comment, directory, or program field override the corresponding value obtained from the NIS server.

The following entry inserts the entire NIS password file:

+:

Netgroup entries are added by specifying them as:

+@netgroup:

Any host information about a netgroup is ignored.

NOTE: You must specify all local entries before NIS map entries. Any local entries that are specified after NIS map entries are ignored.

You can prevent users and members of netgroups from logging in by starting their passwd entries with ``-'' instead of ``+'':

-username:
-@netgroup:

The following example passwd file is used in conjunction with the shadow(F) file to include and exclude certain users and netgroups:

   root:x:0:10:super user:/:/bin/sh
   fran:x:121:100:Fran Sisco:/u/fran/:/bin/ksh
   -renee:
   -@marketing:
   +diego::::::
   +:::::/u/guest:/bin/rksh
   +@developers:

This example, though simple, implies several things:

Local users root and fran can log in even when the system is standalone.
root and fran cannot use their NIS passwords on this client; they are local users.
renee is prevented from logging in even if she is also a member of the netgroup developers.
All members of the netgroup marketing are forbidden to log in unless they are also members of developers. fran can log in even if she is a member of marketing.
diego and all members of the network group developers can log in using their NIS passwords provided that they are not also members of marketing.
Members of the netgroup developers are restricted to using rksh(C) in the directory /u/guest by the entry +:::::/u/guest:/bin/rksh that precedes the entry defining their inclusion.

NOTE: Applications that read passwd stop as soon as they find a matching entry. For this reason, if you want to ban a member of a netgroup or allow access to a member of a banned netgroup, you must place the entry for the user before the netgroup.