A netgroup defines a network-wide group of hosts and users. Use a netgroup to restrict access to shared NFS filesystems and to restrict remote login and shell access.
Netgroups are a great way to identify people and machines under neat names for access control. A good example of using this feature is a site where ordinary users are not allowed to log in to server machines: you create a netgroup for the system administrators and let its members in through a special entry in the /etc/passwd file (see Referencing Netgroups below).
Netgroups have become a daily staple for NIS administrators. They allow machines and/or users to be collected together for various administrative tasks, such as grouping machines for use in the tcp_wrappers files /etc/hosts.allow and /etc/hosts.deny. In this next example, you restrict access via ssh to members of the sysadmin netgroup only (tcp_wrappers matches the connecting client's hostname against the host field of the netgroup's triples):

# /etc/hosts.deny
sshd: ALL

# /etc/hosts.allow
sshd: @sysadmin

Note that OpenSSH removed its built-in tcp_wrappers (libwrap) support in version 6.7, so on a current system check that your sshd is still linked against libwrap (for example with ldd on the sshd binary) before relying on these files; otherwise enforce the same netgroup with pam_access, whose /etc/security/access.conf also accepts @netgroup in its users field.
What are NIS netgroups good for?

First, it's important to understand what a NIS netgroup gains the average system administrator. NIS netgroups provide the ability to perform such tasks as:
- Control both user and group login access to individual or groups of machines.
- Manage NFS access control lists.
- Control user and group sudo command access.
- Execute remote commands or interactive logins on groups of machines with dsh (distributed shell).
- Manage the configuration of your entire network on a role basis with an IDM Implementation.
These are just a few of the excellent uses for NIS netgroups. If we take this functionality and implement an LDAP based backend, we can not only take advantage of these tools but gain the security, manageability and fault tolerance of Fedora Directory Server.
LDAP Setup

RFC 2307 defines the nisNetgroup structural object class for storing netgroups as directory entries. Its attributes are:
- cn - The cn attribute holds the name of the netgroup
- nisNetgroupTriple - stores the (host, user, NIS-domain) entries
- memberNisNetgroup - stores the names of any nested netgroups.
Before adding any netgroup entries to the directory, you must create a container where the netgroups are located. By convention, the ou=netgroup organizational unit is often used for storing them:
dn: ou=netgroup,dc=willeke,dc=com
objectclass: organizationalUnit
ou: netgroup
The sysadmin netgroup could be represented by this LDIF entry:

dn: cn=sysadmin,ou=netgroup,dc=plainjoe,dc=org
objectClass: nisNetgroup
objectClass: top
cn: sysadmin
nisNetgroupTriple: (garion.plainjoe.org,,)
nisNetgroupTriple: (silk.plainjoe.org,,)

Configure the LDAP client to use the correct netgroup search base, which is the container that is the parent of all your netgroup entries (ou=netgroup,dc=plainjoe,dc=org for the entry above): nss_base_netgroup in ldap.conf for nss_ldap, base netgroup in nslcd.conf, or ldap_netgroup_search_base in sssd.conf.
Name Service Switch File

Finally, you must inform the operating system to pass netgroup queries off to the LDAP directory by updating the netgroup entry in the Name Service Switch configuration:

## /etc/nsswitch.conf ##
. . .
netgroup: ldap
Query for Netgroup

The getent tool can be used to query NSS for a specific netgroup by giving the group name as a command-line parameter. For the sysadmin entry above it prints the group name followed by its triples, with blank (wildcard) fields shown empty:

getent netgroup sysadmin
sysadmin (garion.plainjoe.org, , ) (silk.plainjoe.org, , )
/etc/hosts.allow

It would also be a good idea to verify that the /etc/hosts.allow rule shown at the beginning of this page actually obeys the netgroup membership: attempt to log in to the machine over ssh from a host other than garion or silk and confirm that the connection is refused, then from garion or silk and confirm that it is accepted.
Location of netgroup NIS

As a reference, netgroup information is traditionally kept in the /etc/netgroup file and shared via NIS.
The format of a netgroups file is as follows:

groupname member-list

groupname is the name of the group being defined, and the member-list consists of other group names or tuples of specific data. Each entry in the member-list is separated by whitespace.
Tuples

Because netgroups stored in LDAP can be used by every host in an entire enterprise, the configuration of netgroups in LDAP is a little different. Each member is a tuple containing specific data in this form:
(hostname, username, domain name)
- hostname is the name of the machine for which that entry is valid
- username is the login of the person being referenced
- domain name is the NIS domain name

Any field left blank is considered a wildcard and matches anything.
Some Examples

For example,

(technics,,)

implies everybody on the host technics.
An entry with a dash (-) in a field means that there are no valid values for that field. For example,

(-,sshah,)

implies the user sshah and nothing else: no host and no domain match. This is useful for building a list of users or machine names for use in other netgroups. NOTE: We recommend the format

(,sshah,)

instead, as we have seen some implementations that do not like the use of "-" for none. Be aware that the two are not equivalent: a blank field is a wildcard, so (,sshah,) also matches sshah when a host is supplied to the check (for example by a tool that passes both host and user to innetgr), whereas (-,sshah,) never matches a host. For user lists that are consulted by user name only, such as the /etc/passwd entries below, the difference does not matter.
Referencing Netgroups

In files where netgroups are supported (such as /etc/passwd), you reference them by placing an @ sign in front of the netgroup name. If you want to give the netgroup sysadmins, consisting of

(,sshah,) (,heidis,)

permission to log in to a server, you add this line to your /etc/passwd file (the + syntax is only honoured when nsswitch.conf has passwd: compat, and it is the user field of each triple that is matched):

+@sysadmins
An example of a full netgroups file follows:

sysadmins   (,sshah,) (,heidis,) (,jnguyen,) (,mpham,)
servers     (numark,,) (vestax,,)
clients     (denon,,) (technics,,) (mtx,,)
research-1  (,boson,) (,jyom,) (,weals,) (,jaffe,)
research-2  (,sangeet,) (,mona,) (,paresh,) (,manjari,) (,jagdish,)
consultants (,arturo,)
allusers    sysadmins research-1 research-2 consultants
allhosts    servers clients

See also: System Access Control using LDAP backed NIS Netgroups.
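The following Python script is an added example, not code from this page or from any NIS or LDAP implementation. It parses the netgroup file format shown above, answers innetgr(3)-style membership questions using the rules from the Tuples section (a blank field is a wildcard, "-" matches nothing, nested netgroups are followed as getent netgroup does), and renders the same data as the RFC 2307 nisNetgroup LDIF described under LDAP Setup. The sample netgroup file, the ou=netgroup,dc=example,dc=com search base and all function names are constructed for the example; the consultants group is deliberately written with "-" in the host field so the difference from the wildcard host in sysadmins is visible.

```python
"""Netgroup toolkit: parse the /etc/netgroup format, answer innetgr(3)-style
membership questions and render the groups as RFC 2307 nisNetgroup LDIF."""
import re

# Constructed sample in /etc/netgroup format (names taken from the page above).
# consultants uses "-" for the host field; sysadmins uses the blank wildcard.
NETGROUP_FILE = """\
# netgroup      members
sysadmins   (,sshah,) (,heidis,) (,jnguyen,) (,mpham,)
servers     (numark,,) (vestax,,)
clients     (denon,,) (technics,,) (mtx,,)
consultants (-,arturo,)
allusers    sysadmins consultants
allhosts    servers clients
"""

# A member token is either a parenthesised triple or a bare nested-group name.
TOKEN_RE = re.compile(r"\([^)]*\)|\S+")


def parse_triple(token):
    """'(host,user,domain)' -> (host, user, domain); blanks and '-' are kept as-is."""
    fields = [f.strip() for f in token[1:-1].split(",")]
    if len(fields) != 3:
        raise ValueError("malformed netgroup triple: %r" % token)
    return tuple(fields)


def parse_netgroup_file(text):
    """Return {name: (triples, nested_group_names)} for a netgroup file."""
    groups = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        parts = line.split(None, 1)
        name, rest = parts[0], (parts[1] if len(parts) > 1 else "")
        triples, members = [], []
        for tok in TOKEN_RE.findall(rest):
            if tok.startswith("("):
                triples.append(parse_triple(tok))
            else:
                members.append(tok)              # bare word = nested netgroup
        groups[name] = (triples, members)
    return groups


def field_matches(pattern, value, fold=False):
    """One field of a triple against a queried value:
    value None  -> caller does not care about this field (a NULL to innetgr)
    pattern ''  -> wildcard, matches anything
    pattern '-' -> no valid value, matches nothing
    Host and domain names are compared case-insensitively (fold=True)."""
    if value is None or pattern == "":
        return True
    if pattern == "-":
        return False
    return pattern.lower() == value.lower() if fold else pattern == value


def innetgr(groups, name, host=None, user=None, domain=None, _seen=None):
    """True if (host, user, domain) is a member of netgroup `name`, following
    nested netgroups; the visited set guards against reference cycles."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in groups:
        return False
    _seen.add(name)
    triples, members = groups[name]
    for h, u, d in triples:
        if (field_matches(h, host, fold=True) and field_matches(u, user)
                and field_matches(d, domain, fold=True)):
            return True
    return any(innetgr(groups, m, host, user, domain, _seen) for m in members)


def expand(groups, name, _seen=None):
    """Every triple reachable from `name` (what `getent netgroup name` lists)."""
    if _seen is None:
        _seen = set()
    if name in _seen or name not in groups:
        return []
    _seen.add(name)
    triples, members = groups[name]
    result = list(triples)
    for m in members:
        result.extend(expand(groups, m, _seen))
    return result


def dn_escape(value):
    """Escape the RFC 4514 special characters in an RDN value."""
    return re.sub(r'([,+"\\<>;=])', r"\\\1", value)


def to_ldif(groups, base="ou=netgroup,dc=example,dc=com"):
    """Render the groups as RFC 2307 nisNetgroup entries under `base`.
    The container is assumed to exist and values are assumed ASCII/LDIF-safe."""
    entries = []
    for name, (triples, members) in groups.items():
        lines = ["dn: cn=%s,%s" % (dn_escape(name), base),
                 "objectClass: top", "objectClass: nisNetgroup", "cn: " + name]
        lines += ["nisNetgroupTriple: (%s,%s,%s)" % t for t in triples]
        lines += ["memberNisNetgroup: " + m for m in members]
        entries.append("\n".join(lines))
    return "\n\n".join(entries) + "\n"


if __name__ == "__main__":
    g = parse_netgroup_file(NETGROUP_FILE)
    print(to_ldif(g))
    # The question a hosts.allow line "sshd: @allhosts" asks about the client:
    print("technics in allhosts:", innetgr(g, "allhosts", host="technics"))
    # Blank host is a wildcard, "-" host never matches when a host is checked:
    print("sshah@numark in sysadmins:", innetgr(g, "sysadmins", host="numark", user="sshah"))
    print("arturo@numark in consultants:", innetgr(g, "consultants", host="numark", user="arturo"))
```

Feed the LDIF it prints to ldapadd against the container created under LDAP Setup, then compare getent netgroup allhosts with expand(groups, "allhosts") to confirm the client resolves the nested memberNisNetgroup references the same way.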