[Hoary] Centos NIS server, Hoary NIS client, groups don't match
deerfieldtech at gmail.com
Mon Jul 25 21:28:24 UTC 2005
On 7/25/05, Ewan Mac Mahon <ewan at macmahon.me.uk> wrote:
> On Sun, Jul 24, 2005 at 08:01:27PM -0400, P Jones wrote:
> > I saw a thread in the Ubuntu Forums that made some adjustments to some
> > pam configuration files, and that works to a degree (haven't played
> > around with it much yet), but I'm wondering if there is a solution to
> > my problem.
> That'll be using pam_group? I've got a similar setup here; there's no
> need for me to restrict access to the devices so I have a line in
> /etc/security/group.conf that unconditionally gives membership of the
> floppy, cdrom, audio etc groups to anyone that logs in to the Ubuntu
Correct, pam_group and /etc/security/group.conf . And likewise, in my
home network I have no reason to restrict access to those devices.
> What would be ideal would be if you could give membership of all the
> local groups based on membership of a single nis group, but from my
> reading of the docs that seems not to be possible.
Right, put some groups in a group. Googling around turned that idea up
somewhere, but I guess it was determined that such a technique was not
> > The whole point of me setting up NIS is to NOT have to set up user
> > accounts on every workstation, and to be able to manage access from
> > the server.
> The best way I can think of managing that is to create another admin
> group on the server with a high gid so it gets included in the nis maps
> (say wksadmin, for workstation admins), then add that group to the
> sudoers files on the clients just like the default admin group is. That
> way any local users in the 'admin' group get sudo rights, and any nis
> users in the 'wksadmin' nis group do too.
That's an interesting suggestion as my next issue, now that I'm
semi-comfortable with the pam_groups thing, was what to do about sudo
rights on the client.
> As a side note, IMHO, it's a good idea to have a local user with admin
> rights on a nis client box, since if the network breaks you can be left
> with no way in (other than recovery mode) to fix the problem.
I have root set up on the client machine. I don't mind the Ubuntu sudo
approach on laptops and independent workstations, but I prefer the
root approach on a machine that may have multiple users, or requires
the ability to prevent certain actions from being taken.
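
An added example, not part of the original messages: a small Python audit for the `/etc/security/group.conf` approach discussed in this thread, listing the groups that a rule hands to every login regardless of user, service or terminal. The sample file contents are constructed, and treating only `*; *; *; Al0000-2400` as "unconditional" is a simplifying assumption.

```python
import re

# Constructed sample of /etc/security/group.conf (not taken from the thread).
# pam_group rule syntax: services; ttys; users; times; groups
SAMPLE = """\
# services; ttys; users; times; groups
*; *; *; Al0000-2400; floppy, cdrom, audio
login; tty*; alice; Wk0900-1800; scanner
xdm; *; *; Al0000-2400; video
"""

def parse_group_conf(text):
    """Yield (lineno, services, ttys, users, times, [groups]) for each rule."""
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        fields = [f.strip() for f in line.split(";")]
        if len(fields) != 5:
            raise ValueError(f"line {lineno}: expected 5 ';'-separated fields")
        services, ttys, users, times, groups = fields
        yield lineno, services, ttys, users, times, re.split(r"[,\s]+", groups)

def unconditional_grants(text):
    """Return {group: [line numbers]} for rules that match every login.

    Assumption: a rule counts as unconditional only when services, ttys and
    users are all '*' and the time field is exactly 'Al0000-2400'.
    """
    found = {}
    for lineno, services, ttys, users, times, groups in parse_group_conf(text):
        if (services, ttys, users) == ("*", "*", "*") and times == "Al0000-2400":
            for group in groups:
                found.setdefault(group, []).append(lineno)
    return found

if __name__ == "__main__":
    for group, lines in sorted(unconditional_grants(SAMPLE).items()):
        print(f"{group}: granted to every PAM login (rule on line {lines})")
```

Any group reported here is held by every account that logs in through a PAM service using pam_group, so a group that carries real privilege should not appear in the output.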