
Network Information Services (NIS and NIS+) Guide


Administering NIS+ Groups

An NIS+ group is a set of NIS+ principals. NIS+ groups are used to assign a set of access rights to NIS+ objects to the members of the group.

This section describes how to use NIS+ group administration commands to perform the following tasks:

The nisgrpadm command performs most group administration tasks, but several other commands affect groups as well:

Commands That Affect Groups

Command      Description
nissetup     Creates, among other things, the directory in which a domain's groups are stored: groups_dir.
nisls        Lists the contents of the groups_dir directory; in other words, all the groups in a domain.
nischgrp     Changes or assigns a group to any NIS+ object.
nisdefaults  Lists, among other things, the group to be assigned to any new NIS+ object.

Specifying Group Members

NIS+ groups can have three types of members: explicit, implicit, and recursive. These member types are used when adding or removing members of a group:

Explicit
An individual principal, identified by principal name. The name does not have to be fully qualified if entered from its default domain.

Implicit
All the NIS+ principals who belong to an NIS+ domain. They are identified by their domain name, preceded by the * symbol and a dot. The operation you select applies to all the members in the group.

Recursive
All the NIS+ principals that are members of another NIS+ group. They are identified by their NIS+ group name, preceded by the @ symbol. The operation you select applies to all the members in the group.

NIS+ groups also accept nonmembers in all three categories: explicit, implicit, and recursive. Nonmembers are principals specifically excluded from a group to which they would otherwise belong. Nonmembers are identified in the following ways:

Explicit nonmember
Identified by a minus sign in front of the principal name.

Implicit nonmember
Identified by a minus sign, * symbol, and dot in front of the domain name.

Recursive nonmember
Identified by a minus sign and @ symbol in front of the group name.

The order in which inclusions and exclusions are entered is irrelevant. Exclusions always take precedence over inclusions. Thus, if a principal is a member of an included implicit domain and also a member of an excluded recursive group, then that principal is not included.

Using the nisgrpadm command, you can specify group members and nonmembers as shown in the following table.

Specifying Group Members and Nonmembers

Type of member         Format
Explicit member        username.domain
Implicit member        *.domain
Recursive member       @groupname.domain
Explicit nonmember     -username.domain
Implicit nonmember     -*.domain
Recursive nonmember    -@groupname.domain
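The following Python model, added here as an example and not part of the guide, applies the six member formats in the table above together with the precedence rule stated earlier: nonmember entries are tested before member entries, an implicit entry matches on the principal's domain, and a recursive entry is resolved through the referenced group (with that group's own exclusions applied). GROUPS is a constructed in-memory dictionary standing in for the objects under groups_dir, and every principal and group name in it is invented for the example; no NIS+ server is contacted.

```python
# Added example (not from the NIS+ guide): a model of NIS+ group membership
# resolution. GROUPS is a constructed dictionary standing in for the group
# objects under groups_dir; no NIS+ server is contacted.
from dataclasses import dataclass


@dataclass(frozen=True)
class Member:
    kind: str       # "explicit", "implicit" or "recursive"
    name: str       # fully qualified principal, domain or group name
    excluded: bool  # True for a nonmember entry (leading "-")


def parse_member(spec: str) -> Member:
    """Parse one entry in the six-format nisgrpadm member syntax."""
    excluded = spec.startswith("-")
    body = spec[1:] if excluded else spec
    if body.startswith("*."):          # implicit: every principal in a domain
        return Member("implicit", body[2:], excluded)
    if body.startswith("@"):           # recursive: every member of a group
        return Member("recursive", body[1:], excluded)
    return Member("explicit", body, excluded)


def principal_domain(principal: str) -> str:
    """panza.sales.wiz.com. -> sales.wiz.com. (the part after the first dot)."""
    return principal.split(".", 1)[1] if "." in principal else ""


def _covered(principal: str, entries, groups: dict, seen: frozenset) -> bool:
    """True if any entry covers the principal; exclusion flags are ignored here."""
    for m in entries:
        if m.kind == "explicit" and m.name == principal:
            return True
        if m.kind == "implicit" and principal_domain(principal) == m.name:
            return True
        if m.kind == "recursive" and m.name not in seen:
            # A recursive entry covers the principal only if the referenced
            # group, with its own exclusions applied, counts it as a member.
            if is_member(principal, m.name, groups, seen):
                return True
    return False


def is_member(principal: str, group: str, groups: dict, seen=frozenset()) -> bool:
    """Decide membership. Exclusions always take precedence over inclusions,
    so the nonmember entries are tested first; `seen` breaks reference cycles."""
    seen = seen | {group}
    entries = [parse_member(s) for s in groups.get(group, [])]
    if _covered(principal, [m for m in entries if m.excluded], groups, seen):
        return False
    return _covered(principal, [m for m in entries if not m.excluded], groups, seen)


# Constructed sample data (all names invented for the example).
GROUPS = {
    "admin.wiz.com.": ["rootmaster.wiz.com.", "topadmin.wiz.com.",
                       "auditor.sales.wiz.com."],
    "Ateam.sales.wiz.com.": ["*.sales.wiz.com.",        # whole sales domain
                             "makeba.manf.wiz.com.",    # one outside principal
                             "-@admin.wiz.com.",        # minus the admin group
                             "-hugo.sales.wiz.com."],   # minus one principal
    # Two groups that reference each other: resolution must still terminate.
    "ops.wiz.com.": ["@tools.wiz.com."],
    "tools.wiz.com.": ["@ops.wiz.com.", "bob.wiz.com."],
}

if __name__ == "__main__":
    for p in ("panza.sales.wiz.com.", "auditor.sales.wiz.com.",
              "hugo.sales.wiz.com.", "makeba.manf.wiz.com."):
        print(p, "->", is_member(p, "Ateam.sales.wiz.com.", GROUPS))
```

In the sample, auditor.sales.wiz.com. is covered by the included implicit domain *.sales.wiz.com. and also by the excluded recursive group -@admin.wiz.com., so the exclusion wins and the principal is not a member, which is exactly the case the precedence rule above describes.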

Using niscat with Groups

The niscat -o command can be used to list the object properties and membership of an NIS+ group.

Listing the Object Properties of a Group

To list the object properties of a group, you must have read access to the groups_dir directory in which the group is stored. Use niscat -o and the group's fully qualified name, which must include its groups_dir subdirectory:

niscat -o group-name.groups_dir.domain-name 

For example:

rootmaster# niscat -o sales.groups_dir.wiz.com.
Object Name   : sales
Owner         : rootmaster.wiz.com.
Group         : sales.wiz.com.
Access Rights : ----rmcdr---r---
Time to Live  : 1:0:0
Object Type   : GROUP
Group Flags   : 
Group Members : rootmaster.wiz.com.
                topadmin.wiz.com.
                @.admin.wiz.com.
                *.sales.wiz.com.

Several group properties are inherited from the NIS_DEFAULTS environment variable, unless they were overridden when the group was created. The Group Flags field is currently unused. In the list of group members, the * symbol identifies member domains and the @ symbol identifies member groups.
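Added example, not from the guide: a parser for the niscat -o listing above, with a check that flags memberships and rights worth reviewing (a whole domain admitted through *.domain, another group admitted through @group, and any modify, create or destroy right granted to the nobody or world categories). The sample listing is a constructed copy of the output above with the recursive member written as @admin.wiz.com., the form nisgrpadm accepts; the four-category layout of the Access Rights string (nobody, owner, group, world, each as rmcd) is taken from the Administering NIS+ Access Rights section rather than from this page.

```python
# Added example (not from the NIS+ guide): parse the listing that
# `niscat -o` prints for a group object and flag memberships and rights
# worth reviewing. The sample is a constructed copy of the listing above.
SAMPLE_NISCAT_O = """\
Object Name   : sales
Owner         : rootmaster.wiz.com.
Group         : sales.wiz.com.
Access Rights : ----rmcdr---r---
Time to Live  : 1:0:0
Object Type   : GROUP
Group Flags   :
Group Members : rootmaster.wiz.com.
                topadmin.wiz.com.
                @admin.wiz.com.
                *.sales.wiz.com.
"""


def parse_niscat_o(text: str) -> dict:
    """Map each 'Label : value' field to a list of values; indented lines
    continue the previous field (as the Group Members list does)."""
    fields, current = {}, None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line[0].isspace() and ":" in line:
            label, _, value = line.partition(":")
            current = label.strip()
            fields[current] = [value.strip()] if value.strip() else []
        elif current is not None:
            fields[current].append(line.strip())
    return fields


def classify_members(members) -> dict:
    """Split Group Members by prefix: *.domain, @group, or a plain principal."""
    out = {"principals": [], "domains": [], "groups": []}
    for m in members:
        if m.startswith("*."):
            out["domains"].append(m[2:])
        elif m.startswith("@"):
            out["groups"].append(m.lstrip("@."))  # tolerate the "@.name" spelling
        else:
            out["principals"].append(m)
    return out


# Layout of the 16-character rights string, as documented in the
# Administering NIS+ Access Rights section (not on this page): four
# categories in the order nobody, owner, group, world, each as "rmcd".
RIGHTS_CATEGORIES = ("nobody", "owner", "group", "world")


def parse_access_rights(rights: str) -> dict:
    """'----rmcdr---r---' -> {'nobody': set(), 'owner': {'r','m','c','d'}, ...}"""
    if len(rights) != 16:
        raise ValueError(f"unexpected rights string: {rights!r}")
    return {cat: {c for c in rights[4 * i:4 * i + 4] if c != "-"}
            for i, cat in enumerate(RIGHTS_CATEGORIES)}


def audit_group(text: str) -> list:
    """Return review findings for one niscat -o listing of a group."""
    fields = parse_niscat_o(text)
    members = classify_members(fields.get("Group Members", []))
    findings = [f"every principal in {d} is a member (implicit)"
                for d in members["domains"]]
    findings += [f"all members of {g} are members (recursive)"
                 for g in members["groups"]]
    rights = parse_access_rights(fields["Access Rights"][0])
    for cat in ("nobody", "world"):
        if rights[cat] & {"m", "c", "d"}:
            findings.append(f"{cat} can change this group: "
                            f"{''.join(sorted(rights[cat]))}")
    return findings


if __name__ == "__main__":
    for finding in audit_group(SAMPLE_NISCAT_O):
        print(finding)
```

Run over the listings of every group under groups_dir, the audit gives a quick inventory of where membership is granted wholesale rather than principal by principal, which is where an accidental grant of rights tends to hide.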

The nisgrpadm Command

The nisgrpadm command creates, deletes, and performs miscellaneous administration operations on NIS+ groups. To use the nisgrpadm command, you must have access rights appropriate for the operation.

Rights Required for nisgrpadm Command

This Operation      Requires This Access Right    To This Object
Create a group      Create                        groups_dir directory
Destroy a group     Destroy                       groups_dir directory
List the members    Read                          the group object
Add members         Modify                        the group object
Remove members      Modify                        the group object

The nisgrpadm command has two main forms, one for working with groups and one for working with group members.

To create or delete a group, or to list its members, use this form:

nisgrpadm -c group-name.domain-name
nisgrpadm -d group-name
nisgrpadm -l group-name

To add or remove members, or to determine whether they belong to the group, use this form (where member... can be any combination of the six membership types):

nisgrpadm -a group-name member...
nisgrpadm -r group-name member...
nisgrpadm -t group-name member...

All operations except create (-c) accept partially qualified group names. However, even for the -c option, the nisgrpadm command does not require (nor will it accept) groups_dir in the group-name argument.

Creating an NIS+ Group

To create an NIS+ group, you must have create rights to the groups_dir directory of the group's domain. Use the -c option and a fully qualified group name, as follows:

nisgrpadm -c group-name.domain-name 

A newly created group contains no members. See Adding Members to an NIS+ Group for information on how to specify group members.

The example below creates three groups named admin. The first is in the wiz.com. domain, the second in sales.wiz.com., and the third in manf.wiz.com. Each group must be created on the master server of its respective domain.

rootmaster# nisgrpadm -c admin.wiz.com.
Group admin.wiz.com. created.
salesmaster# nisgrpadm -c admin.sales.wiz.com.
Group admin.sales.wiz.com. created.
engmaster# nisgrpadm -c admin.manf.wiz.com.
Group admin.manf.wiz.com. created.

Each group created in the above example inherits all the object properties specified in the NIS_DEFAULTS variable; that is, its owner, owning group, access rights, and time-to-live. You can view these defaults by using the nisdefaults command (described in Administering NIS+ Access Rights). Used without options, the nisdefaults command provides the following output:

rootmaster# nisdefaults
Principal Name : rootmaster.wiz.com.
Domain Name    : Wiz.com.
Host Name      : rootmaster.wiz.com.
Group Name     : 
Access Rights  : ----rmcdr---r---
Time to live   : 12:0:0
Search Path    : Wiz.com.

The owner is listed in the Principal Name field. The owning group is listed only if you have set the NIS_GROUP environment variable.

You can use the -D option to override any of these defaults when you create the group. The following example sets the owning group (the Group property) of the new group to special.sales.wiz.com. as it creates the group:

salesmaster# nisgrpadm -D group=special.sales.wiz.com. -c admin.sales.wiz.com.
Group admin.sales.wiz.com. created.

Deleting an NIS+ Group

To delete an NIS+ group, you must have destroy rights to the groups_dir directory in the group's domain. Use the -d option, as follows:

nisgrpadm -d group-name 

Note: Before deleting a group, first use the nisdefaults command to check the domain setup and avoid unintentionally deleting a group in another domain.

If the default domain is set correctly, you do not have to fully qualify the group name. The following example deletes the test.sales.wiz.com. group.

salesmaster% nisgrpadm -d test.sales.wiz.com.
Group 'test.sales.wiz.com.' destroyed.
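The check recommended in the note above, written out as an added Python example (not from the guide): it reads the nisdefaults listing, qualifies a partial group name with the default domain the way nisgrpadm would, and refuses to build a nisgrpadm -d command for a group in another domain unless the caller explicitly allows it. The nisdefaults text is a constructed copy of the listing in Creating an NIS+ Group; nothing is executed, the function only returns the argument list.

```python
# Added example (not from the NIS+ guide): the pre-delete domain check that
# the note above recommends. SAMPLE_NISDEFAULTS is a constructed copy of the
# nisdefaults listing shown under Creating an NIS+ Group. Nothing is run;
# plan_delete only returns the argument list for the caller to execute.
SAMPLE_NISDEFAULTS = """\
Principal Name : rootmaster.wiz.com.
Domain Name    : Wiz.com.
Host Name      : rootmaster.wiz.com.
Group Name     :
Access Rights  : ----rmcdr---r---
Time to live   : 12:0:0
Search Path    : Wiz.com.
"""


def parse_nisdefaults(text: str) -> dict:
    """'Label : value' lines to a dict; the first colon ends the label."""
    out = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            out[label.strip()] = value.strip()
    return out


def qualify(group: str, default_domain: str) -> str:
    """A name without the trailing dot is partial: append the default domain."""
    return group if group.endswith(".") else f"{group}.{default_domain}"


def group_domain(fq_group: str) -> str:
    """admin.sales.wiz.com. -> sales.wiz.com."""
    return fq_group.split(".", 1)[1]


def plan_delete(group: str, nisdefaults_text: str,
                allow_other_domain: bool = False) -> list:
    """Build ['nisgrpadm', '-d', <fully qualified group>], refusing when the
    group lives outside the default domain unless the caller opts in."""
    default_domain = parse_nisdefaults(nisdefaults_text)["Domain Name"]
    fq_group = qualify(group, default_domain)
    # Domain names are compared case-insensitively in this example, because
    # the listing prints Wiz.com. while the principal names use wiz.com.
    if (group_domain(fq_group).lower() != default_domain.lower()
            and not allow_other_domain):
        raise ValueError(
            f"{fq_group} is not in the default domain {default_domain}; "
            "pass allow_other_domain=True to delete it anyway")
    return ["nisgrpadm", "-d", fq_group]


if __name__ == "__main__":
    print(" ".join(plan_delete("test", SAMPLE_NISDEFAULTS)))
```

On a live system the nisdefaults text would come from running the command (for instance through subprocess.run(["nisdefaults"], capture_output=True, text=True).stdout) and the returned list would be handed to subprocess.run; keeping the decision separate from the execution is what makes the check testable.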

Adding Members to an NIS+ Group

To add members to an NIS+ group, you must have modify rights to the group object. Use the -a option, as follows:

nisgrpadm -a group-name member...

As described in Specifying Group Members, you can add principals (explicit members), domains (implicit members), and groups (recursive members). You do not have to fully qualify the name of the group or the name of the members who belong to the default domain. The following example adds the NIS+ principals panza and valjean, both from the default domain, sales.wiz.com., as well as the principal makeba, from the manf.wiz.com. domain, to the group Ateam.sales.wiz.com.

client% nisgrpadm -a Ateam panza valjean makeba.manf.wiz.com.
Added panza.sales.wiz.com to group Ateam.sales.wiz.com
Added valjean.sales.wiz.com to group Ateam.sales.wiz.com
Added makeba.manf.wiz.com to group Ateam.sales.wiz.com

To verify that the members were added, use the nisgrpadm -l option. Look for the members under the Explicit members heading.

The following example adds all the NIS+ principals in the wiz.com. domain to the Staff.wiz.com. group. The command is entered from a client in the wiz.com. domain. Note the * symbol and the dot in front of the domain name.

client% nisgrpadm -a Staff *.wiz.com.
Added *.wiz.com. to group Staff.manf.wiz.com.

The following example adds the NIS+ group admin.wiz.com. to the admin.manf.wiz.com. group. The command is entered from a client of the manf.wiz.com. domain. Note the @ symbol in front of the group name.

client% nisgrpadm -a admin @admin.wiz.com.
Added @admin.wiz.com. to group admin.manf.wiz.com.

Listing the Members of an NIS+ Group

To list the members of an NIS+ group, you must have read rights to the group object. Use the -l option, as follows:

nisgrpadm -l group-name

The following example lists the members of the admin.manf.wiz.com. group. The command is entered from a client in the manf.wiz.com. domain:

client% nisgrpadm -l admin 
Group entry for admin.manf.wiz.com. group:    
    No explicit members
    No implicit members:
    Recursive members:         @admin.wiz.com.
    No explicit nonmembers
    No implicit nonmembers
    No recursive nonmembers

Removing Members from an NIS+ Group

To remove members from an NIS+ group, you must have modify rights to the group object. Use the -r option, as follows:

nisgrpadm -r group-name member...

The following example removes the NIS+ principals allende and hugo.manf.wiz.com. from the Ateam.sales.wiz.com. group. The command is entered from a client in the sales.wiz.com. domain:

client% nisgrpadm -r Ateam allende hugo.manf.wiz.com.
Removed allende.sales.wiz.com. from group Ateam.sales.wiz.com.
Removed hugo.manf.wiz.com. from group Ateam.sales.wiz.com.

The following example removes the admin.wiz.com. group from the admin.manf.wiz.com. group. The command is entered from a client in the manf.wiz.com. domain:

client% nisgrpadm -r admin @admin.wiz.com.
Removed @admin.wiz.com. from group admin.manf.wiz.com.

Testing Membership in an NIS+ Group

To test whether an NIS+ principal is a member of a particular NIS+ group, you must have read access to the group object. Use the -t option, as follows:

nisgrpadm -t group-name member...

The following example tests whether the NIS+ principal topadmin belongs to the admin.wiz.com. group. The command is entered from a client in the wiz.com. domain.

client% nisgrpadm -t admin topadmin
topadmin.wiz.com. is a member of group admin.wiz.com.

The following example tests whether the NIS+ principal jo, from the sales.wiz.com. domain, belongs to the admin.sales.wiz.com. group. The command is entered from a client in the wiz.com. domain.

client% nisgrpadm -t admin.sales.wiz.com. jo.sales.wiz.com. 
jo.sales.wiz.com. is a member of group admin.sales.wiz.com.
