On Tue, Sep 18, 2001 at 04:22:44PM -0500, Mike Hicks wrote:
> Shawn Fertch <fertch at mninter.net> wrote:
> > 
> > Anyone familiar enough with NIS on this?
> > 
> > At work we have varying *nix platforms:
> > 
> > Solaris (2.4, 2.6, 8)
> > HP-UX to 11
> > AIX 4.3.2 and 4.3.3, some older versions as well I believe
> > Tru64 4.0D, 4.0F, 5.1
> > Linux
> > SCO
> > A few others I'm certain of
> > 
> > Will NIS work cross platforms, as well as being able to exclude certain 
> > servers to which the person shouldn't have access?  Someone was
> > looking into it months ago, and said that it would not work because of
> > the various *nix platforms we run.
> 
> I would think it'd work, but you have to be somewhat wary about the data
> that gets transferred..  One big problem these days is that Linux uses
> more complex password hashes than most other Unix variants (save for the
> *BSDs).  You'll probably have to go to the least common denominator and
> use standard crypt()ed passwords.

Mike's right.  Linux is the only platform of those you mentioned that has
special requirements.  If your NIS master is a Linux box, you'll need to
modify /etc/login.defs and tell it _not_ to encrypt passwords in MD5.
(Though, this is RedHat specific - I'm not sure what you'd need to do to
get other distros to not use MD5).

Also, you'll have to keep it from using a shadow map as all the other
platforms don't support shadow passwords.

If your NIS master is one of the other platforms, then you're fine.  Linux
will fall back to using standard crypt()ed passwords and a non-shadowed
passwd map if that's what the master is using.

To answer your other question - being able to exclude certain servers to
which the person shouldn't have access - this is simple with NIS.
Basically, you create a netgroup only containing those who should be able
to log into the restricted machines.  Then, in /etc/passwd on those
machines, you put something like

+@admins::0:0:::
+::0:0:::/usr/local/etc/not_welcome

at the end.

This tells the system that those users in the 'admins' netgroup can log in,
while all other users get assigned '/usr/local/etc/not_welcome' as their
shell, and '/usr/local/etc/not_welcome' is a simple shell script like

#!/bin/sh
# Replacement login shell for non-admin NIS users: print a notice and exit
# without ever starting an interactive session.

echo ""
echo ""
echo "This machine is not available for interactive use."
echo "Please log into foo.bar.com."
echo ""
echo ""

Hope this helps,

Gabe

-- 
------------------------------------------------------------------------
Gabe Turner                                             gabe at msi.umn.edu
SGI Origin Systems Administrator,
University of Minnesota Supercomputing Institute
 for Digital Simulation and Advanced Computation         www.msi.umn.edu
------------------------------------------------------------------------
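To make the netgroup recipe above concrete, here is an added example (mine, not part of Gabe's mail or of any NIS implementation) that simulates how a compat-mode /etc/passwd with `+@netgroup` and catch-all `+` lines resolves a login, and audits such a file for the mistakes that silently defeat the restriction. It assumes the override semantics of glibc's nss_compat (non-empty passwd, gecos, home and shell fields of a `+` line replace the NIS values; the uid/gid written in a `+` line are ignored), models nested netgroups and `-` exclusion lines as well, and uses constructed NIS passwd and netgroup maps.

```python
"""Simulate NIS '+'/'-' compat entries in /etc/passwd and audit them.

Added example, not code from the original mail. Override semantics follow
glibc's nss_compat (assumed here; check your platform's passwd(4)): non-empty
passwd/gecos/home/shell fields of a '+' line replace the NIS values, and the
uid/gid written in a '+' line are ignored. All map data is constructed."""

FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
OVERRIDABLE = ("passwd", "gecos", "home", "shell")  # uid/gid never override

# Constructed NIS passwd map (what `ypcat passwd` would return).
NIS_PASSWD = [
    "alice:x9CrYpT:1001:100:Alice:/home/alice:/bin/sh",
    "bob:y8CrYpT:1002:100:Bob:/home/bob:/bin/csh",
    "carol:z7CrYpT:1003:100:Carol:/home/carol:/bin/ksh",
]

# Constructed netgroup map: name -> members, each a (host, user, domain)
# triple (an empty field is a wildcard) or the name of a nested netgroup.
NIS_NETGROUP = {
    "admins": [("", "alice", ""), "ops"],
    "ops": [("", "carol", "")],
}

# Local /etc/passwd of a restricted host, following the mail's recipe.
LOCAL_PASSWD = [
    "root:*:0:0:root:/:/bin/sh",
    "+@admins::0:0:::",
    "+::0:0:::/usr/local/etc/not_welcome",
]

def parse_entry(line):
    fields = line.split(":")
    if len(fields) != len(FIELDS):
        raise ValueError(f"expected 7 fields, got {len(fields)}: {line!r}")
    return dict(zip(FIELDS, fields))

def user_in_netgroup(user, group, netgroups, _seen=None):
    """True if user is a member of group, following nested netgroups."""
    _seen = set() if _seen is None else _seen
    if group in _seen or group not in netgroups:
        return False
    _seen.add(group)
    for member in netgroups[group]:
        if isinstance(member, str):
            if user_in_netgroup(user, member, netgroups, _seen):
                return True
        elif member[1] in ("", user):
            return True
    return False

def _selects(selector, user, netgroups):
    """Does '+@admins', '+bob', '+', '-@group', ... refer to this user?"""
    body = selector[1:]
    if body == "":
        return True
    if body.startswith("@"):
        return user_in_netgroup(user, body[1:], netgroups)
    return body == user

def resolve(user, local_passwd, nis_passwd, netgroups):
    """Effective passwd entry for user, or None if not admitted. Entries are
    scanned in file order and the first match wins, so '+@admins' must
    precede the catch-all '+'."""
    nis = {e["name"]: e for e in map(parse_entry, nis_passwd)}
    for entry in map(parse_entry, local_passwd):
        name = entry["name"]
        if name[:1] not in ("+", "-"):
            if name == user:
                return entry                  # ordinary local account
            continue
        if not _selects(name, user, netgroups):
            continue
        if name.startswith("-"):
            return None                       # explicitly excluded
        if user not in nis:
            continue                          # '+' only pulls in NIS users
        merged = dict(nis[user])
        for field in OVERRIDABLE:
            if entry[field]:
                merged[field] = entry[field]  # e.g. shell -> not_welcome
        return merged
    return None

def audit_local_passwd(local_passwd):
    """Flag compat entries that would silently fail to restrict logins."""
    findings = []
    seen_catchall = False
    for i, line in enumerate(local_passwd, 1):
        fields = line.split(":")
        if len(fields) != len(FIELDS):
            findings.append(f"line {i}: {len(fields)} fields, expected 7; "
                            "the shell override is misaligned and ignored")
            continue
        if fields[0] == "+":
            if not fields[6]:
                findings.append(f"line {i}: catch-all '+' without a shell "
                                "override admits every NIS user")
            seen_catchall = True
        elif fields[0].startswith("+@") and seen_catchall:
            findings.append(f"line {i}: '{fields[0]}' comes after the "
                            "catch-all '+' and never takes effect")
    return findings
```

Running `resolve("bob", LOCAL_PASSWD, NIS_PASSWD, NIS_NETGROUP)` yields bob's own uid from NIS with the shell replaced by `/usr/local/etc/not_welcome`, while alice and carol (via the nested `ops` netgroup) keep their NIS shells. The audit catches the three slips that matter in practice: a stray extra colon that shifts the shell field out of position, a catch-all `+` with no shell override, and a `+@netgroup` line placed after the catch-all where it can never match first.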