Re: How to remove users "only" on NIS database?
Dear Bob,
On Tue, 2013-02-12 at 15:17 -0700, Bob Proulx wrote:
> Markos wrote:
> > I have a small network with 6 machines running Debian Squeeze.
> >
> > When installing the machines I created only the root account and a user
> > student1 in "all" machines on the network.
>
> Sure.
>
> > Then I installed a NIS Service on a machine (server), to centralize
> > logging of new users.
>
> Reasonable.
>
> > But now, I realized that if I shut down the server I can no longer login
> > as root, or student1, on the client machines.
>
> That tells me that one of two things is the problem. Either 1) your
> /etc/nsswitch.conf file is incorrect. Look there and make sure it has
> these lines:
>
> passwd: files nis
> group: files nis
> shadow: files nis
>
> hosts: files dns
>
That was the problem!
I simply did what you suggested and now I can log in clients with or
without the server. :^)
> Note: The use of 'shadow' depends upon the setting of MERGE_PASSWD.
> Note: The hosts setting probably isn't the problem but can be if
> people set it to nis.
>
I imagine that you're referring to the variable MERGE_PASSWD in
/var/yp/Makefile on the server.
In my case it is set to "false":
MERGE_PASSWD=false
I think it is better to leave it as is?
> If those three file maps are set to files first then nis then the
> local files will always override the network nis/yp account setting.
>
Now I understand a little better how things work in NIS. :^)
> Or possibly 2) you have your nis/yp token "+" above the locally added
> accounts when it should be below the locally added accounts in the
> /etc/passwd file. When using compat and the "+" token then the
> account priority is in first one seen from top to bottom. (Except
> when using the 'nscd' package which randomizes it through a hash. I
> always remove it.)
>
I'm not using "+" in the file /etc/passwd
> I strongly recommend using "files nis" instead of the old traditional
> "compat" method that uses the "+" token. It just makes things so much
> simpler.
>
> > How do I remove the accounts root and student1 "only" on the NIS
> > database on the server?
>
> You should never be using root from the nis/yp remote network
> accounts! Always use the local root login account. But I think you
> are doing so and just don't realize it.
I think that's what was happening. But I was confused!
> Because I think if you were
> to try to use root account info from the network then you would have a
> bootstrapping problem because the system would not be able to
> bootstrap itself going. See also the MINUID variable which scrapes
> the presence of the root and other system accounts out of the master
> copy of the file before giving it to clients.
>
In /var/yp/Makefile
MINUID=1000
> Do you care about those logins on the server machine?
>
No. Only local.
> If you set up nis/yp to use /etc/passwd as the master copy of the file
> then simply remove the student1 account from it. (Do not remove the
> root account from it!)
>
OK!
> Of course if /etc/passwd is both the local file and the nis/yp map
> file then that will also remove the local login capability from
> student1 too. But usually that is fine and normal. I never allow
> random user logins on the nis/yp and nfs server master machine. It
> ensures that the machine is kept dedicated to nis/yp and nfs only
> which is a good thing.
>
> > I want to login as root or student1 on the client machines with the
> > server off.
>
> Then they need to be configured as local users on the machine. Local
> users mean that they are in the local /etc/passwd, /etc/group,
> /etc/shadow files as a local user. It means that if compat and + is
> used then they must appear above that token.
>
Yes, I understand.
They already exist as local accounts because they were created before
configuring the NIS on network.
> > Is there any command like "delusernis" for Debian Squeeze?
>
> If /etc/passwd is used as the master copy of the file then you may use
> the 'deluser' command just like any normal user.
>
> man deluser
>
> Or simply edit the file and make those deletions manually. It is just
> a text file. There isn't anything magical or difficult about it.
>
Ok!
> I have been saying "if /etc/passwd is used as the master copy for
> nis/yp" because that is configurable for nis/yp. See the YPSRCDIR
> variable. I personally never use /etc there but instead always keep
> nis/yp account data in /var/ypfiles/passwd and so forth for the group
> and shadow files. That way the machine can serve accounts without
> giving those accounts access to the server machine itself. To me that
> makes the most sense.
>
> But that means that those files need to be edited by some method other
> than adduser and deluser since those use /etc. That is okay. I
> simply edit /var/ypfiles/passwd and so forth manually. I use scripts
> with semaphore lockfiles. Or I know that it is only myself editing
> those files and simply edit them with my favorite editor.
>
> But setting up a separate /var/ypfiles takes someone who knows they
> want to set that up. It is configurable. In many years of looking at
> various large corporations I have always seen it set up that way at
> any larger site. For me that is the normal thing to do. But if you
> haven't known that then the simple default is to use the /etc/passwd
> file. But there isn't a way for me to know without asking and saying
> about it both ways.
>
I understood.
The network has only an educational purpose and is not continuously
connected to the Internet.
So I believe there is no need to keep copies of the passwd, group and
shadow in another location besides the /etc.
This would generate an additional task for me to manage the network.
But your tip was very important in my learning.
> Bob
In the beginning I was lost with so much information.
I think the answers of other more experienced users in a thread not only
serve to provide technical information but also, and especially, offer a
sense of confidence and safety for the newbies to feel that they are not
alone.
And being able to, calmly, connect information and build a global
vision.
Thanks again for your contribution.
Markos
www.c2o.pro.br
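
The settings discussed in this thread (lookup order in /etc/nsswitch.conf, the position of the "+" token under compat, and the MINUID cut-off in /var/yp/Makefile) can be checked with a few shell functions. This is an added example, not part of either message; the function names are hypothetical, the sample files are constructed, and `published_accounts` is a simplified preview of the MINUID filter rather than the Makefile's own rule.

```shell
#!/bin/sh
# Added example (not from the thread): audit the account lookup settings it discusses.
# Every path is a parameter, so the checks can be run on copies of the real files.

# Sources configured for one database, with comments and [action] items stripped.
nss_sources() {   # $1 = passwd|group|shadow, $2 = nsswitch.conf
    sed -n "s/^[[:space:]]*$1:[[:space:]]*//p" "$2" |
        sed -e 's/#.*//' -e 's/\[[^]]*]//g' | head -n 1
}

# Prints ok, compat, nis-first or no-files for one database; non-zero unless ok.
check_db() {      # $1 = database, $2 = nsswitch.conf
    files_pos=0; nis_pos=0; i=0
    for s in $(nss_sources "$1" "$2"); do
        i=$((i + 1))
        case $s in
            compat) echo compat; return 1 ;;
            files)  if [ "$files_pos" -eq 0 ]; then files_pos=$i; fi ;;
            nis)    if [ "$nis_pos" -eq 0 ]; then nis_pos=$i; fi ;;
        esac
    done
    if [ "$files_pos" -eq 0 ]; then echo no-files; return 1; fi
    if [ "$nis_pos" -ne 0 ] && [ "$nis_pos" -lt "$files_pos" ]; then
        echo nis-first; return 1
    fi
    echo ok
}

# With compat, file order decides: local accounts listed below the first "+" line.
accounts_below_plus() {   # $1 = passwd file
    awk -F: '/^\+/ { seen = 1; next } seen && NF && $1 !~ /^[-+#]/ { print $1 }' "$1"
}

# Accounts at or above MINUID, i.e. the ones the server would hand to clients.
published_accounts() {    # $1 = master passwd, $2 = yp Makefile
    minuid=$(sed -n 's/^MINUID[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$2" | head -n 1)
    awk -F: -v min="${minuid:-0}" '$1 !~ /^[-+#]/ && $3 >= min { print $1 }' "$1"
}

# Constructed sample files for a dry run; prints the directory holding them.
make_sample() {
    d=$(mktemp -d) || return 1
    printf 'passwd: nis files\ngroup: files nis\nshadow: compat\n' > "$d/nsswitch.conf"
    printf 'root:x:0:0::/root:/bin/sh\n+::::::\nstudent1:x:1000:1000::/home/student1:/bin/sh\n' > "$d/passwd"
    printf 'MINUID=1000\n' > "$d/Makefile"
    echo "$d"
}
```

On a client, `check_db passwd /etc/nsswitch.conf` should print `ok`; on the server, `published_accounts /etc/passwd /var/yp/Makefile` shows which logins would still reach the clients after an account is deleted.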