
Re: How to remove users "only" on NIS database?



Markos wrote:
> I have a small network with 6 machines running Debian Squeeze.
> 
> When installing the machines I created only the root account and a user
> student1 in "all" machines on the network.

Sure.

> Then I installed a NIS Service on a machine (server), to centralize
> logging of new users.

Reasonable.

> But now, I realized that if I shut down the server I can no longer login
> as root, or student1, on the client machines.

That tells me that one of two things is the problem.  Either 1) your
/etc/nsswitch.conf file is incorrect.  Look there and make sure it has
these lines:

  passwd:         files nis
  group:          files nis
  shadow:         files nis

  hosts:          files dns

Note: The use of 'shadow' depends upon the setting of MERGE_PASSWD.
Note: The hosts setting probably isn't the problem but can be if
people set it to nis.

If those three file maps are set to files first then nis then the
local files will always override the network nis/yp account setting.

Or possibly 2) you have your nis/yp token "+" above the locally added
accounts when it should be below the locally added accounts in the
/etc/passwd file.  When using compat and the "+" token then the
account priority is in first one seen from top to bottom.  (Except
when using the 'nscd' package which randomizes it through a hash.  I
always remove it.)

I strongly recommend using "files nis" instead of the old traditional
"compat" method that uses the "+" token.  It just makes things so much
simpler.

> How do I remove the accounts root and student1 "only" on the NIS
> database on the server?

You should never be using root from the nis/yp remote network
accounts!  Always use the local root login account.  But I think you
are doing so and just don't realize it.  Because I think if you were
to try to use root account info from the network then you would have a
bootstrapping problem because the system would not be able to
bootstrap itself going.  See also the MINUID variable which scrapes
the presence of the root and other system accounts out of the master
copy of the file before giving it to clients.

Do you care about those logins on the server machine?

If you set up nis/yp to use /etc/passwd as the master copy of the file
then simply remove the student1 account from it.  (Do not remove the
root account from it!)

Of course if /etc/passwd is both the local file and the nis/yp map
file then that will also remove the local login capability from
student1 too.  But usually that is fine and normal.  I never allow
random user logins on the nis/yp and nfs server master machine.  It
ensures that the machine is kept dedicated to nis/yp and nfs only
which is a good thing.

> I want to login as root or student1 on the client machines with the
> server off.

Then they need to be configured as local users on the machine.  Local
users mean that they are in the local /etc/passwd, /etc/group,
/etc/shadow files as a local user.  It means that if compat and + is
used then they must appear above that token.

> Is there any command like "delusernis" for Debian Squeeze?

If /etc/passwd is used as the master copy of the file then you may use
the 'deluser' command just like any normal user.

  man deluser

Or simply edit the file and make those deletions manually.  It is just
a text file.  There isn't anything magical or difficult about it.

I have been saying "if /etc/passwd is used as the master copy for
nis/yp" because that is configurable for nis/yp.  See the YPSRCDIR
variable.  I personally never use /etc there but instead always keep
nis/yp account data in /var/ypfiles/passwd and so forth for the group
and shadow files.  That way the machine can serve accounts without
giving those accounts access to the server machine itself.  To me that
makes the most sense.

But that means that those files need to be edited by some method other
than adduser and deluser since those use /etc.  That is okay.  I
simply edit /var/ypfiles/passwd and so forth manually.  I use scripts
with semaphore lockfiles.  Or I know that it is only myself editing
those files and simply edit them with my favorite editor.

But setting up a separate /var/ypfiles takes someone who knows they
want to set that up.  It is configurable.  In many years of looking at
various large corporations I have always seen it set up that way at
any larger site.  For me that is the normal thing to do.  But if you
haven't known that then the simple default is to use the /etc/passwd
file.  But there isn't a way for me to know without asking and saying
about it both ways.

Bob
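As an added example that is not part of Bob's reply or the original thread: a small POSIX shell script that audits a client for the two misconfigurations described above (nis listed before files in /etc/nsswitch.conf, and a compat "+" token sitting above local accounts in /etc/passwd) and shows which entries a MINUID cutoff would drop from the served passwd map. The function names and the sample nsswitch.conf and passwd contents are constructed here for illustration; the file paths are parameters so the script runs offline against those samples and can be pointed at the real /etc/nsswitch.conf and /etc/passwd afterwards.

```shell
#!/bin/sh
# Added example, not from the original thread. Audits the two problems Bob
# describes and previews the effect of a MINUID cutoff. All sample data below
# is constructed; nothing is read from a real host unless you pass its paths.

# nss_sources FILE DB : print the source list configured for DB
# (e.g. "files nis"); comments are stripped and the last matching line wins.
nss_sources() {
    sed -e 's/#.*//' "$1" \
        | awk -v key="$2:" '$1 == key { $1 = ""; sub(/^ +/, ""); print }' \
        | tail -n 1
}

# check_nsswitch FILE : return 0 when passwd, group and shadow each consult
# "files" before "nis"; otherwise print the offending databases and return 1.
check_nsswitch() {
    bad=""
    for db in passwd group shadow; do
        fpos=0; npos=0; i=0
        for src in $(nss_sources "$1" "$db"); do
            i=$((i + 1))
            if [ "$src" = files ] && [ "$fpos" -eq 0 ]; then fpos=$i; fi
            if [ "$src" = nis ] && [ "$npos" -eq 0 ]; then npos=$i; fi
        done
        # nis without local files, or ahead of them: local logins depend on
        # the server being up
        if [ "$npos" -ne 0 ] && { [ "$fpos" -eq 0 ] || [ "$fpos" -gt "$npos" ]; }; then
            bad="$bad $db"
        fi
    done
    if [ -n "$bad" ]; then
        echo "nis before files in:$bad"
        return 1
    fi
    return 0
}

# local_below_plus FILE : print local accounts that appear below the first
# compat "+" (or "-") token line. Under compat the first entry seen top to
# bottom wins, so these would be shadowed by NIS entries of the same name.
local_below_plus() {
    awk -F: '
        /^[+-]/ { seen = 1; next }
        seen && NF >= 7 { print $1 }
    ' "$1"
}

# check_passwd_plus FILE : return 0 when no local account sits below the token.
check_passwd_plus() {
    below=$(local_below_plus "$1")
    if [ -n "$below" ]; then
        echo "local accounts below the + token:" $below
        return 1
    fi
    return 0
}

# served_accounts FILE MINUID : names that survive a MINUID cutoff, i.e. what
# the NIS passwd map would carry once root and system accounts are scraped out.
served_accounts() {
    awk -F: -v min="$2" '!/^[+-]/ && NF >= 7 && $3 >= min { print $1 }' "$1"
}

# make_samples : write constructed sample files into a temp dir and export
# their paths (GOOD_NSS, BAD_NSS, GOOD_PASSWD, BAD_PASSWD).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    GOOD_NSS="$SAMPLE_DIR/nsswitch.good"
    BAD_NSS="$SAMPLE_DIR/nsswitch.bad"
    GOOD_PASSWD="$SAMPLE_DIR/passwd.good"
    BAD_PASSWD="$SAMPLE_DIR/passwd.bad"
    printf 'passwd:  files nis\ngroup:   files nis\nshadow:  files nis\nhosts:   files dns\n' > "$GOOD_NSS"
    printf 'passwd:  nis files\ngroup:   nis\nshadow:  files nis\nhosts:   files dns\n' > "$BAD_NSS"
    # local accounts above the token: the local definitions win
    printf 'root:x:0:0:root:/root:/bin/bash\nstudent1:x:1000:1000::/home/student1:/bin/bash\n+::::::\n' > "$GOOD_PASSWD"
    # token above student1: the NIS entry wins and the login fails with the server down
    printf 'root:x:0:0:root:/root:/bin/bash\n+::::::\nstudent1:x:1000:1000::/home/student1:/bin/bash\n' > "$BAD_PASSWD"
}

# Demo on the constructed samples; substitute /etc/nsswitch.conf and
# /etc/passwd to audit a real client.
make_samples
check_nsswitch "$BAD_NSS" || :
check_passwd_plus "$BAD_PASSWD" || :
echo "served with MINUID=1000:" $(served_accounts "$BAD_PASSWD" 1000)
rm -rf "$SAMPLE_DIR"
```

The two checks are independent: a client using "files nis" never reaches the token check, while a client still on compat passes the nsswitch check but needs every local account above the "+" line. The served_accounts preview is the same filter MINUID applies on the server, shown here so you can confirm root never leaves the master copy.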
