Dear Bob,

Thank you very much for your attention and details in your explanation.

As a newbie with NIS (and NFS) I'll read, and study, your message carefully. I'll copy your explanation as a tutorial. :^)

Greetings,
Markos

On Tue, 2013-02-12 at 15:17 -0700, Bob Proulx wrote:
> Markos wrote:
> > I have a small network with 6 machines running Debian Squeeze.
> >
> > When installing the machines I created only the root account and a user
> > student1 in "all" machines on the network.
>
> Sure.
>
> > Then I installed a NIS Service on a machine (server), to centralize
> > logging of new users.
>
> Reasonable.
>
> > But now, I realized that if I shut down the server I can no longer login
> > as root, or student1, on the client machines.
>
> That tells me that one of two things is the problem. Either 1) your
> /etc/nsswitch.conf file is incorrect. Look there and make sure it has
> these lines:
>
>   passwd:         files nis
>   group:          files nis
>   shadow:         files nis
>
>   hosts:          files dns
>
> Note: The use of 'shadow' depends upon the setting of MERGE_PASSWD.
> Note: The hosts setting probably isn't the problem but can be if
> people set it to nis.
>
> If those three file maps are set to files first then nis then the
> local files will always override the network nis/yp account setting.
>
> Or possibly 2) you have your nis/yp token "+" above the locally added
> accounts when it should be below the locally added accounts in the
> /etc/passwd file. When using compat and the "+" token then the
> account priority is in first one seen from top to bottom. (Except
> when using the 'nscd' package which randomizes it through a hash. I
> always remove it.)
>
> I strongly recommend using "files nis" instead of the old traditional
> "compat" method that uses the "+" token. It just makes things so much
> simpler.
>
> > How do I remove the accounts root and student1 "only" on the NIS
> > database on the server?
>
> You should never be using root from the nis/yp remote network
> accounts! Always use the local root login account. But I think you
> are doing so and just don't realize it. Because I think if you were
> to try to use root account info from the network then you would have a
> bootstrapping problem because the system would not be able to
> bootstrap itself going. See also the MINUID variable which scrapes
> the presence of the root and other system accounts out of the master
> copy of the file before giving it to clients.
>
> Do you care about those logins on the server machine?
>
> If you set up nis/yp to use /etc/passwd as the master copy of the file
> then simply remove the student1 account from it. (Do not remove the
> root account from it!)
>
> Of course if /etc/passwd is both the local file and the nis/yp map
> file then that will also remove the local login capability from
> student1 too. But usually that is fine and normal. I never allow
> random user logins on the nis/yp and nfs server master machine. It
> ensures that the machine is kept dedicated to nis/yp and nfs only
> which is a good thing.
>
> > I want to login as root or student1 on the client machines with the
> > server off.
>
> Then they need to be configured as local users on the machine. Local
> users mean that they are in the local /etc/passwd, /etc/group,
> /etc/shadow files as a local user. It means that if compat and + is
> used then they must appear above that token.
>
> > Is there any command like "delusernis" for Debian Squeeze?
>
> If /etc/passwd is used as the master copy of the file then you may use
> the 'deluser' command just like any normal user.
>
>   man deluser
>
> Or simply edit the file and make those deletions manually. It is just
> a text file. There isn't anything magical or difficult about it.
>
> I have been saying "if /etc/passwd is used as the master copy for
> nis/yp" because that is configurable for nis/yp. See the YPSRCDIR
> variable. I personally never use /etc there but instead always keep
> nis/yp account data in /var/ypfiles/passwd and so forth for the group
> and shadow files. That way the machine can serve accounts without
> giving those accounts access to the server machine itself. To me that
> makes the most sense.
>
> But that means that those files need to be edited by some method other
> than adduser and deluser since those use /etc. That is okay. I
> simply edit /var/ypfiles/passwd and so forth manually. I use scripts
> with semaphore lockfiles. Or I know that it is only myself editing
> those files and simply edit them with my favorite editor.
>
> But setting up a separate /var/ypfiles takes someone who knows they
> want to set that up. It is configurable. In many years of looking at
> various large corporations I have always seen it set up that way at
> any larger site. For me that is the normal thing to do. But if you
> haven't known that then the simple default is to use the /etc/passwd
> file. But there isn't a way for me to know without asking and saying
> about it both ways.
>
> Bob
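Added example, not part of the original messages: a small audit of the two conditions discussed in the thread, namely that passwd, group and shadow consult "files" before "nis" in /etc/nsswitch.conf and that, in compat mode, the accounts that must stay local sit above the "+" token in /etc/passwd. The function names and the sample file contents are constructed for illustration.

```python
# Constructed sample files (illustrative, not taken from the thread's machines).
NSSWITCH_SAMPLE = """\
passwd: compat
group:  files nis
shadow: nis files
hosts:  files dns
"""
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
+::::::
student1:x:1000:1000::/home/student1:/bin/bash
"""

def parse_nsswitch(text):
    """Return {database: [sources]}, skipping comments and [action] items."""
    maps = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if ":" in line:
            db, sources = line.split(":", 1)
            maps[db.strip()] = [s for s in sources.split() if not s.startswith("[")]
    return maps

def accounts_not_above_plus(passwd_text, accounts):
    """compat mode: accounts missing from the lines above the first '+' entry."""
    above = set()
    for line in passwd_text.splitlines():
        if line.startswith("+"):
            break
        above.add(line.split(":", 1)[0])
    return [a for a in accounts if a not in above]

def audit(nsswitch_text, passwd_text, must_be_local=("root", "student1")):
    """Return findings that would let a NIS outage block the given local logins."""
    findings, maps = [], parse_nsswitch(nsswitch_text)
    for db in ("passwd", "group", "shadow"):
        src = maps.get(db)
        if src is None:
            continue  # database not configured in this file; nothing to judge
        if "compat" in src:
            if db == "passwd":
                findings += [f"passwd: compat in use, '{a}' is not above the '+' token"
                             for a in accounts_not_above_plus(passwd_text, must_be_local)]
        elif "files" not in src or ("nis" in src and src.index("nis") < src.index("files")):
            findings.append(f"{db}: 'files' is not consulted before 'nis' ({' '.join(src)})")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(NSSWITCH_SAMPLE, PASSWD_SAMPLE)) or "local files take priority")
```

To check a real client, pass the contents of /etc/nsswitch.conf and /etc/passwd to audit() in place of the samples.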