netgroup(4)                      File Formats                      netgroup(4)

NAME

       netgroup - list of network groups

SYNOPSIS

       /etc/netgroup

DESCRIPTION

       A netgroup defines a network-wide group of hosts and users. Use a
       netgroup to restrict access to shared NFS filesystems and to restrict
       remote login and shell access.

       Network groups are stored in a network information service, such as
       LDAP, NIS, or NIS+, not in a local file.

       This manual page describes the format for a file that is used to supply
       input to a program such as ldapaddent(1M) for LDAP, makedbm(1M) for
       NIS, or nisaddent(1M) for NIS+. These programs build maps or tables
       used by their corresponding network information services.

       Each line of the file defines the name and membership of a network
       group. The line should have the format:

         groupname     member...

       The items on a line can be separated by a combination of one or more
       spaces or tabs.

       The groupname is the name of the group being defined. This is followed
       by a list of members of the group. Each member is either another group
       name, all of whose members are to be included in the group being
       defined, or a triple of the form:

         (hostname,username,domainname)

       In each triple, any of the three fields hostname, username, and
       domainname, can be empty. An empty field signifies a wildcard that
       matches any value in that field. Thus:

         everything (,,this.domain)

       defines a group named "everything" for the domain "this.domain" to
       which every host and user belongs.

       The domainname field refers to the domain in which the triple is valid,
       not the domain containing the host or user. In fact, applications using
       netgroup generally do not check the domainname. Therefore, using

         (,,domain)

       is equivalent to

         (,,)

       You can also use netgroups to control NFS mount access (see
       share_nfs(1M)) and to control remote login and shell access (see
       hosts.equiv(4)). You can also use them to control local login access
       (see passwd(4), shadow(4), and compat in nsswitch.conf(4)).

       When used for these purposes, a host is considered a member of a
       netgroup if the netgroup contains any triple in which the hostname
       field matches the name of the host requesting access and the domainname
       field matches the domain of the host controlling access.

       Similarly, a user is considered a member of a netgroup if the netgroup
       contains any triple in which the username field matches the name of the
       user requesting access and the domainname field matches the domain of
       the host controlling access.

       Note that when netgroups are used to control NFS mount access, access
       is granted depending only on whether the requesting host is a member of
       the netgroup. Remote login and shell access can be controlled both on
       the basis of host and user membership in separate netgroups.

FILES

       /etc/netgroup    Used by a network information service's utility to
                        construct a map or table that contains netgroup
                        information. For example, ldapaddent(1M) uses
                        /etc/netgroup to construct an LDAP container.

       Note that the netgroup information must always be stored in a network
       information service, such as LDAP, NIS, or NIS+. The local file is only
       used to construct a map or table for the network information service.
       It is never consulted directly.

SEE ALSO

       NIS+(1), ldapaddent(1M), makedbm(1M), nisaddent(1M), share_nfs(1M),
       innetgr(3C), hosts(4), hosts.equiv(4), nsswitch.conf(4), passwd(4),
       shadow(4)

NOTES

       netgroup requires a network information service such as LDAP, NIS, or
       NIS+.

       Applications may make general membership tests using the innetgr()
       function. See innetgr(3C).

       Because the "-" character will not match any specific username or
       hostname, it is commonly used as a placeholder that will match only
       wildcarded membership queries. So, for example:

         onlyhosts (host1,-,our.domain) (host2,-,our.domain)
         onlyusers (-,john,our.domain) (-,linda,our.domain)

       effectively define netgroups containing only hosts and only users,
       respectively. Any other string that is guaranteed not to be a legal
       username or hostname will also suffice for this purpose.

       Use of placeholders will improve search performance.

       When a machine with multiple interfaces and multiple names is defined
       as a member of a netgroup, one must list all of the names. See
       hosts(4). A manageable way to do this is to define a netgroup
       containing all of the machine names. For example, for a host "gateway"
       that has names "gateway-subnet1" and "gateway-subnet2" one may define
       the netgroup:

         gateway (gateway-subnet1,,our.domain) (gateway-subnet2,,our.domain)

       and use this netgroup "gateway" whenever the host is to be included in
       another netgroup.

SunOS 5.11                        22 Jul 2004                      netgroup(4)