Users and Groups

Attention: An NIS record has a maximum size of 1024 bytes. This limitation applies to all NIS map files. For example, a list of users in a group can contain a maximum of 1024 characters in single-byte character set file format. Before doing the following procedure, ensure that no configuration file is beyond this limit. NIS cannot operate correctly with map files that exceed this maximum.

By default, NIS uses the /etc/passwd and /etc/group files on the master server as the input for the passwd and group maps. All users and groups on the master server are thus included automatically in the maps. The simplest configuration is to add every user and group in this entire domain to the /etc/passwd and /etc/group files.

Note: It is possible to manage users and groups without using NIS; however, managing users and groups is the primary benefit of NIS.

For security, accounting, or performance reasons, you may not want certain users to be able to log in to the master server. If so, you can build the passwd and group maps from other files, such as /var/yp/passwd and /var/yp/group, that are used for NIS users and groups only. That way, /etc/passwd and /etc/group on the master server need contain only the minimum necessary entries. (Using a separate password file also affects the yppasswdd daemon. See Configuring the NIS Master Server for more information.) To configure the master server in this way, do the following:

  1. Create the new file to be used instead of the /etc/group file (for example, assume that you name the file /var/yp/group) by entering the following command:
    cp /etc/group /var/yp/group
    You can use a copy of any machine's /etc/group file, not just the /etc/group file on the master server. Then, using an editor, remove from the /etc/group file all the non-local entries, and add the NIS escape sequence (+:) as the last line in the file.
  2. Create the new file to be used instead of the /etc/passwd file (for example, assume that you name the file /var/yp/passwd). Again, you can use a copy of any machine's /etc/passwd file, not just the /etc/passwd file on the master server. Also, you can use the password information from another NIS domain by entering ypcat passwd > passwd at the command line of a client in the other domain. Then, copy the passwd file into the /var/yp directory of the master server in this domain.

    You can either preserve the current passwords or reset the passwords.

    • If you want to preserve existing passwords, use the mrgpwd command to merge the /etc/passwd file with the /etc/security/passwd file, where the encrypted passwords are stored. This step is actually two commands, as shown below:
      cd /var/yp
      /usr/sbin/mrgpwd > passwd
      mrgpwd takes its input from the /etc/passwd and /etc/security/passwd files only.
    • If you want to reset all the passwords, enter the following command:
      cp /etc/passwd /var/yp/passwd
      Then, using an editor, remove the ! (exclamation point) from the password field in each entry in the /var/yp/passwd file. Finally, using an editor, remove from the /etc/passwd file all the non-local entries, and add the NIS escape sequence (+::0:0:::) as the last line in the file.
      Note: User IDs (UIDs) created in this way initially contain no passwords.
  3. Change the /var/yp/Makefile file to reflect the new locations of the input files. You can do so using one of two methods:
    • Locate only the /etc/passwd and /etc/group files in /var/yp. Using an editor, open the /var/yp/Makefile file and create a new variable called PWDIR=/var/yp. In the passwd.time and group.time stanzas, replace every occurrence of the DIR variable with PWDIR.
    • Locate all the /etc files in /var/yp. Edit the Makefile file to modify the default DIR variable. Change DIR=/etc (the default configuration) to DIR=/var/yp. In contrast to the first method, you do not have to edit any of the Makefile stanzas.
      Note: The SMIT fast paths smit mkuser and smit mkgroup can be used to create users and groups only in the /etc/passwd and /etc/group files.
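The checks and file edits that the steps above call for (verifying the 1024-byte NIS record limit before building the maps, clearing the ! placeholder from the password field when passwords are reset, and appending the NIS escape sequence as the last line) can be done from the shell. The helpers below are an added example written for this page; they are not part of the AIX documentation or of NIS itself. They assume POSIX sh and awk, take the file to check or edit as an argument, and the passwd lines used to exercise them are constructed, not taken from a real system.

```shell
#!/bin/sh
# Added example (not from the AIX documentation): shell helpers for the
# file checks and edits described in the procedure above.
# Assumes POSIX sh, awk, tail and printf; file paths are passed as arguments.

# Report every line of FILE longer than 1024 bytes, the NIS record limit.
# Returns 0 when all records fit, 1 when at least one is too long.
nis_check_record_size() {
    file=$1
    # LC_ALL=C makes awk's length() count bytes rather than characters,
    # which is what the NIS limit is expressed in.
    over=$(LC_ALL=C awk 'length($0) > 1024 {
        print FILENAME ":" NR ": " length($0) " bytes" }' "$file")
    if [ -n "$over" ]; then
        printf '%s\n' "$over" >&2
        return 1
    fi
    return 0
}

# Print FILE with the "!" placeholder removed from the password field
# (field 2), so that every entry starts out with no password (step 2,
# "reset all the passwords"). The file itself is not modified.
nis_clear_password_field() {
    awk -F: 'BEGIN { OFS = ":" } $2 == "!" { $2 = "" } { print }' "$1"
}

# Append ESCAPE ("+:" for a group file, "+::0:0:::" for a passwd file)
# to FILE as its last line, unless it already is the last line, so the
# function can be re-run safely.
nis_add_escape() {
    file=$1
    escape=$2
    # Make sure the file ends with a newline before appending anything;
    # $(tail -c 1 ...) is empty only when the last byte is a newline.
    if [ -s "$file" ] && [ -n "$(tail -c 1 "$file")" ]; then
        printf '\n' >> "$file"
    fi
    if [ "$(tail -n 1 "$file")" != "$escape" ]; then
        printf '%s\n' "$escape" >> "$file"
    fi
}
```

A typical sequence on the master server is to run nis_check_record_size over /var/yp/passwd and /var/yp/group before touching the Makefile, pipe the copied passwd file through nis_clear_password_field only when resetting passwords (the mrgpwd path keeps the encrypted passwords and needs no such step), and finish with nis_add_escape on the local /etc files.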
Note: As the number of groups managed by NIS increases, it becomes more important to ensure that the netid.byname map contains an entry for each user. This can help improve the performance of the NIS servers by reducing the number of lookups required in the group maps. The netid.byname map can be queried by running ypcat netid.byname. For more information on creating the netid.byname map, see the mknetid command.