Tuesday, April 8, 2014

NIS & roles

I've already posted about NIS & logins.
This post is a similar one but about NIS & roles.

A role is an account that is used to access the system indirectly: you log in as yourself and then assume the role.
Like a login, it has credentials and a home directory.
Those resources are conveniently managed centrally by NIS services.
Unfortunately, NIS cannot meet today's security requirements.
Nevertheless, it may still be very useful in restricted scenarios.

I restate the assumptions listed in NIS & logins.
Nevertheless, I make one exception (just for illustration):
the NIS master host nis-1 is an immutable zone of host-1.

In this example, I'll create a role called nis.
The goal is to manage NIS through this role, avoiding cumbersome sudo.

To perform the series of changes on nis-1, reboot it into read-write mode
(when finished, reboot it once again to re-enter read-only mode):

host-1# zoneadm -z nis-1 reboot -w

Create the role account on the NIS master:

nis-1# roleadd -c "NIS" -K roleauth=user nis

nis-1# getent passwd nis
nis:x:103:10:NIS:/export/home/nis:/usr/bin/pfbash


nis-1# passwd nis
New Password:
Re-enter new Password:
passwd: password successfully changed for nis


Copy the role's basic configuration to the appropriate map sources (the pattern is anchored so that only the nis account itself is copied, not other lines that happen to contain "nis"):

nis-1# grep '^nis:' /etc/passwd >> /var/nis/acct/passwd
nis-1# grep '^nis:' /etc/shadow >> /var/nis/acct/shadow

Clean up the local role account from the NIS master:

nis-1# roledel nis

Edit the group and home directory configuration in the passwd map.
It should look as follows:

nis-1# grep nis /var/nis/acct/passwd
nis:x:103:1001:NIS:/home/nis:/usr/bin/pfbash


nis-1# grep nis /var/nis/group
nis::1001:

Edit the netgroup configuration.
It should look somewhat similar to:
 
nis-1# cat /var/nis/netgroup
...
nisadmin ... (-,nis,business.corp) ...
...

Edit the project configuration in the project map, and the matching role entry in user_attr.
They should look as follows:

nis-1# grep nis /var/nis/project
nisadmin:200:NISAdmin:nis::


nis-1# grep nis /var/nis/user_attr  
nis::::type=role;project=nisadmin;profiles=All;roleauth=user

Edit the automounter configuration in the auto_home map.
It should look as follows:

nis-1# grep nis /var/nis/auto_home
nis nfs-1.business.corp:/export/home/&


Run make on the updated sources:

nis-1:/var/yp# make
updated passwd
pushed passwd
updated ageing
updated netid
pushed netid
updated project
pushed project
updated netgroup
pushed netgroup
updated auto.home
pushed auto.home
updated user_attr
pushed user_attr


Verify that the maps were correctly updated:

nis-2$ ypmatch -k nis passwd
nis: nis:...:103:1001:NIS:/home/nis:/usr/bin/pfbash

 
nis-2$ ypmatch -k nis auto.home
nis: nfs-1.business.corp:/export/home/&

 
nis-2$ ypmatch -k nisadmin project
nisadmin: nisadmin:102:NISAdmin:nis::

nis-2$ ypmatch -k nis user_attr
nis: nis::::project=nisadmin;type=role;roleauth=user;...

 
nis-2$ ypcat -k netgroup | grep nis
nisadmin (-,nis,business.corp)


Create and export the home directory:

nfs-1# zfs create \
> -o quota=1g \
> -o share.nfs.sec.sys.rw="desktops:servers" \
> rpool/export/home/nis

nfs-1# cp /etc/skel/.profile /export/home/nis
nfs-1# cp /etc/skel/.bashrc /export/home/nis

nfs-1# chown -R nis:root /export/home/nis

nfs-1# ll -a /export/home/nis
total 11
drwxr-xr-x   5 root     root    ... ..
drwxr-xr-x   2 nis      nis     ... .
-rw-r--r--   1 nis      nis     ... .profile
-r--r--r--   1 nis      nis     ... .bashrc

nfs-1# zfs set share.nfs=on rpool/export/home/nis

nfs-1# zfs get -o value share rpool/export/home/nis
VALUE
name=...,path=/export/home/nis,...,rw=servers:desktops


In addition to updating the NIS maps, if any NIS netgroup referenced by an NFS share has changed, the NFS service must be refreshed as well.

In order to be useful, roles must be associated with logins.
To associate the role nis with the login user2, alter the user_attr NIS map so that user2's entry lists the role (the grep below matches the line through its roles=nis attribute):

nis-1# grep nis /var/nis/user_attr
user2::::project=project1;roles=nis

Then run make on the updated source:

nis-1:/var/yp# make
...
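Before running make on the sources, it is worth checking that the entries for the role agree with each other across the maps: the primary GID in passwd exists in group, user_attr marks the account as a role, the project named there exists and lists the role, auto_home has a home entry, and every roles= attribute on a login (as in the user2 step above) points at an entry that really is a role. The POSIX shell script below is an added example, not code from the original post. It builds a constructed set of map sources in a scratch directory mirroring the lines shown above so that it runs offline; to use it against the real sources, point DIR at /var/nis (with passwd under /var/nis/acct). The function names and the layout of the scratch directory are assumptions of this example.

```shell
#!/bin/sh
# Added example: consistency checks over NIS map sources for a role before "make".
# Layout assumed: DIR/acct/passwd, DIR/group, DIR/netgroup, DIR/project,
# DIR/user_attr, DIR/auto_home (as under /var/nis in the post).

# Constructed sample maps, modelled on the entries shown in the post.
make_sample_maps() {
    dir=$1
    mkdir -p "$dir/acct"
    printf 'nis:x:103:1001:NIS:/home/nis:/usr/bin/pfbash\n' > "$dir/acct/passwd"
    printf 'user2:x:1002:10:User Two:/home/user2:/usr/bin/bash\n' >> "$dir/acct/passwd"
    printf 'nis::1001:\n' > "$dir/group"
    printf 'nisadmin (-,nis,business.corp)\n' > "$dir/netgroup"
    printf 'nisadmin:200:NISAdmin:nis::\n' > "$dir/project"
    printf 'nis::::type=role;project=nisadmin;profiles=All;roleauth=user\n' > "$dir/user_attr"
    printf 'user2::::project=project1;roles=nis\n' >> "$dir/user_attr"
    printf 'nis nfs-1.business.corp:/export/home/&\n' > "$dir/auto_home"
}

# check_role_maps DIR ROLE: prints one line per failed check; returns 0 only if all pass.
check_role_maps() {
    dir=$1 role=$2 rc=0
    pw=$(awk -F: -v r="$role" '$1 == r' "$dir/acct/passwd")
    if [ -z "$pw" ]; then
        echo "$role: no passwd entry"; return 1
    fi
    gid=$(printf '%s\n' "$pw" | cut -d: -f4)
    shell=$(printf '%s\n' "$pw" | cut -d: -f7)
    # A role needs a profile shell (pfbash, pfksh, ...) or its rights profiles are never consulted.
    case $shell in
        */pf*) ;;
        *) echo "$role: shell $shell is not a profile shell"; rc=1 ;;
    esac
    # The primary GID must resolve in the group map.
    awk -F: -v g="$gid" '$3 == g { found = 1 } END { exit !found }' "$dir/group" \
        || { echo "$role: gid $gid not in group map"; rc=1; }
    # Without type=role the account would be a directly loginable user.
    attrs=$(awk -F: -v r="$role" '$1 == r { print $5 }' "$dir/user_attr")
    case ";$attrs;" in
        *";type=role;"*) ;;
        *) echo "$role: user_attr lacks type=role"; rc=1 ;;
    esac
    # The project named in user_attr must exist and list the role among its users.
    proj=$(printf ';%s;\n' "$attrs" | sed -n 's/.*;project=\([^;]*\);.*/\1/p')
    awk -F: -v p="$proj" -v r="$role" \
        '$1 == p && index("," $4 ",", "," r ",") { found = 1 } END { exit !found }' "$dir/project" \
        || { echo "$role: project '$proj' missing or does not list $role"; rc=1; }
    # The home directory must have an automounter entry.
    awk -v r="$role" '$1 == r { found = 1 } END { exit !found }' "$dir/auto_home" \
        || { echo "$role: no auto_home entry"; rc=1; }
    return $rc
}

# check_role_assignments DIR: every roles=... on a login must name type=role entries.
check_role_assignments() {
    awk -F: '
        /^#/ || NF < 5 { next }
        {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++) {
                if (kv[i] == "type=role") isrole[$1] = 1
                else if (kv[i] ~ /^roles=/) roles[$1] = substr(kv[i], 7)
            }
        }
        END {
            for (u in roles) {
                m = split(roles[u], rl, ",")
                for (j = 1; j <= m; j++)
                    if (!(rl[j] in isrole)) {
                        print u ": roles=" rl[j] " is not a type=role entry"; bad = 1
                    }
            }
            exit bad + 0
        }' "$1/user_attr"
}

# Demo on the constructed maps; replace demo_dir with /var/nis for the real sources.
demo_dir=$(mktemp -d)
make_sample_maps "$demo_dir"
if check_role_maps "$demo_dir" nis && check_role_assignments "$demo_dir"; then
    echo "map sources consistent for role nis"
fi
rm -rf "$demo_dir"
```

Run it as the last step before make; a non-zero exit with the printed reasons means the maps would be pushed to the slaves in an inconsistent state (for example, a role whose GID or project does not exist, or a login granted a "role" that is really an ordinary account).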

   
NOTE
It's important to note that during this process there was no disruption of service to clients, since all NIS clients should be bound only to NIS slave servers.