Very Computer

First, the situation and reason for my question:

We have a really heterogenous network here with Linux, Solaris, Windows
2000, Mac OS 9 and Mac OS X machines here. So far, we had only Linux
servers and clients were able to access netatalk and samba services. We
hold users in a standard shadow password file on the fileserver with all
accounts. The passwords are only stored in samba's smbpasswd, pam_smb
allows netatalk to authenticate users against this file / our samba server.

No, I get real unix clients into the net. Fine, I have nis and nfs. But for
security, I have set all users' shells to /bin/false on the fileserver, as
they don't need a shell there. On the other hand, they should have a shell
on unix clients. And on one of these clients, I want to make a special
"program" to become the users shell. So while I need to get user
information from the file servers shadow file via nis, I need different
shell-settings on clients and servers for my users.

My first idea is to create a link /bin/netusershell, and make it point to
/bin/false on the fileserver, to /bin/bash on the unix clients and to
/bin/startsession on my "special" client (I want to use a script that
allows tcp/ip-connections from our wireless lan by altering iptables, so
that a user logs in via ssh, gets the "shell" which is a script allowing
tcp/ip-packets from his ip/mac).

Is there a better way? As you see, I'm quite new to nis, as I didn't need
it so far.

Thank You for any help and hints, CU, Lars O.Grobe.

--
Rechnerpool - www.rechnerpool.com
students' computer lab at the dept. of architecture,
University of Technology Darmstadt, Germany

Quote:>No, I get real unix clients into the net. Fine, I have nis and nfs. But for
>security, I have set all users' shells to /bin/false on the fileserver, as
>they don't need a shell there. On the other hand, they should have a shell
>on unix clients. And on one of these clients, I want to make a special
>"program" to become the users shell. So while I need to get user
>information from the file servers shadow file via nis, I need different
>shell-settings on clients and servers for my users.

Then to your problem; you might be able to specify "compat" mode for
passwd and group in nsswitch.conf (see the man page on how it works).
This should make it possible for you to have the last line of passwd
to read
+::::::/shell/override

... causing all NIS users to get /shell/override as their shell on that

override the shell for some users (your admin group?). But then, these
are more or less "fringe features" of NIS, so the quality (and even
availability) of this feature seems to vary a lot between platforms and
versions. Check yours -- if this works (and the security implications
of NIS do not scare you), it's quite a neat feature.

Also, there are differences between insane shells listed and not listed
in /etc/shells, so f.ex. you could have "/no/shell/here" listed as one
line in /etc/shells (yep, literally that, or some other random string
with no file with that name) to f.ex. allow sendmail do run things such
as procmail filtering on hosts that the users are not allowed to log in
(sendmail security checks only allow execution of external commands for
users with valid shells). Again, this has some security implications
(the users will be able to run any command on the "closed" host with
their own privileges), so only do this if you trust your users not to
misuse this feature.
--
Wolf  a.k.a.  Juha Laiho     Espoo, Finland

         PS(+) PE Y+ PGP(+) t- 5 !X R !tv b+ !DI D G e+ h---- r+++ y++++
"...cancel my subscription to the resurrection!" (Jim Morrison)