Is there a way to use netgroups or some other configuration to allow our team members to authenticate using the NIS server but still restrict access to all other users?
That is pretty much why netgroups exist.
The easiest solution to do what you want is to use the compat functionality of nsswitch.conf. This is documented -- briefly and poorly -- in nsswitch.conf(5):
Interaction with +/- syntax (compat mode)
...In /etc/passwd you could have entries of the form +user or +@netgroup (include the specified user from the NIS passwd map), -user or -@netgroup (exclude the specified user), and + (include every user, except the excluded ones, from the NIS passwd map).
In practical terms, this means that if your nsswitch.conf looks like this:
passwd: compat
And your /etc/passwd ends with a line like this:
+@myusers
Then only members of the myusers netgroup will be able to authenticate to the system.
You can accomplish something similar using the pam_listfile module in your PAM configuration and creating restrictions based on group (rather than netgroup) membership. This is nice if you have groups and netgroups that you're trying to keep in sync (because now you can just use standard Unix groups). This document has an example of restricting logins to specific groups using pam_listfile.
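Added example, not part of the original answer: a small Python audit that checks whether a host's nsswitch.conf and /etc/passwd actually produce the netgroup restriction described above, flagging a bare + line that would include every NIS user. The function names and the sample file contents are constructed for illustration.

```python
# Added example: audit passwd compat entries. Sample file contents are constructed.

def passwd_uses_compat(nsswitch_text):
    """True if the passwd line of nsswitch.conf lists the compat source."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments
        if line.startswith("passwd:"):
            return "compat" in line.split(":", 1)[1].split()
    return False

def compat_entries(passwd_text):
    """Return (sign, kind, name) for every +/- entry in /etc/passwd."""
    entries = []
    for line in passwd_text.splitlines():
        field = line.split(":", 1)[0].strip()
        if not field or field[0] not in "+-":
            continue                            # ordinary local account
        sign, name = field[0], field[1:]
        if name.startswith("@"):
            entries.append((sign, "netgroup", name[1:]))
        elif name:
            entries.append((sign, "user", name))
        elif sign == "+":
            entries.append((sign, "all", ""))   # bare "+": every NIS user
    return entries

def audit(nsswitch_text, passwd_text):
    """Summarise who the compat entries include and whether access is restricted."""
    entries = compat_entries(passwd_text)
    compat = passwd_uses_compat(nsswitch_text)
    wildcard = ("+", "all", "") in entries
    return {
        "compat": compat,
        "wildcard": wildcard,
        "included": [(k, n) for s, k, n in entries if s == "+" and k != "all"],
        "excluded": [(k, n) for s, k, n in entries if s == "-"],
        # Restricted only when compat is active and no bare "+" opens the map.
        "restricted": compat and not wildcard,
    }

# Constructed sample inputs
NSSWITCH = "passwd: compat   # NIS via +/- entries\ngroup: files\n"
PASSWD_OK = "root:x:0:0:root:/root:/bin/bash\n+@myusers\n"
PASSWD_OPEN = PASSWD_OK + "+::::::\n"

if __name__ == "__main__":
    for label, pw in (("restricted", PASSWD_OK), ("open", PASSWD_OPEN)):
        print(label, audit(NSSWITCH, pw))
```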