Using netgroups to control login and admin privileges on OS X

I wanted to use netgroups defined in /etc/netgroup to control:

• Login access via access_loginwindow
• OS X admin privs via the admin local group
• sudo access via /etc/sudoers

Unfortunately I couldn't get it to work (on 10.6), but I'll document here for my own sake and the rest of the internet :) I suspect this was because I wanted to just use the flat file, without any NIS server, and OS X was expecting to do lookups to refresh the information in the file.

Run Directory Utility

open /System/Library/CoreServices/Directory\ Utility.app/

and tick 'BSD Flat File and NIS' and inside there tick 'Use User and Group records in BSD Local node'. Interestingly this is gone on Lion - it is now just NIS and there is no option for BSD local node...

Assuming you have some entries in /etc/netgroup:

smalltest (-,auser,)

You should be able to see them with dscl:

$ dscl localhost -read /BSD/local/NetGroups/smalltest
dsAttrTypeNative:triplet: -,auser,
AppleMetaNodeLocation: /BSD/local
RecordName: smalltest

And should theoretically be able to use them. I tried this for sudo, and although it passed syntax checking it just didn't work.

+smalltest ALL=(ALL) ALL

And I couldn't get dseditgroup to recognise the netgroup for use in access_loginwindow:

$ sudo dseditgroup -o edit -a smalltest -t group com.apple.access_loginwindow
Group not found.