LinuxQuestions.org


jlinkels 03-29-2015 05:56 PM

NIS recommended setting for MINGID
 
I am running a NIS server on my network. After migrating to a new server I noticed that when I log in on a client I am not a member of the sudo group anymore.

This is caused by the MINGID=1000 setting in the /var/yp/Makefile.

The mechanism is quite clear to me: groups < 1000 are not in the NIS database.

But I want to be a member of the sudo group on every machine I log in to. The workaround would be to add myself to the sudo group on each client.

But that seems to be odd. I am using a centralized authentication system so I don't have to create my UID and GID on each host.

OTOH there seems to be a security risk involved in setting the GID to such a low value to include system groups/accounts.

The NIS server does allow incoming connections from the internet.

So what is the recommended way to be a member of the sudo group on each host?

jlinkels

dijetlo 03-29-2015 06:41 PM

Create a domain group, linux_admin_sg, for example, give it a group ID < 999 and grant that group rights in sudoers.
Conversely you could modify the default MINGID variable to a value greater than 1000 and recompile yp. It's not replicating the GIDs that don't have groups attached to them, so it's a wash as far as network/compute is concerned. My thinking would be, if you're in sudoers, you already have more rights than any system account or group other than wheel, so what's the downside of low-balling the GID?
You're looking at a security question. On high security instances/servers, they actually disable domain level groups and users so that only local users can access them and pull rights from local groups. That makes them a serious pain in the neck to admin; you need a guy who has an account on the instance to work on it. However, it's about as secure as you can make it in an enterprise environment.
Always a trade-off.

jlinkels 03-31-2015 07:16 PM

I like the suggestion of creating a system group with a high GID.
OTOH you don't seem panicky about lowering the MINGID on a local network either. I was afraid it was Bad Practice.

Thanks.

jlinkels
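
The MINGID cut-off described in the first post, and the dedicated admin group with a GID above it discussed in the replies, as an added example that is not part of the thread or of the NIS Makefile. It models the filter with awk on a constructed group file and sudoers fragment; the GIDs 27 and 5000 and the function names are assumptions.

```shell
#!/bin/sh
# Added example: models the MINGID cut-off on constructed data.

# Constructed sample of the NIS master's /etc/group (assumed GIDs).
SAMPLE_GROUP='root:x:0:
sudo:x:27:jlinkels
users:x:100:
jlinkels:x:1000:
linux_admin_sg:x:5000:jlinkels'

# Constructed sudoers fragment granting rights to two groups.
SAMPLE_SUDOERS='%sudo ALL=(ALL:ALL) ALL
%linux_admin_sg ALL=(ALL:ALL) ALL'

# Print the names of groups that pass the cut-off (GID >= MINGID).
# $1 = MINGID, stdin = group file. Skips comments and +/- compat lines.
nis_exported_groups() {
    awk -F: -v min="$1" \
        '!/^[-+#]/ && $1 != "" && $3 + 0 >= min + 0 { print $1 }'
}

# Print the group names referenced as %group in sudoers text on stdin.
sudoers_groups() {
    awk '$1 ~ /^%/ { g = $1; sub(/^%/, "", g); print g }'
}

# Print sudoers groups whose membership would not reach NIS clients,
# because the group falls below MINGID and is left out of the map.
# $1 = MINGID, $2 = group file text, $3 = sudoers text
groups_missing_on_clients() {
    exported=$(printf '%s\n' "$2" | nis_exported_groups "$1")
    printf '%s\n' "$3" | sudoers_groups | while read -r g; do
        printf '%s\n' "$exported" | grep -qxF -- "$g" || printf '%s\n' "$g"
    done
}

# With MINGID=1000 only the low-GID sudo group is reported.
groups_missing_on_clients 1000 "$SAMPLE_GROUP" "$SAMPLE_SUDOERS"
```
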


All times are GMT -5.