> I ultimately want to go the LDAP route, but I'm having issues with our
> security folks on the 'native' Linux IDs, and things installed by vendor
> software such as DB2. They are fine with things that conform to our z/OS
> IDs and passwords... but this left-field stuff is causing them pain.

No pain, no gain. 8-)

> For my own sanity and consistency, I was hoping that I could simply copy
> /etc/shadow and /etc/passwd to a new system and have a common base of
> users and process IDs in place until such time as I can resolve the LDAP
> requirements with those who control security.

You could do that, but you'll regret it later. You might as well fix it now
while you have a small number of systems and not have to go back and do it
again.

Unlike Adam, I don't find NIS all that complicated if all you're using it for
is userids and passwords. What I'd suggest you do is:

0) Go through all your guests and make a list of text userids and UID values.
   If any of the UIDs are different on different systems, change them so that
   the mapping between userid and UID is unique, one-to-one and onto. This is
   really critical -- you have to have one userid, one UID for this to work
   reliably.

1) Build a separate guest that will be your NIS master server. This machine is
   only used to hold authentication information and shouldn't be used for
   anything else.

2) Load the ypserv and other NIS master packages on the NIS server machine.
   Set the ypdomain value to something easily recognizable. YaST can do all
   this, so it's probably easiest to let YaST do the work.

3) cd /var/yp and update the passwd file there with all the ids. You could do
   this via YaST, but it's a lot more work, and it's quicker to do a batch
   update. If you want, you can also do the groups file as well.

4) Do 'make' to populate the NIS maps from the file and get them ready.

From now on, all userid creation work should be done on this master server.

To get the clients to use the NIS server, log on to each client system and:

1) Make sure that all userids and UIDs match the ones on your list from step 0
   above. If not, change them now so that they DO match.

2) Go into YaST and configure the client as a NIS client. Specify the NIS
   domain name and IP address of the NIS server. DO NOT ALLOW NIS TO
   BROADCAST -- this is a serious security hole, and makes you vulnerable to
   any idiot with a laptop.

3) If the YaST process is successful, then you're live with NIS. I would
   suggest a reboot to make sure that ypbind is running properly, but the
   "no reboot" police will probably come after me, so YMMV.

For all your new Linux systems, just build them as NIS clients, and you don't
have to do anything special -- they have a full password file, etc.
automagically.

Eventually, you might want to build a backup NIS master, but that's not
necessary to get started. The O'Reilly NIS and NIS+ book is helpful here.

-- db

----------------------------------------------------------------------
For LINUX-390 subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: INFO LINUX-390 or visit
http://www.marist.edu/htbin/wlvindex?LINUX-390
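Step 0 above (one userid, one UID, the same on every guest) is the part that is easy to get wrong by hand once there are more than two or three systems. The script below is an added example, not code from the post or from the LINUX-390 list: it takes copies of each guest's /etc/passwd (here three constructed excerpts standing in for real guests) and reports every userid that carries more than one UID and every UID shared by more than one userid, so the list handed to the NIS master in step 3 is already one-to-one. Run it with the real files as arguments once the merge is clean; a non-zero conflict count means the UIDs still need changing on the affected guests.

```shell
#!/bin/bash
# Added example, not from the original post: audit the userid <-> UID mapping
# across several guests before building a NIS master (step 0 in the post).
# The mapping has to be one-to-one: each userid has exactly one UID and each
# UID belongs to exactly one userid, or NIS will hand out file ownerships
# that mean different things on different guests.

# Constructed /etc/passwd excerpts for three hypothetical guests.
GUEST_A='root:x:0:0:root:/root:/bin/bash
dbadmin:x:1001:1001:DB2 admin:/home/dbadmin:/bin/bash
jsmith:x:1002:1002:J Smith:/home/jsmith:/bin/bash'
GUEST_B='root:x:0:0:root:/root:/bin/bash
dbadmin:x:1001:1001:DB2 admin:/home/dbadmin:/bin/bash
jsmith:x:1003:1003:J Smith:/home/jsmith:/bin/bash'          # jsmith differs here
GUEST_C='root:x:0:0:root:/root:/bin/bash
db2inst1:x:1001:1001:DB2 instance:/home/db2inst1:/bin/bash' # UID 1001 reused

# merged_map PASSWD_TEXT... -> every distinct "userid uid" pair seen on any guest
merged_map() {
    printf '%s\n' "$@" | awk -F: 'NF >= 3 && $1 !~ /^#/ { print $1, $3 }' | sort -u
}

# check_uid_map PASSWD_TEXT...
# Prints one line per conflict; returns the conflict count (0 = safe to proceed).
check_uid_map() {
    local pairs conflicts=0 name uid
    pairs=$(merged_map "$@")

    # userids bound to more than one UID (pairs are already sorted by userid)
    for name in $(printf '%s\n' "$pairs" | awk '{ print $1 }' | uniq -d); do
        printf 'userid %s has several UIDs:%s\n' "$name" \
            "$(printf '%s\n' "$pairs" | awk -v n="$name" '$1 == n { printf " %s", $2 }')"
        conflicts=$((conflicts + 1))
    done

    # UIDs shared by more than one userid
    for uid in $(printf '%s\n' "$pairs" | awk '{ print $2 }' | sort -n | uniq -d); do
        printf 'UID %s is used by several userids:%s\n' "$uid" \
            "$(printf '%s\n' "$pairs" | awk -v u="$uid" '$2 == u { printf " %s", $1 }')"
        conflicts=$((conflicts + 1))
    done

    return "$conflicts"
}

# Demo on the constructed data; with real files use: check_uid_map "$(cat hostA)" "$(cat hostB)" ...
rc=0
check_uid_map "$GUEST_A" "$GUEST_B" "$GUEST_C" || rc=$?
echo "conflicts found: $rc"
```

The return code doubles as the conflict count so the check can gate a build script: only when it is zero does it make sense to copy the merged map into /var/yp and run make.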
