Kevin,

You certainly haven't left any questions out. My replies below. It should work for Suse.
On Wed, 2004-03-03 at 11:26, Kevin wrote:
>
> As would most people I guess, I'd like to have all AFS
> user data (stuff found in /etc/passwd (login shell,
> unix uid, unix gid, Name, home directory), /etc/shadow
> (password and related data), the kerberos database
> (principals and their privileges), openafs acls,
> openafs uid, etc.) be centrally located, universally
> accessible, and easy to maintain.
>
> Based on the docs I've read thus far, I should be
> making a common /etc/passwd file on AFS and merging it
> with each client machine's /etc/passwd file whenever a
> change is made to the AFS /etc/passwd file using cron
> or something.
>
> My question(s) is/are:
>
> Is that still the best way to do this?
>
> And what about /etc/shadow? Do I need to write a
> script for shadow that is similar to that found in the
> docs on merging the AFS /etc/passwd file with each
> client machine's /etc/passwd file?
>
> For my purposes, except for each client machine's root
> account, I'd like to have all users be authenticated
> from a single (perhaps replicated) source, and not
> have any user accounts on each client machine's local
> authentication source (no local users except
> root---only Kerberos users for the network).

May I suggest researching LDAP. It will provide the central data source you are looking for. You can store all users, hosts, groups, etc. in the LDAP database and access that at login to provide more info than /etc/passwd. Very adaptable. Also, PAM modules (pluggable authentication modules) will enable you to limit users'/groups' access to any particular machine. Works nicely in concert with LDAP.

> Or even, is there a way to make a "network superuser"
> that would have root access to all client computers?
> Or is that a bad idea? What do people do for the root
> password on each client machine when there are
> hundreds (or more) client machines? Make them all the
> same? Keep a database of machines and their root
> passwords handy? Just curious...
PAM again. Or if you have a need to update client machines on a regular basis, 'package' can be compiled into OpenAFS (see the Transarc documentation for this). This will enable you to push out config changes, upgrades, etc. to local clients. Not a good idea to keep root passwords lying around.

> I'm sure someone else besides me has encountered this
> issue. Care to share your ideas on the best way to do
> this? I guess LDAP is an option, but I haven't done
> much with that. What are others in similar
> circumstances doing?

LDAP isn't as difficult as getting AFS and Kerb5 working together. You've already done the hard part. You won't have difficulty with LDAP. Just don't plan on LDAP for auth, keep the Kerberos for ticket granting.

--
Facade: Provide a unified interface to a set of interfaces in a subsystem.

Andrew Bacchi
Staff Systems Programmer
Rensselaer Polytechnic Institute
phone: 518 276-6415   fax: 518 276-2809
http://www.rpi.edu/~bacchi/

_______________________________________________
OpenAFS-info mailing list
[EMAIL PROTECTED]
https://lists.openafs.org/mailman/listinfo/openafs-info
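The split Andrew describes (LDAP as the directory behind /etc/passwd, /etc/shadow and /etc/group; Kerberos, not LDAP, for authentication; PAM to decide which users or groups may log in to a given host) maps onto four small client-side files. The fragments below are an added illustration, not configuration from the thread or from the OpenAFS project; the module names (nss_ldap, pam_ldap, pam_krb5, pam_access, pam_unix) are the standard ones, while the server name, base DN and group name "afsusers" are placeholders. Acquiring an AFS token at login needs a further PAM session module and is not shown.

```conf
# /etc/nsswitch.conf -- account data that /etc/passwd, /etc/shadow and
# /etc/group hold today is looked up in the local files first (so root
# stays local), then in LDAP for everyone else.
passwd: files ldap
shadow: files ldap
group:  files ldap

# /etc/ldap.conf -- client settings read by nss_ldap and pam_ldap.
# Server and base DN are placeholders; nss_base_* narrows each search
# to one container so lookups stay cheap on a large directory.
uri     ldap://ldap.example.edu/
base    dc=example,dc=edu
ssl     start_tls
nss_base_passwd ou=People,dc=example,dc=edu?one
nss_base_group  ou=Group,dc=example,dc=edu?one

# /etc/pam.d/login -- Kerberos does the authentication; LDAP is never
# asked for a password.  Kerberos users succeed at pam_krb5; root (the
# only local account) falls through to pam_unix and the local shadow file.
auth     sufficient pam_krb5.so
auth     required   pam_unix.so try_first_pass
account  required   pam_access.so
account  required   pam_unix.so
session  required   pam_unix.so

# /etc/security/access.conf -- per-host policy read by pam_access, in the
# order "permission:users-or-groups:origins".  Rules are matched top down,
# so the final deny-all line is what turns this into an allow list.
+:root:ALL
+:afsusers:ALL
-:ALL:ALL
```

The same nsswitch.conf and ldap.conf go on every client unchanged; only access.conf differs per host (or per class of host), which is the "limit users/groups access to any particular machine" piece. Because passwords never live in LDAP, a compromised LDAP replica yields account metadata but no credentials, which is the reason for keeping Kerberos as the authentication source.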
