> This is a variant of the convenience argument.
> Systems with root as a role require a local user account with Primary
> Administrator role. When I installed OpenSolaris it did the right thing and
> created such an account that does not depend on NIS or LDAP and is
> thus insulated from issues with those servers. That user account should
> only have local paths in the PATH and a local home directory for
> greater reliability.
If one person (or a sealed envelope in a safe, with multiple administrators) can handle it all, that may work. It is the only sure thing if root is a role (and I'd make the login directory for that account be in the root filesystem somewhere, to minimize what needed to be working for it to be used, although Solaris usually does ok with an unavailable login directory, probably thanks to having to deal with that if NFS is fouled up).

But it does not scale to a few thousand servers and a dozen or two admins working as a pool across those few thousand servers. I'd hate to have to delete and create local accounts across a few thousand systems. Then we're back to a group account, and if the sealed envelope is broken, realistically the password has to be changed (by someone that probably will stay put for a long time) on all of those systems. Otherwise, that group account is a vulnerability in its own right.

Come right down to it, it's hard to imagine anything that is very secure, very robust in the face of failed global services or networks, and decently maintainable. One could work around it all sorts of ways, but it's ugly.

It would be nice to have a small set of accounts that were managed with a distributed naming service, but where the information was locally cacheable, refreshed at boot (and perhaps once or twice a day from cron), such that creating or deleting such an account centrally would automatically get a local copy of the changes pushed out to everything within a few hours or a day at most. Such an account might have to specify on the central service a reference to a list of systems allowed to cache the account information. Is there any reasonable way to do something like that?

--
This message posted from opensolaris.org
_______________________________________________
opensolaris-discuss mailing list
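As an added illustration, not code from this message, from the thread or from OpenSolaris, here is a POSIX sh dry run of the refresh step the last paragraph sketches: a central account list whose last field names the systems allowed to cache each account, compared against the locally cached entries to produce the add/delete actions a boot-time or cron-driven refresh would carry out. The record format, the hostnames, the account names and the "cached" tag in the comment field are assumptions made for the example; it prints actions and never modifies the system.

```shell
#!/bin/sh
# Dry-run sketch of the locally cached account idea from the message above.
# Added example, not code from the post or from OpenSolaris. The record
# format, hostnames, account names and the "cached" marker are assumptions
# made here. Nothing below modifies the system: it only prints the actions a
# refresh (at boot or from cron) would need to take on this host.

# Constructed central account list, one record per line:
#   login:uid:gid:home:shell:allowed-host-pattern
# The last field is the "list of systems allowed to cache the account"
# from the message, expressed here as a shell glob matched against the
# hostname (assumption).
CENTRAL_ACCOUNTS='ops-emerg:300:10:/var/ops-emerg:/usr/bin/sh:web*
db-emerg:301:10:/var/db-emerg:/usr/bin/sh:db*
all-emerg:302:10:/var/all-emerg:/usr/bin/sh:*'

# Constructed snapshot of local passwd entries. Only entries tagged "cached"
# in the comment (GECOS) field are managed, so ordinary local accounts such
# as root are never touched by the refresh.
LOCAL_CACHE='ops-emerg:x:300:10:cached:/var/ops-emerg:/usr/bin/sh
stale-emerg:x:399:10:cached:/var/stale-emerg:/usr/bin/sh
root:x:0:0:Super-User:/:/usr/bin/sh'

# wanted_accounts HOST: logins the central list allows HOST to cache.
wanted_accounts() {
    host=$1
    printf '%s\n' "$CENTRAL_ACCOUNTS" |
    while IFS=: read -r login uid gid home shell pattern; do
        # The pattern field is deliberately unquoted: it is the glob.
        case $host in
            $pattern) printf '%s\n' "$login" ;;
        esac
    done
}

# cached_accounts: logins currently cached locally (tagged entries only).
cached_accounts() {
    printf '%s\n' "$LOCAL_CACHE" | awk -F: '$5 == "cached" { print $1 }'
}

# plan HOST: one "add LOGIN" or "del LOGIN" line per change needed so the
# local cache matches the central list for HOST. A centrally deleted
# account thus disappears from every host on its next refresh, as the
# message proposes, without anyone logging in to each system.
plan() {
    host=$1
    wanted=$(wanted_accounts "$host" | sort)
    have=$(cached_accounts | sort)
    printf '%s\n' "$wanted" | while read -r l; do
        [ -n "$l" ] || continue
        printf '%s\n' "$have" | grep -qxF "$l" || echo "add $l"
    done
    printf '%s\n' "$have" | while read -r l; do
        [ -n "$l" ] || continue
        printf '%s\n' "$wanted" | grep -qxF "$l" || echo "del $l"
    done
}

# Usage: sh cache-plan.sh "$(hostname)"
if [ $# -gt 0 ]; then
    plan "$1"
fi
```

Run against the constructed data, a host named web01 gets "add all-emerg" and "del stale-emerg", while db01 additionally loses ops-emerg and gains db-emerg; a real refresh would pull the central list over an authenticated channel and turn each line into the matching useradd or userdel call.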
