Re: [CentOS] NIS or not?

2014-01-29 Thread Jeffrey Hass
Pretty much right and is not truly X.500 compliant... This AD.
It makes me nervous when one refers to it as LDAP...heh.
Do a low level trace when running: ldapsearch ..
Problem is AD has to be dealt with until Microsoft dies! Becomes Novell.
And it will someday

Anyway The LDAP with CentOS is robust enough when built up as Master
Master // rep. rep.

Lots of things get missed

"Paris in the the Spring"
Did you catch that extra word there. Too much wrapper... Welcome to AD.

Wizard of Hass!
Rarely wrong; usually right

On Jan 29, 2014 3:00 PM, "John R Pierce"  wrote:

> On 1/29/2014 2:24 PM, Joseph L. Casale wrote:
> > No, the other way around.  Microsoft Active Directory implements an
> > LDAP like directory accessible interface for its own directory.
> >
> > Calling Active Directory "LDAP" is like calling vim `echo "xx" > yy`. If
> you
> > are unaware of all the moving parts under Active Directory, it might
> prove
> > very informative to explore it.
> >
> > Credit where credit is due ...
>
> AD *is* a modified/extended LDAP+Kerberos based system, it just adds a
> ton more proprietary stuff around it to manage Windows workstations, the
> whole Group Policy Object stuff etc etc.   That's all implemented via
> LDAP extensions.
>
>
>
> --
> john r pierce  37N 122W
> somewhere on the middle of the left coast
>
> ___
> CentOS mailing list
> CentOS@centos.org
> http://lists.centos.org/mailman/listinfo/centos
>


Re: [CentOS] NIS or not?

2014-01-29 Thread John R Pierce
On 1/29/2014 3:17 PM, Joseph L. Casale wrote:
> I'm sorry, with all due respect I disagree. There is an unfathomable quantity 
> of
> functionality not accessible via LDAP.
>
> You can query some aspects made available through the LDAP interface, you
> cannot set nor modify plenty.

indeed, as I said, 'extended/modified'. the GPO stuff has actually 
nothing to do with the directory service per se, it's just dispatched 
via it, using kerberos tickets for authentication. LDAP itself doesn't 
address replication either, and Microsoft made all that about as 
complicated as they could with their FSMOs and whatnot.   it's really 
simple and easy until something goes south, then you discover there's 
layers and layers of kludge under the skin and it's amazing it works at all.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] NIS or not?

2014-01-29 Thread Joseph L. Casale
> AD *is* a modified/extended LDAP+Kerberos based system, it just adds a
> ton more proprietary stuff around it to manage Windows workstations, the
> whole Group Policy Object stuff etc etc.   That's all implemented via
> LDAP extensions.

I'm sorry, with all due respect I disagree. There is an unfathomable quantity of
functionality not accessible via LDAP.

You can query some aspects made available through the LDAP interface, you
cannot set nor modify plenty.


Re: [CentOS] NIS or not?

2014-01-29 Thread John R Pierce
On 1/29/2014 2:24 PM, Joseph L. Casale wrote:
> No, the other way around.  Microsoft Active Directory implements an
> LDAP like directory accessible interface for its own directory.
>
> Calling Active Directory "LDAP" is like calling vim `echo "xx" > yy`. If you
> are unaware of all the moving parts under Active Directory, it might prove
> very informative to explore it.
>
> Credit where credit is due ...

AD *is* a modified/extended LDAP+Kerberos based system, it just adds a 
ton more proprietary stuff around it to manage Windows workstations, the 
whole Group Policy Object stuff etc etc.   That's all implemented via 
LDAP extensions.



-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] NIS or not?

2014-01-29 Thread Jeffrey Hass
brilliant. 

exactly.
On 1/29/2014 2:24 PM, Joseph L. Casale wrote:
>> No, the other way around.  Microsoft Active Directory sounds a lot
>> like LDAP and Kerberos.  Credit where credit is due ...
> No, the other way around.  Microsoft Active Directory implements an
> LDAP like directory accessible interface for its own directory.
>
> Calling Active Directory "LDAP" is like calling vim `echo "xx" > yy`. If you
> are unaware of all the moving parts under Active Directory, it might prove
> very informative to explore it.
>
> Credit where credit is due ...
>
> jlc


Re: [CentOS] NIS or not?

2014-01-29 Thread Joseph L. Casale
> No, the other way around.  Microsoft Active Directory sounds a lot
> like LDAP and Kerberos.  Credit where credit is due ...

No, the other way around.  Microsoft Active Directory implements an
LDAP like directory accessible interface for its own directory.

Calling Active Directory "LDAP" is like calling vim `echo "xx" > yy`. If you
are unaware of all the moving parts under Active Directory, it might prove
very informative to explore it.

Credit where credit is due ...

jlc


Re: [CentOS] NIS or not?

2014-01-29 Thread Devin Reade
--On Tuesday, January 28, 2014 12:45:09 PM + Sorin Srbu 
 wrote:

> LDAP and Kerberos though. That does sound a lot like Microsoft Active
> Directory. 8-)

No, the other way around.  Microsoft Active Directory sounds a lot
like LDAP and Kerberos.  Credit where credit is due ...

;)

Devin





Re: [CentOS] NIS or not?

2014-01-29 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Jeffrey Hass
> Sent: den 29 januari 2014 11:11
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> Almost forgot, //Sorin:
>
> SSL uses public key cryptography:
>
>  1. You (or your browser) has a public/private keypair
>  2. The server has a public/private key as well
>  3. You generate a symmetric session key
>  4. You encrypt with the server's public key and send this encrypted
> session key to the server.
>  5. The server decrypts the encrypted session key with its private key.
>  6. You and the server begin communicating using the symmetric session
> key (basically because symmetric keys are faster).
>
> Kerberos does not use public key cryptography. It uses a trusted 3rd
> party. Here's a sketch:
>
>  1. You both (server and client) prove your identity to a trusted 3rd
> party (via a /secret/).
>  2. When you want to use the server, you check and see that the server
> is trustworthy. Meanwhile, the server checks to see that you are
> trustworthy. Now, mutually assured of each others' identity. You can
> communicate with the server.
>
>
> I'm always nervous about 'trusted third parties..' Can you imagine..
> That's what holds our credit cards and such,
> like, um, at Target.. the trusted 'third-party...' Damn, people really
> go for that??? See, it's a hard call, isn't it??
>
> // weigh it all out... //  and make sure you get buy in and put the
> DISCLAIMERS in your documentation and on the Wiki's because
> it will come back to you at some point . if it ever goes down...
>
> BEWARE of anything related to Security solutions on the Net -- because
> most don't have more than three or four years experience.
> Most.

Thanks for your insights. Appreciated.

My boss just looks funny at me when I ask him about security and whether he has 
considered all those post-Snowden details. 8-)

I've begun dabbling a bit with SSL while I did the Owncloud-testing and 
running.
--
//Sorin


Re: [CentOS] NIS or not?

2014-01-29 Thread Jeffrey Hass
Almost forgot, //Sorin:

SSL uses public key cryptography:

 1. You (or your browser) has a public/private keypair
 2. The server has a public/private key as well
 3. You generate a symmetric session key
 4. You encrypt with the server's public key and send this encrypted
session key to the server.
 5. The server decrypts the encrypted session key with its private key.
 6. You and the server begin communicating using the symmetric session
key (basically because symmetric keys are faster).

Kerberos does not use public key cryptography. It uses a trusted 3rd 
party. Here's a sketch:

 1. You both (server and client) prove your identity to a trusted 3rd
party (via a /secret/).
 2. When you want to use the server, you check and see that the server
is trustworthy. Meanwhile, the server checks to see that you are
trustworthy. Now, mutually assured of each others' identity. You can
communicate with the server.


I'm always nervous about 'trusted third parties..' Can you imagine.. 
That's what holds our credit cards and such,
like, um, at Target.. the trusted 'third-party...' Damn, people really 
go for that??? See, it's a hard call, isn't it??

// weigh it all out... //  and make sure you get buy in and put the 
DISCLAIMERS in your documentation and on the Wiki's because
it will come back to you at some point . if it ever goes down...

BEWARE of anything related to Security solutions on the Net -- because 
most don't have more than three or four years experience.
Most.

~ later.

j/h


On 1/29/2014 1:49 AM, Sorin Srbu wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of Jeffrey Hass
>> Sent: den 29 januari 2014 09:49
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>> Good call - not sure how far your coding goes and with what/how
>> languages and scripts...
>> Make sure to have as much as possible on VM's related to your security
>> 'servers' -- so that you also get a virtual built in Disaster recovery as
>> well.
> My Google Fu is usually okay. ;-)
>
> We've started offing physical servers in favour of virtual ones. So far mostly
> Windows servers, but I've started testing e.g.  Owncloud on a virtualized
> CentOS guest.  More Linux-machines are likely to be virtualized in due time.
> We (well, I actually...) decided on standardizing on Hyper-V as there was a
> really good P2V-tool available for migrating Windows servers. We had lots of
> them...
>
>
>> Note: I didn't catch it are you using the Microsoft's implementation of
>> Kerberos?
> We do have a Windows AD in place, it's the main IT here, but it's soon to be
> migrated to the central university IT-dept. One less thing to worry about...
> *nix was originally only a group-business at the dept., but over the years the
> Linux-ratio has upped considerably, what with backup-servers etc. running on
> Linux as well as us affording more machines for the original CADD-group.
>
>
>> There's a reason I ask, you said you need to do something,, sounds like
>> fairly quick, probably a good thing,
>> if nothing else get centralization = control! - more so -- than before ~
>> and so it goes, you will have encapsulated
>> tickets on steroids, to be sure.. but if you're the only person.. is
>> your shop that big that SSL wouldn't do the trick?
> SSL? How do you mean? Can you elaborate a bit?
>
> --
> //Sorin
>
>
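The trusted-third-party sketch in the post above (client and server each prove themselves to a party that holds their secret, then assure each other of their identity) worked through as an added Python example; this is not code from the post nor from any Kerberos implementation. The principal names, secrets and timestamps are constructed, and the seal/unseal primitive is an HMAC-SHA256 toy stand-in for Kerberos's AES encryption types, used here only so the exchange runs offline with the standard library.

```python
import hashlib
import hmac
import json
import os


def derive_key(secret: bytes) -> bytes:
    """Turn a principal's long-term secret (e.g. a password) into a 32-byte key.
    Constructed for this demo; real Kerberos uses its own string-to-key functions."""
    return hashlib.sha256(b"toy-kerberos-key:" + secret).digest()


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC-SHA256 in counter mode as a toy stream cipher (demo only, not a Kerberos enctype)
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, payload: dict) -> bytes:
    """Encrypt-then-MAC a JSON payload under `key`: nonce || ciphertext || tag."""
    plaintext = json.dumps(payload, sort_keys=True).encode()
    nonce = os.urandom(16)
    ciphertext = bytes(p ^ s for p, s in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    tag = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag before decrypting; a wrong key or a tampered blob fails here."""
    nonce, ciphertext, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: wrong key or tampered message")
    plaintext = bytes(c ^ s for c, s in zip(ciphertext, _keystream(key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class ToyKDC:
    """The trusted third party: the only party holding every principal's secret."""

    def __init__(self, principals: dict):
        self.keys = {name: derive_key(secret) for name, secret in principals.items()}

    def issue_ticket(self, client: str, service: str, now: int, lifetime: int = 300) -> bytes:
        # The KDC never sees a password on the wire: the reply is sealed under the
        # client's key, so only a party holding that secret can use it (step 1 of the sketch).
        session_key = os.urandom(32)
        ticket = seal(self.keys[service],
                      {"client": client, "key": session_key.hex(), "expires": now + lifetime})
        return seal(self.keys[client],
                    {"service": service, "key": session_key.hex(), "ticket": ticket.hex()})


def client_build_request(client: str, client_secret: bytes, kdc_reply: bytes, now: int):
    """Client side: open the KDC reply with its own secret, then prove possession of the
    session key with a timestamped authenticator. Returns (ticket, authenticator, session_key)."""
    reply = unseal(derive_key(client_secret), kdc_reply)
    session_key = bytes.fromhex(reply["key"])
    authenticator = seal(session_key, {"client": client, "timestamp": now})
    return bytes.fromhex(reply["ticket"]), authenticator, session_key


def server_accept(service_secret: bytes, ticket: bytes, authenticator: bytes, now: int, max_skew: int = 300):
    """Server side: only the real server can open the ticket; the authenticator must name the
    ticket's client and be fresh. Returns (mutual-auth reply for the client, session_key)."""
    t = unseal(derive_key(service_secret), ticket)
    if now > t["expires"]:
        raise ValueError("ticket expired")
    session_key = bytes.fromhex(t["key"])
    a = unseal(session_key, authenticator)
    if a["client"] != t["client"] or abs(now - a["timestamp"]) > max_skew:
        raise ValueError("authenticator does not match ticket or is stale")
    # Echoing the client's timestamp under the session key proves the server could read the ticket
    # (step 2 of the sketch: the client checks the server, the server checks the client).
    return seal(session_key, {"timestamp": a["timestamp"]}), session_key


def run_exchange(client_secret: bytes = b"correct horse", now: int = 1_390_000_000) -> dict:
    """Run the whole exchange with constructed principals and report what each side ended up with."""
    kdc = ToyKDC({"sorin": b"correct horse", "nfs/fileserver": b"service-keytab-secret"})
    kdc_reply = kdc.issue_ticket("sorin", "nfs/fileserver", now)
    ticket, authenticator, client_key = client_build_request("sorin", client_secret, kdc_reply, now)
    server_reply, server_key = server_accept(b"service-keytab-secret", ticket, authenticator, now)
    server_authenticated = unseal(client_key, server_reply)["timestamp"] == now
    return {"session_keys_match": client_key == server_key, "server_authenticated": server_authenticated}


def exchange_rejected(client_secret: bytes) -> bool:
    """True if the exchange fails for a client that does not hold the right secret."""
    try:
        run_exchange(client_secret=client_secret)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(run_exchange())
```

Note what the three parties never exchange: the client's secret and the service's secret stay with their owners and the KDC, and the server never learns the client's secret at all; it only learns a per-session key, which is the point the post makes about a trusted third party replacing public-key exchange.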


Re: [CentOS] NIS or not?

2014-01-29 Thread Jeffrey Hass
Hey Sorin,

I'm getting ready to catch a plane to Dubai but wanted to answer you 
real quick and short:
SSL for smaller networks in terms of authentication is fine and secure - 
as long as your infrastructure is secure.

I'm glad to hear you're using VM's more and more. It gives you a lot more 
control to manipulate, change and
recover from 'all kinds of errors' - tweaking .conf files, someone 
having 'root' or 'admin' on you
as you have to trust someone/sometime...

.. anyway, um, I'm hoping you consider the SSL implementation if you 
have to do something 'quick..'
if not, Kerberos will certainly help you from getting 'fired ..' it 
won't be the reason you do anyway..

About the previous post about IPA - you're hitting LDAP anyway (that is 
AD) and probably a few more out there
if you're somewhat of 'shop' with stuff everywhere..

IPA was hacked by a user group (exploit) in Seattle - and you get what 
'you don't pay for' sometimes.

Having said this, all these tools at the end of the day generally get 
the job done, the truth is 'what are you protecting..'
and from 'what..' usually determines the component and/or tool you'd 
want to entertain.

Once you have it in-house // and your name is on it.. // and it's in 
Production, really HARD to back out, in some
cases impossible.. Case in point:  TARGET was hacked by a 17-year old 
punk with no date on a Friday night...
... and, well, they went from an 'openSource (which I FIRMLY believe 
in)' to a mix-bag implementation to include
Oracle and IBM SSO/IdM implementation .. They removed Kerberos out of 
the equation - mixed SSL with a non-REAL x.500
compliant LDAP, we can say it has the letters DA in it but you can 
'reverse' that and come up with a name...
and then, so it goes, BAM! someone's inside.. You see, the problem 
here is many will jump in and recommend
a solution because 'they worked with it... and in most cases, IT IS all 
they know...'  You drive this car, you love it
more than all other cars but have yet to drive the other cars and see 
for yourself... Point is, mileage may vary and WILL
and I will say this in my last post here on this thread, I've been in 
court as a witness during DoD audits
and it was always, 'we went with a solution' that was proven and tried.. 
and recommended...
TRIED by who? Recommended by who?? Best practices?? Just a collective 
agreement by a bunch of
dweebs that say, yeah, that sounds right.

Message is:  For what you need Kerberos would work and should work. 
Enough documentation out there...
and such to help you... Also, YouTube, believe it or not has a lot of 
posts (many by myself but in my alter ego name, which are many)
even this name is not real, but as I was saying - a ton of info.

It's funny what qualifies as a guru as at one time there was no Google 
to get an answer and rattle a 'solution'
All my recommends is actual dogfood I have eaten and I don't want to see 
the same thing
happen to others as this Security business is getting out of hand with 
all 'these experts' that truly
don't have the heart to do what you're doing and get it done right and 
to care enough to do that.

SSL is implemented on every WebApplication Server, product that is 
Internet based except UDP - good luck
with that... but having said that, you can surely -- do this with SSL 
and/or Kerberos.. Anything else, you're
going to pay for it.

Here's a snip and it comes down to your infrastructure, what you do for 
a business, who your audience is/what they do
once they do have access.. who wants your information, risk assessment 
is big here... and then there you go.

If you really wanted security.. you'd put another wrapper around this 
using a SSO tool, Access Manager -- and combine the Kerberos ticket
into the packet once the SSL header is created with the credentials and 
CERT it down the wire.
NO ONE IS GETTING IN, especially that 17-year old with a runny nose that 
mom is paying for his college is trying
to do... Crazy world... Too bad we can meet these guys in person.. It 
would be a whole different world.

Sorry so long.. I post a few times of year to help those that are really 
burning the oil at night.

GOOD LUCK.

1. Kerberos SSL/TLS
2. LDAP has industrial strength protection built in if you hash the 
passwords/encrypt
3. Stay away from ANYTHING MICROSOFT security - Enter: Oxy-moronic
4. An openSource SSO tool built on JBoss or Tomcat

This is the real world right now..

And if anyone challenges, like the song says, it surely means they don't 
know: Carry on...


Wizard of Hass


--

Real men write their own device drivers ~  A. Tuckett


On 1/29/2014 1:49 AM, Sorin Srbu wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...

Re: [CentOS] NIS or not?

2014-01-29 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Jeffrey Hass
> Sent: den 29 januari 2014 09:49
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> Good call - not sure how far your coding goes and with what/how
> languages and scripts...
> Make sure to have as much as possible on VM's related to your security
> 'servers' -- so that you also get a virtual built in Disaster recovery as 
> well.

My Google Fu is usually okay. ;-)

We've started offing physical servers in favour of virtual ones. So far mostly 
Windows servers, but I've started testing e.g.  Owncloud on a virtualized 
CentOS guest.  More Linux-machines are likely to be virtualized in due time.
We (well, I actually...) decided on standardizing on Hyper-V as there was a 
really good P2V-tool available for migrating Windows servers. We had lots of 
them...


> Note: I didn't catch it are you using the Microsoft's implementation of
> Kerberos?

We do have a Windows AD in place, it's the main IT here, but it's soon to be 
migrated to the central university IT-dept. One less thing to worry about...
*nix was originally only a group-business at the dept., but over the years the 
Linux-ratio has upped considerably, what with backup-servers etc. running on 
Linux as well as us affording more machines for the original CADD-group.


> There's a reason I ask, you said you need to do something,, sounds like
> fairly quick, probably a good thing,
> if nothing else get centralization = control! - more so -- than before ~
> and so it goes, you will have encapsulated
> tickets on steroids, to be sure.. but if you're the only person.. is
> your shop that big that SSL wouldn't do the trick?

SSL? How do you mean? Can you elaborate a bit?

--
//Sorin


Re: [CentOS] NIS or not?

2014-01-29 Thread Rob Kampen

On 01/29/2014 09:44 PM, John R Pierce wrote:
> On 1/28/2014 4:45 AM, Sorin Srbu wrote:
>>> Use IPA. It combines LDAP with Kerberos, a server-client environment is
>>> easily setup and the documentation (RHEL deployment) is very helpful.
>> Thank you. I'll look it up.
>>
>> LDAP and Kerberos though. That does sound a lot like Microsoft Active
>> Directory.8-)
>>
>> --
>
> FreeIPA provides an open source Active Directory equivalent.   its
> pretty easy to setup a simple directory server, and it can expand to be
> an enterprise-wide directory.   it allows both linux and windows
> computers to participate in the authentication domain.
>
> yes, its basically LDAP and Kerberos, with a management suite.

I've been following this with interest, about once every 6 months this 
topic is raised.

From my observation there now appear to be two possible solutions:
1. FreeIPA - gives genuine LDAP and Kerberos with some web front end 
management
2. Samba4 - gives a windoze interoperable AD implementation, not sure 
how "standards" based this is, it is engineered to follow micro$oft's 
implementation and work well for windoze clients.


Issues: option 1 will work very well with linux clients, considerable 
work to get all the required windoze functions working
option 2 - early days of implementation, CentOS does not yet support the 
complete package needed for full windoze integration.
decent documentation in the form of a howto for server, linux client, 
windoze (many versions), iOS and Android are not yet out there.
As evidenced by the few that have "been there, done that" they ALL say 
it takes A LOT of time and effort, and getting all the bits involved, 
just right, is difficult.


My appeal to those that have been there - how do we get all the tiny 
details that matter, documented, so that the black art / trial and error 
(months of) can be eliminated.
Living in the hope that this will one day be accessible to the rest of 
us that cannot afford the many months of trial and error and frustration.
BTW, I have tried openLDAP, 389 implementations, samba3 and a trial of 
samba4, all with limited success - there were always a few combinations 
that failed to work for me and I do not have the resources (mainly 
time/$$) to just keep trying.


Re: [CentOS] NIS or not?

2014-01-29 Thread Jeffrey Hass
Hello Sorin,

Good call - not sure how far your coding goes and with what/how 
languages and scripts...
Make sure to have as much as possible on VM's related to your security 
'servers' -- so
that you also get a virtual built in Disaster recovery as well.

KERBEROS is a very secure, albeit cumbersome component to implement (// 
network wide // think of... )

Having said this, um, with the tools available with openSource.. and I'm 
assuming you're such a shop
due to running CentOS -- you can customize the ticket transport aspect 
after the encrypted
authentication token is created and 'capture' that and with some slight 
tweaks create your
own 'virtual Federated' auth method by way having total control of your 
requests, successes, failures and
the like.

Note: I didn't catch it are you using the Microsoft's implementation of 
Kerberos?
There's a reason I ask, you said you need to do something,, sounds like 
fairly quick, probably a good thing,
if nothing else get centralization = control! - more so -- than before ~ 
and so it goes, you will have encapsulated
tickets on steroids, to be sure.. but if you're the only person.. is 
your shop that big that SSL wouldn't do the trick?
with some slight coding and enhancements // customization // - usually 
not supported by a 'given vendor' so
beware there...

You will see performance over the other solutions in this space and some 
scalability - without knowing 'a lot' about your
infrastructure -- and appliances therefore entered into the equation - 
it's hard to really say.

But sounds like you have Unix/Linux backend and a lot of Windows stuff 
(we can't seem to ever get away from the
highly faulty Windows suite) -- maybe when I retire, but anyway, and 
you're probably hitting a few AD servers --
and therefore there is the rub.

I have some implementations of several solutions if you're really 
serious about this as I can strip out the
confidential stuff (I do weird things for various 'friendly' 
governments, world-wide) and have seen
a thing or two here... mostly what 'not to do..'

Watch out for the posers out there as they will fire off the first thing 
from their minds and usually because they
do not know much and end up with a flame or such ~ rarely a thank you..

In any event, I offer this as is and hope you enjoy your career with 
security.
It truly is the highest paying area of IT at this given time.. I don't 
care what anyone says.

Think of the Target stores out there and such.. and you'll see SECURITY 
all over 2014  and more.
We most don't get it.. They do a VISIO chart and build a server and 
usually *uck it up worse than ever.

GOOD LUCK. CentOS - is awesome for this kind of thing as a back-end and 
front-end.
ENCIRCLE your WINDOWS servers and crush them! heh.

~ good night.

Oh summary:

KERBEROS good for larger scale operations that need total control and 
performance for many up-calls and down-calls
NTLM - um, don't do it.
SSL - vxx - ~! you can do this -- with customization - the rub here is 
customization means little if any support,
if you leave, the 'company' is toast, in many cases.. there are no 
'upgrades' to security with an ENHANCEMENT
or customization.. and so it goes, you own it, until you die or leave...

Some experience for you here. Lots of it. Tons of it.

Okay.. I did my community service for the day.

Wizard of Hass!

On 1/29/2014 12:11 AM, Sorin Srbu wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of Jeffrey Hass
>> Sent: den 29 januari 2014 08:47
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>> Hi friend -
>>
>> what is your end goal with this effort to obtain security with your
>> nodes over the 'wire' -
>>
>> there are some other solutions -- kerberos is now used heavily by
>> microsoft so that's enough to make me
>> run for the hills... just saying..
>>
>> i've set up other solutions to be sure -- even against the blasted (not
>> a real LDAP) AD.
>>
>> anyway.. just some thoughts... it's not trivial. any of the solutions, btw.
>> not at all..
>>
>> j/h
>> San Francisco/Holland/Saudi Arabia
> Primarily to enable less administration in the long run with centralized
> logins, instead of keeping each single client updated with respect to shadow,
> passwd, bashrc, hosts and so on.
>
> Some sort of encryption would probably be wise to use, as NIS uses clear text
> passwords. I don't trust our university network that much, even though the
> traffic should pretty localized.
>
> I'm aware that setting up Kerberos probably will be a big project,
> nevertheless, we must do so

Re: [CentOS] NIS or not?

2014-01-29 Thread John R Pierce
On 1/28/2014 4:45 AM, Sorin Srbu wrote:
>> Use IPA. It combines LDAP with Kerberos, a server-client environment is
>> easily setup and the documentation (RHEL deployment) is very helpful.
> Thank you. I'll look it up.
>
> LDAP and Kerberos though. That does sound a lot like Microsoft Active
> Directory.8-)
>
> --

FreeIPA provides an open source Active Directory equivalent.   its 
pretty easy to setup a simple directory server, and it can expand to be 
an enterprise-wide directory.   it allows both linux and windows 
computers to participate in the authentication domain.

yes, its basically LDAP and Kerberos, with a management suite.

-- 
john r pierce  37N 122W
somewhere on the middle of the left coast



Re: [CentOS] NIS or not?

2014-01-29 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Jeffrey Hass
> Sent: den 29 januari 2014 08:47
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> Hi friend -
>
> what is your end goal with this effort to obtain security with your
> nodes over the 'wire' -
>
> there are some other solutions -- kerberos is now used heavily by
> microsoft so that's enough to make me
> run for the hills... just saying..
>
> i've set up other solutions to be sure -- even against the blasted (not
> a real LDAP) AD.
>
> anyway.. just some thoughts... it's not trivial. any of the solutions, btw.
> not at all..
>
> j/h
> San Francisco/Holland/Saudi Arabia

Primarily to enable less administration in the long run with centralized 
logins, instead of keeping each single client updated with respect to shadow, 
passwd, bashrc, hosts and so on.

Some sort of encryption would probably be wise to use, as NIS uses clear text 
passwords. I don't trust our university network that much, even though the 
traffic should pretty localized.

I'm aware that setting up Kerberos probably will be a big project, 
nevertheless, we must do something about the current mess. As I'm the single 
sysadmin at the department, my time is finite. Automation is good, but as I 
wrote before, regular bash-scripting (however powerful) will only take you so 
far. 8-/
--
//Sorin


Re: [CentOS] NIS or not?

2014-01-28 Thread Jeffrey Hass
Hi friend -

what is your end goal with this effort to obtain security with your 
nodes over the 'wire' -

there are some other solutions -- kerberos is now used heavily by 
microsoft so that's enough to make me
run for the hills... just saying..

i've set up other solutions to be sure -- even against the blasted (not 
a real LDAP) AD.

anyway.. just some thoughts... it's not trivial. any of the solutions, btw.
not at all..

j/h
San Francisco/Holland/Saudi Arabia

389882830-$$ (for those that know)


On 1/28/2014 11:30 PM, Sorin Srbu wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of m.r...@5-cent.us
>> Sent: den 28 januari 2014 17:09
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>>> Hmm, yes. It would seem most everybody recommends Kerberos. Will have to
>>> look into it then.
>>>
>> Remember, kerberos came from the Unix world, so you'd expect it to work
>> well in Linux. M$ added it in much later
> I would like to thank you all for your hints, advice and suggestions. I now
> have quite a few  leads to follow up on. Will probably be back later on with
> more questions if Google can't help me.
>
> Thanks again.
> --
> //Sorin
>
>


Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of m.r...@5-cent.us
> Sent: den 28 januari 2014 17:09
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> > Hmm, yes. It would seem most everybody recommends Kerberos. Will have to
> > look into it then.
> >
> Remember, kerberos came from the Unix world, so you'd expect it to work
> well in Linux. M$ added it in much later

I would like to thank you all for your hints, advice and suggestions. I now 
have quite a few  leads to follow up on. Will probably be back later on with 
more questions if Google can't help me.

Thanks again.
--
//Sorin


Re: [CentOS] NIS or not?

2014-01-28 Thread Les Mikesell
On Tue, Jan 28, 2014 at 11:38 AM, Matt Garman  wrote:
>> Here you may not realize you're distinguishing between authentication and
>> authorization.
>
> Yeah, I forgot to mention that we already have Kerberos in place for
> authentication.  It's authorization that is currently done by hand and
> checked with a manual script.  (I needed that for the secure mount
> options NFSv4 provides.)
>

What is it that your scripts tweak?  I have a small setup using
kerberos against an AD for authentication, but the linux servers have
their own passwd files for the small subset of users there.  /home is
shared from one server to all of the others in the set.   This worked
when initially set up with matching users (w/matching uids) but when I
added new ones, nfsv4 mapped them to 'nobody' until I rebooted the
clients.   Restarting nfs and/or idmapd didn't help.  Is there some
way to make added users work?

-- 
   Les Mikesell
lesmikes...@gmail.com


Re: [CentOS] NIS or not?

2014-01-28 Thread m.roth
Matt Garman wrote:
> On Tue, Jan 28, 2014 at 9:18 AM,   wrote:

>> We have an in-house written set of scripts that administer relevant
>> configuration files, including /etc/passwd. It copies the correct
>> version of that file (among many others) to each host, and shell of
>> /bin/noLogin
>> works just fine.
>
> Why set the shell to /bin/noLogin, rather than simply not create that
> user's /etc/passwd entry?
>
> I don't have /bin/noLogin on any of my systems - I assume you
> deliberately specified a non-existent program for the shell?  What's
> the difference between setting the user's shell to a bogus program
> versus something like /bin/false?

There's one master passwd file, and the scripts that centrally manage it
set the shell, one way or another, depending on a different configuration
file. Why noLogin? I know I've seen it elsewhere; I think I've also seen
it as /bin/false. That's a call above my pay grade 

   mark




Re: [CentOS] NIS or not?

2014-01-28 Thread Matt Garman
On Tue, Jan 28, 2014 at 9:18 AM,   wrote:
> At this late date, I'd be really, *REALLY* leery of using NIS. You say
> that *most* of your traffic is local, suggesting that some of it is *not*.
> And, for that matter, how good are the firewalls keeping other traffic
> out?
>
> I'd say no to NIS. Yes, other answers may be more difficult to set up, but
> consider the alternatives.
>>>
>>> That is, we have an ever-growing list of special cases.  UserA can
>>> login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
>>>  Nobody except UserC can login to server 6.  UserD can login to
>>> machines 2--6.  And so on and so forth.
>
> Here you may not realize you're distinguishing between authentication and
> authorization.

Yeah, I forgot to mention that we already have Kerberos in place for
authentication.  It's authorization that is currently done by hand and
checked with a manual script.  (I needed that for the secure mount
options NFSv4 provides.)

> I sincerely hope it's easier to set up and administer and upgrade than
> native LDAP. In '06, after a discussion with the other admin and manager I
> was working with at that job, I volunteered to set up openLDAP. Let's just
> say that the tools were NOT vaguely ready for prime time, though I did
> find that running webmin helped a *lot* to get it working.

I know you can find a horror story for any piece of software on the
Internet, but my impression is that LDAP has an unusually high number
of scary-sounding anecdotes.  I know random Internet blogs forum posts
aren't really authoritative, but they do give me a little trepidation
regarding LDAP.

> We have an in-house written set of scripts that administer relevant
> configuration files, including /etc/passwd. It copies the correct version
> of that file (among many others) to each host, and shell of /bin/noLogin
> works just fine.

Why set the shell to /bin/noLogin, rather than simply not create that
user's /etc/passwd entry?

I don't have /bin/noLogin on any of my systems - I assume you
deliberately specified a non-existent program for the shell?  What's
the difference between setting the user's shell to a bogus program
versus something like /bin/false?


Re: [CentOS] NIS or not?

2014-01-28 Thread m . roth
Sorin Srbu wrote:
>> Behalf Of Mauricio Tavares
>>
>> > We do have Active Directory as well, but only for the Windows clients.
>> >
>> > But I'd rather keep them separated.
>> >
>> > Kerberos on linux. Is that a pain or a bigger pain?
>> > Whenever I've worked with Kerberos on Windows I've come out all sweaty
>> > afterwards... 8-S
>> >
>>   Then stop playing with yourself already! ;)
>>
>>   Kerberos on linux works quite well; keep everyone's clock within
>> 5min of the auth server and you will be ok. I have not done sssd yet
>> though. I did have timeout with nfs automount issues due to expired
>> tickets, but that setup is old.
>
> LOL!
>
> Hmm, yes. It would seem most everybody recommends Kerberos. Will have to
> look into it then.
>
Remember, kerberos came from the Unix world, so you'd expect it to work
well in Linux. M$ added it in much later

mark



Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Mauricio Tavares
> Sent: 28 January 2014 15:20
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
> 
> > We do have Active Directory as well, but only for the Windows clients.
> >
> > But I'd rather keep them separated.
> >
> > Kerberos on linux. Is that a pain or a bigger pain?
> > Whenever I've worked with Kerberos on Windows I've come out all sweaty
> > afterwards... 8-S
> >
>   Then stop playing with yourself already! ;)
> 
>   Kerberos on linux works quite well; keep everyone's clock within
> 5min of the auth server and you will be ok. I have not done sssd yet
> though. I did have timeout with nfs automount issues due to expired
> tickets, but that setup is old.

LOL!

Hmm, yes. It would seem most everybody recommends Kerberos. Will have to look
into it then.

--
//Sorin (has self-consciously stopped playing with himself now... ;-))


Re: [CentOS] NIS or not?

2014-01-28 Thread m . roth
Laurent Wandrebeck wrote:
> Matt Garman wrote:
>> On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu 
>> wrote:
>>> The only thing I'm trying to accomplish is a system which will allow me
>>> to keep user accounts and passwords in one place, with one place only to
>>> administrate. NIS seems to be able to do that.
>>>
>>> Comments and insights are much appreciated!
>>
>> A related question: is NIS or LDAP (or something else entirely) better
>> if the machines are not uniform in their login configuration?

At this late date, I'd be really, *REALLY* leery of using NIS. You say
that *most* of your traffic is local, suggesting that some of it is *not*.
And, for that matter, how good are the firewalls keeping other traffic
out?

I'd say no to NIS. Yes, other answers may be more difficult to set up, but
consider the alternatives.
>>
>> That is, we have an ever-growing list of special cases.  UserA can
>> login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
>>  Nobody except UserC can login to server 6.  UserD can login to
>> machines 2--6.  And so on and so forth.

Here you may not realize you're distinguishing between authentication and
authorization.
>>
>> I currently have a custom script with a substantial configuration file
>> for checking that the actual machines are configured as per our
>> intent.  It would be nice if there was a single tool where the
>> configuration and management/auditing could be rolled into one.

We have an in-house written set of scripts that administer relevant
configuration files, including /etc/passwd. It copies the correct version
of that file (among many others) to each host, and shell of /bin/noLogin
works just fine.
>>
> You’d be fine with IPA which allows you to create such rules.

I'd vaguely heard of IPA, so I just looked it up. *chuckle* You do notice
that it has its own implementation of LDAP and uses kerberos, right? So
seems like several folks are recommending LDAP and kerberos.

I sincerely hope it's easier to set up and administer and upgrade than
native LDAP. In '06, after a discussion with the other admin and manager I
was working with at that job, I volunteered to set up openLDAP. Let's just
say that the tools were NOT vaguely ready for prime time, though I did
find that running webmin helped a *lot* to get it working.

But that was nearly 8 years ago

   mark



Re: [CentOS] NIS or not?

2014-01-28 Thread Darod Zyree
2014-01-28 Mauricio Tavares 

> On Tue, Jan 28, 2014 at 9:47 AM, Darod Zyree  wrote:
> > 2014-01-28 Laurent Wandrebeck 
> >
> >>
> >> Matt Garman wrote:
> >>
> >> > On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu wrote:
> >> >> The only thing I'm trying to accomplish is a system which will allow me
> >> >> to keep user accounts and passwords in one place, with one place only to
> >> >> administrate. NIS seems to be able to do that.
> >> >>
> >> >> Comments and insights are much appreciated!
> >> >
> >> > A related question: is NIS or LDAP (or something else entirely) better
> >> > if the machines are not uniform in their login configuration?
> >> >
> >> > That is, we have an ever-growing list of special cases.  UserA can
> >> > login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
> >> >  Nobody except UserC can login to server 6.  UserD can login to
> >> > machines 2--6.  And so on and so forth.
> >> >
> >> > I currently have a custom script with a substantial configuration file
> >> > for checking that the actual machines are configured as per our
> >> > intent.  It would be nice if there was a single tool where the
> >> > configuration and management/auditing could be rolled into one.
> >> >
> >> > Thanks!
> >> > Matt
> >>
> >> You'd be fine with IPA which allows you to create such rules.
> >>
> >> HTH,
> >> Laurent.
> > Indeed, and IPA does this quite well.
> >
> > We use IPA on all servers and workstations.
> >
> > - Sudo information comes from IPA
> >
> > - Autofs information comes from IPA
> >
> > - Host based access control comes from IPA
> >
> > - Central user management/identity
> >
>   I read that IPA can do multimaster. How well does it do it
> compared to openldap?
>
>
>

I can't say how well it does compared to openldap but the replication is
quick and reliable.


For example, we test IPA masters by (re)applying settings in user accounts
etc. while "crashing" them at random (removing power; they were virtual
machines).


Re: [CentOS] NIS or not?

2014-01-28 Thread Mauricio Tavares
On Tue, Jan 28, 2014 at 9:47 AM, Darod Zyree  wrote:
> 2014-01-28 Laurent Wandrebeck 
>
>>
>> Matt Garman wrote:
>>
>> > On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu wrote:
>> >> The only thing I'm trying to accomplish is a system which will allow me
>> >> to keep user accounts and passwords in one place, with one place only to
>> >> administrate. NIS seems to be able to do that.
>> >>
>> >> Comments and insights are much appreciated!
>> >
>> > A related question: is NIS or LDAP (or something else entirely) better
>> > if the machines are not uniform in their login configuration?
>> >
>> > That is, we have an ever-growing list of special cases.  UserA can
>> > login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
>> >  Nobody except UserC can login to server 6.  UserD can login to
>> > machines 2--6.  And so on and so forth.
>> >
>> > I currently have a custom script with a substantial configuration file
>> > for checking that the actual machines are configured as per our
>> > intent.  It would be nice if there was a single tool where the
>> > configuration and management/auditing could be rolled into one.
>> >
>> > Thanks!
>> > Matt
>>
>> You'd be fine with IPA which allows you to create such rules.
>>
>> HTH,
>> Laurent.
> Indeed, and IPA does this quite well.
>
> We use IPA on all servers and workstations.
>
> - Sudo information comes from IPA
>
> - Autofs information comes from IPA
>
> - Host based access control comes from IPA
>
> - Central user management/identity
>
  I read that IPA can do multimaster. How well does it do it
compared to openldap?

> It all works really well.


Re: [CentOS] NIS or not?

2014-01-28 Thread Darod Zyree
2014-01-28 Laurent Wandrebeck 

>
> Matt Garman wrote:
>
> > On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu wrote:
> >> The only thing I'm trying to accomplish is a system which will allow me
> >> to keep user accounts and passwords in one place, with one place only to
> >> administrate. NIS seems to be able to do that.
> >>
> >> Comments and insights are much appreciated!
> >
> > A related question: is NIS or LDAP (or something else entirely) better
> > if the machines are not uniform in their login configuration?
> >
> > That is, we have an ever-growing list of special cases.  UserA can
> > login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
> >  Nobody except UserC can login to server 6.  UserD can login to
> > machines 2--6.  And so on and so forth.
> >
> > I currently have a custom script with a substantial configuration file
> > for checking that the actual machines are configured as per our
> > intent.  It would be nice if there was a single tool where the
> > configuration and management/auditing could be rolled into one.
> >
> > Thanks!
> > Matt
>
> You'd be fine with IPA which allows you to create such rules.
>
> HTH,
> Laurent.
Indeed, and IPA does this quite well.

We use IPA on all servers and workstations.

- Sudo information comes from IPA

- Autofs information comes from IPA

- Host based access control comes from IPA

- Central user management/identity

It all works really well.


Re: [CentOS] NIS or not?

2014-01-28 Thread Laurent Wandrebeck

Matt Garman wrote:

> On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu  wrote:
>> The only thing I'm trying to accomplish is a system which will allow me to
>> keep user accounts and passwords in one place, with one place only to
>> administrate. NIS seems to be able to do that.
>>
>> Comments and insights are much appreciated!
>
> A related question: is NIS or LDAP (or something else entirely) better
> if the machines are not uniform in their login configuration?
>
> That is, we have an ever-growing list of special cases.  UserA can
> login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
>  Nobody except UserC can login to server 6.  UserD can login to
> machines 2--6.  And so on and so forth.
>
> I currently have a custom script with a substantial configuration file
> for checking that the actual machines are configured as per our
> intent.  It would be nice if there was a single tool where the
> configuration and management/auditing could be rolled into one.
>
> Thanks!
> Matt

You’d be fine with IPA which allows you to create such rules.

HTH,
Laurent.


Re: [CentOS] NIS or not?

2014-01-28 Thread Matt Garman
On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu  wrote:
> The only thing I'm trying to accomplish is a system which will allow me to
> keep user accounts and passwords in one place, with one place only to
> administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!

A related question: is NIS or LDAP (or something else entirely) better
if the machines are not uniform in their login configuration?

That is, we have an ever-growing list of special cases.  UserA can
login to servers 1, 2 and 3.  UserB can log in to servers 3, 4, and 5.
 Nobody except UserC can login to server 6.  UserD can login to
machines 2--6.  And so on and so forth.

I currently have a custom script with a substantial configuration file
for checking that the actual machines are configured as per our
intent.  It would be nice if there was a single tool where the
configuration and management/auditing could be rolled into one.

Thanks!
Matt

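One way to turn Matt's "who may log in where" list into something a script can check, as an added example that is not code from the thread: the intended matrix is a table, each host's /etc/passwd is compared against it, and every disagreement (extra login-capable account, missing account, account present but with a non-login shell) is reported. Host names, user names and passwd lines are constructed sample data.

```python
"""Audit per-host /etc/passwd contents against an intended access matrix.

Added example, not code from the thread. It models the special cases Matt
describes (UserA on servers 1-3, UserB on 3-5, only UserC on 6, UserD on 2-6)
as an intent table and reports where the hosts disagree with it. Host names
and passwd lines are constructed sample data.
"""
LOGIN_SHELLS = {"/bin/bash", "/bin/sh", "/bin/zsh", "/bin/ksh", "/bin/tcsh"}
SYSTEM_UID_MAX = 999  # root and service accounts are out of scope

# Intended authorization: user -> hosts where an interactive login is allowed.
INTENT = {
    "usera": {"server1", "server2", "server3"},
    "userb": {"server3", "server4", "server5"},
    "userc": {"server6"},
    "userd": {"server2", "server3", "server4", "server5", "server6"},
}


def parse_passwd(text):
    """{username: (uid, shell)} from /etc/passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        users[fields[0]] = (int(fields[2]), fields[6])
    return users


def can_login(shell):
    """A bogus or nologin shell (/bin/false, /bin/noLogin, ...) blocks logins."""
    return shell in LOGIN_SHELLS


def audit(intent, hosts):
    """hosts: {hostname: passwd_text}. Returns sorted (kind, user, host) findings:
    unexpected   - login-capable account on a host the intent does not list
    missing      - intended account absent from the host
    disabled     - intended account present but with a non-login shell
    unknown-host - intent names a host we have no passwd file for
    """
    findings = []
    for host, text in hosts.items():
        present = parse_passwd(text)
        for user, (uid, shell) in present.items():
            if uid <= SYSTEM_UID_MAX:
                continue
            if host not in intent.get(user, set()) and can_login(shell):
                findings.append(("unexpected", user, host))
        for user, allowed in intent.items():
            if host not in allowed:
                continue
            if user not in present:
                findings.append(("missing", user, host))
            elif not can_login(present[user][1]):
                findings.append(("disabled", user, host))
    for user, allowed in intent.items():
        for host in allowed - set(hosts):
            findings.append(("unknown-host", user, host))
    return sorted(findings)


# Constructed sample: server4 has a stray usera, server5 lacks userb,
# server6 has userd with a disabled shell and a leftover old account.
SAMPLE_HOSTS = {
    "server1": "root:x:0:0:root:/root:/bin/bash\n"
               "usera:x:1001:1001::/home/usera:/bin/bash\n",
    "server2": "usera:x:1001:1001::/home/usera:/bin/bash\n"
               "userd:x:1004:1004::/home/userd:/bin/bash\n",
    "server3": "usera:x:1001:1001::/home/usera:/bin/bash\n"
               "userb:x:1002:1002::/home/userb:/bin/bash\n"
               "userd:x:1004:1004::/home/userd:/bin/bash\n",
    "server4": "usera:x:1001:1001::/home/usera:/bin/bash\n"
               "userb:x:1002:1002::/home/userb:/bin/bash\n"
               "userd:x:1004:1004::/home/userd:/bin/bash\n",
    "server5": "userd:x:1004:1004::/home/userd:/bin/bash\n",
    "server6": "userc:x:1003:1003::/home/userc:/bin/bash\n"
               "userd:x:1004:1004::/home/userd:/bin/false\n"
               "olduser:x:1099:1099::/home/olduser:/bin/bash\n",
}

if __name__ == "__main__":
    for kind, user, host in audit(INTENT, SAMPLE_HOSTS):
        print(f"{kind:12} {user:10} {host}")
```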

Re: [CentOS] NIS or not?

2014-01-28 Thread Mauricio Tavares
On Tue, Jan 28, 2014 at 8:56 AM, Sorin Srbu  wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of Logan McNaughton
>> Sent: 28 January 2014 14:33
>> To: CentOS mailing list
>> Subject: Re: [CentOS] NIS or not?
>>
>> Where I work we use NIS + Kerberos (Active Directory). We have about 150
>> machines at our site. It works quite well, as someone said, the big
>> drawback to NIS is that it sends passwords insecurely, but if you use Kerberos
>> for authentication it's really quite easy to manage.
>
> We do have Active Directory as well, but only for the Windows clients.
>
> But I'd rather keep them separated.
>
> Kerberos on linux. Is that a pain or a bigger pain?
> Whenever I've worked with Kerberos on Windows I've come out all sweaty
> afterwards... 8-S
>
  Then stop playing with yourself already! ;)

  Kerberos on linux works quite well; keep everyone's clock within
5min of the auth server and you will be ok. I have not done sssd yet
though. I did have timeout with nfs automount issues due to expired
tickets, but that setup is old.

> --
> //Sorin
>


Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Logan McNaughton
> Sent: 28 January 2014 14:33
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
> 
> Where I work we use NIS + Kerberos (Active Directory). We have about 150
> machines at our site. It works quite well, as someone said, the big
> drawback to NIS is that it sends passwords insecurely, but if you use Kerberos
> for authentication it's really quite easy to manage.

We do have Active Directory as well, but only for the Windows clients.

But I'd rather keep them separated.

Kerberos on linux. Is that a pain or a bigger pain?
Whenever I've worked with Kerberos on Windows I've come out all sweaty
afterwards... 8-S

--
//Sorin


Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Kaplan, Andrew H.
> Sent: 28 January 2014 14:31
> To: 'CentOS mailing list'
> Subject: Re: [CentOS] NIS or not?
>
> We have been using NIS for over a decade on our network, and it has been
> an effective solution.
> The network spans several subnets, and we have been able to deploy slave
> NIS servers on the various
> subnets. The reason for this is severalfold:
>
> Quicker response for login and other domain requests
> Network policy requires slave servers to be on subnets to reduce network
> traffic.
>
> While the security is not as strong as it is for the LDAP solution, as long
> as you are employing NIS on an internal network, you should be all set.

So you don't have any problem running clear-text passwords as mentioned in a 
previous post?

--
//Sorin


Re: [CentOS] NIS or not?

2014-01-28 Thread Pete Geenhuizen
Security is a major consideration, and even though as you say most of
the traffic is local, most problems are internal as opposed to external.

Pete
On 01/28/2014 08:22 AM, Sorin Srbu wrote:
> Yeah, that last bit made me squirm over here. I don't feel good about that,
> even though the linux machines are all pretty much localized to one spot, so
> that hardly any traffic goes out of the department.
>
>
> Thanks. I'll look into LDAP some more.
>
> //Sorin
>
>

-- 
Unencumbered by the thought process.
  -- Click and Clack the Tappet brothers



Re: [CentOS] NIS or not?

2014-01-28 Thread Logan McNaughton
Where I work we use NIS + Kerberos (Active Directory). We have about 150
machines at our site. It works quite well, as someone said, the big
drawback to NIS is that it sends passwords insecurely, but if you use Kerberos
for authentication it's really quite easy to manage.
On Jan 28, 2014 6:23 AM, "Sorin Srbu"  wrote:

> > -Original Message-
> > From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> > Behalf Of Pete Geenhuizen
> > Sent: 28 January 2014 14:12
> > To: CentOS mailing list
> > Subject: Re: [CentOS] NIS or not?
> >
> > I used NIS for many years while working on Sun Solaris and it worked
> > extremely well, although when it breaks it can be a real challenge to
> > figure out the problems.
> > I don't know how well it's implemented in Linux, bound to be a bit
> > different than Solaris.  In either case if it's important be aware of
> > the potential security issues related to NIS, mainly the clear text
> > passing of the password which is what pretty much doomed it.
>
> Yeah, that last bit made me squirm over here. I don't feel good about that,
> even though the linux machines are all pretty much localized to one spot, so
> that hardly any traffic goes out of the department.
>
>
> > With all of that said I do think though that LDAP would be a better
> > solution although I've not used LDAP.
> >
> > Good luck with it either way.
>
> Thanks. I'll look into LDAP some more.
>
> //Sorin
>


Re: [CentOS] NIS or not?

2014-01-28 Thread Kaplan, Andrew H.
We have been using NIS for over a decade on our network, and it has been an
effective solution. The network spans several subnets, and we have been able
to deploy slave NIS servers on the various subnets. The reason for this is
severalfold:

Quicker response for login and other domain requests
Network policy requires slave servers to be on subnets to reduce network
traffic.

While the security is not as strong as it is for the LDAP solution, as long as
you are employing NIS on an internal network, you should be all set.

 

-Original Message-
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of 
Sorin Srbu
Sent: Tuesday, January 28, 2014 4:03 AM
To: CentOS mailing list
Subject: [CentOS] NIS or not?

Hi all,

We're getting to a point in our linux environment where it's starting to be 
cumbersome to keep shadow and passwd-files up-to-date for the users to login 
on each computer. Scripts can only get us so far. 8-/

I've looked a bit into central login systems for linux, and NIS and LDAP seem 
to be prevalent. NIS being the simpler-to-setup solution for small to medium 
networks as I understand it, while LDAP is the more modern and scalable 
solution.
See eg http://www.yolinux.com/TUTORIALS/NIS.html or 
http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.

NIS-wise, what is a "small to medium network"?
We have currently about 20-30'ish linux clients and servers, and the 
environment is not likely to increase much beyond this point.
Is a 30-ish-computer setup a small network?

The only thing I'm trying to accomplish is a system which will allow me to 
keep user accounts and passwords in one place, with one place only to 
administrate. NIS seems to be able to do that.

Comments and insights are much appreciated!

-- 
BW,
Sorin
---
# Sorin Srbu, Sysadmin
# Uppsala University
# Dept of Medicinal Chemistry
# Div of Org Pharm Chem
# Box 574
# SE-75123 Uppsala
# Sweden#
# Phone: +46 (0)18-4714482
# Visit: BMC, Husargatan 3, D5:512b
# Web: http://www.orgfarm.uu.se
---
# ()  ASCII ribbon campaign - Against html E-mail
# /\
#
# This message was not sent from an iProduct!
#
# MotD follows:
# Artificial Intelligence: the art of making computers that behave like the 
ones in movies. -Bill Bulko





Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Pete Geenhuizen
> Sent: 28 January 2014 14:12
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> I used NIS for many years while working on Sun Solaris and it worked
> extremely well, although when it breaks it can be a real challenge to
> figure out the problems.
> I don't know how well it's implemented in Linux, bound to be a bit
> different than Solaris.  In either case if it's important be aware of
> the potential security issues related to NIS, mainly the clear text
> passing of the password which is what pretty much doomed it.

Yeah, that last bit made me squirm over here. I don't feel good about that, 
even though the linux machines are all pretty much localized to one spot, so 
that hardly any traffic goes out of the department.


> With all of that said I do think though that LDAP would be a better
> solution although I've not used LDAP.
>
> Good luck with it either way.

Thanks. I'll look into LDAP some more.

//Sorin


Re: [CentOS] NIS or not?

2014-01-28 Thread Pete Geenhuizen

On 01/28/2014 04:02 AM, Sorin Srbu wrote:
> Hi all,
>
> We're getting to a point in our linux environment where it's starting to be
> cumbersome to keep shadow and passwd-files up-to-date for the users to login
> on each computer. Scripts can only get us so far. 8-/
>
> I've looked a bit into central login systems for linux, and NIS and LDAP seem
> to be prevalent. NIS being the simpler-to-setup solution for small to medium
> networks as I understand it, while LDAP is the more modern and scalable
> solution.
> See eg http://www.yolinux.com/TUTORIALS/NIS.html or
> http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.
>
> NIS-wise, what is a "small to medium network"?
> We have currently about 20-30'ish linux clients and servers, and the
> environment is not likely to increase much beyond this point.
> Is a 30-ish-computer setup a small network?
>
> The only thing I'm trying to accomplish is a system which will allow me to
> keep user accounts and passwords in one place, with one place only to
> administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!
>
>
>
I used NIS for many years while working on Sun Solaris and it worked 
extremely well, although when it breaks it can be a real challenge to 
figure out the problems.
I don't know how well it's implemented in Linux, bound to be a bit 
different than Solaris.  In either case if it's important be aware of 
the potential security issues related to NIS, mainly the clear text 
passing of the password which is what pretty much doomed it.

Depending on how antsy your users get I would recommend a slave server as 
well, you might also consider using autofs to mount the user's homes.

The biggest potential problem that you might run into when you first 
implement NIS is to take a look at the uid of all the users on each 
host, you will need to ensure that they are the same before you start 
NIS or else it will be a mess for the users because they won't own their 
own files.

With all of that said I do think though that LDAP would be a better 
solution although I've not used LDAP.

Good luck with it either way.

Pete


-- 
Unencumbered by the thought process.
  -- Click and Clack the Tappet brothers


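Pete's uid warning is easy to check before NIS goes live. The script below, an added example and not code from the thread, reads the passwd files collected from each host, reports users whose uid differs between hosts (and uids that two different users claim), and proposes which host needs its uid changed, noting when another account already holds the target uid there. Host names and passwd contents are constructed sample data.

```python
"""Find users whose uid differs between hosts (and uids shared by different
users) before switching to NIS, and propose a fix-up plan.

Added example, not code from the thread. Host names and passwd contents are
constructed sample data.
"""
from collections import defaultdict

SYSTEM_UID_MAX = 999  # system accounts stay local and are not compared


def parse_passwd(text):
    """{username: uid} for the regular accounts in passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _, uid = line.split(":")[:3]
        if int(uid) > SYSTEM_UID_MAX:
            users[name] = int(uid)
    return users


def uid_conflicts(hosts):
    """hosts: {hostname: passwd_text}.
    Returns (by_name, by_uid): users that have more than one uid, and uids
    claimed by more than one user, each mapped to the hosts involved."""
    name_map = defaultdict(lambda: defaultdict(set))
    uid_map = defaultdict(lambda: defaultdict(set))
    for host, text in hosts.items():
        for name, uid in parse_passwd(text).items():
            name_map[name][uid].add(host)
            uid_map[uid][name].add(host)
    by_name = {n: {u: sorted(h) for u, h in m.items()}
               for n, m in name_map.items() if len(m) > 1}
    by_uid = {u: {n: sorted(h) for n, h in m.items()}
              for u, m in uid_map.items() if len(m) > 1}
    return by_name, by_uid


def remediation_plan(hosts):
    """For each inconsistent user pick the uid used on the most hosts (lowest
    uid on a tie) and list (host, user, old_uid, new_uid, blocker), where
    blocker is another account already holding new_uid on that host. A
    blocked change has to wait until that account has been moved first."""
    by_name, _ = uid_conflicts(hosts)
    parsed = {h: parse_passwd(t) for h, t in hosts.items()}
    plan = []
    for user, uids in by_name.items():
        canonical = max(uids, key=lambda u: (len(uids[u]), -u))
        for uid, host_list in uids.items():
            if uid == canonical:
                continue
            for host in host_list:
                blocker = next((n for n, u in parsed[host].items()
                                if u == canonical and n != user), None)
                plan.append((host, user, uid, canonical, blocker))
    return sorted(plan)


# Constructed sample: bob is 1005 on hostB, where dave already holds 1002.
SAMPLE_HOSTS = {
    "hostA": "root:x:0:0:root:/root:/bin/bash\n"
             "alice:x:1001:1001::/home/alice:/bin/bash\n"
             "bob:x:1002:1002::/home/bob:/bin/bash\n"
             "carol:x:1003:1003::/home/carol:/bin/bash\n",
    "hostB": "alice:x:1001:1001::/home/alice:/bin/bash\n"
             "bob:x:1005:1005::/home/bob:/bin/bash\n"
             "dave:x:1002:1002::/home/dave:/bin/bash\n",
    "hostC": "alice:x:1001:1001::/home/alice:/bin/bash\n"
             "bob:x:1002:1002::/home/bob:/bin/bash\n",
}

if __name__ == "__main__":
    names, uids = uid_conflicts(SAMPLE_HOSTS)
    for user, m in names.items():
        print(f"user {user} has uids {m}")
    for uid, m in uids.items():
        print(f"uid {uid} is used by {m}")
    for host, user, old, new, blocker in remediation_plan(SAMPLE_HOSTS):
        note = f" (blocked: {blocker} holds {new})" if blocker else ""
        print(f"{host}: change {user} from {old} to {new}, "
              f"then re-own files owned by {old}{note}")
```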

Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of anax
> Sent: 28 January 2014 13:45
> To: centos@centos.org
> Subject: Re: [CentOS] NIS or not?
> 
> Hi Sorin
> of course: you may omit the mail cocacho and realize only the
> authentication cocacho in LDAP. For us, however, it has proven to be
> most advantageous to have both on LDAP.
> You may also select to do first the authentication in LDAP and later on,
> if you are familiar with LDAP, realize the mail.

Cool. Thanks!

--
//Sorin




Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of Darod Zyree
> Sent: 28 January 2014 13:00
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> Use IPA. It combines LDAP with Kerberos, a server-client environment is
> easily setup and the documentation (RHEL deployment) is very helpful.

Thank you. I'll look it up.

LDAP and Kerberos though. That does sound a lot like Microsoft Active 
Directory. 8-)

--
//Sorin


Re: [CentOS] NIS or not?

2014-01-28 Thread anax
Hi Sorin
of course: you may omit the mail cocacho and realize only the 
authentication cocacho in LDAP. For us, however, it has proven to be 
most advantageous to have both on LDAP.
You may also select to do first the authentication in LDAP and later on, 
if you are familiar with LDAP, realize the mail.

suomi

On 2014-01-28 13:32, Sorin Srbu wrote:
>> -Original Message-
>> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
>> Behalf Of anax
>> Sent: 28 January 2014 12:24
>> To: centos@centos.org
>> Subject: Re: [CentOS] NIS or not?
>>
>> Hi Sorin
>> we use here LDAP authentication and mail-control for more than 10 years.
>> At that time, we did the conversion from passwd/shadow to LDAP using the
>> tools on
>> http://www.padl.com/download/
>> which are still available, probably in a newer version...
>>
>> To represent a person or a service in LDAP we use the objectclasses:
>>objectClass: account
>>objectClass: posixAccount
>>objectClass: top
>>objectClass: shadowAccount
>>objectClass: mailRecipient
>>
>> To represent a mail user for postfix we use the objectclasses:
>>
>>objectClass: top
>>objectClass: person
>>objectClass: organizationalPerson
>>objectClass: inetOrgPerson
>>objectClass: qmailUser
>>
>> To represent a Domain which we serve mail-wise we use the objectclasses:
>> objectClass: qmailControl
>> objectClass: top
>>
>>
>> We also have developed an LDAP via Web Interface, which we use
>> exclusively for LDAP administration.
>>
>> We have two LDAP servers, synchronized via syncrepl.
>>
>> suomi
>>
>>
>>
>> On 2014-01-28 10:02, Sorin Srbu wrote:
>>>
>>> The only thing I'm trying to accomplish is a system which will allow me to
>>> keep user accounts and passwords in one place, with one place only to
>>> administrate. NIS seems to be able to do that.
>
> Thank you.
> Can I use just the user authentication (uid/pwd) part and skip the whole
> mail-cocacho, or do these two go hand in hand when using LDAP?
>
> --
> //Sorin
>
>
>

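The passwd/shadow-to-LDAP conversion anax mentions, as an added example that is not the padl migration tools and not code from the thread: it writes one LDIF entry per regular account using the objectClasses listed for a person (account, posixAccount, top, shadowAccount), carries the existing crypt hash over as a {CRYPT} userPassword, and copies the shadow aging fields. The base DN ou=People,dc=example,dc=org and the sample passwd/shadow lines are assumed placeholders.

```python
"""Generate LDIF from /etc/passwd and /etc/shadow using the objectClasses
anax lists for a person (account, posixAccount, top, shadowAccount).

Added example, not the padl migration tools and not code from the thread.
The base DN and the sample accounts below are assumed placeholders.
"""
import base64

BASE_DN = "ou=People,dc=example,dc=org"  # assumed placeholder
SHADOW_ATTRS = ("shadowLastChange", "shadowMin", "shadowMax", "shadowWarning",
                "shadowInactive", "shadowExpire", "shadowFlag")


def parse_passwd(text):
    """{name: {uid, gid, gecos, home, shell}} from passwd-style text."""
    users = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        name, _pw, uid, gid, gecos, home, shell = line.split(":")
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def parse_shadow(text):
    """{name: {hash, aging}} where aging holds the seven numeric shadow fields
    (last change, min, max, warn, inactive, expire, flag) as strings."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = {"hash": fields[1], "aging": fields[2:9]}
    return entries


def ldif_line(attr, value):
    """RFC 2849: values that are not SAFE-STRINGs are base64-encoded (':: ')."""
    unsafe = (value == "" or value[0] in " :<"
              or any(ord(c) < 32 or ord(c) > 126 for c in value))
    if unsafe:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def build_entry(name, pw, sh):
    """Lines of one LDIF entry; the crypt hash is carried over as {CRYPT}."""
    cn = pw["gecos"].split(",")[0] or name
    lines = [f"dn: uid={name},{BASE_DN}",
             "objectClass: account", "objectClass: posixAccount",
             "objectClass: top", "objectClass: shadowAccount",
             ldif_line("uid", name), ldif_line("cn", cn),
             ldif_line("uidNumber", str(pw["uid"])),
             ldif_line("gidNumber", str(pw["gid"])),
             ldif_line("homeDirectory", pw["home"]),
             ldif_line("loginShell", pw["shell"])]
    if pw["gecos"]:
        lines.append(ldif_line("gecos", pw["gecos"]))
    if sh is not None:
        # A locked account ("!" or "*" instead of a hash) stays locked,
        # because the copied value can never verify as a crypt hash.
        lines.append(ldif_line("userPassword", "{CRYPT}" + sh["hash"]))
        for attr, val in zip(SHADOW_ATTRS, sh["aging"]):
            if val:
                lines.append(ldif_line(attr, val))
    return lines


def migrate(passwd_text, shadow_text, min_uid=1000):
    """LDIF text for all accounts with uid >= min_uid; system accounts
    (root, service users) are left in the local files."""
    shadow = parse_shadow(shadow_text)
    blocks = []
    for name, pw in parse_passwd(passwd_text).items():
        if pw["uid"] < min_uid:
            continue
        blocks.append("\n".join(build_entry(name, pw, shadow.get(name))))
    return "\n\n".join(blocks) + "\n"


# Constructed sample input; the hash is a placeholder, not a real password.
PASSWD = """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example,,,:/home/alice:/bin/bash
bob:x:1002:1002::/home/bob:/bin/false
"""
SHADOW = """root:*:16000:0:99999:7:::
alice:$6$saltsalt$fakehashforexample:16050:0:99999:7:::
bob:!:16060:0:99999:7:::
"""

if __name__ == "__main__":
    print(migrate(PASSWD, SHADOW), end="")
```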

Re: [CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
> -Original Message-
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On
> Behalf Of anax
> Sent: 28 January 2014 12:24
> To: centos@centos.org
> Subject: Re: [CentOS] NIS or not?
>
> Hi Sorin
> we use here LDAP authentication and mail-control for more than 10 years.
> At that time, we did the conversion from passwd/shadow to LDAP using the
> tools on
> http://www.padl.com/download/
> which are still available, probably in a newer version...
>
> To represent a person or a service in LDAP we use the objectclasses:
>   objectClass: account
>   objectClass: posixAccount
>   objectClass: top
>   objectClass: shadowAccount
>   objectClass: mailRecipient
>
> To represent a mail user for postfix we use the objectclasses:
>
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetOrgPerson
>   objectClass: qmailUser
>
> To represent a Domain which we serve mail-wise we use the objectclasses:
> objectClass: qmailControl
> objectClass: top
>
>
> We also have developed an LDAP via Web Interface, which we use
> exclusively for LDAP administration.
>
> We have two LDAP servers, synchronized via syncrepl.
>
> suomi
>
>
>
> On 2014-01-28 10:02, Sorin Srbu wrote:
> >
> > The only thing I'm trying to accomplish is a system which will allow me to
> > keep user accounts and passwords in one place, with one place only to
> > administrate. NIS seems to be able to do that.

Thank you.
Can I use just the user authentication (uid/pwd) part and skip the whole 
mail-cocacho, or do these two go hand in hand when using LDAP?

--
//Sorin



Re: [CentOS] NIS or not?

2014-01-28 Thread Darod Zyree
2014-01-28 Sorin Srbu 

> Hi all,
>
> We're getting to a point in our linux environment where it's starting to be
> cumbersome to keep shadow and passwd-files up-to-date for the users to login
> on each computer. Scripts can only get us so far. 8-/
>
> I've looked a bit into central login systems for linux, and NIS and LDAP seem
> to be prevalent. NIS being the simpler-to-setup solution for small to medium
> networks as I understand it, while LDAP is the more modern and scalable
> solution.
> See eg http://www.yolinux.com/TUTORIALS/NIS.html or
> http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.
>
> NIS-wise, what is a "small to medium network"?
> We have currently about 20-30'ish linux clients and servers, and the
> environment is not likely to increase much beyond this point.
> Is a 30ish-computer setup a small network?
>
> The only thing I'm trying to accomplish is a system which will allow me to
> keep user accounts and passwords in one place, with one place only to
> administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!
>


Use IPA. It combines LDAP with Kerberos, a server-client environment is
easily set up, and the documentation (RHEL deployment) is very helpful.


Re: [CentOS] NIS or not?

2014-01-28 Thread anax
Hi Sorin
We have been using LDAP authentication and mail control here for more than 10 years.
At that time, we did the conversion from passwd/shadow to LDAP using the
tools on
http://www.padl.com/download/
which are still available, probably in a newer version...

To represent a person or a service in LDAP we use the objectclasses:
  objectClass: account
  objectClass: posixAccount
  objectClass: top
  objectClass: shadowAccount
  objectClass: mailRecipient

To represent a mail user for postfix we use the objectclasses:

  objectClass: top
  objectClass: person
  objectClass: organizationalPerson
  objectClass: inetOrgPerson
  objectClass: qmailUser

To represent a domain which we serve mail-wise we use the objectclasses:
  objectClass: qmailControl
  objectClass: top


We have also developed a web interface for LDAP, which we use
exclusively for LDAP administration.

We have two LDAP servers, synchronized via syncrepl.

suomi



On 2014-01-28 10:02, Sorin Srbu wrote:
> Hi all,
>
> We're getting to a point in our linux environment where it's starting to be
> cumbersome to keep shadow and passwd-files up-to-date for the users to login
> on each computer. Scripts can only get us so far. 8-/
>
> I've looked a bit into central login systems for linux, and NIS and LDAP seem
> to be prevalent. NIS being the simpler-to-setup solution for small to medium
> networks as I understand it, while LDAP is the more modern and scalable
> solution.
> See eg http://www.yolinux.com/TUTORIALS/NIS.html or
> http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.
>
> NIS-wise, what is a "small to medium network"?
> We have currently about 20-30'ish linux clients and servers, and the
> environment is not likely to increase much beyond this point.
> Is a 30ish-computer setup, a small network?
>
> The only thing I'm trying to accomplish is a system which will allow me to
> keep user accounts and passwords in one place, with one place only to
> administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!
>
>
>
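An added example (not anax's tool and not the PADL migration scripts) that turns passwd/shadow lines into LDIF using only the account, posixAccount and shadowAccount classes from the post above, i.e. the authentication-only subset with the mail classes left out; the sample lines, the base DN and the assumption that slapd accepts {crypt} hashes are all constructed for this example.

```python
"""Turn /etc/passwd + /etc/shadow entries into LDIF using the account,
posixAccount and shadowAccount classes (authentication only, no mail
classes). Added example; sample lines and base DN are constructed."""

# Constructed sample entries; the hashes are placeholders, not real.
PASSWD_LINES = [
    "alice:x:1001:1001:Alice Example:/home/alice:/bin/bash",
    "bob:x:1002:1002:Bob Example:/home/bob:/bin/bash",
    "nobody:x:99:99:Nobody:/:/sbin/nologin",
]
SHADOW_LINES = [
    "alice:$6$saltsalt$FAKEHASHFAKEHASH:16000:0:99999:7:::",
    "bob:!!:16000:0:99999:7:::",          # locked, no usable password
    "nobody:*:16000:0:99999:7:::",
]
BASE_DN = "ou=People,dc=example,dc=com"   # constructed base DN
MIN_UID = 1000                            # skip system accounts below this

PASSWD_FIELDS = ("name", "passwd", "uid", "gid", "gecos", "home", "shell")
SHADOW_FIELDS = ("name", "hash", "lastchg", "min", "max", "warn",
                 "inactive", "expire", "flag")
# shadow(5) field -> shadowAccount attribute
SHADOW_ATTRS = (("shadowLastChange", "lastchg"), ("shadowMin", "min"),
                ("shadowMax", "max"), ("shadowWarning", "warn"),
                ("shadowInactive", "inactive"), ("shadowExpire", "expire"))


def parse_colon_file(lines, field_names):
    """Return {name: {field: value}} for a passwd/shadow-style file."""
    result = {}
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        fields += [""] * (len(field_names) - len(fields))   # pad short lines
        entry = dict(zip(field_names, fields))
        result[entry["name"]] = entry
    return result


def ldap_password(hash_value):
    """userPassword value for a shadow hash, or None when login is disabled.
    The {crypt} scheme makes slapd verify with crypt(3), so the existing hash
    is reused as-is (assumes the server is built with crypt support)."""
    if hash_value in ("", "*", "x") or hash_value.startswith("!"):
        return None
    return "{crypt}" + hash_value


def to_ldif(pw, sh, base_dn=BASE_DN):
    """Build one LDIF entry from a passwd record and its shadow record."""
    cn = pw["gecos"].split(",")[0] or pw["name"]
    lines = [
        f"dn: uid={pw['name']},{base_dn}",
        "objectClass: top",
        "objectClass: account",
        "objectClass: posixAccount",
        "objectClass: shadowAccount",
        f"uid: {pw['name']}",
        f"cn: {cn}",
        f"uidNumber: {pw['uid']}",
        f"gidNumber: {pw['gid']}",
        f"homeDirectory: {pw['home']}",
        f"loginShell: {pw['shell']}",
    ]
    if pw["gecos"]:
        lines.append(f"gecos: {pw['gecos']}")
    userpw = ldap_password(sh["hash"])
    if userpw:                      # no userPassword at all for locked accounts
        lines.append(f"userPassword: {userpw}")
    # aging fields live in shadowAccount; plain NIS has no equivalent
    for attr, field in SHADOW_ATTRS:
        if sh.get(field):
            lines.append(f"{attr}: {sh[field]}")
    return "\n".join(lines) + "\n"


def migrate(passwd_lines, shadow_lines, min_uid=MIN_UID):
    """Return LDIF entries for every non-system user, in passwd order."""
    pw = parse_colon_file(passwd_lines, PASSWD_FIELDS)
    sh = parse_colon_file(shadow_lines, SHADOW_FIELDS)
    entries = []
    for name, p in pw.items():
        if int(p["uid"]) < min_uid:
            continue
        entries.append(to_ldif(p, sh.get(name, {"hash": "*"})))
    return entries


if __name__ == "__main__":
    print("\n".join(migrate(PASSWD_LINES, SHADOW_LINES)))
```

Adding mailRecipient (or the inetOrgPerson/qmailUser set) to the objectClass list later is possible without touching the entries generated here.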


[CentOS] NIS or not?

2014-01-28 Thread Sorin Srbu
Hi all,

We're getting to a point in our Linux environment where it's starting to be
cumbersome to keep shadow and passwd files up-to-date for the users to log in
on each computer. Scripts can only get us so far. 8-/

I've looked a bit into central login systems for Linux, and NIS and LDAP seem
to be prevalent. NIS being the simpler-to-set-up solution for small to medium
networks as I understand it, while LDAP is the more modern and scalable
solution.
See e.g. http://www.yolinux.com/TUTORIALS/NIS.html or
http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.

NIS-wise, what is a "small to medium network"?
We currently have about 20-30ish Linux clients and servers, and the
environment is not likely to increase much beyond this point.
Is a 30ish-computer setup a small network?

The only thing I'm trying to accomplish is a system which will allow me to
keep user accounts and passwords in one place, with one place only to
administrate. NIS seems to be able to do that.

Comments and insights are much appreciated!

-- 
BW,
Sorin
---
# Sorin Srbu, Sysadmin
# Uppsala University
# Dept of Medicinal Chemistry
# Div of Org Pharm Chem
# Box 574
# SE-75123 Uppsala
# Sweden#
# Phone: +46 (0)18-4714482
# Visit: BMC, Husargatan 3, D5:512b
# Web: http://www.orgfarm.uu.se
---
# ()  ASCII ribbon campaign - Against html E-mail
# /\
#
# This message was not sent from an iProduct!
#
# MotD follows:
# Artificial Intelligence: the art of making computers that behave like the 
ones in movies. -Bill Bulko



Re: [CentOS] NIS expiration of passwords

2012-07-06 Thread Ross Walker
On Jun 28, 2012, at 4:49 PM, Michael Coffman  
wrote:

>> I would believe this information is shared from the server to the
>> other computers but here users still can connect (via SSH). If I try
>> to get the information on the user connected I have:
>> # chage -l USER
>> user 'USER' does not exist in /etc/passwd
>> 
>> This looks normal as there is no user there but then I do not know how
>> to enable the expiration information through NIS. Does someone have an
>> idea?
>> 
>> 
> You can't.   NIS on linux does not support password aging.

If you're using NIS then I would use Kerberos for the users' passwords to maintain
security. If you're using Kerberos then I believe password aging is handled on
the Kerberos server.

-Ross



Re: [CentOS] NIS expiration of passwords

2012-06-28 Thread Michael Coffman
On Thu, Jun 28, 2012 at 7:23 AM, Fabien Archambault <
fabien.archamba...@univ-amu.fr> wrote:

> Dear all,
>
> I have a NIS server which shares a database of users between some
> computers (nodes exactly) and I would like that, on the first login,
> the user changes their password.
>
> So, on the NIS server I have run: chage -d 0 USER
> Then:
> # cd /var/yp
> # make
>
> On the NIS server I have:
> chage -l USER
> Last password change                                : password must be changed
> Password expires                                    : password must be changed
> Password inactive                                   : password must be changed
> Account expires                                     : never
> Minimum number of days between password change      : 0
> Maximum number of days between password change      : 9
> Number of days of warning before password expires   : 7
>
>
> I would believe this information is shared from the server to the
> other computers but here users still can connect (via SSH). If I try
> to get the information on the user connected I have:
> # chage -l USER
> user 'USER' does not exist in /etc/passwd
>
> This looks normal as there is no user there but then I do not know how
> to enable the expiration information through NIS. Does someone have an
> idea?
>
>
You can't.   NIS on linux does not support password aging.



> Thanks,
> Fabien



-- 
-MichaelC


[CentOS] NIS expiration of passwords

2012-06-28 Thread Fabien Archambault
Dear all,

I have a NIS server which shares a database of users between some
computers (nodes exactly) and I would like that, on the first login,
the user changes their password.

So, on the NIS server I have run: chage -d 0 USER
Then:
# cd /var/yp
# make

On the NIS server I have:
chage -l USER
Last password change                                : password must be changed
Password expires                                    : password must be changed
Password inactive                                   : password must be changed
Account expires                                     : never
Minimum number of days between password change      : 0
Maximum number of days between password change      : 9
Number of days of warning before password expires   : 7


I would believe this information is shared from the server to the
other computers but here users still can connect (via SSH). If I try
to get the information on the user connected I have:
# chage -l USER
user 'USER' does not exist in /etc/passwd

This looks normal as there is no user there but then I do not know how
to enable the expiration information through NIS. Does someone have an
idea?

Thanks,
Fabien


Re: [CentOS] NIS passwd and paswd.byname map encryption

2011-12-28 Thread James Pearson
Boris Epstein wrote:
> Hello listmates.
> 
> It appears that in order to authenticate a Mac OS X Lion client via NIS the
> passwords in passwd and passwd.byname maps need to be MD5 encrypted. How do
> I see what encryption has been used in my maps? How do I change it?

I think it is the case that Lion only supports DES password hashes in 
NIS passwd maps - see the thread at:



i.e. they only support the standard crypt() password hashes - which is a 
regression from previous versions of MacOS X - MacOS 10.6 supports MD5 
NIS password hashes ...

James Pearson


[CentOS] NIS passwd and paswd.byname map encryption

2011-12-28 Thread Boris Epstein
Hello listmates.

It appears that in order to authenticate a Mac OS X Lion client via NIS the
passwords in passwd and passwd.byname maps need to be MD5 encrypted. How do
I see what encryption has been used in my maps? How do I change it?

Thanks.

Boris.


Re: [CentOS] NIS question

2010-05-05 Thread Lars Hecking
ann kok writes:
> Hi
> 
> How can we use NIS to control a user in different servers?
> 
> eg: serverA /home/userA/javaapplication
> serverB /export/home/userA/javaapplication
> serverC /vol/home/javaapplication

If you use NIS auto.home for home directories in general, e.g. /home/user,
you can install a local auto.home map on each server so that /home/userA is
a different physical directory on each server. See 18.3.3.1 at
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config-autofs.html.






Re: [CentOS] NIS question

2010-05-04 Thread Ray Van Dolson
On Tue, May 04, 2010 at 05:05:40PM -0700, ann kok wrote:
> Hi
> 
> How can we use NIS to control a user in different servers?
> 
> eg: serverA /home/userA/javaapplication
> serverB /export/home/userA/javaapplication
> serverC /vol/home/javaapplication
> 
> Thank you

Automounter maps?  I guess they'd need a bit of intelligence

Ray


Re: [CentOS] NIS question

2010-05-04 Thread Larry Brower
ann kok wrote:
> Hi
> 
> How can we use NIS to control a user in different servers?
> 
> eg: serverA /home/userA/javaapplication
> serverB /export/home/userA/javaapplication
> serverC /vol/home/javaapplication
> 
> Thank you
> 

Could you be more specific on what you are trying to do ?



[CentOS] NIS question

2010-05-04 Thread ann kok
Hi

How can we use NIS to control a user in different servers?

eg: serverA /home/userA/javaapplication
serverB /export/home/userA/javaapplication
serverC /vol/home/javaapplication

Thank you




Re: [CentOS] NIS failover

2009-12-18 Thread Drew
> Hard to believe, but certain very well known organizations refuse to get off
> NIS for critical and secure systems.

{{citation needed}}

:-)


-- 
Drew

"Nothing in life is to be feared. It is only to be understood."
--Marie Curie


Re: [CentOS] NIS failover

2009-12-18 Thread Steve Thompson
On Fri, 18 Dec 2009, Peter Serwe wrote:

> After dealing with a couple of issues with OpenLDAP, I'd say it beats the
> piss out of NIS all day long.  NIS is ancient and decrepit.

Agreed.

> Hard to believe, but certain very well known organizations refuse to get off
> NIS for critical and secure systems.

Astonishing.

-s


Re: [CentOS] NIS failover

2009-12-18 Thread Peter Serwe
After dealing with a couple of issues with OpenLDAP, I'd say it beats the
piss out of NIS all day long.  NIS is ancient and decrepit.

Hard to believe, but certain very well known organizations refuse to get off
NIS for critical and secure systems.

Peter

On Thu, Dec 17, 2009 at 11:50 AM, John R. Dennison  wrote:

> On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
> >
> > Not one you want to hear: ditch NIS. It's known to have a *lot* of
> > security holes. At the very least, NIS+. Better would be either RH
>
> Out of curiosity, can you point me to writeups of known working
> exploits against current yp-family versions on CentOS?
>
> NIS+ is not, the last time I checked, available for Linux; if
> my understanding is in error I would very much welcome
> correction.
>
> John
>
> --
> We cannot do everything at once, but we can do something at once.
>
> -- Calvin Coolidge (1872-1933), 30th president of the United States
>


-- 
Peter Serwe
http://truthlightway.blogspot.com/


Re: [CentOS] NIS failover

2009-12-17 Thread Agile Aspect
On Thu, Dec 17, 2009 at 11:37 AM, Jason Pyeron  wrote:
> We just updated our configurations to have multiple NIS servers, when we
> initiated a test of client failover, we were disappointed.
>
> It seemed that the only way to get a failover was to /etc/init.d/ypbind
> restart.
>
> It behaves as indicated in
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
> ypbind-1.17.2-13 on Centos 4.5 / Linux  2.6.9-55.0.12.ELsmp #1 SMP
> Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
>
> Any advice?

Are you broadcasting for a NIS server?

Probably should post your /etc/yp.conf file.



-- 
  Enjoy global warming while it lasts.


Re: [CentOS] NIS failover

2009-12-17 Thread Stephen Harris
On Fri, Dec 18, 2009 at 09:51:24AM +1300, Clint Dilks wrote:
> How is your /etc/yp.conf defined?  NIS failover works flawlessly here if
> we have /etc/yp.conf like
> ypserver nis2
> ypserver nis

You also need to ensure you can resolve "nis" and "nis2" without using
NIS, so you may also need to put them into /etc/hosts and ensure the
nsswitch.conf hosts entry begins with "files".

-- 

rgds
Stephen


Re: [CentOS] NIS failover

2009-12-17 Thread James Pearson
Jason Pyeron wrote:
> We just updated our configurations to have multiple NIS servers, when we
> initiated a test of client failover, we were disappointed.
> 
> It seemed that the only way to get a failover was to /etc/init.d/ypbind 
> restart.

We've been using NIS like this for years - failover works just fine. In 
fact that is one of the things I like about NIS: failover is built in and 
works with virtually no extra setup ...

What do you have in your /etc/yp.conf ?

James Pearson


Re: [CentOS] NIS failover

2009-12-17 Thread Clint Dilks
Jason Pyeron wrote:
>> -Original Message-
>> From: centos-boun...@centos.org 
>> [mailto:centos-boun...@centos.org] On Behalf Of Jason Pyeron
>> Sent: Thursday, December 17, 2009 14:37
>> To: 'CentOS mailing list'
>> Subject: [CentOS] NIS failover
>>
>> We just updated our configurations to have multiple NIS 
>> servers, when we initiated a test of client failover, we were 
>> disappointed.
>>
>> It seemed that the only way to get a failover was to 
>> /etc/init.d/ypbind restart.
>>
>> It behaves as indicated in
>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
>> ypbind-1.17.2-13 on Centos 4.5 / Linux  
>> 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 
>> x86_64 x86_64 GNU/Linux
>>
>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>>
>>
>> Any advice?
>> 
>
> So, avoiding the security flamewars...
>
> It seems that it behaves slightly different than I indicated before.
>
> Snippet of the strace for # ypcat passwd
> ...
>
> Then when I ^C it and run again it has failed over, but otherwise it hangs 
> there
> for more than 300 seconds.
>
How is your /etc/yp.conf defined?  NIS failover works flawlessly here if 
we have /etc/yp.conf like
ypserver nis2
ypserver nis

But we have had problems if we use broadcast. :)



Re: [CentOS] NIS failover

2009-12-17 Thread Jason Pyeron
 

> -Original Message-
> From: centos-boun...@centos.org 
> [mailto:centos-boun...@centos.org] On Behalf Of Jason Pyeron
> Sent: Thursday, December 17, 2009 14:37
> To: 'CentOS mailing list'
> Subject: [CentOS] NIS failover
> 
> We just updated our configurations to have multiple NIS 
> servers, when we initiated a test of client failover, we were 
> disappointed.
> 
> It seemed that the only way to get a failover was to 
> /etc/init.d/ypbind restart.
> 
> It behaves as indicated in
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
> ypbind-1.17.2-13 on Centos 4.5 / Linux  
> 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 
> x86_64 x86_64 GNU/Linux
> 
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
> 
> 
> Any advice?

So, avoiding the security flamewars...

It seems that it behaves slightly different than I indicated before.

Snippet of the strace for # ypcat passwd
...
mprotect(0x2a9566a000, 4096, PROT_READ) = 0
arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0
munmap(0x2a9556c000, 33321) = 0
brk(0) = 0x503000
brk(0x524000) = 0x524000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0
mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000
close(3) = 0
uname({sys="Linux", node="xxx", ...}) = 0
open("/var/yp/nicknames", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98807000
read(3, "passwd\t\tpasswd.byname\ngroup\t\tgro"..., 4096) = 185
read(3, "", 4096) = 0
close(3) = 0
munmap(0x2a98807000, 4096) = 0
open("/var/yp/binding/XXX.2", O_RDONLY) = 3
pread(3, "\1\0\0\0\300\250\1\"\2\315\0\0", 12, 2) = 12
socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
getpid() = 13062
bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
ioctl(4, FIONBIO, [1]) = 0
setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0
fcntl(4, F_SETFD, FD_CLOEXEC) = 0
close(3) = 0
close(4) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out)
close(3) = 0
socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16

Then when I ^C it and run again it has failed over, but otherwise it hangs there
for more than 300 seconds.

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.



Re: [CentOS] NIS failover

2009-12-17 Thread Stephen Harris
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
>   Out of curiousity, can you point me to writeups of known working
>   exploits against current yp-family versions on CentOS?

The problem isn't an exploit of the specific tools; the whole mechanism
is insecure, unless you use secureRPC everywhere.

For example, there's no verification that the server you are bound to
is, indeed, a valid server for the network and not a rogue sending out
bad data.  (Opens you to many MITM attacks).

Exposure of passwords?  Well, the crypt string, anyway.  If you're not
using md5 password encryption everywhere then you've opened yourself to
simple brute-force attacks on your network.

No validation that client machines are authorized to see the data (I
plug a machine into your network and can grab all the data from NIS,
to hack against in my own time... and forget about the pseudo 'shadow'
map in that case!)

And so on.

-- 

rgds
Stephen
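For the question of how to see which hash format a NIS passwd map carries (the Mac OS X Lion thread above, where DES versus MD5 decides whether the client can authenticate at all) and for the exposure of crypt strings described in this post, here is an added audit script, not from any poster, that classifies every map entry by its crypt(3) format; it goes beyond DES and MD5 to the SHA-crypt, bcrypt and yescrypt prefixes, and the `ypcat passwd` output below is constructed with fake hashes.

```python
"""Classify the crypt(3) hash format of every entry in a NIS passwd map, as a
defender would before handing a map to a client that only takes DES, or to
find hashes that are cheap to brute-force once the map leaks. Added example;
the map below is constructed in `ypcat passwd` format with fake hashes."""

import re
from collections import Counter

# Constructed `ypcat passwd` output (fake hashes).
YPCAT_PASSWD = """\
alice:$6$abcdefgh$FAKESHA512HASHFAKESHA512HASH:1001:1001:Alice:/home/alice:/bin/bash
bob:$1$abcdefgh$FAKEMD5HASHFAKEMD5:1002:1002:Bob:/home/bob:/bin/bash
carol:AbCdEfGhIjKlM:1003:1003:Carol:/home/carol:/bin/bash
dave:x:1004:1004:Dave:/home/dave:/bin/bash
eve:*:1005:1005:Eve:/home/eve:/sbin/nologin
"""

# Modular-crypt prefixes -> scheme. Traditional DES crypt has no prefix and is
# exactly 13 characters from the 64-symbol crypt alphabet.
PREFIXES = (("$1$", "md5"), ("$2a$", "bcrypt"), ("$2b$", "bcrypt"),
            ("$2y$", "bcrypt"), ("$5$", "sha256"), ("$6$", "sha512"),
            ("$y$", "yescrypt"))
DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")


def hash_scheme(field):
    """Name the scheme of one passwd-map password field."""
    if field == "":
        return "empty"                 # passwordless: login without a password
    if field == "x":
        return "shadowed"              # hash is not in this map
    if field.startswith(("!", "*")):
        return "locked"
    for prefix, name in PREFIXES:
        if field.startswith(prefix):
            return name
    if DES_RE.match(field):
        return "des"
    return "unknown"


def audit_map(text):
    """Return ({user: scheme}, Counter of schemes) for ypcat-style output."""
    per_user = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        per_user[parts[0]] = hash_scheme(parts[1])
    return per_user, Counter(per_user.values())


def weak_entries(text):
    """Users whose hash is DES (8-char limit, fast to crack), passwordless,
    or in a format this script does not recognise."""
    per_user, _ = audit_map(text)
    return sorted(u for u, s in per_user.items()
                  if s in ("des", "empty", "unknown"))


if __name__ == "__main__":
    users, counts = audit_map(YPCAT_PASSWD)
    for user, scheme in users.items():
        print(f"{user:10} {scheme}")
    print("summary:", dict(counts))
    print("weak:", weak_entries(YPCAT_PASSWD))
```

On a real client, feed it the output of `ypcat passwd` (and `ypcat shadow.byname` where the shadow map is served) instead of the constructed string.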


Re: [CentOS] NIS failover

2009-12-17 Thread Stephen Harris
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

NIS+ is a dead product.  Even Sun gave up pushing it.  (Funny; in 1995 the
Solaris training courses barely mentioned NIS and had 2 or 3 chapters on
NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+
at all, and had 2 or 3 chapters on LDAP).  Don't migrate to NIS+.

> directory server (which I've never worked with), or openLDAP (which is,
> IMO, NOT ready for prime time, but is built for security).

The problem with LDAP is that it's a lot slower than NIS, and nscd
is essential in order to get even minimally adequate performance.
Unfortunately.  I say "unfortunately" because in many respects LDAP is
superior to NIS (especially with respect to security).  Just not needing
crypt strings is a big win.  I use it at work, but very carefully :-)

NIS is insecure, but it has a massive advantage of being fast and
(normally) "just works".  Evaluate the security in your environment and
determine if the risk is acceptable.

-- 

rgds
Stephen


Re: [CentOS] NIS failover

2009-12-17 Thread Ray Van Dolson
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
> On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
> > 
> > Not one you want to hear: ditch NIS. It's known to have a *lot* of
> > security holes. At the very least, NIS+. Better would be either RH
> 
>   Out of curiousity, can you point me to writeups of known working
>   exploits against current yp-family versions on CentOS?
> 
>   NIS+ is not, the last time I checked, available for Linux; if
>   my understanding is in error I would very much welcome
>   correction.

I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well.
The authors noted the irony in NIS outliving that which was meant to
replace it. :)

Main weakness of NIS is that it's pretty easy to just sniff out
potentially valuable information over the wire.  But if you're on a
secure / internal network and have legacy clients to support often
times the reality is you'll need to use NIS.

At work, we still rely on NIS, but hope to integrate with AD at some
point -- however, we'll undoubtedly need some sort of NIS shim that can
talk to the LDAP backend to provide functionality to older, legacy Unix
clients... 

Ray


Re: [CentOS] NIS failover

2009-12-17 Thread John R. Dennison
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
> 
> Not one you want to hear: ditch NIS. It's known to have a *lot* of
> security holes. At the very least, NIS+. Better would be either RH

Out of curiosity, can you point me to writeups of known working
exploits against current yp-family versions on CentOS?

NIS+ is not, the last time I checked, available for Linux; if
my understanding is in error I would very much welcome
correction.




John

-- 
We cannot do everything at once, but we can do something at once.

-- Calvin Coolidge (1872-1933), 30th president of the United States




Re: [CentOS] NIS failover

2009-12-17 Thread m . roth
> We just updated our configurations to have multiple NIS servers, when we
> initiated a test of client failover, we were disappointed.
>
> It seemed that the only way to get a failover was to /etc/init.d/ypbind
> restart.
>
> It behaves as indicated in
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
> ypbind-1.17.2-13 on Centos 4.5 / Linux  2.6.9-55.0.12.ELsmp #1
> SMP
> Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
> Any advice?

Not one you want to hear: ditch NIS. It's known to have a *lot* of
security holes. At the very least, NIS+. Better would be either RH
directory server (which I've never worked with), or openLDAP (which is,
IMO, NOT ready for prime time, but is built for security).

 mark



[CentOS] NIS failover

2009-12-17 Thread Jason Pyeron
We just updated our configurations to have multiple NIS servers, when we
initiated a test of client failover, we were disappointed.

It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.

It behaves as indicated in
http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using
ypbind-1.17.2-13 on Centos 4.5 / Linux  2.6.9-55.0.12.ELsmp #1 SMP
Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192


Any advice?

-Jason

--
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
-   -
- Jason Pyeron  PD Inc. http://www.pdinc.us -
- Principal Consultant  10 West 24th Street #100-
- +1 (443) 269-1555 x333Baltimore, Maryland 21218   -
-   -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is copyright PD Inc, subject to license 20080407P00.




Re: [CentOS] NIS

2009-07-22 Thread Per Qvindesland
Ok I am done getting it up and running.

Thanks a million for everybody's help

Regards
Per Qvindesland
E-mail: p...@norhex.com
http://www.linkedin.com/in/perqvindesland
--- Original message follows ---
SUBJECT: Re: [CentOS] NIS
FROM:  James Pearson
TO: "CentOS mailing list"
DATE: 22-07-2009 12:35

Per Qvindesland wrote:
> Hi list
> 
> Does anyone know about a good howto setup nis and to make ad see it
> and use the usernames?

I don't think you can get AD to 'use' NIS as a directory service, but AD
can be set up as a NIS server using IDMU (Identity Management for Unix)

James Pearson

Links:
--
[1] http://webmail.norhex.com/#
[2] http://www.linkedin.com/in/perqvindesland


Re: [CentOS] NIS

2009-07-22 Thread Toralf Lund
Per Qvindesland wrote:
> Hi list
>
> Does anyone know about a good howto setup nis and to make ad see it 
> and use the usernames?
I haven't actually set up NIS in the machine I'm using right now, but if 
I remember correctly, what you need to do to get a machine to use the 
usernames and passwords on an existing NIS server is:

   1. Insert a line like
  domain yourdomainname broadcast
  in the file /etc/yp.conf.
   2. Edit /etc/nsswitch.conf; change the line
  passwd: files
  to
  passwd: files nis
  or
  passwd: nis files
   3. /sbin/chkconfig ypbind start

If you are using DHCP and the DHCP server knows the NIS domain name, 
it's even simpler, as 1) should be done automatically (but it's always a 
good idea to check the file just in case.)

If you're talking about setting up a NIS server, I can't recall much 
about how it's done, I'm afraid...

- Toralf
> Regards
> Per Qvindesland
> E-mail: p...@norhex.com 
> http://www.linkedin.com/in/perqvindesland


This e-mail, any attachments and response string may contain proprietary 
information, which are confidential and may be legally privileged.  It is for 
the intended recipient only and if you are not the intended recipient or 
transmission error has misdirected this e-mail, please notify the author by 
return e-mail and delete this message and any attachment immediately.  If you 
are not the intended recipient you must not use, disclose, distribute, forward, 
copy, print or rely in this e-mail in any way except as permitted by the author.
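Toralf's three client-side steps, as an added example that is not part of the original post: a POSIX shell script that applies them to a tree rooted at a path argument (so it can be dry-run on a copy before touching /). The domain and server names are placeholders; it binds to a named server rather than "broadcast", and keeps "files" ahead of "nis" so local accounts stay authoritative.

```shell
#!/bin/sh
# Added example, not code from the thread: applies the three client-side
# steps to a tree rooted at $1 ("/" for a real host, a copy to dry-run).
# Domain and server names are placeholders supplied on the command line.

# Step 1: /etc/yp.conf. A named server is used instead of "broadcast":
# a broadcast bind trusts whichever ypserv answers first on the subnet,
# so naming the server is the safer default outside an isolated lab.
write_yp_conf() {
    root="$1"; domain="$2"; server="$3"
    printf 'domain %s server %s\n' "$domain" "$server" > "$root/etc/yp.conf"
}

# Step 2: append "nis" to the passwd, shadow and group lines of
# nsswitch.conf. "files" stays first so local accounts (root above all)
# remain authoritative even if the NIS server is wrong or hostile. The
# edit is idempotent: a line that already lists nis is left alone.
add_nis_to_nsswitch() {
    root="$1"; f="$root/etc/nsswitch.conf"
    awk '
        /^(passwd|shadow|group):/ && $0 !~ /[ \t]nis([ \t]|$)/ { $0 = $0 " nis" }
        { print }
    ' "$f" > "$f.tmp" && mv "$f.tmp" "$f"
}

# Step 3: enable ypbind at boot and start it now.
enable_ypbind() {
    /sbin/chkconfig ypbind on && /sbin/service ypbind start
}

# Report the effective lookup order for one database, e.g. "files nis".
nss_order() {
    root="$1"; db="$2"
    awk -v db="$db:" '$1 == db { $1 = ""; sub(/^ /, ""); print; exit }' \
        "$root/etc/nsswitch.conf"
}

# Usage: sh nis-client.sh /path/to/root yourdomainname nisserver
if [ "$#" -eq 3 ]; then
    write_yp_conf "$1" "$2" "$3"
    add_nis_to_nsswitch "$1"
    [ "$1" = "/" ] && enable_ypbind
fi
```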


Re: [CentOS] NIS

2009-07-22 Thread James Pearson
Per Qvindesland wrote:
> Hi list
> 
> Does anyone know about a good howto setup nis and to make ad see it
> and use the usernames?



I don't think you can get AD to 'use' NIS as a directory service, but AD 
can be set up as a NIS server using IDMU (Identity Management for Unix)

James Pearson


[CentOS] NIS

2009-07-22 Thread Per Qvindesland
Hi list

Does anyone know about a good howto setup nis and to make ad see it
and use the usernames?

Regards
Per Qvindesland
E-mail: p...@norhex.com [1]
http://www.linkedin.com/in/perqvindesland [2]

Links:
--
[1] http://webmail.norhex.com/#
[2] http://www.linkedin.com/in/perqvindesland


RE: [CentOS] nis and new users

2008-04-15 Thread Ross S. W. Walker
Jason Pyeron wrote:
> 
> Ross S. W. Walker wrote:
> > 
> > Well what you have will only cover console logins via the login
> > process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> > 
> > Try this:
> > 
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        optional      pam_group.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_krb5.so use_first_pass
> > auth        required      pam_deny.so
> > 
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_localuser.so
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > account     required      pam_permit.so
> > 
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password    sufficient    pam_krb5.so use_authtok
> > password    required      pam_deny.so
> > 
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> > session     required      pam_limits.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_krb5.so
> > 
> 
> Hmm, it worked for su -l but not ssh logins 
> 
> 
> Making progress.

Weird it works for ssh as well as kdm here:

[EMAIL PROTECTED] ~]$ ssh [EMAIL PROTECTED]
[EMAIL PROTECTED]'s password:
Last login: Fri Jan 25 13:17:20 2008 from mfg-nyc-pc3823b.nyc.mfg.prv
[EMAIL PROTECTED] ~]# cd /home
[EMAIL PROTECTED] home]# ls -l
total 4
drwx--  3   rwalker domain users 4096 Jan  3 12:52 rwalker
[EMAIL PROTECTED] home]# rm -rf rwalker
[EMAIL PROTECTED] home]# ls -l
total 0
[EMAIL PROTECTED] etc]# logout
[EMAIL PROTECTED] ~]$ ssh mfg-nyc-pc3823a
Last login: Thu Jan 24 14:31:50 2008 from mfg-nyc-pc3823b.nyc.mfg.prv
[EMAIL PROTECTED] ~]$ pwd
/home/rwalker
[EMAIL PROTECTED] ~]$ cd ..
[EMAIL PROTECTED] home]$ ls -l
total 4
drwx--  3 rwalker   domain users 4096 Apr 15 13:48 rwalker
[EMAIL PROTECTED] home]$

Typo somewhere maybe?

-Ross

__
This e-mail, and any attachments thereto, is intended only for use by
the addressee(s) named herein and may contain legally privileged
and/or confidential information. If you are not the intended recipient
of this e-mail, you are hereby notified that any dissemination,
distribution or copying of this e-mail, and any attachments thereto,
is strictly prohibited. If you have received this e-mail in error,
please immediately notify the sender and permanently delete the
original and any copy or printout thereof.



RE: [CentOS] nis and new users

2008-04-15 Thread Ross S. W. Walker
Jason Pyeron wrote:
> 
> Ross S. W. Walker wrote:
> > 
> > Jason Pyeron wrote:
> > >
> > > but still get:
> > >
> > > Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
> > > Could not chdir to home directory /home/USER: No such file or
> > > directory
> > > -bash-3.00$
> > >
> > > Any ideas?
> > 
> > Well what you have will only cover console logins via the login
> > process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> > 
> > Try this:
> > 
> > /etc/pam.d/system-auth
> > #%PAM-1.0
> > # This file is auto-generated.
> > # User changes will be destroyed the next time authconfig is run.
> > auth        required      pam_env.so
> > auth        optional      pam_group.so
> > auth        sufficient    pam_unix.so nullok try_first_pass
> > auth        requisite     pam_succeed_if.so uid >= 500 quiet
> > auth        sufficient    pam_krb5.so use_first_pass
> > auth        required      pam_deny.so
> > 
> > account     required      pam_unix.so broken_shadow
> > account     sufficient    pam_localuser.so
> > account     sufficient    pam_succeed_if.so uid < 500 quiet
> > account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> > account     required      pam_permit.so
> > 
> > password    requisite     pam_cracklib.so try_first_pass retry=3
> > password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> > password    sufficient    pam_krb5.so use_authtok
> > password    required      pam_deny.so
> > 
> > session     optional      pam_keyinit.so revoke
> > session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> > session     required      pam_limits.so
> > session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> > session     required      pam_unix.so
> > session     optional      pam_krb5.so
> > 
> > Of course tailor for your environment.
> > 
> 
> Defaults are fine for our use.
> 
> > I have tested this config to persist through different authconfig runs.
> > 
> 
> How? It gets blown away here.
> 

Disregard, I must have been thinking of something else, yes
authconfig blows these away.

It would be nice if authconfig stuck in includes to a separate
pam for local configuration to be preserved, or if they used
template files for creating the default configuration.

If they used templates the python scripts would probably be
a lot smaller and less complex and would allow administrators
to customize the templates for their environment.

Anyways I'm going to put mine in a system-auth-local file
and stick in includes and see if that works better in the
long run.

-Ross



RE: [CentOS] nis and new users

2008-04-15 Thread Jason Pyeron


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 12:16 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] nis and new users
> 
> Well what you have will only cover console logins via the login
> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> 
> Try this:
> 
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        optional      pam_group.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> 

Hmm, it worked for su -l but not ssh logins 


Making progress.

 
This message is for the designated recipient only and may contain
privileged, proprietary, or otherwise private information. If you
have received it in error, purge the message from your system and
notify the sender immediately.  Any other use of the email by you
is prohibited.




RE: [CentOS] nis and new users

2008-04-15 Thread Jason Pyeron


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 12:16 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] nis and new users
> 
> Jason Pyeron wrote:
> >
> > but still get:
> >
> > Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
> > Could not chdir to home directory /home/USER: No such file or
> > directory
> > -bash-3.00$
> >
> > Any ideas?
> 
> Well what you have will only cover console logins via the login
> process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.
> 
> Try this:
> 
> /etc/pam.d/system-auth
> #%PAM-1.0
> # This file is auto-generated.
> # User changes will be destroyed the next time authconfig is run.
> auth        required      pam_env.so
> auth        optional      pam_group.so
> auth        sufficient    pam_unix.so nullok try_first_pass
> auth        requisite     pam_succeed_if.so uid >= 500 quiet
> auth        sufficient    pam_krb5.so use_first_pass
> auth        required      pam_deny.so
> 
> account     required      pam_unix.so broken_shadow
> account     sufficient    pam_localuser.so
> account     sufficient    pam_succeed_if.so uid < 500 quiet
> account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
> account     required      pam_permit.so
> 
> password    requisite     pam_cracklib.so try_first_pass retry=3
> password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
> password    sufficient    pam_krb5.so use_authtok
> password    required      pam_deny.so
> 
> session     optional      pam_keyinit.so revoke
> session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
> session     required      pam_limits.so
> session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
> session     required      pam_unix.so
> session     optional      pam_krb5.so
> 
> Of course tailor for your environment.
> 

Defaults are fine for our use.

> I have tested this config to persist through different authconfig runs.
> 

How? It gets blown away here.

> -Ross
> 





RE: [CentOS] NIS libuser and auto-make of maps

2008-04-15 Thread Jason Pyeron
Sorry no I meant a 5 star cron job = * * * * *

 

> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 12:21 PM
> To: CentOS mailing list
> Subject: RE: [CentOS] NIS libuser and auto-make of maps
> 
> Jason Pyeron wrote:
> >
> > Ross S. W. Walker wrote:
> > >
> > > I have my NIS user/group files separate from the system user/group
> > > files using libuser to manage them and that works well, but I am
> > > trying to find a way to get libuser to invoke a 'make' of the NIS
> > > maps whenever it updates the master files. Is there a routine I
> > > can configure in libuser to do this, or am I stuck having to do
> > > it by cron?
> >
> > We use 5* cron too.
> >
> 
> So every 5 minutes, well I do it every 15 now, but it would
> be nice to have libuser kick off a 'make' 'push' every time
> the user/group database is modified. It would save a lot of
> pushing of maps unnecessarily.
> 
> -Ross
> 




RE: [CentOS] NIS libuser and auto-make of maps

2008-04-15 Thread Ross S. W. Walker
Jason Pyeron wrote:
> 
> Ross S. W. Walker wrote:
> >
> > I have my NIS user/group files separate from the system user/group
> > files using libuser to manage them and that works well, but I am
> > trying to find a way to get libuser to invoke a 'make' of the NIS
> > maps whenever it updates the master files. Is there a routine I
> > can configure in libuser to do this, or am I stuck having to do
> > it by cron?
>
> We use 5* cron too.
> 

So every 5 minutes, well I do it every 15 now, but it would
be nice to have libuser kick off a 'make' 'push' every time
the user/group database is modified. It would save a lot of
pushing of maps unnecessarily.

-Ross

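The "make only when the user/group database changed" behaviour Ross wants, as an added example that is not from the thread: a wrapper the every-minute cron job can call, which rebuilds the maps only when a checksum of the source files differs from the last build. The source-file paths and the stamp file are arguments (placeholders in the comment), and MAKE_CMD is an assumed override so the logic can be exercised without ypserv installed.

```shell
#!/bin/sh
# Added example, not code from the thread: rebuild the NIS maps from a
# "* * * * *" cron job only when a source file has actually changed. This
# gives most of what a libuser hook would, without pushing unchanged maps.
# Arguments: stamp file, then the source files libuser maintains.

# One digest over all sources together; the stamp holds the last built one.
sources_digest() {
    cat "$@" 2>/dev/null | cksum
}

# Rebuild (and push, which the stock /var/yp/Makefile does per map via
# yppush when NOPUSH=false) only if the digest differs from the stamp.
# Returns 0 when a build ran, 1 when nothing changed, 2 when make failed;
# on failure the stamp is left alone so the next run retries.
rebuild_if_changed() {
    stamp="$1"; shift
    cur=$(sources_digest "$@")
    prev=$(cat "$stamp" 2>/dev/null || true)
    [ "$cur" != "$prev" ] || return 1
    # MAKE_CMD is an assumed test hook; unset, the real make runs.
    ${MAKE_CMD:-make -C /var/yp} || return 2
    printf '%s\n' "$cur" > "$stamp"
    return 0
}

# Crontab line for the job (script name and source paths are placeholders):
# * * * * * root /usr/local/sbin/nis-make-if-changed /var/yp/.last-build \
#               /path/to/nis/passwd /path/to/nis/group /path/to/nis/shadow
if [ "$#" -ge 2 ]; then
    rebuild_if_changed "$@"
fi
```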


RE: [CentOS] nis and new users

2008-04-15 Thread Ross S. W. Walker
Jason Pyeron wrote:
> 
> Ross S. W. Walker wrote:
> > 
> > Jason Pyeron wrote:
> > >
> > > Every time a "new" user logs into a development box (which does not use nfs
> > > for the home dirs) they get "could not chdir" to their home dir. They call me
> > > with the error and I do a:
> > >
> > > cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
> > >
> > > and it is fixed.
> > >
> > > Is there an automated way?
> > 
> > Look at pam_mkhomedir and see if it fits your bill.
> > 
> 
> 
> Yes that is exactly what we need.
> 
> /etc/pam.d/login
> 
> #%PAM-1.0
> auth       required     pam_securetty.so
> auth       required     pam_stack.so service=system-auth
> auth       required     pam_nologin.so
> account    required     pam_stack.so service=system-auth
> password   required     pam_stack.so service=system-auth
> # pam_selinux.so close should be the first session rule
> session    required     pam_selinux.so close
> session    required     pam_mkhomedir.so
> session    required     pam_stack.so service=system-auth
> session    required     pam_loginuid.so
> session    optional     pam_console.so
> # pam_selinux.so open should be the last session rule
> session    required     pam_selinux.so open
> 
> 
> but still get:
> 
> Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
> Could not chdir to home directory /home/USER: No such file or 
> directory
> -bash-3.00$
> 
> Any ideas?

Well what you have will only cover console logins via the login
process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins.

Try this:

/etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        optional      pam_group.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 500 quiet
auth        sufficient    pam_krb5.so use_first_pass
auth        required      pam_deny.so

account     required      pam_unix.so broken_shadow
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 500 quiet
account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
account     required      pam_permit.so

password    requisite     pam_cracklib.so try_first_pass retry=3
password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
password    sufficient    pam_krb5.so use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
session     optional      pam_krb5.so

Of course tailor for your environment.

I have tested this config to persist through different authconfig runs.

-Ross

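Ross's point that a pam_mkhomedir line in /etc/pam.d/login covers only console logins, as an added check that is not from the thread: a POSIX shell audit that follows the CentOS 4 style "pam_stack.so service=" indirection shown above (and, assumed from later Linux-PAM, the "include"/"substack" controls) and lists every service whose session stack never reaches pam_mkhomedir.so. The pam.d directory is a parameter so it can be run against a copied tree.

```shell
#!/bin/sh
# Added example, not code from the thread: find PAM services that will not
# create home directories on login. Resolves "pam_stack.so service=X"
# (CentOS 4) and "include"/"substack" (later Linux-PAM) references.
# $1 is the pam.d directory, e.g. /etc/pam.d.

# Print the effective session lines of one service, following references.
session_stack() {
    dir="$1"; svc="$2"; depth="${3:-0}"
    [ -f "$dir/$svc" ] || return 0
    [ "$depth" -lt 8 ] || return 0          # stop include loops
    grep -E '^[[:space:]]*session[[:space:]]' "$dir/$svc" | sed 's/#.*//' |
    tr '\t' ' ' | while read -r line; do
        [ -n "$line" ] || continue
        ctrl=$(printf '%s\n' "$line" | awk '{ print $2 }')
        case "$line" in
            *pam_stack.so*service=*)
                # CentOS 4: session required pam_stack.so service=system-auth
                sub=${line##*service=}; sub=${sub%% *}
                session_stack "$dir" "$sub" $((depth + 1)) ;;
            *)
                case "$ctrl" in
                    include|substack)
                        # later Linux-PAM: session include system-auth
                        sub=$(printf '%s\n' "$line" | awk '{ print $3 }')
                        session_stack "$dir" "$sub" $((depth + 1)) ;;
                    *) printf '%s\n' "$line" ;;
                esac ;;
        esac
    done
}

# Exit 0 if the service ends up running pam_mkhomedir.so, 1 otherwise.
has_mkhomedir() {
    session_stack "$1" "$2" | grep -q 'pam_mkhomedir\.so'
}

# List every service file in the directory whose session stack lacks it.
report_missing() {
    dir="$1"
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        svc=${f##*/}
        has_mkhomedir "$dir" "$svc" || printf '%s\n' "$svc"
    done
}

# Usage: sh pam-mkhomedir-audit.sh /etc/pam.d
if [ "$#" -eq 1 ]; then
    report_missing "$1"
fi
```

Services listed by the audit are the ones where a first login will still fail with "Could not chdir to home directory"; putting the line in system-auth, as in Ross's file, clears all of them at once.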


RE: [CentOS] NIS libuser and auto-make of maps

2008-04-15 Thread Jason Pyeron
We use 5* cron too.

 


From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf
Of Ross S. W. Walker
Sent: Tuesday, April 15, 2008 10:43 AM
To: CentOS mailing list
Subject: [CentOS] NIS libuser and auto-make of maps

 

I have my NIS user/group files separate from the system user/group
files using libuser to manage them and that works well, but I am
trying to find a way to get libuser to invoke a 'make' of the NIS
maps whenever it updates the master files. Is there a routine I
can configure in libuser to do this, or am I stuck having to do
it by cron?

Ross S. W. Walker
Information Systems Manager
Medallion Financial, Corp.
437 Madison Avenue
38th Floor
New York, NY 10022
Tel: (212) 328-2165
Fax: (212) 328-2125
WWW: http://www.medallion.com

 



RE: [CentOS] nis and new users

2008-04-15 Thread Jason Pyeron


> -Original Message-
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On
> Behalf Of Ross S. W. Walker
> Sent: Tuesday, April 15, 2008 10:39 AM
> To: CentOS mailing list
> Subject: RE: [CentOS] nis and new users
> 
> Jason Pyeron wrote:
> >
> > Every time a "new" user logs into a development box (which does not use nfs
> > for the home dirs) they get "could not chdir" to their home dir. They call me
> > with the error and I do a:
> >
> > cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
> >
> > and it is fixed.
> >
> > Is there an automated way?
> 
> Look at pam_mkhomedir and see if it fits your bill.
> 


Yes that is exactly what we need.

/etc/pam.d/login

#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
auth       required     pam_nologin.so
account    required     pam_stack.so service=system-auth
password   required     pam_stack.so service=system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so
session    required     pam_stack.so service=system-auth
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should be the last session rule
session    required     pam_selinux.so open


but still get:

Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
Could not chdir to home directory /home/USER: No such file or directory
-bash-3.00$

Any ideas?

> -Ross
> 





[CentOS] NIS libuser and auto-make of maps

2008-04-15 Thread Ross S. W. Walker
I have my NIS user/group files separate from the system user/group
files using libuser to manage them and that works well, but I am
trying to find a way to get libuser to invoke a 'make' of the NIS
maps whenever it updates the master files. Is there a routine I
can configure in libuser to do this, or am I stuck having to do
it by cron?
 



Re: [CentOS] nis and new users

2008-04-15 Thread William L. Maltby
On Tue, 2008-04-15 at 10:27 -0400, Jason Pyeron wrote:
> Every time a "new" user logs into a development box (which does not use nfs
> for the home dirs) they get "could not chdir" to their home dir. They call me
> with the error and I do a:
> 
> cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
> 
> and it is fixed.
> 
> Is there an automated way?

From CLI, use useradd (man useradd) which has a parameter to
automatically set up user's home, including copying /etc/skel.

From an X gnome desktop session (System->Administration->Users and
Groups), I can't remember if it's automatic or if it has a checkbox for
that.

Either case should fix it.


HTH
-- 
Bill



RE: [CentOS] nis and new users

2008-04-15 Thread Ross S. W. Walker
Jason Pyeron wrote:
> 
> Every time a "new" user logs into a development box (which does not use nfs
> for the home dirs) they get "could not chdir" to their home dir. They call me
> with the error and I do a:
> 
> cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/
> 
> and it is fixed.
> 
> Is there an automated way?

Look at pam_mkhomedir and see if it fits your bill.

-Ross



[CentOS] nis and new users

2008-04-15 Thread Jason Pyeron
Every time a "new" user logs into a development box (which does not use nfs
for the home dirs) they get "could not chdir" to their home dir. They call me
with the error and I do a:

cp -a /etc/skel/ ~USER && chown USER.users -R ~USER/

and it is fixed.

Is there an automated way?



Re: [CentOS] NIS and NIS+

2008-01-22 Thread John R Pierce

Jason Pyeron wrote:
> So what is the proper way to ensure root and others password (hashes) are
> not sent over the lan?

kerberos




RE: [CentOS] NIS and NIS+

2008-01-22 Thread Jason Pyeron
So what is the proper way to ensure root and others password (hashes) are
not sent over the lan?


> -Original Message-
> From: [EMAIL PROTECTED] 
> [mailto:[EMAIL PROTECTED] On Behalf Of James Pearson
> Sent: Tuesday, January 22, 2008 6:49
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS and NIS+
> 
> Jason Pyeron wrote:
> > How can I tell if I am using NIS+?
> > 
> > I would like the data to be encrypted on the lan.
> 
> I don't think NIS+ is 'supported' on Linux - see:
> 
> <http://www.linux-nis.org/nisplus/>
> 
> James Pearson



Re: [CentOS] NIS and NIS+

2008-01-22 Thread James Pearson

Jason Pyeron wrote:

> How can I tell if I am using NIS+?
>
> I would like the data to be encrypted on the lan.

I don't think NIS+ is 'supported' on Linux - see:

<http://www.linux-nis.org/nisplus/>

James Pearson


[CentOS] NIS and NIS+

2008-01-20 Thread Jason Pyeron
How can I tell if I am using NIS+?

I would like the data to be encrypted on the lan.

-Jason 





Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread James Pearson

Scott Ehrlich wrote:

> On Wed, 24 Oct 2007, James Pearson wrote:
>
> > Scott Ehrlich wrote:
> >
> > > I did discover tcpdump produces an ICMP host unreachable
> > > error during ypbind, but does NOT do so when ypbind is not running.
> > >
> > > I also was reminded the firewall on the server is running, but I had
> > > these exact problems when the firewall was disabled.
> > >
> > > Trying to track down the problem via google, and am open to any
> > > responses people have here...
> >
> > What does your /etc/nsswitch.conf file contain?
>
> #/etc/nsswitch.conf
> passwd: files nis
> shadow: files nis
> group:  files nis

What's the entry for hosts?

> I also was reminded to perform ypinit -s server and was reminded again
> of the Can't enumerate maps error.  ypinit -m on the server has been
> performed numerous times, but still nothing...

'ypinit -s server' is only needed for slave servers.

James Pearson


Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread Scott Ehrlich

On Wed, 24 Oct 2007, James Pearson wrote:

> Scott Ehrlich wrote:
> > I did discover tcpdump produces an ICMP host unreachable error
> > during ypbind, but does NOT do so when ypbind is not running.
> >
> > I also was reminded the firewall on the server is running, but I had these
> > exact problems when the firewall was disabled.
> >
> > Trying to track down the problem via google, and am open to any responses
> > people have here...
>
> What does your /etc/nsswitch.conf file contain?

#/etc/nsswitch.conf
passwd: files nis
shadow: files nis
group:  files nis

I also was reminded to perform ypinit -s server and was reminded again of
the Can't enumerate maps error.  ypinit -m on the server has been
performed numerous times, but still nothing...

Scott

> James Pearson


Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread James Pearson

Scott Ehrlich wrote:
> I did discover tcpdump produces an ICMP host unreachable
> error during ypbind, but does NOT do so when ypbind is not running.
>
> I also was reminded the firewall on the server is running, but I had
> these exact problems when the firewall was disabled.
>
> Trying to track down the problem via google, and am open to any
> responses people have here...

What does your /etc/nsswitch.conf file contain?

James Pearson


Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread Scott Ehrlich
I did discover tcpdump produces an ICMP host  unreachable error 
during ypbind, but does NOT do so when ypbind is not running.


I also was reminded the firewall on the server is running, but I had these 
exact problems when the firewall was disabled.


Trying to track down the problem via google, and am open to any responses 
people have here...


Thanks.

Scott

On Wed, 24 Oct 2007, James Pearson wrote:

> Scott Ehrlich wrote:
> > On Wed, 24 Oct 2007, James Pearson wrote:
> > > Do you have any firewall setup on the server and/or clients?
> >
> > Disabled all around.
> >
> > > What does 'rpcinfo -p' give on the server and clients?
> >
> > Exactly what the referenced URL says should be running.
>
> It would still be handy to see what they are ...
>
> > Again, it works perfectly on a test setup.  I may start to use tcpdump for
> > more details.  /var/log/messages shows nothing.  I can ssh back and forth
> > fine between client and server, so Ethernet connectivity works fine.
>
> What happens when you type (on a client):
>
> ypwhich
>
> If that works:
>
> ypcat passwd (or another map)
>
> James Pearson



Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread James Pearson

Scott Ehrlich wrote:

> On Wed, 24 Oct 2007, James Pearson wrote:
> > Do you have any firewall setup on the server and/or clients?
>
> Disabled all around.
>
> > What does 'rpcinfo -p' give on the server and clients?
>
> Exactly what the referenced URL says should be running.

It would still be handy to see what they are ...

> Again, it works perfectly on a test setup.  I may start to use tcpdump
> for more details.  /var/log/messages shows nothing.  I can ssh back and
> forth fine between client and server, so Ethernet connectivity works fine.

What happens when you type (on a client):

ypwhich

If that works:

ypcat passwd (or another map)

James Pearson
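James asks twice for concrete evidence rather than "what the URL says should be running": the actual `rpcinfo -p` output from server and clients, and (in his later reply) the `hosts:` entry of nsswitch.conf. The two functions below are an added example, not James's or Scott's code and not from the thread: `rpc_check` reads `rpcinfo -p` output and reports whether the registrations a NIS server or client needs are present, and `nss_check` reads an nsswitch.conf and flags a `hosts:` line that consults NIS before `files`, a setting that makes ypbind's own lookup of a server given by name depend on the very binding it is trying to establish. The function names and the sample rpcinfo listings in the test are constructed; the program numbers (100000 portmapper, 100004 ypserv, 100007 ypbind) are the standard ONC RPC assignments found in /etc/rpc.

```shell
#!/bin/sh
# Added example (not from the thread): offline checks for the two things James
# asks Scott to report. Hypothetical function names; both read stdin so a
# pasted listing can be checked without access to the hosts themselves.

# rpc_check ROLE < rpcinfo-p-output
# ROLE "server" needs portmapper + ypserv; "client" needs portmapper + ypbind.
# Exit status is the number of required programs that are not registered.
rpc_check() {
    role="$1"
    awk -v role="$role" '
        # rpcinfo -p columns: program vers proto port [name]; header is skipped
        # automatically because "program" never compares equal to a number
        $1 == 100000 { have["portmapper"] = 1; port["portmapper"] = $4 }
        $1 == 100004 { have["ypserv"]     = 1; port["ypserv"]     = $4 }
        $1 == 100007 { have["ypbind"]     = 1; port["ypbind"]     = $4 }
        END {
            need = (role == "server") ? "portmapper ypserv" : "portmapper ypbind"
            n = split(need, want, " ")
            missing = 0
            for (i = 1; i <= n; i++) {
                if (want[i] in have)
                    printf "%-10s registered (port %s)\n", want[i], port[want[i]]
                else {
                    printf "%-10s MISSING\n", want[i]
                    missing++
                }
            }
            exit missing
        }'
}

# nss_check < nsswitch.conf
# Exit 1 when the hosts: line lists nis before files (or nis without files):
# with that order a yp.conf server given by name cannot be resolved until
# ypbind is bound, so ypbind waits on itself. A missing hosts: line is fine;
# the glibc default order does not use NIS.
nss_check() {
    awk '
        /^[ \t]*#/ { next }                 # comments
        $1 == "hosts:" && !seen {
            seen = 1
            for (i = 2; i <= NF; i++) {
                if ($i == "files" && !fpos) fpos = i
                if ($i == "nis"   && !npos) npos = i
            }
        }
        END {
            if (!seen) { print "hosts: not set, glibc default applies (no NIS)"; exit 0 }
            if (npos && (!fpos || npos < fpos)) {
                print "hosts: NIS is consulted before files; use files first (or an IP in yp.conf)"
                exit 1
            }
            print "hosts: ok"
            exit 0
        }'
}

# Usage on a client:  rpcinfo -p | rpc_check client; nss_check < /etc/nsswitch.conf
# Usage on the server: rpcinfo -p | rpc_check server
```

A client whose `rpc_check client` shows ypbind MISSING is the "ypbind just hangs" case from the 2007-10-18 thread; a server whose ypserv is registered but sits behind a firewall still passes this check, which is why James also asks for the tcpdump and firewall state.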



Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread Scott Ehrlich

On Wed, 24 Oct 2007, James Pearson wrote:

> Scott Ehrlich wrote:
> > I'm using
> > http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS
> > as a guide and the services all show appropriately on the production server
> > and client, and on a working test setup that is identical to production.
>
> Do you have any firewall setup on the server and/or clients?

Disabled all around.

> What does 'rpcinfo -p' give on the server and clients?

Exactly what the referenced URL says should be running.

Again, it works perfectly on a test setup.  I may start to use tcpdump for
more details.  /var/log/messages shows nothing.  I can ssh back and forth
fine between client and server, so Ethernet connectivity works fine.

Scott

> James Pearson


Re: [CentOS] NIS/YP revelation (I think)

2007-10-24 Thread James Pearson

Scott Ehrlich wrote:
> I'm using
> http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS
> as a guide and the services all show appropriately on the production
> server and client, and on a working test setup that is identical to
> production.

Do you have any firewall setup on the server and/or clients?

What does 'rpcinfo -p' give on the server and clients?

James Pearson


Re: [CentOS] NIS/YP revelation (I think)

2007-10-23 Thread Scott Ehrlich
I'm using 
http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS 
as a guide and the services all show appropriately on the production 
server and client, and on a working test setup that is identical to 
production.


The test setup works flawlessly.

Scott

On Tue, 23 Oct 2007, James Pearson wrote:

> On 23/10/2007, Scott Ehrlich <[EMAIL PROTECTED]> wrote:
> > So I configured my Enterprise 5 server to have NFS configured on specific
> > ports via the NFS Server menu option.
> >
> > Since having done that, I am unable to get my two CentOS 5 workstations to
> > bind via YP.  One worked just fine before the port reconfiguration, but
> > broke after.   The other never worked fine.
> >
> > NFS works fine on both, but NIS will no longer bind.
> >
> > What do I need to change on the client side to permit binding?  I presume
> > the port changes are the problem, and solution.
>
> What is the output of 'rpcinfo -p' on the NIS clients and server?
>
> James Pearson


Re: [CentOS] NIS/YP revelation (I think)

2007-10-23 Thread James Pearson
On 23/10/2007, Scott Ehrlich <[EMAIL PROTECTED]> wrote:
> So I configured my Enterprise 5 server to have NFS configured on specific
> ports via the NFS Server menu option.
>
> Since having done that, I am unable to get my two CentOS 5 workstations to
> bind via YP.  One worked just fine before the port reconfiguration, but
> broke after.   The other never worked fine.
>
> NFS works fine on both, but NIS will no longer bind.
>
> What do I need to change on the client side to permit binding?  I presume
> the port changes are the problem, and solution.

What is the output of 'rpcinfo -p' on the NIS clients and server?

James Pearson


[CentOS] NIS/YP revelation (I think)

2007-10-23 Thread Scott Ehrlich
So I configured my Enterprise 5 server to have NFS configured on specific 
ports via the NFS Server menu option.


Since having done that, I am unable to get my two CentOS 5 workstations to 
bind via YP.  One worked just fine before the port reconfiguration, but 
broke after.   The other never worked fine.


NFS works fine on both, but NIS will no longer bind.

What do I need to change on the client side to permit binding?  I presume 
the port changes are the problem, and solution.


Thanks.

Scott


Re: [CentOS] NIS problems

2007-10-18 Thread James Pearson
On 18/10/2007, Scott Ehrlich <[EMAIL PROTECTED]> wrote:
> On Thu, 18 Oct 2007, John Allen wrote:
>
> > When you do the ypinit -s, what name do you provide for the server?
> >
> > It must match the name the server expects, so if the server host name is 
> > nis,
> > then you
> > do
> >
> > ypinit -s nis.domainname
>
> I have successfully done ypinit -s ip_address or hostname on several
> 32-bit clients and they've all been successful.

Why are you running ypinit -s on clients?

You only need to do this if you want to set up slave servers.

NIS clients shouldn't need to do anything special on clients to bind
to a server, all that needs to be done is to set up /etc/yp.conf

James Pearson


Re: [CentOS] NIS problems

2007-10-18 Thread Scott Ehrlich
I'm at a complete loss as to what is going on.   I changed kernels and 
disabled the video driver, removed the firewire card.   NIS refuses to 
work on this workstation.


Unless this gets figured out, I'm going to simply have to create local 
user accounts, then let NFS take over.


It would be really nice to figure it out one of these days, as if I can 
learn the culprit, I'll be better educated the next time I face something 
like this.  I did try tcpdump, but no obvious things popped up.


Scott


Re: [CentOS] NIS problems

2007-10-18 Thread Scott Ehrlich

An interesting sidenote -

Things do work fine on another test setup consisting of C5 64-bit and an 
Intel NIC.   The problem C5 64-bit system has a Broadcom 57xx NIC.


I may opt to change NICs and see if that makes any difference...

Scott

On Thu, 18 Oct 2007, John Allen wrote:

> When you do the ypinit -s, what name do you provide for the server?
>
> It must match the name the server expects, so if the server host name is nis,
> then you do
>
> ypinit -s nis.domainname
>
> Scott Ehrlich wrote:
> > On Wed, 17 Oct 2007, sam wrote:
> > > so...
> > >
> > > if i'm understanding:
> > >
> > > -you have a 32bit NIS server that you've
> >
> > Correction here - server is 64-bit RHEL 5 Server.   All machines are full,
> > out-of-box, unpatched systems, with no Internet connection.
> >
> > Working clients are 32-bit.   Problem machine is 64-bit CentOS 5 client.
> >
> > >  configured for your network.
> > > -you are not running dns, but are instead using /etc/hosts,
> > >  and /etc/resolv.conf on your boxes
> > > -you have a couple of 32bit clients that can attach to the
> > >  NIS server, and that you can log against. you can run
> > >  'ypcat passwd' on these machines with no issues..
> > >
> > > -attaching a 64bit machine as a NIS Client which you've
> > >  configured as best you can, is giving you errors...
> > >
> > > I just had a conversation with a Sr. Redhat Tech support eng, where he was
> > > telling me that there might be an issue with my situation that might be
> > > related to the fact that the server is 64 bit, and the slave is 32bit...
> > >
> > > might not be related but hmm...
> > >
> > > can you post your ypserv.conf, as well as your yp.conf files
> >
> > I'll have to check on my ypserv.conf file - I don't recall having edited
> > that.
> >
> > yp.conf on the server is:
> > ypserver 127.0.0.1
> >
> > yp.conf on the client is:
> > domain my-nis-domain server ip-of-server
> >
> > Scott
> >
> > > -Original Message-
> > > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
> > > Behalf Of Scott Ehrlich
> > > Sent: Wednesday, October 17, 2007 3:58 PM
> > > To: CentOS mailing list
> > > Subject: Re: [CentOS] NIS problems
> > >
> > > On Thu, 18 Oct 2007, Clint Dilks wrote:
> > > > Scott Ehrlich wrote:
> > > > > I've got a RHEL5 server acting as a NIS/NFS server, and connected one C5
> > > > > machine just fine.
> > > > >
> > > > > I'm trying to connect another, and for the life of me, cannot figure out
> > > > > why NIS won't bind.  NFS works fine.  ypbind just hangs.  I disabled
> > > > > SELinux and the firewall.   I just cannot get it to bind.
> > > > >
> > > > > Ideas?
> > > >
> > > > Hi do you have the appropriate entry in /etc/hosts for ypserv on NIS
> > > > Server ?
> > >
> > > Yep.  This is on a small lan - /etc/hosts acts as local dns.
> > >
> > > The error is the one when ypinit -s server hasn't been run.   I've had two
> > > successful runs on 32-bit C5 adding said 32-bit hosts to the network, but
> > > this one 64-bit C5 system is giving me the NIS problems.  I can ssh, ping,
> > > and doing anything else I want.  Again, the 32-bit hosts work fine against
> > > the server.   This one 64-bit machine is simply giving me the NIS
> > > headaches.
> > >
> > > Thanks for any/all ideas.
> > >
> > > Scott
> > >
> > > > > Thanks.
> > > > >
> > > > > Scott





> --
> John Allen  mailto:[EMAIL PROTECTED]
> CodeMountainhttp://www.codemountain.net
>
> Ubuntu 7.04, kernel 2.6.20-16-generic
> up 6 days, 23:51, 16 users,  load average: 0.98, 0.88, 0.95


