Re: [CentOS] NIS or not?
-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jeffrey Hass
Sent: 29 January 2014 08:47
To: CentOS mailing list
Subject: Re: [CentOS] NIS or not?

> Hi friend - what is your end goal with this effort to obtain security with your nodes over the 'wire' - there are some other solutions -- Kerberos is now used heavily by Microsoft so that's enough to make me run for the hills... just saying.. I've set up other solutions to be sure -- even against the blasted (not a real LDAP) AD. Anyway.. just some thoughts... it's not trivial. Any of the solutions, btw. Not at all..
>
> j/h
> San Francisco/Holland/Saudi Arabia

Primarily to enable less administration in the long run with centralized logins, instead of keeping each single client updated with respect to shadow, passwd, bashrc, hosts and so on.

Some sort of encryption would probably be wise to use, as NIS uses clear text passwords. I don't trust our university network that much, even though the traffic should be pretty localized.

I'm aware that setting up Kerberos probably will be a big project; nevertheless, we must do something about the current mess. As I'm the single sysadmin at the department, my time is finite. Automation is good, but as I wrote before, regular bash scripting (however powerful) will only take you so far. 8-/

-- 
//Sorin
___
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
Re: [CentOS] NIS or not?
On 1/28/2014 4:45 AM, Sorin Srbu wrote:
>> Use IPA. It combines LDAP with Kerberos, a server-client environment is easily set up and the documentation (RHEL deployment) is very helpful.
>
> Thank you. I'll look it up. LDAP and Kerberos though. That does sound a lot like Microsoft Active Directory. 8-)

FreeIPA provides an open source Active Directory equivalent. It's pretty easy to set up a simple directory server, and it can expand to be an enterprise-wide directory. It allows both Linux and Windows computers to participate in the authentication domain. Yes, it's basically LDAP and Kerberos, with a management suite.

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
Re: [CentOS] NIS or not?
Hello Sorin,

Good call - not sure how far your coding goes and with what/how languages and scripts...

Make sure to have as much as possible on VMs related to your security 'servers' -- so that you also get a virtual built-in disaster recovery as well.

KERBEROS is a very secure, albeit cumbersome, component to implement (// network wide // think of...). Having said this, um, with the tools available with open source.. and I'm assuming you're such a shop due to running CentOS -- you can customize the ticket transport aspect after the encrypted authentication token is created and 'capture' that and with some slight tweaks create your own 'virtual federated' auth method by way of having total control of your requests, successes, failures and the like.

Note: I didn't catch it, are you using Microsoft's implementation of Kerberos?

There's a reason I ask, you said you need to do something, sounds like fairly quick, probably a good thing, if nothing else get centralization = control! - more so -- than before ~ and so it goes, you will have encapsulated tickets on steroids, to be sure.. but if you're the only person.. is your shop that big that SSL wouldn't do the trick? With some slight coding and enhancements // customization // - usually not supported by a 'given vendor' so beware there...

You will see performance over the other solutions in this space and some scalability - without knowing 'a lot' about your infrastructure -- and appliances therefore entered into the equation - it's hard to really say. But it sounds like you have a Unix/Linux backend and a lot of Windows stuff (we can't seem to ever get away from the highly faulty Windows suite) -- maybe when I retire, but anyway, and you're probably hitting a few AD servers -- and therefore there is the rub.

I have some implementations of several solutions if you're really serious about this, as I can strip out the confidential stuff (I do weird things for various 'friendly' governments, world-wide) and have seen a thing or two here... mostly what 'not to do..'

Watch out for the posers out there as they will fire off the first thing from their minds and usually because they do not know much and end up with a flame or such ~ rarely a thank you..

In any event, I offer this as is and hope you enjoy your career with security. It truly is the highest paying area of IT at this given time.. I don't care what anyone says. Think of the Target stores out there and such.. and you'll see SECURITY all over 2014 and more. We mostly don't get it.. They do a Visio chart and build a server and usually *uck it up worse than ever.

GOOD LUCK. CentOS - is awesome for this kind of thing as a back-end and front-end. ENCIRCLE your WINDOWS servers and crush them! heh. ~ good night.

Oh, summary:

KERBEROS - good for larger scale operations that need total control and performance for many up-calls and down-calls
NTLM - um, don't do it.
SSL - vxx - ~! you can do this -- with customization - the rub here is customization means little if any support, if you leave, the 'company' is toast, in many cases.. there are no 'upgrades' to security with an ENHANCEMENT or customization.. and so it goes, you own it, until you die or leave...

Some experience for you here. Lots of it. Tons of it. Okay.. I did my community service for the day.

Wizard of Hass!

On 1/29/2014 12:11 AM, Sorin Srbu wrote:
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jeffrey Hass
> Sent: 29 January 2014 08:47
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
>> Hi friend - what is your end goal with this effort to obtain security with your nodes over the 'wire' - there are some other solutions -- Kerberos is now used heavily by Microsoft so that's enough to make me run for the hills... just saying.. I've set up other solutions to be sure -- even against the blasted (not a real LDAP) AD. Anyway.. just some thoughts... it's not trivial. Any of the solutions, btw. Not at all..
>>
>> j/h
>> San Francisco/Holland/Saudi Arabia
>
> Primarily to enable less administration in the long run with centralized logins, instead of keeping each single client updated with respect to shadow, passwd, bashrc, hosts and so on.
>
> Some sort of encryption would probably be wise to use, as NIS uses clear text passwords. I don't trust our university network that much, even though the traffic should be pretty localized.
>
> I'm aware that setting up Kerberos probably will be a big project; nevertheless, we must do something about the current mess. As I'm the single sysadmin at the department, my time is finite. Automation is good, but as I wrote before, regular bash scripting (however powerful) will only take you so far. 8-/
>
> -- 
> //Sorin
Re: [CentOS] NIS or not?
On 01/29/2014 09:44 PM, John R Pierce wrote:
> On 1/28/2014 4:45 AM, Sorin Srbu wrote:
>>> Use IPA. It combines LDAP with Kerberos, a server-client environment is easily set up and the documentation (RHEL deployment) is very helpful.
>>
>> Thank you. I'll look it up. LDAP and Kerberos though. That does sound a lot like Microsoft Active Directory. 8-)
>
> FreeIPA provides an open source Active Directory equivalent. It's pretty easy to set up a simple directory server, and it can expand to be an enterprise-wide directory. It allows both Linux and Windows computers to participate in the authentication domain. Yes, it's basically LDAP and Kerberos, with a management suite.

I've been following this with interest; about once every 6 months this topic is raised. From my observation there now appear to be two possible solutions:

1. FreeIPA - gives genuine LDAP and Kerberos with some web front end management
2. Samba4 - gives a windoze-interoperable AD implementation, not sure how standards-based this is, it is engineered to follow micro$oft's implementation and work well for windoze clients.

Issues:
option 1 will work very well with Linux clients, considerable work to get all the required windoze functions working
option 2 - early days of implementation, CentOS does not yet support the complete package needed for full windoze integration.

Decent documentation in the form of a howto for server, Linux client, windoze (many versions), iOS and Android is not yet out there. As evidenced by the few that have been there, done that, they ALL say it takes A LOT of time and effort, and getting all the bits involved, just right, is difficult.

My appeal to those that have been there - how do we get all the tiny details that matter documented, so that the black art / trial and error (months of) can be eliminated? Living in the hope that this will one day be accessible to the rest of us that cannot afford the many months of trial and error and frustration.

BTW, I have tried openLDAP, 389 implementations, samba3 and a trial of samba4, all with limited success - there were always a few combinations that failed to work for me and I do not have the resources (mainly time/$$) to just keep trying.
Re: [CentOS] NIS or not?
-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jeffrey Hass
Sent: 29 January 2014 09:49
To: CentOS mailing list
Subject: Re: [CentOS] NIS or not?

> Good call - not sure how far your coding goes and with what/how languages and scripts...
>
> Make sure to have as much as possible on VMs related to your security 'servers' -- so that you also get a virtual built-in disaster recovery as well.

My Google Fu is usually okay. ;-)

We've started offing physical servers in favour of virtual ones. So far mostly Windows servers, but I've started testing e.g. Owncloud on a virtualized CentOS guest. More Linux machines are likely to be virtualized in due time. We (well, I actually...) decided on standardizing on Hyper-V as there was a really good P2V tool available for migrating Windows servers. We had lots of them...

> Note: I didn't catch it, are you using Microsoft's implementation of Kerberos?

We do have a Windows AD in place, it's the main IT here, but it's soon to be migrated to the central university IT dept. One less thing to worry about... *nix was originally only a group business at the dept., but over the years the Linux ratio has upped considerably, what with backup servers etc. running on Linux as well as us affording more machines for the original CADD group.

> There's a reason I ask, you said you need to do something, sounds like fairly quick, probably a good thing, if nothing else get centralization = control! - more so -- than before ~ and so it goes, you will have encapsulated tickets on steroids, to be sure.. but if you're the only person.. is your shop that big that SSL wouldn't do the trick?

SSL? How do you mean? Can you elaborate a bit?

-- 
//Sorin
Re: [CentOS] NIS or not?
Hey Sorin,

I'm getting ready to catch a plane to Dubai but wanted to answer you real quick and short:

SSL for smaller networks in terms of authentication is fine and secure - as long as your infrastructure is secure.

I'm glad to hear you're using VMs more and more. It gives you a lot more control to manipulate, change and recover from 'all kinds of errors' - tweaking .conf files, someone having 'root' or 'admin' on you as you have to trust someone/sometime... .. anyway, um, I'm hoping you consider the SSL implementation if you have to do something 'quick..' if not, Kerberos will certainly help you from getting 'fired ..' it won't be the reason you do anyway..

About the previous post about IPA - you're hitting LDAP anyway (that is AD) and probably a few more out there if you're somewhat of a 'shop' with stuff everywhere.. IPA was hacked by a user group (exploit) in Seattle - and you get what 'you don't pay for' sometimes.

Having said this, all these tools at the end of the day generally get the job done, the truth is 'what are you protecting..' and from 'what..' usually determines the component and/or tool you'd want to entertain. Once you have it in-house // and your name is on it.. // and it's in production, really HARD to back out, in some cases impossible..

Case in point: TARGET was hacked by a 17-year-old punk with no date on a Friday night... ... and, well, they went from an 'open source (which I FIRMLY believe in)' to a mixed-bag implementation to include Oracle and IBM SSO/IdM implementation .. They removed Kerberos out of the equation - mixed SSL with a non-REAL X.500 compliant LDAP, we can say it has the letters DA in it but you can 'reverse' that and come up with a name... and then, so it goes, BAM! someone's inside..

You see, the problem here is many will jump in and recommend a solution because 'they worked with it... and in most cases, IT IS all they know...' You drive this car, you love it more than all other cars but have yet to drive the other cars and see for yourself...

Point is, mileage may vary and WILL and I will say this in my last post here on this thread, I've been in court as a witness during DoD audits and it was always, 'we went with a solution' that was proven and tried.. and recommended... TRIED by who? Recommended by who?? Best practices?? Just a collective agreement by a bunch of dweebs that say, yeah, that sounds right.

Message is: For what you need Kerberos would work and should work. Enough documentation out there... and such to help you... Also, YouTube, believe it or not, has a lot of posts (many by myself but in my alter ego name, which are many) even this name is not real, but as I was saying - a ton of info. It's funny what qualifies as a guru as at one time there was no Google to get an answer and rattle off a 'solution'.

All my recommends is actual dogfood I have eaten and I don't want to see the same thing happen to others as this security business is getting out of hand with all 'these experts' that truly don't have the heart to do what you're doing and get it done right and to care enough to do that.

SSL is implemented on every web application server, product that is Internet based except UDP - good luck with that... but having said that, you can surely -- do this with SSL and/or Kerberos.. Anything else, you're going to pay for it.

Here's a snip and it comes down to your infrastructure, what you do for a business, who your audience is/what they do once they do have access.. who wants your information, risk assessment is big here... and then there you go. If you really wanted security.. you'd put another wrapper around this using an SSO tool, Access Manager -- and combine the Kerberos ticket into the packet once the SSL header is created with the credentials and CERT it down the wire. NO ONE IS GETTING IN, especially that 17-year-old with a runny nose that mom is paying for his college is trying to do... Crazy world... Too bad we can meet these guys in person.. It would be a whole different world.

Sorry so long.. I post a few times a year to help those that are really burning the oil at night. GOOD LUCK.

1. Kerberos SSL/TLS
2. LDAP has industrial strength protection built in if you hash the passwords/encrypt
3. Stay away from ANYTHING MICROSOFT security - Enter: Oxymoronic
4. An open source SSO tool built on JBoss or Tomcat

This is the real world right now.. And if anyone challenges, like the song says, it surely means they don't know: Carry on...

Wizard of Hass

-- 
Real men write their own device drivers ~ A. Tuckett

On 1/29/2014 1:49 AM, Sorin Srbu wrote:
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jeffrey Hass
> Sent: 29 January 2014 09:49
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
>> Good call - not sure how far your coding goes and with what/how languages and scripts... Make sure to have as much as possible
Re: [CentOS] NIS or not?
Almost forgot, //Sorin:

SSL uses public key cryptography:
1. You (or your browser) have a public/private keypair
2. The server has a public/private key as well
3. You generate a symmetric session key
4. You encrypt with the server's public key and send this encrypted session key to the server.
5. The server decrypts the encrypted session key with its private key.
6. You and the server begin communicating using the symmetric session key (basically because symmetric keys are faster).

Kerberos does not use public key cryptography. It uses a trusted 3rd party. Here's a sketch:
1. You both (server and client) prove your identity to a trusted 3rd party (via a /secret/).
2. When you want to use the server, you check and see that the server is trustworthy. Meanwhile, the server checks to see that you are trustworthy.

Now, mutually assured of each other's identity, you can communicate with the server.

I'm always nervous about 'trusted third parties..' Can you imagine.. That's what holds our credit cards and such, like, um, at Target.. the trusted 'third-party...' Damn, people really go for that??? See, it's a hard call, isn't it?? // weigh it all out... // and make sure you get buy-in and put the DISCLAIMERS in your documentation and on the Wikis because it will come back to you at some point . if it ever goes down...

BEWARE of anything related to security solutions on the Net -- because most don't have more than three or four years experience. Most.

~ later. j/h

On 1/29/2014 1:49 AM, Sorin Srbu wrote:
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jeffrey Hass
> Sent: 29 January 2014 09:49
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
>> Good call - not sure how far your coding goes and with what/how languages and scripts...
>>
>> Make sure to have as much as possible on VMs related to your security 'servers' -- so that you also get a virtual built-in disaster recovery as well.
>
> My Google Fu is usually okay. ;-)
>
> We've started offing physical servers in favour of virtual ones. So far mostly Windows servers, but I've started testing e.g. Owncloud on a virtualized CentOS guest. More Linux machines are likely to be virtualized in due time. We (well, I actually...) decided on standardizing on Hyper-V as there was a really good P2V tool available for migrating Windows servers. We had lots of them...
>
>> Note: I didn't catch it, are you using Microsoft's implementation of Kerberos?
>
> We do have a Windows AD in place, it's the main IT here, but it's soon to be migrated to the central university IT dept. One less thing to worry about... *nix was originally only a group business at the dept., but over the years the Linux ratio has upped considerably, what with backup servers etc. running on Linux as well as us affording more machines for the original CADD group.
>
>> There's a reason I ask, you said you need to do something, sounds like fairly quick, probably a good thing, if nothing else get centralization = control! - more so -- than before ~ and so it goes, you will have encapsulated tickets on steroids, to be sure.. but if you're the only person.. is your shop that big that SSL wouldn't do the trick?
>
> SSL? How do you mean? Can you elaborate a bit?
>
> -- 
> //Sorin
Re: [CentOS] NIS or not?
-----Original Message-----
From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Jeffrey Hass
Sent: 29 January 2014 11:11
To: CentOS mailing list
Subject: Re: [CentOS] NIS or not?

> Almost forgot, //Sorin:
>
> SSL uses public key cryptography:
> 1. You (or your browser) have a public/private keypair
> 2. The server has a public/private key as well
> 3. You generate a symmetric session key
> 4. You encrypt with the server's public key and send this encrypted session key to the server.
> 5. The server decrypts the encrypted session key with its private key.
> 6. You and the server begin communicating using the symmetric session key (basically because symmetric keys are faster).
>
> Kerberos does not use public key cryptography. It uses a trusted 3rd party. Here's a sketch:
> 1. You both (server and client) prove your identity to a trusted 3rd party (via a /secret/).
> 2. When you want to use the server, you check and see that the server is trustworthy. Meanwhile, the server checks to see that you are trustworthy.
>
> Now, mutually assured of each other's identity, you can communicate with the server.
>
> I'm always nervous about 'trusted third parties..' Can you imagine.. That's what holds our credit cards and such, like, um, at Target.. the trusted 'third-party...' Damn, people really go for that??? See, it's a hard call, isn't it?? // weigh it all out... // and make sure you get buy-in and put the DISCLAIMERS in your documentation and on the Wikis because it will come back to you at some point . if it ever goes down...
>
> BEWARE of anything related to security solutions on the Net -- because most don't have more than three or four years experience. Most.

Thanks for your insights. Appreciated. My boss just looks funny at me when I ask him about security and whether he has considered all those post-Snowden details. 8-)

I've begun dabbling a bit with SSL while I did the Owncloud testing and running.

-- 
//Sorin
Re: [CentOS] NIS or not?
--On Tuesday, January 28, 2014 12:45:09 PM + Sorin Srbu sorin.s...@orgfarm.uu.se wrote:

> LDAP and Kerberos though. That does sound a lot like Microsoft Active Directory. 8-)

No, the other way around. Microsoft Active Directory sounds a lot like LDAP and Kerberos. Credit where credit is due ... ;)

Devin
Re: [CentOS] NIS or not?
> No, the other way around. Microsoft Active Directory sounds a lot like LDAP and Kerberos. Credit where credit is due ...

No, the other way around. Microsoft Active Directory implements an LDAP-like directory-accessible interface for its own directory. Calling Active Directory LDAP is like calling vim `echo xx yy`. If you are unaware of all the moving parts under Active Directory, it might prove very informative to explore it.

Credit where credit is due ...

jlc
Re: [CentOS] NIS or not?
brilliant. exactly.

On 1/29/2014 2:24 PM, Joseph L. Casale wrote:
>> No, the other way around. Microsoft Active Directory sounds a lot like LDAP and Kerberos. Credit where credit is due ...
>
> No, the other way around. Microsoft Active Directory implements an LDAP-like directory-accessible interface for its own directory. Calling Active Directory LDAP is like calling vim `echo xx yy`. If you are unaware of all the moving parts under Active Directory, it might prove very informative to explore it.
>
> Credit where credit is due ...
>
> jlc
Re: [CentOS] NIS or not?
On 1/29/2014 2:24 PM, Joseph L. Casale wrote:
> No, the other way around. Microsoft Active Directory implements an LDAP-like directory-accessible interface for its own directory. Calling Active Directory LDAP is like calling vim `echo xx yy`. If you are unaware of all the moving parts under Active Directory, it might prove very informative to explore it.
>
> Credit where credit is due ...

AD *is* a modified/extended LDAP+Kerberos based system, it just adds a ton more proprietary stuff around it to manage Windows workstations, the whole Group Policy Object stuff etc etc. That's all implemented via LDAP extensions.

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
Re: [CentOS] NIS or not?
> AD *is* a modified/extended LDAP+Kerberos based system, it just adds a ton more proprietary stuff around it to manage Windows workstations, the whole Group Policy Object stuff etc etc. That's all implemented via LDAP extensions.

I'm sorry, with all due respect I disagree. There is an unfathomable quantity of functionality not accessible via LDAP. You can query some aspects made available through the LDAP interface, you cannot set nor modify plenty.
Re: [CentOS] NIS or not?
On 1/29/2014 3:17 PM, Joseph L. Casale wrote:
> I'm sorry, with all due respect I disagree. There is an unfathomable quantity of functionality not accessible via LDAP. You can query some aspects made available through the LDAP interface, you cannot set nor modify plenty.

Indeed, as I said, 'extended/modified'. The GPO stuff has actually nothing to do with the directory service per se, it's just dispatched via it, using Kerberos tickets for authentication. LDAP itself doesn't address replication either, and Microsoft made all that about as complicated as they could with their FSMOs and whatnot. It's really simple and easy until something goes south, then you discover there's layers and layers of kludge under the skin and it's amazing it works at all.

-- 
john r pierce                                      37N 122W
somewhere on the middle of the left coast
Re: [CentOS] NIS or not?
Pretty much right, and is not truly X.500 compliant... This AD. It makes me nervous when one refers to it as LDAP... heh. Do a low level trace when running: ldapsearch ..

Problem is AD has to be dealt with until Microsoft dies! Becomes Novell. And it will someday. Anyway, the LDAP with CentOS is robust enough when built up as Master Master // rep. rep.

Lots of things get missed. Paris in the the Spring. Did you catch that extra word there? Too much wrapper... Welcome to AD.

Wizard of Hass! Rarely wrong; usually right

On Jan 29, 2014 3:00 PM, John R Pierce pie...@hogranch.com wrote:
> On 1/29/2014 2:24 PM, Joseph L. Casale wrote:
>> No, the other way around. Microsoft Active Directory implements an LDAP-like directory-accessible interface for its own directory. Calling Active Directory LDAP is like calling vim `echo xx yy`. If you are unaware of all the moving parts under Active Directory, it might prove very informative to explore it.
>>
>> Credit where credit is due ...
>
> AD *is* a modified/extended LDAP+Kerberos based system, it just adds a ton more proprietary stuff around it to manage Windows workstations, the whole Group Policy Object stuff etc etc. That's all implemented via LDAP extensions.
>
> -- 
> john r pierce                                      37N 122W
> somewhere on the middle of the left coast
[CentOS] NIS or not?
Hi all,

We're getting to a point in our Linux environment where it's starting to be cumbersome to keep shadow and passwd files up-to-date for the users to log in on each computer. Scripts can only get us so far. 8-/

I've looked a bit into central login systems for Linux, and NIS and LDAP seem to be prevalent. NIS being the simpler-to-set-up solution for small to medium networks as I understand it, while LDAP is the more modern and scalable solution. See e.g. http://www.yolinux.com/TUTORIALS/NIS.html or http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.

NIS-wise, what is a small to medium network? We have currently about 20-30'ish Linux clients and servers, and the environment is not likely to increase much beyond this point. Is a 30ish-computer setup a small network?

The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.

Comments and insights are much appreciated!

-- 
BW, Sorin
---
# Sorin Srbu, Sysadmin
# Uppsala University
# Dept of Medicinal Chemistry
# Div of Org Pharm Chem
# Box 574
# SE-75123 Uppsala
# Sweden
#
# Phone: +46 (0)18-4714482
# Visit: BMC, Husargatan 3, D5:512b
# Web: http://www.orgfarm.uu.se
---
# ()  ASCII ribbon campaign - Against html E-mail
# /\
#
# This message was not sent from an iProduct!
#
# MotD follows:
# Artificial Intelligence: the art of making computers that behave like the ones in movies. -Bill Bulko
Re: [CentOS] NIS or not?
Hi Sorin

we use here LDAP authentication and mail control since more than 10 years. At that time, we did the conversion from passwd/shadow to LDAP using the tools on http://www.padl.com/download/ which are still available, probably in a newer version...

To represent a person or a service in LDAP we use the objectclasses:
objectClass: account
objectClass: posixAccount
objectClass: top
objectClass: shadowAccount
objectClass: mailRecipient

To represent a mail user for postfix we use the objectclasses:
objectClass: top
objectClass: person
objectClass: organizationalPerson
objectClass: inetOrgPerson
objectClass: qmailUser

To represent a domain which we serve mail-wise we use the objectclasses:
objectClass: qmailControl
objectClass: top

We also have developed an LDAP via Web interface, which we use exclusively for LDAP administration.

We have two LDAP servers, synchronized via syncrepl.

suomi

On 2014-01-28 10:02, Sorin Srbu wrote:
> Hi all,
>
> We're getting to a point in our Linux environment where it's starting to be cumbersome to keep shadow and passwd files up-to-date for the users to log in on each computer. Scripts can only get us so far. 8-/
>
> I've looked a bit into central login systems for Linux, and NIS and LDAP seem to be prevalent. NIS being the simpler-to-set-up solution for small to medium networks as I understand it, while LDAP is the more modern and scalable solution. See e.g. http://www.yolinux.com/TUTORIALS/NIS.html or http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.
>
> NIS-wise, what is a small to medium network? We have currently about 20-30'ish Linux clients and servers, and the environment is not likely to increase much beyond this point. Is a 30ish-computer setup a small network?
>
> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!
Re: [CentOS] NIS or not?
2014-01-28 Sorin Srbu sorin.s...@orgfarm.uu.se

> Hi all,
>
> We're getting to a point in our Linux environment where it's starting to be cumbersome to keep shadow and passwd files up-to-date for the users to log in on each computer. Scripts can only get us so far. 8-/
>
> I've looked a bit into central login systems for Linux, and NIS and LDAP seem to be prevalent. NIS being the simpler-to-set-up solution for small to medium networks as I understand it, while LDAP is the more modern and scalable solution. See e.g. http://www.yolinux.com/TUTORIALS/NIS.html or http://sysadmin-notepad.blogspot.se/2013/06/nis-server-setup-on-rhelcentos.html.
>
> NIS-wise, what is a small to medium network? We have currently about 20-30'ish Linux clients and servers, and the environment is not likely to increase much beyond this point. Is a 30ish-computer setup a small network?
>
> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!
>
> -- 
> BW, Sorin

Use IPA. It combines LDAP with Kerberos, a server-client environment is easily set up and the documentation (RHEL deployment) is very helpful.
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of anax
> Sent: den 28 januari 2014 12:24
> To: centos@centos.org
> Subject: Re: [CentOS] NIS or not?
>
> Hi Sorin
>
> We have been using LDAP authentication and mail-control here for more than 10 years. At that time, we did the conversion from passwd/shadow to LDAP using the tools on http://www.padl.com/download/ which are still available, probably in a newer version...
>
> To represent a person or a service in LDAP we use the objectclasses:
>   objectClass: account
>   objectClass: posixAccount
>   objectClass: top
>   objectClass: shadowAccount
>   objectClass: mailRecipient
>
> To represent a mail user for postfix we use the objectclasses:
>   objectClass: top
>   objectClass: person
>   objectClass: organizationalPerson
>   objectClass: inetOrgPerson
>   objectClass: qmailUser
>
> To represent a Domain which we serve mail-wise we use the objectclasses:
>   objectClass: qmailControl
>   objectClass: top
>
> We also have developed an LDAP via Web Interface, which we use exclusively for LDAP administration. We have two LDAP servers, synchronized via syncrepl.
>
> suomi
>
> On 2014-01-28 10:02, Sorin Srbu wrote:
>> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.

Thank you. Can I use just the user authentication (uid/pwd) part and skip the whole mail-cocacho, or do these two go hand in hand when using LDAP?

-- 
//Sorin
Re: [CentOS] NIS or not?
Hi Sorin

of course: you may omit the mail cocacho and realize only the authentication cocacho in LDAP. For us, however, it has proven to be most advantageous to have both on LDAP. You may also select to do first the authentication in LDAP and later on, if you are familiar with LDAP, realize the mail.

suomi

On 2014-01-28 13:32, Sorin Srbu wrote:
> [...]
> Thank you. Can I use just the user authentication (uid/pwd) part and skip the whole mail-cocacho, or do these two go hand in hand when using LDAP?
>
> -- 
> //Sorin
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Darod Zyree
> Sent: den 28 januari 2014 13:00
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> Use IPA. It combines LDAP with Kerberos, a server-client environment is easily set up and the documentation (RHEL deployment) is very helpful.

Thank you. I'll look it up.

LDAP and Kerberos though. That does sound a lot like Microsoft Active Directory. 8-)

-- 
//Sorin
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of anax
> Sent: den 28 januari 2014 13:45
> To: centos@centos.org
> Subject: Re: [CentOS] NIS or not?
>
> Hi Sorin
>
> of course: you may omit the mail cocacho and realize only the authentication cocacho in LDAP. For us, however, it has proven to be most advantageous to have both on LDAP. You may also select to do first the authentication in LDAP and later on, if you are familiar with LDAP, realize the mail.

Cool. Thanks!

-- 
//Sorin
Re: [CentOS] NIS or not?
On 01/28/2014 04:02 AM, Sorin Srbu wrote:
> [...]
> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!

I used NIS for many years while working on Sun Solaris and it worked extremely well, although when it breaks it can be a real challenge to figure out the problems. I don't know how well it's implemented in Linux, bound to be a bit different than Solaris. In either case if it's important be aware of the potential security issues related to NIS, mainly the clear text passing of the password which is what pretty much doomed it.

Depending on how antsy your users get I would recommend a slave server as well, you might also consider using autofs to mount the user's homes.

The biggest potential problem that you might run into when you first implement NIS is to take a look at the uid of all the users on each host, you will need to ensure that they are the same before you start NIS or else it will be a mess for the users because they won't own their own files.

With all of that said I do think though that LDAP would be a better solution although I've not used LDAP.

Good luck with it either way.
Pete

-- 
Unencumbered by the thought process.
-- Click and Clack the Tappet brothers
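Pete's point about checking every host's uids before centralizing accounts is the kind of audit worth scripting once; the following is an added illustration (not from anyone in the thread), with host names and passwd contents constructed as sample data:

```python
"""Pre-migration UID audit across several hosts' /etc/passwd files.

Before moving accounts into NIS, LDAP or IPA, every user should have the
same UID (and ideally GID) on every host. Otherwise the centralized account
will not own the files that the old local account created, which is the
"mess for the users" Pete describes.
"""
from collections import defaultdict

# Constructed sample passwd contents for three hosts (not real systems).
# bob has two different UIDs, and UID 1003 belongs to two different people.
SAMPLE_PASSWD = {
    "ws1": """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
""",
    "ws2": """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1005:1005:Bob:/home/bob:/bin/bash
dave:x:1003:1003:Dave:/home/dave:/bin/bash
""",
    "srv1": """root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice:/home/alice:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash
""",
}


def parse_passwd(text):
    """Return {username: (uid, gid)} for the 7-field passwd lines in text."""
    users = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed line: skip it rather than guess
        name, uid, gid = fields[0], fields[2], fields[3]
        users[name] = (int(uid), int(gid))
    return users


def find_uid_conflicts(passwd_by_host, min_uid=1000):
    """Return two conflict lists for regular (uid >= min_uid) accounts.

    name_conflicts: [(name, {host: uid})]  one name maps to more than one UID
    uid_conflicts:  [(uid, {host: name})]  one UID maps to more than one name
    System accounts below min_uid stay local and are not compared.
    """
    uids_by_name = defaultdict(dict)
    names_by_uid = defaultdict(dict)
    for host, text in passwd_by_host.items():
        for name, (uid, _gid) in parse_passwd(text).items():
            if uid < min_uid:
                continue
            uids_by_name[name][host] = uid
            names_by_uid[uid][host] = name
    name_conflicts = sorted(
        (name, hosts) for name, hosts in uids_by_name.items()
        if len(set(hosts.values())) > 1)
    uid_conflicts = sorted(
        (uid, hosts) for uid, hosts in names_by_uid.items()
        if len(set(hosts.values())) > 1)
    return name_conflicts, uid_conflicts


def main():
    name_conflicts, uid_conflicts = find_uid_conflicts(SAMPLE_PASSWD)
    for name, hosts in name_conflicts:
        print(f"user {name!r} has different UIDs across hosts: {hosts}")
    for uid, hosts in uid_conflicts:
        print(f"UID {uid} names different users across hosts: {hosts}")
    if not (name_conflicts or uid_conflicts):
        print("no UID conflicts found; safe to centralize")


if __name__ == "__main__":
    main()
```

On real hosts, feed it the contents of each machine's /etc/passwd (collected with whatever copy mechanism you already trust) in place of the sample dictionary.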
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Pete Geenhuizen
> Sent: den 28 januari 2014 14:12
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> I used NIS for many years while working on Sun Solaris and it worked extremely well, although when it breaks it can be a real challenge to figure out the problems. I don't know how well it's implemented in Linux, bound to be a bit different than Solaris. In either case if it's important be aware of the potential security issues related to NIS, mainly the clear text passing of the password which is what pretty much doomed it.

Yeah, that last bit made me squirm over here. I don't feel good about that, even though the linux machines are all pretty much localized to one spot, so that hardly any traffic goes out of the department.

> With all of that said I do think though that LDAP would be a better solution although I've not used LDAP.
>
> Good luck with it either way.

Thanks. I'll look into LDAP some more.

//Sorin
Re: [CentOS] NIS or not?
We have been using NIS for over a decade on our network, and it has been an effective solution. The network spans several subnets, and we have been able to deploy slave NIS servers on the various subnets. The reason for this is several fold:

- Quicker response for login and other domain requests
- Network policy requires slave servers to be on subnets to reduce network traffic.

While the security is not as strong as it is for the LDAP solution, as long as you are employing NIS on an internal network, you should be all set.

> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Sorin Srbu
> Sent: Tuesday, January 28, 2014 4:03 AM
> To: CentOS mailing list
> Subject: [CentOS] NIS or not?
>
> [...]
> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!
>
> -- 
> BW, Sorin
Re: [CentOS] NIS or not?
Where I work we use NIS + Kerberos (Active Directory). We have about 150 machines at our site. It works quite well, as someone said, the big drawback to NIS is that it sends passwords insecurely, but if you use Kerberos for authentication it's really quite easy to manage.

On Jan 28, 2014 6:23 AM, Sorin Srbu <sorin.s...@orgfarm.uu.se> wrote:
> [...]
> Yeah, that last bit made me squirm over here. I don't feel good about that, even though the linux machines are all pretty much localized to one spot, so that hardly any traffic goes out of the department.
> [...]
> Thanks. I'll look into LDAP some more.
>
> //Sorin
Re: [CentOS] NIS or not?
Security is a major consideration, and even though as you say most of the traffic is local, most problems are internal as opposed to external.
Pete

On 01/28/2014 08:22 AM, Sorin Srbu wrote:
> Yeah, that last bit made me squirm over here. I don't feel good about that, even though the linux machines are all pretty much localized to one spot, so that hardly any traffic goes out of the department.
>
> Thanks. I'll look into LDAP some more.
>
> //Sorin

-- 
Unencumbered by the thought process.
-- Click and Clack the Tappet brothers
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Kaplan, Andrew H.
> Sent: den 28 januari 2014 14:31
> To: 'CentOS mailing list'
> Subject: Re: [CentOS] NIS or not?
>
> We have been using NIS for over a decade on our network, and it has been an effective solution. The network spans several subnets, and we have been able to deploy slave NIS servers on the various subnets. The reason for this is several fold:
>
> - Quicker response for login and other domain requests
> - Network policy requires slave servers to be on subnets to reduce network traffic.
>
> While the security is not as strong as it is for the LDAP solution, as long as you are employing NIS on an internal network, you should be all set.

So you don't have any problem running clear-text passwords as mentioned in a previous post?

-- 
//Sorin
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Logan McNaughton
> Sent: den 28 januari 2014 14:33
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
> Where I work we use NIS + Kerberos (Active Directory). We have about 150 machines at our site. It works quite well, as someone said, the big drawback to NIS is that it sends passwords insecurely, but if you use Kerberos for authentication it's really quite easy to manage.

We do have Active Directory as well, but only for the Windows clients. But I'd rather keep them separated.

Kerberos on linux. Is that a pain or a bigger pain? Whenever I've worked with Kerberos on Windows I've come out all sweaty afterwards... 8-S

-- 
//Sorin
Re: [CentOS] NIS or not?
On Tue, Jan 28, 2014 at 8:56 AM, Sorin Srbu <sorin.s...@orgfarm.uu.se> wrote:
> [...]
> We do have Active Directory as well, but only for the Windows clients. But I'd rather keep them separated.
>
> Kerberos on linux. Is that a pain or a bigger pain? Whenever I've worked with Kerberos on Windows I've come out all sweaty afterwards... 8-S

Then stop playing with yourself already! ;)

Kerberos on linux works quite well; keep everyone's clock within 5min of the auth server and you will be ok. I have not done sssd yet though. I did have timeout with nfs automount issues due to expired tickets, but that setup is old.

> -- 
> //Sorin
Re: [CentOS] NIS or not?
On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu <sorin.s...@orgfarm.uu.se> wrote:
> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
>
> Comments and insights are much appreciated!

A related question: is NIS or LDAP (or something else entirely) better if the machines are not uniform in their login configuration? That is, we have an ever-growing list of special cases. UserA can log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can log in to server 6. UserD can log in to machines 2--6. And so on and so forth.

I currently have a custom script with a substantial configuration file for checking that the actual machines are configured as per our intent. It would be nice if there was a single tool where the configuration and management/auditing could be rolled into one.

Thanks!
Matt
Re: [CentOS] NIS or not?
Matt Garman <matthew.gar...@gmail.com> wrote:
> [...]
> A related question: is NIS or LDAP (or something else entirely) better if the machines are not uniform in their login configuration? That is, we have an ever-growing list of special cases. UserA can log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can log in to server 6. UserD can log in to machines 2--6. And so on and so forth.
>
> I currently have a custom script with a substantial configuration file for checking that the actual machines are configured as per our intent. It would be nice if there was a single tool where the configuration and management/auditing could be rolled into one.

You'd be fine with IPA which allows you to create such rules.

HTH,
Laurent.
Re: [CentOS] NIS or not?
2014-01-28 Laurent Wandrebeck <l.wandreb...@quelquesmots.fr>:
> [...]
> You'd be fine with IPA which allows you to create such rules.

Indeed, and IPA does this quite well. We use IPA on all servers and workstations.

- Sudo information comes from IPA
- Autofs information comes from IPA
- Host based access control comes from IPA
- Central user management/identity

It all works really well.
Re: [CentOS] NIS or not?
On Tue, Jan 28, 2014 at 9:47 AM, Darod Zyree <darodzy...@gmail.com> wrote:
> [...]
> Indeed, and IPA does this quite well. We use IPA on all servers and workstations.
>
> - Sudo information comes from IPA
> - Autofs information comes from IPA
> - Host based access control comes from IPA
> - Central user management/identity

I read that IPA can do multimaster. How well does it do it compared to openldap?

> It all works really well.
Re: [CentOS] NIS or not?
2014-01-28 Mauricio Tavares <raubvo...@gmail.com>:
> [...]
> I read that IPA can do multimaster. How well does it do it compared to openldap?

I can't say how well it does compared to openldap but the replication is quick and reliable. For example, we test IPA masters by (re)applying settings in user accounts etc. while crashing them at random (removing power; they were virtual machines).
Re: [CentOS] NIS or not?
Laurent Wandrebeck wrote:
> Matt Garman <matthew.gar...@gmail.com> wrote:
>> On Tue, Jan 28, 2014 at 3:02 AM, Sorin Srbu <sorin.s...@orgfarm.uu.se> wrote:
>>> The only thing I'm trying to accomplish is a system which will allow me to keep user accounts and passwords in one place, with one place only to administrate. NIS seems to be able to do that.
>>>
>>> Comments and insights are much appreciated!
>>
>> A related question: is NIS or LDAP (or something else entirely) better if the machines are not uniform in their login configuration?

At this late date, I'd be really, *REALLY* leery of using NIS. You say that *most* of your traffic is local, suggesting that some of it is *not*. And, for that matter, how good are the firewalls keeping other traffic out? I'd say no to NIS. Yes, other answers may be more difficult to set up, but consider the alternatives.

>> That is, we have an ever-growing list of special cases. UserA can log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can log in to server 6. UserD can log in to machines 2--6. And so on and so forth.

Here you may not realize you're distinguishing between authentication and authorization.

>> I currently have a custom script with a substantial configuration file for checking that the actual machines are configured as per our intent. It would be nice if there was a single tool where the configuration and management/auditing could be rolled into one.

We have an in-house written set of scripts that administer relevant configuration files, including /etc/passwd. It copies the correct version of that file (among many others) to each host, and a shell of /bin/noLogin works just fine.

> You'd be fine with IPA which allows you to create such rules.

I'd vaguely heard of IPA, so I just looked it up. *chuckle* You do notice that it has its own implementation of LDAP and uses kerberos, right? So it seems like several folks are recommending LDAP and kerberos.

I sincerely hope it's easier to set up and administer and upgrade than native LDAP. In '06, after a discussion with the other admin and manager I was working with at that job, I volunteered to set up openLDAP. Let's just say that the tools were NOT vaguely ready for prime time, though I did find that running webmin helped a *lot* to get it working. But that was nearly 8 years ago...

mark
Re: [CentOS] NIS or not?
> -----Original Message-----
> From: centos-boun...@centos.org [mailto:centos-boun...@centos.org] On Behalf Of Mauricio Tavares
> Sent: den 28 januari 2014 15:20
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
>> We do have Active Directory as well, but only for the Windows clients. But I'd rather keep them separated.
>>
>> Kerberos on linux. Is that a pain or a bigger pain? Whenever I've worked with Kerberos on Windows I've come out all sweaty afterwards... 8-S
>
> Then stop playing with yourself already! ;)
>
> Kerberos on linux works quite well; keep everyone's clock within 5min of the auth server and you will be ok. I have not done sssd yet though. I did have timeout with nfs automount issues due to expired tickets, but that setup is old.

LOL!

Hmm, yes. It would seem most everybody recommends Kerberos. Will have to look into it then.

-- 
//Sorin (has self-consciously stopped playing with himself now... ;-))
Re: [CentOS] NIS or not?
Sorin Srbu wrote:
>> Behalf Of Mauricio Tavares
>>> We do have Active Directory as well, but only for the Windows clients. But I'd rather keep them separated.
>>>
>>> Kerberos on linux. Is that a pain or a bigger pain? Whenever I've worked with Kerberos on Windows I've come out all sweaty afterwards... 8-S
>>
>> Then stop playing with yourself already! ;)
>>
>> Kerberos on linux works quite well; keep everyone's clock within 5min of the auth server and you will be ok. I have not done sssd yet though. I did have timeout with nfs automount issues due to expired tickets, but that setup is old.
>
> LOL!
>
> Hmm, yes. It would seem most everybody recommends Kerberos. Will have to look into it then.

Remember, kerberos came from the Unix world, so you'd expect it to work well in Linux. M$ added it in much later...

mark
Re: [CentOS] NIS or not?
On Tue, Jan 28, 2014 at 9:18 AM, <m.r...@5-cent.us> wrote:
> At this late date, I'd be really, *REALLY* leery of using NIS. You say that *most* of your traffic is local, suggesting that some of it is *not*. And, for that matter, how good are the firewalls keeping other traffic out? I'd say no to NIS. Yes, other answers may be more difficult to set up, but consider the alternatives.
>
>> That is, we have an ever-growing list of special cases. UserA can log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can log in to server 6. UserD can log in to machines 2--6. And so on and so forth.
>
> Here you may not realize you're distinguishing between authentication and authorization.

Yeah, I forgot to mention that we already have Kerberos in place for authentication. It's authorization that is currently done by hand and checked with a manual script. (I needed that for the secure mount options NFSv4 provides.)

> I sincerely hope it's easier to set up and administer and upgrade than native LDAP. In '06, after a discussion with the other admin and manager I was working with at that job, I volunteered to set up openLDAP. Let's just say that the tools were NOT vaguely ready for prime time, though I did find that running webmin helped a *lot* to get it working.

I know you can find a horror story for any piece of software on the Internet, but my impression is that LDAP has an unusually high number of scary-sounding anecdotes. I know random Internet blogs and forum posts aren't really authoritative, but they do give me a little trepidation regarding LDAP.

> We have an in-house written set of scripts that administer relevant configuration files, including /etc/passwd. It copies the correct version of that file (among many others) to each host, and a shell of /bin/noLogin works just fine.

Why set the shell to /bin/noLogin, rather than simply not create that user's /etc/passwd entry?

I don't have /bin/noLogin on any of my systems - I assume you deliberately specified a non-existent program for the shell? What's the difference between setting the user's shell to a bogus program versus something like /bin/false?
Re: [CentOS] NIS or not?
Matt Garman wrote:
> On Tue, Jan 28, 2014 at 9:18 AM, <m.r...@5-cent.us> wrote:
<snip>
>> We have an in-house written set of scripts that administer relevant configuration files, including /etc/passwd. It copies the correct version of that file (among many others) to each host, and a shell of /bin/noLogin works just fine.
>
> Why set the shell to /bin/noLogin, rather than simply not create that user's /etc/passwd entry?
>
> I don't have /bin/noLogin on any of my systems - I assume you deliberately specified a non-existent program for the shell? What's the difference between setting the user's shell to a bogus program versus something like /bin/false?

There's one master passwd file, and the scripts that centrally manage it set the shell, one way or another, depending on a different configuration file. Why noLogin? I know I've seen it elsewhere; I think I've also seen it as /bin/false. That's a call above my pay grade <g>

mark
Re: [CentOS] NIS or not?
On Tue, Jan 28, 2014 at 11:38 AM, Matt Garman <matthew.gar...@gmail.com> wrote:
>> Here you may not realize you're distinguishing between authentication and authorization.
>
> Yeah, I forgot to mention that we already have Kerberos in place for authentication. It's authorization that is currently done by hand and checked with a manual script. (I needed that for the secure mount options NFSv4 provides.)

What is it that your scripts tweak? I have a small setup using kerberos against an AD for authentication, but the linux servers have their own passwd files for the small subset of users there. /home is shared from one server to all of the others in the set. This worked when initially set up with matching users (w/matching uids) but when I added new ones, nfsv4 mapped them to 'nobody' until I rebooted the clients. Restarting nfs and/or idmapd didn't help. Is there some way to make added users work?

-- 
Les Mikesell
lesmikes...@gmail.com
Re: [CentOS] NIS or not?
-----Original Message-----
From: centos-boun...@centos.org On Behalf Of m.r...@5-cent.us
Sent: 28 January 2014 17:09
To: CentOS mailing list
Subject: Re: [CentOS] NIS or not?

>> Hmm, yes. It would seem most everybody recommends Kerberos. Will have to look into it then.
>
> Remember, Kerberos came from the Unix world, so you'd expect it to work well in Linux. M$ added it in much later.

I would like to thank you all for your hints, advice and suggestions. I now have quite a few leads to follow up on. Will probably be back later on with more questions if Google can't help me. Thanks again.

--
//Sorin
Re: [CentOS] NIS or not?
Hi friend - what is your end goal with this effort to obtain security with your nodes over the 'wire' - there are some other solutions -- kerberos is now used heavily by microsoft so that's enough to make me run for the hills... just saying.. i've set up other solutions to be sure -- even against the blasted (not a real LDAP) AD.

anyway.. just some thoughts... it's not trivial. any of the solutions, btw. not at all..

j/h
San Francisco/Holland/Saudi Arabia
389882830-$$ (for those that know)

On 1/28/2014 11:30 PM, Sorin Srbu wrote:
> -----Original Message-----
> From: centos-boun...@centos.org On Behalf Of m.r...@5-cent.us
> Sent: 28 January 2014 17:09
> To: CentOS mailing list
> Subject: Re: [CentOS] NIS or not?
>
>>> Hmm, yes. It would seem most everybody recommends Kerberos. Will have to look into it then.
>>
>> Remember, Kerberos came from the Unix world, so you'd expect it to work well in Linux. M$ added it in much later.
>
> I would like to thank you all for your hints, advice and suggestions. I now have quite a few leads to follow up on. Will probably be back later on with more questions if Google can't help me. Thanks again.
>
> --
> //Sorin
Re: [CentOS] NIS expiration of passwords
On Jun 28, 2012, at 4:49 PM, Michael Coffman michael.coff...@avagotech.com wrote:
>> I would believe this information is shared from the server to the other computers but here users still can connect (via SSH). If I try to get the information on the user connected I have:
>>
>>   # chage -l USER
>>   user 'USER' does not exist in /etc/passwd
>>
>> This looks normal as there is no user there but then I do not know how to enable the expiration information through NIS. Does someone have an idea?
>
> You can't. NIS on linux does not support password aging.

If you're using NIS then I would use Kerberos for the users' passwords to maintain security. If you're using Kerberos then I believe password aging is handled on the Kerberos server.

-Ross
[CentOS] NIS expiration of passwords
Dear all,

I have a NIS server which shares a database of users between some computers (nodes exactly) and I would like that, on the first login, the user changes its password. So, on the NIS server I have made:

  chage -d 0 USER

Then:

  # cd /var/yp
  # make

On the NIS server I have:

  chage -l USER
  Last password change                              : password must be changed
  Password expires                                  : password must be changed
  Password inactive                                 : password must be changed
  Account expires                                   : never
  Minimum number of days between password change    : 0
  Maximum number of days between password change    : 9
  Number of days of warning before password expires : 7

I would believe this information is shared from the server to the other computers but here users still can connect (via SSH). If I try to get the information on the user connected I have:

  # chage -l USER
  user 'USER' does not exist in /etc/passwd

This looks normal as there is no user there but then I do not know how to enable the expiration information through NIS. Does someone have an idea?

Thanks,
Fabien
Re: [CentOS] NIS expiration of passwords
On Thu, Jun 28, 2012 at 7:23 AM, Fabien Archambault fabien.archamba...@univ-amu.fr wrote:
> Dear all,
>
> I have a NIS server which shares a database of users between some computers (nodes exactly) and I would like that, on the first login, the user changes its password. So, on the NIS server I have made:
>
>   chage -d 0 USER
>
> Then:
>
>   # cd /var/yp
>   # make
>
> On the NIS server I have:
>
>   chage -l USER
>   Last password change                              : password must be changed
>   Password expires                                  : password must be changed
>   Password inactive                                 : password must be changed
>   Account expires                                   : never
>   Minimum number of days between password change    : 0
>   Maximum number of days between password change    : 9
>   Number of days of warning before password expires : 7
>
> I would believe this information is shared from the server to the other computers but here users still can connect (via SSH). If I try to get the information on the user connected I have:
>
>   # chage -l USER
>   user 'USER' does not exist in /etc/passwd
>
> This looks normal as there is no user there but then I do not know how to enable the expiration information through NIS. Does someone have an idea?

You can't. NIS on linux does not support password aging.

> Thanks,
> Fabien

--
-MichaelC
[CentOS] NIS passwd and paswd.byname map encryption
Hello listmates.

It appears that in order to authenticate a Mac OS X Lion client via NIS the passwords in passwd and passwd.byname maps need to be MD5 encrypted. How do I see what encryption has been used in my maps? How do I change it?

Thanks.

Boris.
Re: [CentOS] NIS passwd and paswd.byname map encryption
Boris Epstein wrote:
> Hello listmates.
>
> It appears that in order to authenticate a Mac OS X Lion client via NIS the passwords in passwd and passwd.byname maps need to be MD5 encrypted. How do I see what encryption has been used in my maps? How do I change it?

I think it is the case that Lion only supports DES password hashes in NIS passwd maps - see the thread at:

https://discussions.apple.com/message/16772720#16772720

i.e. they only support the standard crypt() password hashes - which is a regression from previous versions of MacOS X - MacOS 10.6 supports MD5 NIS password hashes ...

James Pearson
Re: [CentOS] NIS question
ann kok writes:
> Hi
>
> How can we use NIS to control a user in different servers?
>
> eg:
>   serverA /home/userA/javaapplication
>   serverB /export/home/userA/javaapplication
>   serverC /vol/home/javaapplication

If you use NIS auto.home for home directories in general, e.g. /home/user, you can install a local auto.home map on each server so that /home/userA is a different physical directory on each server. See 18.3.3.1 at http://www.centos.org/docs/5/html/Deployment_Guide-en-US/s1-nfs-client-config-autofs.html.
[CentOS] NIS question
Hi

How can we use NIS to control a user in different servers?

eg:
  serverA /home/userA/javaapplication
  serverB /export/home/userA/javaapplication
  serverC /vol/home/javaapplication

Thank you
Re: [CentOS] NIS question
ann kok wrote:
> Hi
>
> How can we use NIS to control a user in different servers?
>
> eg:
>   serverA /home/userA/javaapplication
>   serverB /export/home/userA/javaapplication
>   serverC /vol/home/javaapplication
>
> Thank you

Could you be more specific on what you are trying to do ?
Re: [CentOS] NIS question
On Tue, May 04, 2010 at 05:05:40PM -0700, ann kok wrote:
> Hi
>
> How can we use NIS to control a user in different servers?
>
> eg:
>   serverA /home/userA/javaapplication
>   serverB /export/home/userA/javaapplication
>   serverC /vol/home/javaapplication
>
> Thank you

Automounter maps? I guess they'd need a bit of intelligence

Ray
Re: [CentOS] NIS failover
After dealing with a couple of issues with OpenLDAP, I'd say it beats the piss out of NIS all day long. NIS is ancient and decrepit. Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems.

Peter

On Thu, Dec 17, 2009 at 11:50 AM, John R. Dennison j...@gerdesas.com wrote:
> On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
>> Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
>
> Out of curiosity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?
>
> NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction.
>
> John
> --
> We cannot do everything at once, but we can do something at once.
> -- Calvin Coolidge (1872-1933), 30th president of the United States

--
Peter Serwe
http://truthlightway.blogspot.com/
Re: [CentOS] NIS failover
On Fri, 18 Dec 2009, Peter Serwe wrote:
> After dealing with a couple of issues with OpenLDAP, I'd say it beats the piss out of NIS all day long. NIS is ancient and decrepit.

Agreed.

> Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems.

Astonishing.

-s
Re: [CentOS] NIS failover
> Hard to believe, but certain very well known organizations refuse to get off NIS for critical and secure systems.

{{citation needed}} :-)

--
Drew

Nothing in life is to be feared. It is only to be understood.
--Marie Curie
[CentOS] NIS failover
We just updated our configurations to have multiple NIS servers, when we initiated a test of client failover, we were disappointed. It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.

It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux

http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192

Any advice?

-Jason

--
Jason Pyeron, PD Inc. http://www.pdinc.us
Principal Consultant, 10 West 24th Street #100, Baltimore, Maryland 21218, +1 (443) 269-1555 x333
Re: [CentOS] NIS failover
> We just updated our configurations to have multiple NIS servers, when we initiated a test of client failover, we were disappointed. It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.
>
> It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
> Any advice?

Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security).

mark
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH

Out of curiosity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?

NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction.

John
--
We cannot do everything at once, but we can do something at once.
-- Calvin Coolidge (1872-1933), 30th president of the United States
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
> On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
>> Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH
>
> Out of curiosity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?
>
> NIS+ is not, the last time I checked, available for Linux; if my understanding is in error I would very much welcome correction.

I believe Sun recently dropped NIS+ from Solaris/OpenSolaris as well. The authors noted the irony in NIS outliving that which was meant to replace it. :)

Main weakness of NIS is that it's pretty easy to just sniff out potentially valuable information over the wire. But if you're on a secure / internal network and have legacy clients to support often times the reality is you'll need to use NIS.

At work, we still rely on NIS, but hope to integrate with AD at some point -- however, we'll undoubtedly need some sort of NIS shim that can talk to the LDAP backend to provide functionality to older, legacy Unix clients...

Ray
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 12:44:54PM -0700, m.r...@5-cent.us wrote:
> Not one you want to hear: ditch NIS. It's known to have a *lot* of security holes. At the very least, NIS+. Better would be either RH

NIS+ is a dead product. Even Sun gave up pushing it. (Funny; in 1995 the Solaris training courses barely mentioned NIS and had 2 or 3 chapters on NIS+; in 2007 the equivalent course had a bit on NIS, didn't mention NIS+ at all, and had 2 or 3 chapters on LDAP). Don't migrate to NIS+.

> directory server (which I've never worked with), or openLDAP (which is, IMO, NOT ready for prime time, but is built for security.

The problem with LDAP is that it's a lot slower than NIS, and nscd is essential in order to get even minimally adequate performance. Unfortunately.

I say unfortunately because in many respects LDAP is superior to NIS (especially with respect to security). Just not needing crypt strings is a big win. I use it at work, but very carefully :-)

NIS is insecure, but it has a massive advantage of being fast and (normally) just works. Evaluate the security in your environment and determine if the risk is acceptable.

--
rgds
Stephen
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 01:50:16PM -0600, John R. Dennison wrote:
> Out of curiosity, can you point me to writeups of known working exploits against current yp-family versions on CentOS?

The problem isn't an exploit of the specific tools; the whole mechanism is insecure, unless you use secureRPC everywhere.

For example, there's no verification that the server you are bound to is, indeed, a valid server for the network and not a rogue sending out bad data. (Opens you to many MITM attacks).

Exposure of passwords? Well, the crypt string, anyway. If you're not using md5 password encryption everywhere then you've opened yourself to simple brute-force attacks on your network.

No validation that client machines are authorized to see the data (I plug a machine into your network and can grab all the data from NIS, to hack against in my own time... and forget about the pseudo 'shadow' map in that case!)

And so on.

--
rgds
Stephen
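Stephen's points above (the crypt string is readable by any client that can bind to the map, and DES hashes are cheap to brute-force), together with the earlier question of how to see which hash algorithm a passwd map carries and the Lion client's DES-only limitation, can be checked against a real map. The following is an added example and not code from the thread: it classifies the password field of each entry in passwd-map text such as the output of `ypcat passwd`; SAMPLE_MAP and its hash bodies are constructed.

```python
"""Classify the crypt strings in a NIS passwd map (constructed example).

Feed it the map text as a client sees it, e.g. `ypcat passwd > map.txt`.
The SAMPLE_MAP below is constructed and its hash bodies are made up.
"""
import re
from collections import Counter

# Traditional crypt(3): 2-character salt + 11 characters, crypt alphabet only.
_DES_RE = re.compile(r"^[./0-9A-Za-z]{13}$")

# Modular-crypt prefixes and the algorithm each denotes.
_PREFIXES = (
    ("$1$", "md5crypt"),
    ("$5$", "sha256crypt"),
    ("$6$", "sha512crypt"),
    ("$2a$", "bcrypt"), ("$2b$", "bcrypt"), ("$2y$", "bcrypt"),
)

# Kinds whose presence in the map hands an offline-guessable secret to
# every client that can read the map.
EXPOSED_KINDS = {"des", "md5crypt", "sha256crypt", "sha512crypt", "bcrypt", "unknown"}


def classify_hash(field):
    """Label the password field of one passwd entry."""
    if field == "":
        return "empty"        # no password at all
    if field == "x" or field.startswith(("*", "!")):
        return "no-hash"      # shadow placeholder or locked account
    for prefix, name in _PREFIXES:
        if field.startswith(prefix):
            return name
    if _DES_RE.match(field):
        return "des"          # 56-bit DES, 8-character password limit
    return "unknown"


def parse_passwd_map(text):
    """Parse passwd-format lines into dicts; a malformed line raises."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("line %d: expected 7 fields, got %d" % (lineno, len(fields)))
        user, pw, uid, _gid, _gecos, _home, shell = fields
        entries.append({"user": user, "hash": pw, "uid": int(uid),
                        "shell": shell, "kind": classify_hash(pw)})
    return entries


def audit_passwd_map(text):
    """Summarise what any reader of this map obtains."""
    entries = parse_passwd_map(text)
    return {
        "counts": dict(Counter(e["kind"] for e in entries)),
        # accounts whose crypt string is readable by every NIS client
        "exposed": [e["user"] for e in entries if e["kind"] in EXPOSED_KINDS],
        # accounts with a DES hash: feasible to brute-force offline
        "des": [e["user"] for e in entries if e["kind"] == "des"],
        # accounts with no password at all
        "empty": [e["user"] for e in entries if e["kind"] == "empty"],
        # accounts a DES-only client (the Lion case) cannot verify
        "not_des": [e["user"] for e in entries if e["kind"] in EXPOSED_KINDS - {"des"}],
    }


# Constructed sample map; hash bodies are invented, not real digests.
SAMPLE_MAP = """\
alice:$1$Zq9vLm2k$8kz1xL0cJ3Hh5vNqB7wTe.:1001:100:Alice:/home/alice:/bin/bash
bob:abJnggxhB/yWI:1002:100:Bob:/home/bob:/bin/bash
carol:$6$rounds=5000$Ux3tq1zB$n0rl7Vh2.Q9wM:1003:100:Carol:/home/carol:/bin/bash
backup::1004:100:Backup job:/var/backup:/bin/sh
dave:x:1005:100:Dave:/home/dave:/bin/noLogin
"""

if __name__ == "__main__":
    import json
    print(json.dumps(audit_passwd_map(SAMPLE_MAP), indent=2))
```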
Re: [CentOS] NIS failover
-----Original Message-----
From: centos-boun...@centos.org On Behalf Of Jason Pyeron
Sent: Thursday, December 17, 2009 14:37
To: 'CentOS mailing list'
Subject: [CentOS] NIS failover

> We just updated our configurations to have multiple NIS servers, when we initiated a test of client failover, we were disappointed. It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.
>
> It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
> Any advice?

So, avoiding the security flamewars...

It seems that it behaves slightly different than I indicated before.

Snippet of the strace for

  # ypcat passwd

  ...
  mprotect(0x2a9566a000, 4096, PROT_READ) = 0
  arch_prctl(ARCH_SET_FS, 0x2a959bde00) = 0
  munmap(0x2a9556c000, 33321) = 0
  brk(0) = 0x503000
  brk(0x524000) = 0x524000
  open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
  fstat(3, {st_mode=S_IFREG|0644, st_size=48528816, ...}) = 0
  mmap(NULL, 48528816, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2a959bf000
  close(3) = 0
  uname({sys="Linux", node="xxx", ...}) = 0
  open("/var/yp/nicknames", O_RDONLY) = 3
  fstat(3, {st_mode=S_IFREG|0644, st_size=185, ...}) = 0
  mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2a98807000
  read(3, "passwd\t\tpasswd.byname\ngroup\t\tgro"..., 4096) = 185
  read(3, "", 4096) = 0
  close(3) = 0
  munmap(0x2a98807000, 4096) = 0
  open("/var/yp/binding/XXX.2", O_RDONLY) = 3
  pread(3, "\1\0\0\0\300\250\1\"\2\315\0\0", 12, 2) = 12
  socket(PF_INET, SOCK_DGRAM, IPPROTO_UDP) = 4
  getpid() = 13062
  bind(4, {sa_family=AF_INET, sin_port=htons(942), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
  ioctl(4, FIONBIO, [1]) = 0
  setsockopt(4, SOL_IP, IP_RECVERR, [1], 4) = 0
  fcntl(4, F_SETFD, FD_CLOEXEC) = 0
  close(3) = 0
  close(4) = 0
  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
  bind(3, {sa_family=AF_INET, sin_port=htons(0), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
  connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out)
  close(3) = 0
  socket(PF_INET, SOCK_STREAM, IPPROTO_TCP) = 3
  bind(3, {sa_family=AF_INET, sin_port=htons(943), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
  connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16 <unfinished ...>

Then when I ^C it and run again it has failed over, but otherwise it hangs there for more than 300 seconds.

--
Jason Pyeron, PD Inc. http://www.pdinc.us
Principal Consultant, 10 West 24th Street #100, Baltimore, Maryland 21218, +1 (443) 269-1555 x333
Re: [CentOS] NIS failover
Jason Pyeron wrote:
> -----Original Message-----
> From: centos-boun...@centos.org On Behalf Of Jason Pyeron
> Sent: Thursday, December 17, 2009 14:37
> To: 'CentOS mailing list'
> Subject: [CentOS] NIS failover
>
>> We just updated our configurations to have multiple NIS servers, when we initiated a test of client failover, we were disappointed. It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.
>>
>> It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>>
>> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>>
>> Any advice?
>
> So, avoiding the security flamewars...
>
> It seems that it behaves slightly different than I indicated before.
>
> Snippet of the strace for
>
>   # ypcat passwd
>
> [...]
>   connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16) = -1 ETIMEDOUT (Connection timed out)
> [...]
>   connect(3, {sa_family=AF_INET, sin_port=htons(111), sin_addr=inet_addr("192.168.1.34")}, 16 <unfinished ...>
>
> Then when I ^C it and run again it has failed over, but otherwise it hangs there for more than 300 seconds.

How is your /etc/yp.conf defined? NIS failover works flawlessly here if we have /etc/yp.conf like

  ypserver nis2
  ypserver nis

But have had problems if we use broadcast. :)
Re: [CentOS] NIS failover
Jason Pyeron wrote:
> We just updated our configurations to have multiple NIS servers, when we initiated a test of client failover, we were disappointed. It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.

We've been using NIS like this for years - failover works just fine. In fact that is one of things I like about NIS, failover is built in and works with virtually no extra set up ...

What do you have in your /etc/yp.conf ?

James Pearson
Re: [CentOS] NIS failover
On Fri, Dec 18, 2009 at 09:51:24AM +1300, Clint Dilks wrote:
> How is your /etc/yp.conf defined? NIS failover works flawlessly here if we have /etc/yp.conf like
>
>   ypserver nis2
>   ypserver nis

You also need to ensure you can resolve nis and nis2 without using NIS, so you may also need to put them into /etc/hosts and ensure the nsswitch.conf hosts entry begins with files.

--
rgds
Stephen
Re: [CentOS] NIS failover
On Thu, Dec 17, 2009 at 11:37 AM, Jason Pyeron jpye...@pdinc.us wrote:
> We just updated our configurations to have multiple NIS servers, when we initiated a test of client failover, we were disappointed. It seemed that the only way to get a failover was to /etc/init.d/ypbind restart.
>
> It behaves as indicated in http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=5084845 using ypbind-1.17.2-13 on Centos 4.5 / Linux 2.6.9-55.0.12.ELsmp #1 SMP Fri Nov 2 12:38:56 EDT 2007 x86_64 x86_64 x86_64 GNU/Linux
>
> http://bugs.opensolaris.org/bugdatabase/view_bug.do?bug_id=4858192
>
> Any advice?

Are you broadcasting for a NIS server? Probably should post your /etc/yp.conf file.

--
Enjoy global warming while it lasts.
[CentOS] NIS
Hi list

Does anyone know about a good howto to set up NIS and to make AD see it and use the usernames?

Regards
Per Qvindesland
E-mail: p...@norhex.com
http://www.linkedin.com/in/perqvindesland
Re: [CentOS] NIS
Per Qvindesland wrote:
> Hi list
>
> Does anyone know about a good howto to set up NIS and to make AD see it and use the usernames?

http://www.linux-nis.org/nis-howto/HOWTO/

I don't think you can get AD to 'use' NIS as a directory service, but AD can be set up as a NIS server using IDMU (Identity Management for Unix)

James Pearson
Re: [CentOS] NIS
Per Qvindesland wrote:
> Hi list
>
> Does anyone know about a good howto to set up NIS and to make AD see it and use the usernames?

I haven't actually set up NIS in the machine I'm using right now, but if I remember correctly, what you need to do to get a machine to use the usernames and passwords on an existing NIS server is:

1. Insert a line like

     domain yourdomainname broadcast

   in the file /etc/yp.conf.

2. Edit /etc/nsswitch.conf; change the line

     passwd: files

   to

     passwd: files nis

   or

     passwd: nis files

3. /sbin/chkconfig ypbind start

If you are using DHCP and the DHCP server knows the NIS domain name, it's even simpler, as 1) should be done automatically (but it's always a good idea to check the file just in case.)

If you're talking about setting up a NIS server, I can't recall much about how it's done, I'm afraid...

- Toralf
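The failover thread above settled on two requirements for a client that should bind reliably (explicit `ypserver` lines rather than broadcast, and server names resolvable from /etc/hosts with `files` first on the nsswitch.conf `hosts:` line), while the setup steps just given start from a `domain ... broadcast` line. The following is an added example, not code from the list: it checks a client's yp.conf, nsswitch.conf and hosts text for both problems, on constructed file contents.

```python
"""Check a NIS client's binding configuration (constructed example).

Findings cover broadcast binding (any host on the subnet may answer the
bind request, and failover was unreliable), too few servers to fail over
to, ypserver names that are not resolvable before NIS is up, and a hosts
lookup order that would consult NIS before /etc/hosts.
"""
import re

_IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


def parse_yp_conf(text):
    """Return ('server', host) or ('broadcast', None) per binding line."""
    bindings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "ypserver" and len(parts) == 2:
            bindings.append(("server", parts[1]))
        elif parts[0] == "domain" and len(parts) == 4 and parts[2] == "server":
            bindings.append(("server", parts[3]))
        elif parts[0] == "domain" and len(parts) == 3 and parts[2] == "broadcast":
            bindings.append(("broadcast", None))
        elif parts == ["broadcast"]:
            bindings.append(("broadcast", None))
        else:
            raise ValueError("unrecognised yp.conf line: %r" % raw)
    return bindings


def hosts_sources(nsswitch_text):
    """Return the lookup sources on the nsswitch.conf 'hosts:' line."""
    for raw in nsswitch_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line[len("hosts:"):].split()
    return []


def hosts_file_names(hosts_text):
    """Return every hostname and alias defined in /etc/hosts text."""
    names = set()
    for raw in hosts_text.splitlines():
        fields = raw.split("#", 1)[0].split()
        if len(fields) >= 2:
            names.update(fields[1:])
    return names


def check_nis_client(yp_conf, nsswitch, hosts):
    """Return a list of findings; an empty list means the config is sound."""
    findings = []
    bindings = parse_yp_conf(yp_conf)
    servers = [host for mode, host in bindings if mode == "server"]
    if any(mode == "broadcast" for mode, _ in bindings):
        findings.append("broadcast binding: any host on the subnet can answer the bind request")
    elif len(servers) < 2:
        findings.append("fewer than two ypserver entries: nothing to fail over to")
    sources = hosts_sources(nsswitch)
    if sources[:1] != ["files"]:
        findings.append("nsswitch.conf hosts lookup does not start with 'files': %s"
                        % " ".join(sources))
    known = hosts_file_names(hosts)
    for host in servers:
        if not _IPV4_RE.match(host) and host not in known:
            findings.append("ypserver %s is neither an IP address nor in /etc/hosts" % host)
    return findings


# Constructed file contents (192.0.2.0/24 is a documentation range).
WEAK_YP_CONF = "domain example.nis broadcast\n"
GOOD_YP_CONF = "ypserver nis2\nypserver nis\n"
NSSWITCH_OK = "passwd: files nis\nhosts: files nis dns\n"
NSSWITCH_BAD = "passwd: files nis\nhosts: nis files dns\n"
HOSTS = "127.0.0.1 localhost\n192.0.2.10 nis nis.example.nis\n192.0.2.11 nis2\n"

if __name__ == "__main__":
    for label, yp, ns in (("weak", WEAK_YP_CONF, NSSWITCH_BAD), ("good", GOOD_YP_CONF, NSSWITCH_OK)):
        print(label, check_nis_client(yp, ns, HOSTS) or ["ok"])
```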
Re: [CentOS] NIS
Ok I am done getting it up and running. Thanks a million for everybody's help

Regards
Per Qvindesland
E-mail: p...@norhex.com
http://www.linkedin.com/in/perqvindesland

--- Original message follows ---
SUBJECT: Re: [CentOS] NIS
FROM: James Pearson
TO: CentOS mailing list
DATE: 22-07-2009 12:35

> Per Qvindesland wrote:
>> Hi list
>>
>> Does anyone know about a good howto to set up NIS and to make AD see it and use the usernames?
>
> I don't think you can get AD to 'use' NIS as a directory service, but AD can be set up as a NIS server using IDMU (Identity Management for Unix)
>
> James Pearson
[CentOS] nis and new users
Every time a new user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir to their home dir". They call me with the error and I do a:

  cp -a /etc/skel/ ~USER
  chown USER.users -R ~USER/

and it is fixed. Is there an automated way?

--
Jason Pyeron, PD Inc. http://www.pdinc.us
Principal Consultant, 10 West 24th Street #100, Baltimore, Maryland 21218, +1 (443) 269-1555 x333
RE: [CentOS] nis and new users
Jason Pyeron wrote:
> Every time a new user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir to their home dir". They call me with the error and I do a:
>
>   cp -a /etc/skel/ ~USER
>   chown USER.users -R ~USER/
>
> and it is fixed. Is there an automated way?

Look at pam_mkhomedir and see if it fits your bill.

-Ross
Re: [CentOS] nis and new users
On Tue, 2008-04-15 at 10:27 -0400, Jason Pyeron wrote:
> Every time a new user logs into a development box (which does not use nfs for the home dirs) they get "could not chdir to their home dir". They call me with the error and I do a:
>
>   cp -a /etc/skel/ ~USER
>   chown USER.users -R ~USER/
>
> and it is fixed. Is there an automated way?

From CLI, use useradd (man useradd) which has a parameter to automatically set up user's home, including copying /etc/skel.

From an X gnome desktop session (System->Administration->Users and Groups), I can't remember if it's automatic or if it has a checkbox for that.

Either case should fix it.

<snip sig stuff>

HTH
--
Bill
[CentOS] NIS libuser and auto-make of maps
I have my NIS user/group files separate from the system user/group files using libuser to manage them and that works well, but I am trying to find a way to get libuser to invoke a 'make' of the NIS maps whenever it updates the master files.

Is there a routine I can configure in libuser to do this, or am I stuck having to do it by cron?

Ross S. W. Walker
Information Systems Manager
Medallion Financial, Corp.
437 Madison Avenue
38th Floor
New York, NY 10022
Tel: (212) 328-2165
Fax: (212) 328-2125
WWW: http://www.medallion.com
RE: [CentOS] nis and new users
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross S. W. Walker
Sent: Tuesday, April 15, 2008 10:39 AM
To: CentOS mailing list
Subject: RE: [CentOS] nis and new users

> Jason Pyeron wrote:
> > Every time a new user logs into a development box (which does not use NFS for the home dirs) they get "could not chdir to their home dir". They call me with the error and I do a:
> >
> >   cp -a /etc/skel/ ~USER
> >   chown USER.users -R ~USER/
> >
> > and it is fixed. Is there an automated way?
>
> Look at pam_mkhomedir and see if it fits your bill.

Yes that is exactly what we need.

/etc/pam.d/login
  #%PAM-1.0
  auth       required     pam_securetty.so
  auth       required     pam_stack.so service=system-auth
  auth       required     pam_nologin.so
  account    required     pam_stack.so service=system-auth
  password   required     pam_stack.so service=system-auth
  # pam_selinux.so close should be the first session rule
  session    required     pam_selinux.so close
  session    required     pam_mkhomedir.so
  session    required     pam_stack.so service=system-auth
  session    required     pam_loginuid.so
  session    optional     pam_console.so
  # pam_selinux.so open should be the last session rule
  session    required     pam_selinux.so open

but still get:

  Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
  Could not chdir to home directory /home/USER: No such file or directory
  -bash-3.00$

Any ideas?

> -Ross

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Principal Consultant          10 West 24th Street #100   -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218  -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
This message is for the designated recipient only and may contain privileged, proprietary, or otherwise private information. If you have received it in error, purge the message from your system and notify the sender immediately. Any other use of the email by you is prohibited.
RE: [CentOS] NIS libuser and auto-make of maps
We use 5* cron too.

_____
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross S. W. Walker
Sent: Tuesday, April 15, 2008 10:43 AM
To: CentOS mailing list
Subject: [CentOS] NIS libuser and auto-make of maps

> I have my NIS user/group files separate from the system user/group files using libuser to manage them and that works well, but I am trying to find a way to get libuser to invoke a 'make' of the NIS maps whenever it updates the master files.
>
> Is there a routine I can configure in libuser to do this, or am I stuck having to do it by cron?
>
> Ross S. W. Walker
> Information Systems Manager
> Medallion Financial, Corp.
RE: [CentOS] NIS libuser and auto-make of maps
Jason Pyeron wrote:
> Ross S. W. Walker wrote:
> > I have my NIS user/group files separate from the system user/group files using libuser to manage them and that works well, but I am trying to find a way to get libuser to invoke a 'make' of the NIS maps whenever it updates the master files.
> >
> > Is there a routine I can configure in libuser to do this, or am I stuck having to do it by cron?
>
> We use 5* cron too.

So every 5 minutes, well I do it every 15 now, but it would be nice to have libuser kick off a 'make' 'push' every time the user/group database is modified. It would save a lot of pushing of maps unnecessarily.

-Ross
RE: [CentOS] nis and new users
Jason Pyeron wrote:
> Ross S. W. Walker wrote:
> > Jason Pyeron wrote:
> > > Every time a new user logs into a development box (which does not use NFS for the home dirs) they get "could not chdir to their home dir". They call me with the error and I do a:
> > >
> > >   cp -a /etc/skel/ ~USER
> > >   chown USER.users -R ~USER/
> > >
> > > and it is fixed. Is there an automated way?
> >
> > Look at pam_mkhomedir and see if it fits your bill.
>
> Yes that is exactly what we need.
>
> /etc/pam.d/login
>   [snip: /etc/pam.d/login as posted above]
>
> but still get:
>
>   Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
>   Could not chdir to home directory /home/USER: No such file or directory
>   -bash-3.00$
>
> Any ideas?

Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins. Try this:

/etc/pam.d/system-auth
  #%PAM-1.0
  # This file is auto-generated.
  # User changes will be destroyed the next time authconfig is run.
  auth        required      pam_env.so
  auth        optional      pam_group.so
  auth        sufficient    pam_unix.so nullok try_first_pass
  auth        requisite     pam_succeed_if.so uid >= 500 quiet
  auth        sufficient    pam_krb5.so use_first_pass
  auth        required      pam_deny.so

  account     required      pam_unix.so broken_shadow
  account     sufficient    pam_localuser.so
  account     sufficient    pam_succeed_if.so uid < 500 quiet
  account     [default=bad success=ok user_unknown=ignore] pam_krb5.so
  account     required      pam_permit.so

  password    requisite     pam_cracklib.so try_first_pass retry=3
  password    sufficient    pam_unix.so md5 shadow nullok try_first_pass use_authtok
  password    sufficient    pam_krb5.so use_authtok
  password    required      pam_deny.so

  session     optional      pam_keyinit.so revoke
  session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
  session     required      pam_limits.so
  session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
  session     required      pam_unix.so
  session     optional      pam_krb5.so

Of course tailor for your environment.

I have tested this config to persist through different authconfig's.

-Ross
RE: [CentOS] NIS libuser and auto-make of maps
Sorry no I meant a 5 star cron job = * * * * *

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross S. W. Walker
Sent: Tuesday, April 15, 2008 12:21 PM
To: CentOS mailing list
Subject: RE: [CentOS] NIS libuser and auto-make of maps

> Jason Pyeron wrote:
> > Ross S. W. Walker wrote:
> > > I have my NIS user/group files separate from the system user/group files using libuser to manage them and that works well, but I am trying to find a way to get libuser to invoke a 'make' of the NIS maps whenever it updates the master files.
> > >
> > > Is there a routine I can configure in libuser to do this, or am I stuck having to do it by cron?
> >
> > We use 5* cron too.
>
> So every 5 minutes, well I do it every 15 now, but it would be nice to have libuser kick off a 'make' 'push' every time the user/group database is modified. It would save a lot of pushing of maps unnecessarily.
>
> -Ross
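The thread settles on a cron job that runs 'make -C /var/yp' every minute (or every 5 or 15) whether or not anything changed. The script below is an added example for that problem, not code from the list or from libuser: it is meant to be the thing cron calls every minute, and it only rebuilds and pushes when a source file is newer than a stamp written at the last successful push. The source file list, the stamp path and the make command are assumptions to adapt (libuser writes to the files named in /etc/libuser.conf, so list those); the sample passwd entry in demo() is constructed.

```python
"""Rebuild and push the NIS maps only when the source files actually changed.

Added example for the libuser/cron thread above; not list or libuser code.
Run it from cron every minute in place of an unconditional '* * * * *'
entry. It calls 'make -C /var/yp' (the target ypinit sets up to rebuild and
yppush the maps) only when a source file is newer than a stamp recorded at
the last successful push.
"""
import os
import subprocess
import sys
import tempfile
import time

DEFAULT_SOURCES = ["/etc/passwd", "/etc/shadow", "/etc/group"]  # assumed; match /etc/libuser.conf
DEFAULT_STAMP = "/var/yp/.last-push"                              # assumed; any root-writable path
DEFAULT_MAKE = ["make", "-C", "/var/yp"]


def maps_stale(sources, stamp):
    """True when the maps need rebuilding: no stamp yet, or a source modified at or
    after the stamp time. '>=' errs towards one redundant push rather than a lost
    update when timestamps collide."""
    if not os.path.exists(stamp):
        return True
    last = os.stat(stamp).st_mtime
    return any(os.path.exists(s) and os.stat(s).st_mtime >= last for s in sources)


def push_if_changed(sources=DEFAULT_SOURCES, stamp=DEFAULT_STAMP, make_cmd=DEFAULT_MAKE):
    """Run make_cmd if needed; return True when a push happened.
    The stamp carries the time at which make STARTED (minus 1 s of slack for coarse
    filesystem timestamps) and is written only after make succeeds: a source edited
    while make ran is still newer than the stamp and gets pushed on the next run,
    and a failed make leaves the stamp alone so the push is retried."""
    if not maps_stale(sources, stamp):
        return False
    started = time.time() - 1
    subprocess.run(make_cmd, check=True)
    with open(stamp, "a"):
        pass
    os.utime(stamp, (started, started))
    return True


def demo():
    """Offline run in a temp dir with a no-op in place of make. Returns the push
    decision for a first run, an immediate second run, and a run after a source
    file is modified (what libuser adding a user looks like to this script)."""
    d = tempfile.mkdtemp()
    sources = [os.path.join(d, n) for n in ("passwd", "group")]
    past = time.time() - 100
    for p in sources:
        with open(p, "w") as f:
            f.write("nisuser:x:1001:100::/home/nisuser:/bin/bash\n")  # constructed entry
        os.utime(p, (past, past))
    stamp = os.path.join(d, "last-push")
    noop = [sys.executable, "-c", "pass"]  # stands in for 'make -C /var/yp'
    first = push_if_changed(sources, stamp, noop)
    second = push_if_changed(sources, stamp, noop)
    later = os.stat(stamp).st_mtime + 5
    os.utime(sources[0], (later, later))   # simulate a user being added
    third = push_if_changed(sources, stamp, noop)
    return first, second, third


if __name__ == "__main__":
    print(demo())
```

Run it as root from a one-minute cron entry, wrapped in flock(1) so two overlapping runs cannot both start make, and keep the stamp somewhere the ypserv host's Makefile will not clean. A change made during a push is still detected on the next run, which is the property the every-five-minutes job was quietly relying on luck for.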
RE: [CentOS] nis and new users
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross S. W. Walker
Sent: Tuesday, April 15, 2008 12:16 PM
To: CentOS mailing list
Subject: RE: [CentOS] nis and new users

> Jason Pyeron wrote:
> > but still get:
> >
> >   Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
> >   Could not chdir to home directory /home/USER: No such file or directory
> >   -bash-3.00$
> >
> > Any ideas?
>
> Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins. Try this:
>
> /etc/pam.d/system-auth
>   [snip: system-auth config quoted in full, as posted above]
>
> Of course tailor for your environment.

Defaults are fine for our use.

> I have tested this config to persist through different authconfig's.

How? It gets blown away here.

> -Ross
RE: [CentOS] nis and new users
-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Ross S. W. Walker
Sent: Tuesday, April 15, 2008 12:16 PM
To: CentOS mailing list
Subject: RE: [CentOS] nis and new users

> Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins. Try this:
>
> /etc/pam.d/system-auth
>   [snip: system-auth config quoted in full, as posted above]

Hmm, it worked for su -l but not ssh logins. Making progress.
RE: [CentOS] nis and new users
Jason Pyeron wrote:
> Ross S. W. Walker wrote:
> > Jason Pyeron wrote:
> > > but still get:
> > >
> > >   Last login: Tue Apr 15 11:24:57 2008 from .myvzw.com
> > >   Could not chdir to home directory /home/USER: No such file or directory
> > >   -bash-3.00$
> > >
> > > Any ideas?
> >
> > Well what you have will only cover console logins via the login process, not GUI xdm/gdm/kdm or ssh/telnet/ftp/rsh logins. Try this:
> >
> > /etc/pam.d/system-auth
> >   [snip: system-auth config quoted in full, as posted above]
> >
> > Of course tailor for your environment.
>
> Defaults are fine for our use.
>
> > I have tested this config to persist through different authconfig's.
>
> How? It gets blown away here.

Disregard, I must have been thinking of something else, yes authconfig blows these away.

It would be nice if authconfig stuck in includes to a separate pam for local configuration to be preserved, or if they used template files for creating the default configuration. If they used templates the python scripts would probably be a lot smaller and less complex and would allow administrators to customize the templates for their environment.

Anyways I'm going to put mine in a system-auth-local file and stick in includes and see if that works better in the long run.

-Ross
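The thread's two stumbling blocks are structural: a module placed in /etc/pam.d/login is never seen by sshd or gdm, and each service file reaches system-auth through a different mechanism (pam_stack.so service=system-auth on CentOS 4, include system-auth on CentOS 5). The script below is an added example, not code from the list, from Linux-PAM or from authconfig. It flattens the session stack of every service the way PAM would run it, reports which services actually create a home directory, and flags a detail the thread's login file shows: when pam_mkhomedir is listed twice (once directly with no options, once via system-auth with umask=0077), the first invocation creates the directory with the module's default umask of 0022 and the second finds it present and does nothing, so the home ends up world-readable. The pam.d contents in SAMPLE_PAMD are constructed for the demo; pamd_dir_to_dict() reads a real /etc/pam.d into the same shape.

```python
"""Which PAM services really run pam_mkhomedir, and with what umask?

Added example for the pam_mkhomedir thread; not code from the list, Linux-PAM
or authconfig. SAMPLE_PAMD is constructed and follows the CentOS 4
('pam_stack.so service=') and CentOS 5 ('include') layouts quoted there.
"""
import os
import re

SAMPLE_PAMD = {
    "system-auth": """\
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
session     optional      pam_keyinit.so revoke
session     required      pam_mkhomedir.so skel=/etc/skel umask=0077 silent
session     required      pam_limits.so
session     required      pam_unix.so
""",
    # CentOS 5 style: sshd reaches system-auth through 'include'
    "sshd": """\
#%PAM-1.0
auth       include      system-auth
account    required     pam_nologin.so
account    include      system-auth
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    required     pam_loginuid.so
""",
    # CentOS 4 style: login uses pam_stack.so AND lists pam_mkhomedir itself, option-less
    "login": """\
#%PAM-1.0
auth       required     pam_securetty.so
auth       required     pam_stack.so service=system-auth
session    required     pam_selinux.so close
session    required     pam_mkhomedir.so
session    required     pam_stack.so service=system-auth
session    required     pam_selinux.so open
""",
    # A service that never reaches system-auth: no home directory gets created
    "vsftpd": """\
#%PAM-1.0
auth       required     pam_unix.so
account    required     pam_unix.so
session    required     pam_unix.so
""",
}

# type, control (bare word or [bracketed expression]), module, remaining args
LINE_RE = re.compile(r"(\S+)\s+(\[[^\]]*\]|\S+)\s+(\S+)\s*(.*)$")


def pamd_dir_to_dict(path="/etc/pam.d"):
    """Read a real pam.d directory into the {service: text} shape of SAMPLE_PAMD."""
    files = {}
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            with open(full, errors="replace") as f:
                files[name] = f.read()
    return files


def _entries(pamd, service):
    for raw in pamd.get(service, "").splitlines():
        line = raw.split("#", 1)[0].strip()
        m = LINE_RE.match(line) if line else None
        if m:
            yield m.groups()


def session_modules(pamd, service, chain=()):
    """Flattened session stack for `service`, in PAM's execution order.
    Follows 'include FILE' (CentOS 5) and 'pam_stack.so service=FILE' (CentOS 4)."""
    if service in chain:                      # include-loop guard
        return []
    chain = chain + (service,)
    out = []
    for mtype, ctl, module, args in _entries(pamd, service):
        if mtype != "session":
            continue
        if ctl == "include":
            out.extend(session_modules(pamd, module, chain))
        elif module == "pam_stack.so":
            opts = dict(a.split("=", 1) for a in args.split() if "=" in a)
            if "service" in opts:
                out.extend(session_modules(pamd, opts["service"], chain))
        else:
            out.append((module, args))
    return out


def mkhomedir_report(pamd):
    """Per service: whether a login creates the home dir, how many times the module
    is listed, and the umask that really applies. Only the FIRST pam_mkhomedir in the
    stack creates the directory; later ones find it present and do nothing, so their
    umask never takes effect. The module default is 0022."""
    report = {}
    for service in sorted(pamd):
        hits = [args for mod, args in session_modules(pamd, service) if mod == "pam_mkhomedir.so"]
        umask = None
        if hits:
            opts = dict(a.split("=", 1) for a in hits[0].split() if "=" in a)
            umask = opts.get("umask", "0022")
        report[service] = {"creates_home": bool(hits), "listed": len(hits), "effective_umask": umask}
    return report


def world_readable_homes(pamd):
    """Services whose auto-created home dirs stay readable by every other local user."""
    return sorted(svc for svc, r in mkhomedir_report(pamd).items()
                  if r["creates_home"] and (int(r["effective_umask"], 8) & 0o007) != 0o007)


if __name__ == "__main__":
    for svc, r in mkhomedir_report(SAMPLE_PAMD).items():
        print(f"{svc:12s} {r}")
    print("world-readable homes created by:", world_readable_homes(SAMPLE_PAMD))
```

Two caveats the report cannot see from the files alone: sshd only runs its PAM session stack when UsePAM yes is set in sshd_config, so a service that looks correct here still creates nothing if PAM is disabled there; and since authconfig rewrites system-auth, the surviving place for the pam_mkhomedir line is a separate file pulled in with include, as the reply above proposes.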
Re: [CentOS] NIS and NIS+
Jason Pyeron wrote:
> How can I tell if I am using NIS+? I would like the data to be encrypted on the lan.

I don't think NIS+ is 'supported' on Linux - see:

http://www.linux-nis.org/nisplus/

James Pearson
RE: [CentOS] NIS and NIS+
So what is the proper way to ensure root and others' password (hashes) are not sent over the lan?

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-
- Jason Pyeron                  PD Inc. http://www.pdinc.us -
- Sr. Consultant                10 West 24th Street #100   -
- +1 (443) 269-1555 x333        Baltimore, Maryland 21218  -
-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of James Pearson
Sent: Tuesday, January 22, 2008 6:49
To: CentOS mailing list
Subject: Re: [CentOS] NIS and NIS+

> Jason Pyeron wrote:
> > How can I tell if I am using NIS+? I would like the data to be encrypted on the lan.
>
> I don't think NIS+ is 'supported' on Linux - see:
>
> http://www.linux-nis.org/nisplus/
>
> James Pearson
Re: [CentOS] NIS and NIS+
Jason Pyeron wrote:
> So what is the proper way to ensure root and others' password (hashes) are not sent over the lan?

kerberos
[CentOS] NIS and NIS+
How can I tell if I am using NIS+? I would like the data to be encrypted on the lan.

-Jason
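The one-word answer above ("kerberos") is the right one, and the script below is an added example of why, not code from the list or from ypserv: NIS serves its maps over plain Sun RPC with no encryption, so whatever sits in the password field of passwd.byname is readable by every host that can bind to the domain and by anyone sniffing the segment. Whether that field holds a real hash or a placeholder depends on how the server builds the map (on RHEL/CentOS the MERGE_PASSWD setting in /var/yp/Makefile merges shadow hashes into it; this is an assumption to verify against your own Makefile). The function classifies what 'ypcat passwd' returns so the exposure is visible before deciding on the migration. The sample map output is constructed.

```python
"""What an NIS client learns from 'ypcat passwd', entry by entry.

Added example for the NIS/NIS+ thread above; not list or ypserv code. Pipe
real 'ypcat passwd' output into it, or run it bare to see the constructed sample.
"""
import re
import sys

# Constructed sample output of 'ypcat passwd'; not from any real server.
SAMPLE_YPCAT_PASSWD = """\
alice:$1$abcdefgh$0123456789abcdefghijkl:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
svc-backup:*:1003:100:Backup service:/var/backup:/sbin/nologin
carol:AbCdEfGhIjKlM:1004:100:Carol:/home/carol:/bin/bash
dave::1005:100:Dave:/home/dave:/bin/bash
"""


def classify_hash(field):
    """Categorise the password field of one passwd entry."""
    if field == "":
        return "empty"                      # no password at all: anyone may log in as this user
    if field in ("x", "*", "!", "!!") or field.startswith("##"):
        return "hidden"                     # placeholder or locked: nothing crackable on the wire
    if field.startswith("$1$"):
        return "md5-crypt"                  # offline-crackable, fast
    if field.startswith(("$5$", "$6$")):
        return "sha-crypt"                  # offline-crackable, slower
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des-crypt"                  # classic 13-char DES: 8-char max, trivially brute-forced
    return "unknown"


def audit_ypcat_passwd(text):
    """-> {user: category} for each well-formed seven-field entry."""
    result = {}
    for line in text.splitlines():
        parts = line.split(":")
        if len(parts) == 7 and parts[0]:
            result[parts[0]] = classify_hash(parts[1])
    return result


def exposed_accounts(text):
    """Users whose credential material (a hash, or the fact that there is none)
    is handed in clear to every bound client."""
    return sorted(u for u, c in audit_ypcat_passwd(text).items() if c != "hidden")


if __name__ == "__main__":
    data = SAMPLE_YPCAT_PASSWD if sys.stdin.isatty() else sys.stdin.read()
    for user, cat in audit_ypcat_passwd(data).items():
        print(f"{user:15s} {cat}")
    print("exposed:", exposed_accounts(data))
```

Restricting who may bind (ypserv's securenets, or per-map "port" rules in ypserv.conf that only answer privileged source ports) limits which hosts get an answer, but it is IP-based and does not encrypt anything, so it changes nothing for a sniffer on the LAN; that is the gap Kerberos closes, since the password never leaves the client and the KDC exchange carries only tickets.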
Re: [CentOS] NIS/YP revelation (I think)
Scott Ehrlich wrote:
> I'm using http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS as a guide and the services all show appropriately on the production server and client, and on a working test setup that is identical to production.

Do you have any firewall setup on the server and/or clients?

What does 'rpcinfo -p' give on the server and clients?

James Pearson
Re: [CentOS] NIS/YP revelation (I think)
On Wed, 24 Oct 2007, James Pearson wrote:
> Scott Ehrlich wrote:
> > I'm using http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS as a guide and the services all show appropriately on the production server and client, and on a working test setup that is identical to production.
>
> Do you have any firewall setup on the server and/or clients?

Disabled all around.

> What does 'rpcinfo -p' give on the server and clients?

Exactly what the referenced URL says should be running. Again, it works perfectly on a test setup.

I may start to use tcpdump for more details. /var/log/messages shows nothing. I can ssh back and forth fine between client and server, so Ethernet connectivity works fine.

Scott

> James Pearson
Re: [CentOS] NIS/YP revelation (I think)
Scott Ehrlich wrote:
> On Wed, 24 Oct 2007, James Pearson wrote:
> > Do you have any firewall setup on the server and/or clients?
>
> Disabled all around.
>
> > What does 'rpcinfo -p' give on the server and clients?
>
> Exactly what the referenced URL says should be running.

It would still be handy to see what they are ...

> Again, it works perfectly on a test setup. I may start to use tcpdump for more details. /var/log/messages shows nothing. I can ssh back and forth fine between client and server, so Ethernet connectivity works fine.

What happens when you type (on a client):

  ypwhich

If that works:

  ypcat passwd

(or another map)

James Pearson
Re: [CentOS] NIS/YP revelation (I think)
I did discover tcpdump produces an ICMP host hostname unreachable error during ypbind, but does NOT do so when ypbind is not running.

I also was reminded the firewall on the server is running, but I had these exact problems when the firewall was disabled.

Trying to track down the problem via google, and am open to any responses people have here...

Thanks.

Scott

On Wed, 24 Oct 2007, James Pearson wrote:
> Scott Ehrlich wrote:
> > On Wed, 24 Oct 2007, James Pearson wrote:
> > > Do you have any firewall setup on the server and/or clients?
> >
> > Disabled all around.
> >
> > > What does 'rpcinfo -p' give on the server and clients?
> >
> > Exactly what the referenced URL says should be running.
>
> It would still be handy to see what they are ...
>
> > Again, it works perfectly on a test setup. I may start to use tcpdump for more details. /var/log/messages shows nothing. I can ssh back and forth fine between client and server, so Ethernet connectivity works fine.
>
> What happens when you type (on a client):
>
>   ypwhich
>
> If that works:
>
>   ypcat passwd
>
> (or another map)
>
> James Pearson
Re: [CentOS] NIS/YP revelation (I think)
Scott Ehrlich wrote:
> I did discover tcpdump produces an ICMP host hostname unreachable error during ypbind, but does NOT do so when ypbind is not running.
>
> I also was reminded the firewall on the server is running, but I had these exact problems when the firewall was disabled.
>
> Trying to track down the problem via google, and am open to any responses people have here...

What does your /etc/nsswitch.conf file contain?

James Pearson
Re: [CentOS] NIS/YP revelation (I think)
Scott Ehrlich wrote:
> On Wed, 24 Oct 2007, James Pearson wrote:
> > Scott Ehrlich wrote:
> > > I did discover tcpdump produces an ICMP host hostname unreachable error during ypbind, but does NOT do so when ypbind is not running.
> > >
> > > I also was reminded the firewall on the server is running, but I had these exact problems when the firewall was disabled.
> > >
> > > Trying to track down the problem via google, and am open to any responses people have here...
> >
> > What does your /etc/nsswitch.conf file contain?
>
> #/etc/nsswitch.conf
> passwd: files nis
> shadow: files nis
> group: files nis

What's the entry for hosts?

> I also was reminded to perform ypinit -s server and was reminded again of the Can't enumerate maps error. ypinit -m on the server has been performed numerous times, but still nothing...

'ypinit -s server' is only needed for slave servers.

James Pearson
Re: [CentOS] NIS/YP revelation (I think)
On 23/10/2007, Scott Ehrlich [EMAIL PROTECTED] wrote:
> So I configured my Enterprise 5 server to have NFS configured on specific ports via the NFS Server menu option. Since having done that, I am unable to get my two CentOS 5 workstations to bind via YP. One worked just fine before the port reconfiguration, but broke after. The other never worked fine.
>
> NFS works fine on both, but NIS will no longer bind. What do I need to change on the client side to permit binding? I presume the port changes are the problem, and solution.

What is the output of 'rpcinfo -p' on the NIS clients and server?

James Pearson
Re: [CentOS] NIS/YP revelation (I think)
I'm using http://www.linuxhomenetworking.com/wiki/index.php/Quick_HOWTO_:_Ch30_:_Configuring_NIS as a guide and the services all show appropriately on the production server and client, and on a working test setup that is identical to production. The test setup works flawlessly.

Scott

On Tue, 23 Oct 2007, James Pearson wrote:
> On 23/10/2007, Scott Ehrlich [EMAIL PROTECTED] wrote:
> > So I configured my Enterprise 5 server to have NFS configured on specific ports via the NFS Server menu option. Since having done that, I am unable to get my two CentOS 5 workstations to bind via YP. One worked just fine before the port reconfiguration, but broke after. The other never worked fine.
> >
> > NFS works fine on both, but NIS will no longer bind. What do I need to change on the client side to permit binding? I presume the port changes are the problem, and solution.
>
> What is the output of 'rpcinfo -p' on the NIS clients and server?
>
> James Pearson
Re: [CentOS] NIS problems
When you do the ypinit -s, what name do you provide for the server? It must match the name the server expects, so if the server host name is nis, then you do ypinit -s nis.domainname

Scott Ehrlich wrote:
> On Wed, 17 Oct 2007, sam wrote:
> > so... if i'm understanding:
> > -you have a 32bit NIS server that you've
>
> Correction here - server is 64-bit RHEL 5 Server. All machines are full, out-of-box, unpatched systems, with no Internet connection. Working clients are 32-bit. Problem machine is 64-bit CentOS 5 client.
>
> > configured for your network.
> > -you are not running dns, but are instead using /etc/hosts, and /etc/resolv.conf on your boxes
> > -you have a couple of 32bit clients that can attach to the NIS server, and that you can log against. you can run 'ypcat passwd' on these machines with no issues..
> > -attaching a 64bit machine as a NIS Client which you've configured as best you can, is giving you errors...
> >
> > I just had a conversation with a Sr. Redhat Tech support eng, where he was telling me that there might be an issue with my situation that might be related to the fact that the server is 64 bit, and the slave is 32bit... might not be related but hmm...
> >
> > can you post your ypserv.conf, as well as your yp.conf files
>
> I'll have to check on my ypserv.conf file - I don't recall having edited that.
>
> yp.conf on the server is:
>   ypserver 127.0.0.1
>
> yp.conf on the client is:
>   domain my-nis-domain server ip-of-server
>
> Scott
>
> > -Original Message-
> > From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Ehrlich
> > Sent: Wednesday, October 17, 2007 3:58 PM
> > To: CentOS mailing list
> > Subject: Re: [CentOS] NIS problems
> >
> > On Thu, 18 Oct 2007, Clint Dilks wrote:
> > > Scott Ehrlich wrote:
> > > > I've got a RHEL5 server acting as a NIS/NFS server, and connected one C5 machine just fine. I'm trying to connect another, and for the life of me, cannot figure out why NIS won't bind. NFS works fine. ypbind just hangs. I disabled SELinux and the firewall. I just cannot get it to bind. Ideas?
> > >
> > > Hi do you have the appropriate entry in /etc/hosts for ypserv on NIS Server ?
> >
> > Yep. This is on a small lan - /etc/hosts acts as local dns.
> >
> > The error is the one when ypinit -s server hasn't been run. I've had two successful runs on 32-bit C5 adding said 32-bit hosts to the network, but this one 64-bit C5 system is giving me the NIS problems. I can ssh, ping, and doing anything else I want. Again, the 32-bit hosts work fine against the server. This one 64-bit machine is simply giving me the NIS headaches.
> >
> > Thanks for any/all ideas.
> >
> > Scott
> >
> > > > Thanks.
> > > > Scott

-- 
John Allen mailto:[EMAIL PROTECTED]
CodeMountain http://www.codemountain.net
Ubuntu 7.04, kernel 2.6.20-16-generic up 6 days, 23:51, 16 users, load average: 0.98, 0.88, 0.95
Re: [CentOS] NIS problems
On Thu, 18 Oct 2007, John Allen wrote:

When you do the ypinit -s, what name do you provide for the server? It must match the name the server expects, so if the server host name is nis, then you do ypinit -s nis.domainname

I have successfully done ypinit -s ip_address or hostname on several 32-bit clients and they've all been successful. I did learn that if I at least have a local account created on the client for the same account on the NIS server, then, with NFS also working, I am able to have pseudo-NIS running.

I tried to disable checksum offloading, rebooted, but it didn't make any difference. I also tried changing the MTU to something like 1470, but that didn't matter, either.

Not sure where to go next... Can't enumerate maps from ip or host, depending on what I set as the server. Please check that it is running... will continue to exist until an answer is found...

Scott

Scott Ehrlich wrote:

On Wed, 17 Oct 2007, sam wrote:

so... if i'm understanding:
-you have a 32bit NIS server that you've

Correction here - server is 64-bit RHEL 5 Server. All machines are full, out-of-box, unpatched systems, with no Internet connection. Working clients are 32-bit. Problem machine is 64-bit CentOS 5 client.

configured for your network.
-you are not running dns, but are instead using /etc/hosts, and /etc/resolv.conf on your boxes
-you have a couple of 32bit clients that can attach to the NIS server, and that you can log against. you can run 'ypcat passwd' on these machines with no issues..
-attaching a 64bit machine as a NIS Client which you've configured as best you can, is giving you errors...

I just had a conversation with a Sr. Redhat Tech support eng, where he was telling me that there might be an issue with my situation that might be related to the fact that the server is 64 bit, and the slave is 32bit... might not be related but hmm...

can you post your ypserv.conf, as well as your yp.conf files

I'll have to check on my ypserv.conf file - I don't recall having edited that.

yp.conf on the server is:
ypserver 127.0.0.1

yp.conf on the client is:
domain my-nis-domain server ip-of-server

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Ehrlich
Sent: Wednesday, October 17, 2007 3:58 PM
To: CentOS mailing list
Subject: Re: [CentOS] NIS problems

On Thu, 18 Oct 2007, Clint Dilks wrote:

Scott Ehrlich wrote:

I've got a RHEL5 server acting as a NIS/NFS server, and connected one C5 machine just fine. I'm trying to connect another, and for the life of me, cannot figure out why NIS won't bind. NFS works fine. ypbind just hangs. I disabled SELinux and the firewall. I just cannot get it to bind. Ideas?

Hi, do you have the appropriate entry in /etc/hosts for ypserv on the NIS server?

Yep. This is on a small lan - /etc/hosts acts as local dns. The error is the one when ypinit -s server hasn't been run. I've had two successful runs on 32-bit C5 adding said 32-bit hosts to the network, but this one 64-bit C5 system is giving me the NIS problems. I can ssh, ping, and do anything else I want. Again, the 32-bit hosts work fine against the server. This one 64-bit machine is simply giving me the NIS headaches.

Thanks for any/all ideas.

Scott

Thanks.

Scott

--
John Allen mailto:[EMAIL PROTECTED]
CodeMountain http://www.codemountain.net
Ubuntu 7.04, kernel 2.6.20-16-generic up 6 days, 23:51, 16 users, load average: 0.98, 0.88, 0.95
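The client yp.conf quoted above ("domain my-nis-domain server ip-of-server") together with the /etc/hosts-only name resolution the thread describes can be sanity-checked before ypbind is started. The script below is an added example, not code from any poster in the thread; it assumes POSIX sh plus awk, and builds its own constructed sample yp.conf and hosts files (the hostname nis, nis.example.test and the address 192.0.2.10 are placeholders).

```shell
# Added example (not code from the thread): preflight check of a NIS client's
# yp.conf against its /etc/hosts, for setups where /etc/hosts is the only name
# resolution. Sample files are constructed below; real runs would pass /etc/yp.conf and /etc/hosts.
# yp_servers YPCONF: print each server named in yp.conf ("ypserver HOST" or
# "domain NISDOMAIN server HOST"); "domain NISDOMAIN broadcast" prints broadcast
yp_servers() {
    awk '/^[[:space:]]*(#|$)/ { next }
         $1 == "ypserver" { print $2 }
         $1 == "domain" && $3 == "server" { print $4 }
         $1 == "domain" && $3 == "broadcast" { print "broadcast" }' "$1"
}
# host_resolves NAME HOSTSFILE: succeed if NAME is a dotted-quad address or is
# listed as a hostname/alias in HOSTSFILE (all a client without DNS can resolve)
host_resolves() {
    case $1 in
        *[!0-9.]*) ;;     # has letters or other characters: must be looked up
        *) return 0 ;;    # literal IPv4 address needs no lookup
    esac
    awk -v n="$1" '/^[[:space:]]*#/ { next }
        { for (i = 2; i <= NF; i++) if ($i == n) found = 1 }
        END { exit (found ? 0 : 1) }' "$2"
}
# check_ypconf YPCONF HOSTSFILE: 0 if every server resolves, 1 if one does not,
# 2 if none is configured; broadcast binding only warns, since it takes maps
# from whichever host on the LAN answers first
check_ypconf() {
    bad=0; n=0
    for s in $(yp_servers "$1"); do
        n=$((n + 1))
        if [ "$s" = broadcast ]; then
            echo "warning: broadcast binding in $1; pin a server instead"
        elif ! host_resolves "$s" "$2"; then
            echo "NIS server '$s' is not resolvable via $2"; bad=1
        fi
    done
    [ "$n" -gt 0 ] || { echo "no NIS server configured in $1"; return 2; }
    return "$bad"
}
# make_samples: write constructed sample files to a temp dir and print its path
make_samples() {
    d=$(mktemp -d)
    printf 'domain my-nis-domain server nis\n' > "$d/yp.conf"
    printf '127.0.0.1 localhost\n192.0.2.10 nis.example.test nis\n' > "$d/hosts.good"
    printf '127.0.0.1 localhost\n' > "$d/hosts.bad"   # the server name is missing
    echo "$d"
}
d=$(make_samples)
check_ypconf "$d/yp.conf" "$d/hosts.good" && echo "ok with $d/hosts.good"
check_ypconf "$d/yp.conf" "$d/hosts.bad" || echo "fails as expected with $d/hosts.bad"
```

Whether ypserv is actually registered with the portmapper on the server (rpcinfo -p SERVER from the client) and whether the name given to ypinit -s matches the server's own hostname are separate, on-line checks this script cannot make.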
Re: [CentOS] NIS problems
An interesting sidenote - Things do work fine on another test setup consisting of C5 64-bit and an Intel NIC. The problem C5 64-bit system has a Broadcom 57xx NIC. I may opt to change NICs and see if that makes any difference...

Scott

On Thu, 18 Oct 2007, John Allen wrote:

When you do the ypinit -s, what name do you provide for the server? It must match the name the server expects, so if the server host name is nis, then you do ypinit -s nis.domainname

Scott Ehrlich wrote:

On Wed, 17 Oct 2007, sam wrote:

so... if i'm understanding:
-you have a 32bit NIS server that you've

Correction here - server is 64-bit RHEL 5 Server. All machines are full, out-of-box, unpatched systems, with no Internet connection. Working clients are 32-bit. Problem machine is 64-bit CentOS 5 client.

configured for your network.
-you are not running dns, but are instead using /etc/hosts, and /etc/resolv.conf on your boxes
-you have a couple of 32bit clients that can attach to the NIS server, and that you can log against. you can run 'ypcat passwd' on these machines with no issues..
-attaching a 64bit machine as a NIS Client which you've configured as best you can, is giving you errors...

I just had a conversation with a Sr. Redhat Tech support eng, where he was telling me that there might be an issue with my situation that might be related to the fact that the server is 64 bit, and the slave is 32bit... might not be related but hmm...

can you post your ypserv.conf, as well as your yp.conf files

I'll have to check on my ypserv.conf file - I don't recall having edited that.

yp.conf on the server is:
ypserver 127.0.0.1

yp.conf on the client is:
domain my-nis-domain server ip-of-server

Scott

-Original Message-
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] Behalf Of Scott Ehrlich
Sent: Wednesday, October 17, 2007 3:58 PM
To: CentOS mailing list
Subject: Re: [CentOS] NIS problems

On Thu, 18 Oct 2007, Clint Dilks wrote:

Scott Ehrlich wrote:

I've got a RHEL5 server acting as a NIS/NFS server, and connected one C5 machine just fine. I'm trying to connect another, and for the life of me, cannot figure out why NIS won't bind. NFS works fine. ypbind just hangs. I disabled SELinux and the firewall. I just cannot get it to bind. Ideas?

Hi, do you have the appropriate entry in /etc/hosts for ypserv on the NIS server?

Yep. This is on a small lan - /etc/hosts acts as local dns. The error is the one when ypinit -s server hasn't been run. I've had two successful runs on 32-bit C5 adding said 32-bit hosts to the network, but this one 64-bit C5 system is giving me the NIS problems. I can ssh, ping, and do anything else I want. Again, the 32-bit hosts work fine against the server. This one 64-bit machine is simply giving me the NIS headaches.

Thanks for any/all ideas.

Scott

Thanks.

Scott

--
John Allen mailto:[EMAIL PROTECTED]
CodeMountain http://www.codemountain.net
Ubuntu 7.04, kernel 2.6.20-16-generic up 6 days, 23:51, 16 users, load average: 0.98, 0.88, 0.95
Re: [CentOS] NIS problems
I'm at a complete loss as to what is going on. I changed kernels and disabled the video driver, removed the firewire card. NIS refuses to work on this workstation.

Unless this gets figured out, I'm going to simply have to create local user accounts, then let NFS take over. It would be really nice to figure it out one of these days, as if I can learn the culprit, I'll be better educated the next time I face something like this.

I did try tcpdump, but no obvious things popped up.

Scott
[CentOS] NIS problems
I've got a RHEL5 server acting as a NIS/NFS server, and connected one C5 machine just fine. I'm trying to connect another, and for the life of me, cannot figure out why NIS won't bind. NFS works fine. ypbind just hangs. I disabled SELinux and the firewall. I just cannot get it to bind.

Ideas?

Thanks.

Scott
RE: [CentOS] NIS problems
Scott Ehrlich wrote:

I've got a RHEL5 server acting as a NIS/NFS server, and connected one C5 machine just fine. I'm trying to connect another, and for the life of me, cannot figure out why NIS won't bind. NFS works fine. ypbind just hangs. I disabled SELinux and the firewall. I just cannot get it to bind. Ideas?

Check your DNS setup and make sure it is sane.

-Ross