Re: What services / tools still require NIS domain?

2018-05-17 Thread Stephen John Smoogen 
On 17 May 2018 at 07:34, Florian Weimer  wrote:
> On 05/17/2018 01:54 AM, Ian Kent wrote:
>>
>> I think you'll find NIS is still quite widely used.
>>
>> NIS Plus was an attempt to improve NIS but (AFAIK) it never became widely
>> used.
>> LDAP is another attempt to provide much of the table information provided
>> by NIS
>> but it is far more complicated to administer.
>>
>> NIS remains the simplest and easiest way to centrally manage (key, value)
>> stores
>> such as password, group, netgroup, hosts etc. so it has endured.
>
>
> On the other hand, LDAP can be run over TLS, so that people need to do a bit
> more than manipulate networks to gain unauthorized access to systems.
>
> I've also been told that people use NIS because it doesn't have a search
> domain limit.  But we removed that from Fedora 26 (in updates) and Red Hat
> Enterprise Linux 7.5, so there should be one reason less to run NIS.
>

Most of the NIS I have run in has been set up and configured to be
that way since the late 1980's or 1990's. The original hardware may
only be in a museum, but it embedded itself in the site
administration, training, and scripts. If the site has any
ISO/ITIL/etc plans, NIS got implanted deeply into all of that
documentation which will require acts of God (aka computer center hit
by a meteorite) to remove. All of this makes the replacing of NIS a
political and social struggle versus a technical one.

That said, it doesn't mean an OS like Fedora can't put a "we aren't
looking to support NIS after Fedora 34" line in the sand. Whether the
tide of inevitability will come in and wash it away is another
question.


> Thanks,
> Florian
> ___
> devel mailing list -- devel@lists.fedoraproject.org
> To unsubscribe send an email to devel-le...@lists.fedoraproject.org
> Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives:
> https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/NPV6KSUCEFVEFMUTYGMC7RVKWWLPH5RE/



-- 
Stephen J Smoogen.
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/XYXUX4BFLY5DIUA657OM6FNF72GO4JII/

Re: What services / tools still require NIS domain?

2018-05-17 Thread Florian Weimer 

On 05/17/2018 01:54 AM, Ian Kent wrote:

I think you'll find NIS is still quite widely used.

NIS Plus was an attempt to improve NIS but (AFAIK) it never became widely used.
LDAP is another attempt to provide much of the table information provided by NIS
but it is far more complicated to administer.

NIS remains the simplest and easiest way to centrally manage (key, value) stores
such as password, group, netgroup, hosts etc. so it has endured.


On the other hand, LDAP can be run over TLS, so that people need to do a 
bit more than manipulate networks to gain unauthorized access to systems.


I've also been told that people use NIS because it doesn't have a search 
domain limit.  But we removed that from Fedora 26 (in updates) and Red 
Hat Enterprise Linux 7.5, so there should be one reason less to run NIS.


Thanks,
Florian
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/NPV6KSUCEFVEFMUTYGMC7RVKWWLPH5RE/

Re: What services / tools still require NIS domain?

2018-05-17 Thread David Kaspar [Dee'Kej] 
Thank you all for you replies, it helped a lot! :)

On Thu, May 17, 2018 at 1:54 AM, Ian Kent  wrote:

> On 16/05/18 23:17, David Kaspar [Dee'Kej] wrote:
> > On Wed, May 16, 2018 at 5:07 PM, Stephen Gallagher  > wrote:
> >
> > I don't think SSSD or FreeIPA *require* it. They offer netgroup
> functionality that can be used with it. Maybe I misunderstood your
> question? Are you just asking which things in the distro interact with NIS
> domains at all?
> >
> > Perhaps it would be better if you explained the rationale for the
> question. For example, are you trying to figure out if we can remove all of
> NIS from the distro?
> >
> >
> > ​Sorry, I don't know much about NIS. I was coming out from what I've
> been told.
>
> I think you'll find NIS is still quite widely used.
>
> NIS Plus was an attempt to improve NIS but (AFAIK) it never became widely
> used.
> LDAP is another attempt to provide much of the table information provided
> by NIS
> but it is far more complicated to administer.
>
> NIS remains the simplest and easiest way to centrally manage (key, value)
> stores
> such as password, group, netgroup, hosts etc. so it has endured.
>
> Automount maps are another (key, value) store that can be centrally
> managed by
> NIS and there are still a surprising number of autofs users that continue
> to
> use it.
>
> >
> > I'm trying to figure out, which application / tool / service still
> actually need the fedora-domainname.service to be present in Fedora in
> order to function correctly?
>
> The question is kind-off ambiguous.
>
> It's not so much applications that need the service but rather services
> that can utilize the (key, value) information stored in NIS tables for the
> functionality they provide that need the NIS domain to be set.
>
> For example autofs can use NIS as an automount map source but it doesn't
> depend on NIS, it can also use automount maps stored in files, LDAP, sss
> etc.
>
> Ian
>
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: 
https://lists.fedoraproject.org/archives/list/devel@lists.fedoraproject.org/message/UJQMCAUCS3JSVE7IDSO7OPOUURGWH5XX/

Re: What services / tools still require NIS domain?

2018-05-16 Thread Ian Kent 
On 16/05/18 23:17, David Kaspar [Dee'Kej] wrote:
> On Wed, May 16, 2018 at 5:07 PM, Stephen Gallagher  > wrote:
> 
> I don't think SSSD or FreeIPA *require* it. They offer netgroup 
> functionality that can be used with it. Maybe I misunderstood your question? 
> Are you just asking which things in the distro interact with NIS domains at 
> all?
> 
> Perhaps it would be better if you explained the rationale for the 
> question. For example, are you trying to figure out if we can remove all of 
> NIS from the distro?
> 
> 
> ​Sorry, I don't know much about NIS. I was coming out from what I've been 
> told.

I think you'll find NIS is still quite widely used.

NIS Plus was an attempt to improve NIS but (AFAIK) it never became widely used.
LDAP is another attempt to provide much of the table information provided by NIS
but it is far more complicated to administer.

NIS remains the simplest and easiest way to centrally manage (key, value) stores
such as password, group, netgroup, hosts etc. so it has endured.

Automount maps are another (key, value) store that can be centrally managed by
NIS and there are still a surprising number of autofs users that continue to
use it.

> 
> I'm trying to figure out, which application / tool / service still actually 
> need the fedora-domainname.service to be present in Fedora in order to 
> function correctly?

The question is kind-off ambiguous.

It's not so much applications that need the service but rather services
that can utilize the (key, value) information stored in NIS tables for the
functionality they provide that need the NIS domain to be set.

For example autofs can use NIS as an automount map source but it doesn't
depend on NIS, it can also use automount maps stored in files, LDAP, sss
etc.
 
Ian
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Re: What services / tools still require NIS domain?

2018-05-16 Thread Ralf Corsepius 

On 05/16/2018 05:02 PM, David Kaspar [Dee'Kej] wrote:

Hello people,

I would like to know if you know about any service / tool / application 
that still relies on NIS domain to be set in Fedora?


So far, I know only about SSSD/FreeIPA relying on it. Does anybody know 
anything else? All replies are welcome. :)


Existing user installations require it - and likely will continue to 
require it for at least another decade.


Ralf
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Re: What services / tools still require NIS domain?

2018-05-16 Thread Alexander Bokovoy 

On ke, 16 touko 2018, David Kaspar [Dee'Kej] wrote:

Hello people,

I would like to know if you know about any service / tool / application
that still relies on NIS domain to be set in Fedora?

So far, I know only about SSSD/FreeIPA relying on it. Does anybody know
anything else? All replies are welcome. :)

Sudo relies on netgroups which are provided by NIS.

FreeIPA/SSSD do not require NIS, they provide NIS server side and
implement its use for sudo and legacy clients which may require it.

--
/ Alexander Bokovoy
Sr. Principal Software Engineer
Security / Identity Management Engineering
Red Hat Limited, Finland
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Re: What services / tools still require NIS domain?

2018-05-16 Thread David Kaspar [Dee'Kej] 
On Wed, May 16, 2018 at 5:07 PM, Stephen Gallagher 
wrote:

> I don't think SSSD or FreeIPA *require* it. They offer netgroup
> functionality that can be used with it. Maybe I misunderstood your
> question? Are you just asking which things in the distro interact with NIS
> domains at all?
>
> Perhaps it would be better if you explained the rationale for the
> question. For example, are you trying to figure out if we can remove all of
> NIS from the distro?
>

​Sorry, I don't know much about NIS. I was coming out from what I've been
told.

I'm trying to figure out, which application / tool / service still actually
need the fedora-domainname.service to be present in Fedora in order to
function correctly?
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

Re: What services / tools still require NIS domain?

2018-05-16 Thread Stephen Gallagher 
On Wed, May 16, 2018 at 11:03 AM David Kaspar [Dee'Kej] 
wrote:

> Hello people,
>
> I would like to know if you know about any service / tool / application
> that still relies on NIS domain to be set in Fedora?
>
> So far, I know only about SSSD/FreeIPA relying on it. Does anybody know
> anything else? All replies are welcome. :)
>
>

I don't think SSSD or FreeIPA *require* it. They offer netgroup
functionality that can be used with it. Maybe I misunderstood your
question? Are you just asking which things in the distro interact with NIS
domains at all?

Perhaps it would be better if you explained the rationale for the question.
For example, are you trying to figure out if we can remove all of NIS from
the distro?
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org

What services / tools still require NIS domain?

2018-05-16 Thread David Kaspar [Dee'Kej] 
Hello people,

I would like to know if you know about any service / tool / application
that still relies on NIS domain to be set in Fedora?

So far, I know only about SSSD/FreeIPA relying on it. Does anybody know
anything else? All replies are welcome. :)

Best regards,

David Kaspar [Dee'Kej]
*Associate Software Engineer*
*Brno, Czech Republic*

RED HAT | TRIED. TESTED. TRUSTED.
Every airline in the Fortune 500 relies on Red Hat.
Find out why at Trusted | Red Hat .
___
devel mailing list -- devel@lists.fedoraproject.org
To unsubscribe send an email to devel-le...@lists.fedoraproject.org