Edward> Call me crazy, but I do all of what you've described below as follows:
Edward> NIS Master in US.
Edward> NIS Slaves scattered about the world.
Edward> (No LDAP.)
Edward> (No AD, although it might be a possibility)

I sorta have this now, but it's hacky and prone to breakage. Basically,
it was set up before we had fast(ish) WAN links, so each site was pretty
much on its own. Now that I've spent the time finding conflicts, moving
usernames/uids, merging groups, etc, it's time to update it.

Home directories are the problem. We have site-specific home dirs for
the same user account (new solution to fix this in the works) and some
users have separate homedirs at separate sites. Merging *those* is going
to be painful, but doable. Again, we're an engineering shop and the
users move lots of data around, so NFS sucks over the WAN, though it's
honestly tolerable for home dirs.

We're about 200+ live accounts, lots more dead accounts which need to be
cleaned out, but bosses are nervous. It's the nature of the ASIC design
business that old projects come back from the dead at times.

Edward> WAN goes down, nobody cares. (Well, all the systems stay up
Edward> and usable.)

That's my goal.

Edward> No separation of which-password-where.

What happens when someone changes their password on a remote site
without connection to the master?

Duh... stupid question. It means they can't change it. Sorry, low on
sleep...

Edward> Create a user here, it appears everywhere.

My goal for sure.

Edward> The only problem I've ever had was - One time, one nis slave
Edward> got out of sync with the server. So I had to re-ypinit the
Edward> slave, and that was the end of that.

Edward> This is for a multinational company, but only for about 50
Edward> users within that company. Up for about 18 months now.

I guess my goal is to start moving to LDAP and possibly AD integration
down the line sometime, so I figure taking the baby steps with the
pam_ldap and pam_nss modules might be the way to go.

But you're making me think I should really just bite the bullet and
finish the NIS map merge and clean up home dirs so that things aren't
separated by NIS domain.

John

>> -----Original Message-----
>> From: [email protected] [mailto:[email protected]] On Behalf
>> Of John Stoffel
>> Sent: Friday, January 02, 2009 1:24 PM
>> To: Christophe Kalt
>> Cc: LOPSA Technical Discussions
>> Subject: Re: [lopsa-tech] AD integration with Unix
>>
>>
>> This has been a great discussion about Unix/AD integration, esp the
>> part where the unix and AD admins need to coordinate well. I've got a
>> related, but different issue.
>>
>> We have distributed engineering sites, and each site has its own NIS
>> domain, so that if/when the WAN links go down, they can continue to
>> work.
>>
>> I spent a bunch of time cleaning up the various UIDs, usernames, GIDs,
>> groupnames, etc to bring them more closely in sync. But now I'd like
>> to really bind them all into one LDAP domain, possibly with NIS slaves
>> at each site.
>>
>> We support RHEL3, RHEL4, some RHEL5, Solaris 8, 9 & 10 (very little
>> any more) and some ancient RH7.3 boxes. Most boxes are compute
>> cluster boxes and they only allow login access via LSF (moving to
>> rtda.com's NC) to our users.
>>
>> I'd like to have it so that all usernames/passwords are synced between
>> sites, and that I can create new user accounts from one master and
>> have it go to all the others. Yes, I could do some hackery and copy
>> data from the master NIS domain to the sub-domains, but it just sucks
>> to manage. And when a user changes their password in a remote NIS
>> domain, I then need to push that change back to the master. Blech.
>>
>> So to me, it looks like LDAP, with multiple slaves and possibly even
>> NIS slaves binding to LDAP, is the way to go. Esp if I can be
>> tolerant of WAN failures.
>>
>> I just don't want to have to support LDAP on Solaris 8 if I can avoid
>> it, though I guess it could be ok. Esp if we can easily tweak and
>> restrict access in various ways.
>>
>> Should I look at the Padl.com stuff again? I looked at it a while
>> ago, but they wanted a lot of money at the time. Maybe it's
>> changed... goes and looks.
>>
>> Hmm... looks like I can/should use either the nss_ldap, or the
>> pam_ldap modules. Anyone have comments on using these on Solaris 8-10
>> systems? Any issues?
>>
>> Thanks,
>> John
>>
>>
>> _______________________________________________
>> Tech mailing list
>> [email protected]
>> http://lopsa.org/cgi-bin/mailman/listinfo/tech
>> This list provided by the League of Professional System Administrators
>> http://lopsa.org/
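The map cleanup John describes above (finding username/UID and group/GID conflicts across per-site NIS domains before collapsing them into one directory) is the part of the migration with the security consequence: once the maps are merged and home directories are served from one place, a UID that means "carol" at one site and "dave" at another means one of them silently owns, and can read, the other's files. The script below is an added example written for this page, not something posted in the thread. It takes `ypcat passwd` / `ypcat group` style lines for each site, reports both kinds of conflict (one name with several ids, one id with several names), builds a merged table with one site designated authoritative, and emits the `find`/`chown` renumbering each site must run before cut-over. The site names "boston" and "bangalore", the accounts and the choice of "boston" as the authoritative site are all constructed for the example.

```python
"""Cross-site NIS passwd/group conflict finder and merge planner."""
from collections import defaultdict

# Constructed sample maps, one list per NIS domain, in the format `ypcat
# passwd` / `ypcat group` print. Sites and accounts are invented.
SITE_PASSWD = {
    "boston": [
        "alice:x:1001:100:Alice:/home/alice:/bin/bash",
        "bob:x:1002:100:Bob:/home/bob:/bin/bash",
        "carol:x:1003:200:Carol:/home/carol:/bin/tcsh",
    ],
    "bangalore": [
        "alice:x:1001:100:Alice:/home/alice:/bin/bash",  # agrees with boston
        "bob:x:2002:100:Bob:/home/bob:/bin/bash",        # same name, other uid
        "dave:x:1003:200:Dave:/home/dave:/bin/bash",     # 1003 is carol in boston
        "erin:x:1004:300:Erin:/home/erin:/bin/bash",
    ],
}
SITE_GROUP = {
    "boston": ["eng:x:100:alice,bob", "asic:x:200:carol"],
    "bangalore": ["eng:x:100:alice,bob,dave", "asic:x:300:erin", "layout:x:200:dave"],
}
PASSWD_FIELDS, GROUP_FIELDS = 7, 4


def parse_map(lines, min_fields):
    """Yield (name, numeric id) from passwd or group lines, skipping
    blanks and comments; reject lines with too few colon-separated fields."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        f = line.split(":")
        if len(f) < min_fields:
            raise ValueError("malformed map entry: %r" % line)
        yield f[0], int(f[2])


def find_conflicts(site_maps, min_fields):
    """Return ({name: {site: id}}, {id: {site: name}}) restricted to names
    with more than one id and ids with more than one name across sites."""
    by_name, by_id = defaultdict(dict), defaultdict(dict)
    for site, lines in site_maps.items():
        for name, ident in parse_map(lines, min_fields):
            by_name[name][site] = ident
            by_id[ident][site] = name
    return ({n: s for n, s in by_name.items() if len(set(s.values())) > 1},
            {i: s for i, s in by_id.items() if len(set(s.values())) > 1})


def merge_plan(site_maps, min_fields, authority):
    """Return (merged, moves): the single merged {name: id} table and the
    (site, name, old_id, new_id) renumberings to apply before cut-over.
    The authoritative site wins for every name it knows; a name it does not
    know keeps its id unless that id is already taken in the merged table,
    in which case it gets a fresh id above everything in use anywhere."""
    sites = [authority] + sorted(s for s in site_maps if s != authority)
    entries = {s: list(parse_map(site_maps[s], min_fields)) for s in sites}
    first_fresh = max(i for es in entries.values() for _, i in es) + 1
    next_free, merged, taken, moves = first_fresh, {}, set(), []
    for site in sites:
        for name, ident in entries[site]:
            if name in merged:
                if merged[name] != ident:
                    moves.append((site, name, ident, merged[name]))
                continue
            if ident in taken:
                moves.append((site, name, ident, next_free))
                ident, next_free = next_free, next_free + 1
            merged[name] = ident
            taken.add(ident)
    # Moves onto a fresh id cannot collide, so they go first: a later move
    # onto an authority id must not land on files still owned by a user at
    # that site who has not been moved off that id yet.
    fresh = sorted(m for m in moves if m[3] >= first_fresh)
    return merged, fresh + sorted(m for m in moves if m[3] < first_fresh)


def chown_commands(moves, kind):
    """Render moves as find/chown lines, in the order merge_plan gave them.
    kind is "uid" or "gid". Run per filesystem (-xdev), NFS home server too."""
    out = []
    for site, name, old, new in moves:
        owner = str(new) if kind == "uid" else ":%d" % new
        out.append("# %s: %s %s %d -> %d" % (site, name, kind, old, new))
        out.append("find / -xdev -%s %d -exec chown -h %s {} +" % (kind, old, owner))
    return out


if __name__ == "__main__":
    for label, maps, nf in (("passwd", SITE_PASSWD, PASSWD_FIELDS),
                            ("group", SITE_GROUP, GROUP_FIELDS)):
        names, ids = find_conflicts(maps, nf)
        print("%s: name conflicts %s; id conflicts %s" % (label, dict(names), dict(ids)))
        merged, moves = merge_plan(maps, nf, "boston")
        print("\n".join(chown_commands(moves, "uid" if label == "passwd" else "gid")))
```

Two points worth noting about the plan it produces. First, the order of the renumberings matters: in the constructed group data, "layout" (gid 200 at bangalore) has to be moved to a fresh gid before "asic" (gid 300 at bangalore) is moved onto the authoritative gid 200, otherwise asic's files land on a gid that layout's files still carry. Second, this only reconciles the numeric identities; which site's password hash wins for a user who exists at several sites, and what to do about the per-site home directories the thread discusses, are separate decisions the script deliberately does not make.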
