[CentOS] Re: Fix passwd/shadow/group files?

Bryan J. Smith <b.j.smith@ieee.org> thebs413 at earthlink.net
Thu Jul 14 22:39:00 UTC 2005


From: Les Mikesell <lesmikesell at gmail.com>
> The machines in question were set up years ago when it wasn't so
> easy and are on opposite sides of a firewall

Set up an NIS slave local to each LAN (and a VPN to the NIS master,
or consider SFS tunneling for portmap), and also run a name services
cache daemon (nscd) on each client.

> (but sometimes have NFS mounts in common).

All the more reason to use NIS, for Automounter maps.  ;->
I only recommend NIS because it's cake to set up.

If you have ActiveDirectory Services (ADS), then consider
Services for UNIX (SFU).  You can even use one-way Kerberos
trust from ADS to avoid password hashes (as well as clear
text passwords using Kerberosized clients).

I don't prefer ADS-SFU when you have UNIX platforms though.
Especially Red Hat, who made NIS-Kerberos integration so
seamless as of Red Hat Linux 7 onward.

> One machine has all user accounts and things are managed
> normally there.

Great!
It's so easy to turn that one system into an NIS master then.
;->

> The others only have small subsets of users (on purpose)
> and I've pasted in the passwd entries from the machine that
> has them all to keep the uids in sync for NFS and rsync'ing
> chunks of stuff around.

Then set up multiple NIS domains.
It's easy to do even on one, physical NIS master for all.
It'll easily repay you for the manual operations you do.

[ But even then, why aren't you using a script run over ssh
to minimize your manual workload?  Just curious. ]

> I just had some duplicated lines from the last OS version
> change where I copied too much from the previous one.
> I might re-do it with LDAP someday, but it's probably
> more work to control the users that aren't supposed to
> log into these machines than to separately add the ones
> that are.

Netscape Directory Server (NsDS), now Red Hat/Fedora Directory
Server, is a great LDAP server.

But when I just want something like you need, an NIS domain
or a few from one system, with local NIS slaves and nscd running
on all the clients does everything I need.


--
Bryan J. Smith   mailto:b.j.smith at ieee.org
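The thread mentions two ways hand-copied passwd entries go wrong: lines pasted twice after an OS upgrade, and uids drifting out of sync between the machine that holds all accounts and the clients that share NFS exports with it. The script below is an added example, not from either poster; it runs the checks a sysadmin would want before trusting such a file (or before turning it into an NIS map) and assumes only POSIX sh, awk, sort, uniq and mktemp. The sample passwd contents are constructed for the demonstration.

```shell
#!/bin/sh
# Consistency checks for passwd/group-style files: duplicated lines, one name
# on several lines, one numeric id shared by several names, and uid drift
# between a master's passwd and a client's hand-pasted subset.
# Assumes POSIX sh, awk, sort, uniq and mktemp. Sample data is constructed.

set -u

# Lines that appear more than once (the "copied too much" case).
dup_lines() { sort "$1" | uniq -d; }

# Names (field 1) that appear on more than one line.
dup_names() {
    awk -F: 'NF >= 3 { n[$1]++ } END { for (k in n) if (n[k] > 1) print k }' "$1" | sort
}

# Numeric ids (field 3) shared by more than one distinct name: two accounts
# the kernel treats as the same identity (e.g. a second uid 0).
dup_ids() {
    awk -F: 'NF >= 3 && !seen[$1 SUBSEP $3]++ { c[$3]++ }
             END { for (k in c) if (c[k] > 1) print k }' "$1" | sort -n
}

# Names present in both files whose numeric id differs; on an NFS client this
# means files owned by one person show up as owned by someone else.
# Usage: id_mismatches MASTER_FILE CLIENT_FILE  -> name:master_id:client_id
id_mismatches() {
    awk -F: 'NR == FNR { m[$1] = $3; next }
             NF >= 3 && ($1 in m) && m[$1] != $3 { print $1 ":" m[$1] ":" $3 }' "$1" "$2" | sort
}

# Run every check on one file (and against a master if given); return 1 if
# any problem was found so the result can gate a cron job or an NIS push.
# Usage: check_file CLIENT_FILE [MASTER_FILE]
check_file() {
    rc=0
    out=$(dup_lines "$1"); [ -n "$out" ] && { printf 'duplicate lines:\n%s\n' "$out"; rc=1; }
    out=$(dup_names "$1"); [ -n "$out" ] && { printf 'duplicate names:\n%s\n' "$out"; rc=1; }
    out=$(dup_ids "$1");   [ -n "$out" ] && { printf 'shared ids:\n%s\n' "$out"; rc=1; }
    if [ $# -ge 2 ]; then
        out=$(id_mismatches "$2" "$1")
        [ -n "$out" ] && { printf 'id mismatches (name:master:client):\n%s\n' "$out"; rc=1; }
    fi
    return $rc
}

# Constructed sample data: a master passwd and a client copy with a pasted
# duplicate, a uid that drifted, and an extra uid-0 account.
MASTER=$(mktemp); CLIENT=$(mktemp)
trap 'rm -f "$MASTER" "$CLIENT"' EXIT
cat >"$MASTER" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1002:1002::/home/carol:/bin/bash
EOF
cat >"$CLIENT" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
carol:x:1003:1003::/home/carol:/bin/bash
backup:x:0:0::/root:/bin/bash
EOF

if check_file "$CLIENT" "$MASTER"; then
    echo "client passwd is consistent with master"
else
    echo "problems found; fix before syncing or pushing NIS maps"
fi
```

The same functions work unchanged on /etc/group, since only fields 1 and 3 are inspected. Running `check_file` on each machine's copy against the master's file, via the ssh script the reply suggests, catches the duplicate-line and uid-drift cases before they surface as wrong file ownership on an NFS mount.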