[CentOS] Seeking advice about auth/home serving

Ross Walker rswwalker at gmail.com
Wed Oct 15 14:14:17 UTC 2008


On Oct 15, 2008, at 9:51 AM, "Filipe Brandenburger" <filbranden at gmail.com 
 > wrote:

> Hi,
>
> On Wed, Oct 15, 2008 at 06:05, Laurent Wandrebeck
> <l.wandrebeck at gmail.com> wrote:
>> 2008/10/15 Ian Forde <ian at duckland.org>:
>>> Without knowing more specifics, you could always try using the /net
>>> automount... as in: /net/servername/data
>>>
>>> It's ugly, and rarely used, but it works for small networks...
>>
>> automount could do the trick, but it's ugly, as you said :)
>
> automount is not ugly, what is ugly is to use paths that include the
> name of the server, in that if you change the server name the path of
> the files will change. This is also ugly because you end up having
> cross-mounts, in which machine A mounts a volume from machine B and
> machine B mounts a volume from machine A, so when you want to shut
> them down they may hang one waiting for the other one to come up (and
> with fstab instead of automount, you have the same problem when you
> boot up).

Try to write your own auto mount maps that mount to descriptive mount  
points rather than server names:

/archive/00, /archive/01...

>
> automount is actually quite a good tool if you really need to do this
> kind of stuff, which in your case you will probably have to anyway.
> The setup with automount is actually good in that volumes will be kept
> mounted only while they're used (if you use a short enough timeout),
> and in your case it seems that they will be seldomly used, so you
> would not have NFS mounted filesystems most of the time.
>
> I sure recommend you to move from NIS to LDAP, for your network size
> OpenLDAP should be good enough, but you may want to look into a
> Directory Server if you want something more robust (although it will
> be harder to set up). When you implement LDAP, make sure you implement
> it over SSL if you don't want your passwords going unencrypted over
> the network, or use LDAP for user information only and Kerberos for
> authentication.

If all your doing is serving up mount maps or netgroups then ldap is  
over kill, definitely don't put passwords in nis (or ldap) use  
kerberos for those.

A small user base can be handled more easily via nis then ldap you  
don't need to put passwords in passwd use kerberos for those.

>
> NFSv3 -> NFSv4 also looks good, but I would say this tends to be a
> more risky upgrade, since NFS3 is quite stable and NFS4 is still
> somewhat new and you may end up having some surprises with it.
> Personally I will still stick with NFSv3 for a while.

For best interoperability use v3.

-Ross



More information about the CentOS mailing list