From: Les Mikesell lesmikesell@gmail.com
The machines in question were set up years ago when it wasn't so easy and are on opposite sides of a firewall
Setup an NIS slave local to each LAN (and a VPN to the NIS master, or consider SFS tunneling for portmap), and also run a name services cache daemon (nscd) on each client.
(but sometimes have NFS mounts in common).
All the more reason to use NIS, for Automounter maps. ;-> I only recommend NIS because it's cake to setup.
If you have ActiveDirectory Services (ADS), then consider Services for UNIX (SFU). You can even use one-way Kerberos trust from ADS to avoid password hashes (as well as clear text passwords using Kerberosized clients).
I don't prefer ADS-SFU when you have UNIX platforms though. Especially Red Hat, who made NIS-Kerberos integration so seemless as of Red Hat Linux 7 onward.
One machine has all user accounts and things are managed normally there.
Great! It's so easy to turn that one system into an NIS master then. ;->
The others only have small subsets of users (on purpose) and I've pasted in the passwd entries from the machine that has them all to keep the uids in sync for NFS and rsync'ing chunks of stuff around.
Then setup multiple NIS domains. It's easy to do even on one, physical NIS master for all. It'll easily repay you for the manual operations you do.
[ But even then, why aren't you using a script run over ssh to minimize your manual workload? Just curious. ]
I just had some duplicated lines from the last OS version change where I copied too much from the previous one. I might re-do it with LDAP someday, but it's probably more work to control the users that aren't supposed to log into these machines than to separately add the ones that are.
Netscape Directory Server (NsDS), now Red Hat/Fedora Directory Server, is a great LDAP server.
But when I just want something like you need, an NIS domain or a few from one system, with local NIS slaves and nscd running on all the clients does everything I need.
-- Bryan J. Smith mailto:b.j.smith@ieee.org