On Tue, Jan 28, 2014 at 9:18 AM, m.roth@5-cent.us wrote:
At this late date, I'd be really, *REALLY* leery of using NIS. You say that *most* of your traffic is local, suggesting that some of it is *not*. And, for that matter, how good are the firewalls keeping other traffic out?
I'd say no to NIS. Yes, other answers may be more difficult to set up, but consider the alternatives.
That is, we have an ever-growing list of special cases. UserA can log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5. Nobody except UserC can log in to server 6. UserD can log in to machines 2--6. And so on and so forth.
Here you may not realize you're distinguishing between authentication and authorization.
Yeah, I forgot to mention that we already have Kerberos in place for authentication. It's authorization that is currently done by hand and checked with a manual script. (I needed that for the secure mount options NFSv4 provides.)
I sincerely hope it's easier to set up and administer and upgrade than native LDAP. In '06, after a discussion with the other admin and manager I was working with at that job, I volunteered to set up OpenLDAP. Let's just say that the tools were NOT vaguely ready for prime time, though I did find that running webmin helped a *lot* to get it working.
I know you can find a horror story for any piece of software on the Internet, but my impression is that LDAP has an unusually high number of scary-sounding anecdotes. I know random Internet blog and forum posts aren't really authoritative, but they do give me a little trepidation regarding LDAP.
We have an in-house-written set of scripts that administer relevant configuration files, including /etc/passwd. It copies the correct version of that file (among many others) to each host, and a shell of /bin/noLogin works just fine.
Why set the shell to /bin/noLogin, rather than simply not create that user's /etc/passwd entry?
I don't have /bin/noLogin on any of my systems - I assume you deliberately specified a non-existent program for the shell? What's the difference between setting the user's shell to a bogus program versus something like /bin/false?
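An added example, not code from this thread or from either poster's scripts: an audit of an /etc/passwd-style file that sorts accounts into those with a real login shell, those deliberately denied via /bin/false or nologin, and those given a shell path that does not exist (the /bin/noLogin case asked about above). The sample entries and the stand-in for /etc/shells are constructed for the example.

```python
"""Audit /etc/passwd-style data for accounts that can still log in.

Classifies each account by its login shell: a listed shell, a deliberate
deny shell (/bin/false, nologin), an executable shell missing from
/etc/shells, or a bogus path that does not exist at all.
"""
import os

# Shells this site treats as deliberate "no login" markers (assumption).
DENY_SHELLS = {"/bin/false", "/sbin/nologin", "/usr/sbin/nologin"}


def parse_passwd(text):
    """Yield (user, uid, shell) for each well-formed 7-field passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            continue  # malformed entry: skip rather than guess
        yield fields[0], int(fields[2]), fields[6]


def classify(shell, valid_shells, exists):
    """Return one of: login, denied, unlisted-shell, bogus."""
    if shell in DENY_SHELLS:
        return "denied"           # interactive login refused by design
    if shell in valid_shells:
        return "login"            # a real shell listed in /etc/shells
    if exists(shell):
        return "unlisted-shell"   # runnable, but pam_shells/ftpd will reject it
    return "bogus"                # path does not exist, e.g. /bin/noLogin


def audit(passwd_text, valid_shells, exists=os.path.exists):
    """Map user -> classification for every parsable entry."""
    return {user: classify(shell, valid_shells, exists)
            for user, _uid, shell in parse_passwd(passwd_text)}


# Constructed sample data; the shell list stands in for /etc/shells.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
usera:x:1001:1001:User A:/home/usera:/bin/bash
userb:x:1002:1002:User B:/home/userb:/bin/noLogin
userc:x:1003:1003:User C:/home/userc:/bin/false
userd:x:1004:1004:User D:/home/userd:/usr/bin/zsh
daemon:x:2:2:daemon:/sbin:/sbin/nologin
broken:x:9:9:bad line"""
SAMPLE_SHELLS = {"/bin/sh", "/bin/bash"}


def fake_exists(path):
    """Stand-in for os.path.exists so the sample runs on any machine."""
    return path in SAMPLE_SHELLS | DENY_SHELLS | {"/usr/bin/zsh"}


if __name__ == "__main__":
    for user, state in sorted(audit(SAMPLE_PASSWD, SAMPLE_SHELLS, fake_exists).items()):
        print(f"{user:8} {state}")
```

Run against a real host, `audit(open("/etc/passwd").read(), set(l.strip() for l in open("/etc/shells") if l.startswith("/")))` gives the same classification with the real filesystem check.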