The company where I work is mostly a Windows shop, but I run a few CentOS servers and desktops. I have configured my systems as follows with Kickstart:
    authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
        --nisserver=nis1.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
        --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
The /etc/nsswitch.conf file looks like this:
    passwd: files nis
    shadow: files nis
    group:  files nis
The NIS services are provided by the Windows Domain controllers using Windows Unix Services (or something similarly named). This allows anyone that’s in the NIS database to log into any CentOS system with their Windows username and password. Home directories are automounted from a big NAS box (and are also available on Windows). This all works great most of the time. However, if the network or the NIS server goes down, the CentOS system just hangs.
For CentOS 7 I'd like to make the systems more robust to network failures. I could create local accounts (I believe there is a way to autocreate an account and a home directory upon login), but I'm not sure how to go about it. This also implies that the home directories will not be shared among the systems, so ssh keys will have to be manually copied to the local home directories. Ideally, I'd like to get rid of NIS altogether and use LDAP and Kerberos for everything, but I don't know if that is feasible. I think these are the only services that we currently rely on NIS for:
- passwd file
- group file
- automount maps (including auto.home for home directories)
Before I go re-inventing the wheel, I'd like to find out how others manage multiple users on multiple systems using a central service. And in case it wasn’t obvious, I want to use the same usernames and passwords that are used in the Windows environment.
Thanks, Alfred
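For the "robust to network failures" part of the question, the piece NIS lacks is a local credential cache. The fragment below is an added illustration, not part of the original post: a minimal sssd.conf for CentOS 7 that uses LDAP for identity and automount maps and Kerberos for authentication, with cached credentials so a user who has logged in before can still log in while the network or the directory server is down. The realm, KDC and host names are the ones from the post; the LDAP search base (dc=XXX,dc=com) and the cache lifetimes are assumptions for the example.

```ini
# /etc/sssd/sssd.conf (example, assumed values; mode 0600, owned by root)
[sssd]
services = nss, pam, autofs
domains = XXX.COM
config_file_version = 2

[domain/XXX.COM]
# Identity (users, groups) and automount maps come from LDAP.
id_provider = ldap
autofs_provider = ldap
ldap_uri = ldap://ldap.XXX.com
ldap_search_base = dc=XXX,dc=com
ldap_id_use_start_tls = true
ldap_tls_reqcert = demand

# Passwords are verified against the Kerberos KDC, not stored in LDAP.
auth_provider = krb5
chpass_provider = krb5
krb5_realm = XXX.COM
krb5_server = ldap.XXX.com

# The setting that removes the hang on outage: cache successful logins
# (as salted hashes) so known users can authenticate offline.
cache_credentials = true
offline_credentials_expiration = 7     # days a cached password stays valid
entry_cache_timeout = 5400             # seconds before a cached entry is refreshed

# Do not pull the whole directory; look users up on demand.
enumerate = false

[nss]
filter_users = root
filter_groups = root
```

With this in place the nsswitch.conf entries become "passwd: files sss", "shadow: files sss", "group: files sss" and "automount: files sss", which is what authconfig --enablesssd --enablesssdauth writes on CentOS 7; a user who has never logged in on a given machine still needs the server reachable once to populate the cache.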