[CentOS] Odd issue with C6 and NIS

Thu Oct 6 23:46:46 UTC 2011
Steve Rikli <sr at genyosha.net>

In article <alpine.LRH.2.02.1110062331450.27186 at pfyva-tcf.pfhavk.pbzc.yrrqf.np.hx>, John Hodrien  <centos at centos.org> wrote:
>On Thu, 6 Oct 2011, Steve Rikli wrote:
>> That's what I thought.  But doesn't that "lookup" account need to have
>> a published password (and likewise, hardcoded in scripts and config
>> files and whatnot) in order to do the LDAP querying without end-user
>> interactivity?
>Yes.  Either you're talking about a samba tdb file, a password in plain text,
>or a kerberos keytab file.  GSSAPI means you don't need to hardcode anything,
>as it just fishes around in your keytab.
>> Granted, we're talking about "public data" in this example (i.e. automount
>> map data) so security isn't a concern for that part; but the "lookup"
>> account could potentially be used for other means, yes?
>It can be used to do what you grant it access to do (but it can be
>constrained).  That's not worse than NIS.

Well, somewhat.  E.g. my NIS master doesn't need to publish a "passwd"
map in order to provide "auto.home" map or whatever, and I don't need
a "lookup" account to get at the required data in the case of NIS.

[ other useful info & ideas for research deleted for brevity ]

Thanks for the discussion & sharing the benefits of your experience,
John -- much appreciated.