On Tue, Jan 28, 2014 at 9:18 AM, <m.roth at 5-cent.us> wrote:
> At this late date, I'd be really, *REALLY* leery of using NIS. You say
> that *most* of your traffic is local, suggesting that some of it is *not*.
> And, for that matter, how good are the firewalls keeping other traffic
> out?
>
> I'd say no to NIS. Yes, other answers may be more difficult to set up, but
> consider the alternatives.
>>>
>>> That is, we have an ever-growing list of special cases. UserA can
>>> log in to servers 1, 2 and 3. UserB can log in to servers 3, 4, and 5.
>>> Nobody except UserC can log in to server 6. UserD can log in to
>>> machines 2--6. And so on and so forth.
>
> Here you may not realize you're distinguishing between authentication and
> authorization.

Yeah, I forgot to mention that we already have Kerberos in place for
authentication. It's authorization that is currently done by hand and
checked with a manual script. (I needed that for the secure mount options
NFSv4 provides.)

> I sincerely hope it's easier to set up and administer and upgrade than
> native LDAP. In '06, after a discussion with the other admin and manager I
> was working with at that job, I volunteered to set up openLDAP. Let's just
> say that the tools were NOT vaguely ready for prime time, though I did
> find that running webmin helped a *lot* to get it working.

I know you can find a horror story for any piece of software on the
Internet, but my impression is that LDAP has an unusually high number of
scary-sounding anecdotes. I know random Internet blogs and forum posts
aren't really authoritative, but they do give me a little trepidation
regarding LDAP.

> We have an in-house written set of scripts that administer relevant
> configuration files, including /etc/passwd. It copies the correct version
> of that file (among many others) to each host, and shell of /bin/noLogin
> works just fine.

Why set the shell to /bin/noLogin, rather than simply not create that
user's /etc/passwd entry?
I don't have /bin/noLogin on any of my systems - I assume you deliberately specified a non-existent program for the shell? What's the difference between setting the user's shell to a bogus program versus something like /bin/false?
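To make the per-host authorization question and the shell question concrete, here is an added example (not code from this thread, and not the poster's in-house script). It assumes a hypothetical policy kept outside /etc/passwd (user -> set of hosts the user may log in to), and a constructed passwd file, /etc/shells list and set of existing paths so it runs offline. It classifies each passwd entry's shell the way login/sshd will treat it (a listed shell, an unlisted but existing program, /bin/false-style nologin, or a missing path such as /bin/noLogin on a host that has no such file) and then reports where the installed passwd file disagrees with the policy for a given host.

```python
"""Per-host login authorization check against a passwd file.

Added example; not the original poster's script. Policy format, sample
passwd, /etc/shells contents and existing paths are all constructed.
"""
from dataclasses import dataclass

# Real programs that exist but refuse a session by exiting immediately.
NOLOGIN_SHELLS = {"/bin/false", "/usr/bin/false",
                  "/sbin/nologin", "/usr/sbin/nologin"}
SYSTEM_UID_MAX = 999  # assumption: UIDs <= 999 are system accounts, skipped


def classify_shell(shell, valid_shells, existing_paths):
    """Say how the passwd shell field will behave at login time.

    'nologin'  - /bin/false or nologin: exec succeeds, exits at once
    'login'    - listed in /etc/shells: an interactive session is started
    'unlisted' - program exists but is not in /etc/shells: login and sshd
                 still start it; pam_shells-protected tools (chsh, some
                 ftpds) refuse the account
    'missing'  - path does not exist (e.g. /bin/noLogin on a box without
                 it): exec fails and the login attempt errors out
    Only 'login' and 'unlisted' give the user a session.
    """
    if shell in NOLOGIN_SHELLS:
        return "nologin"
    if shell in valid_shells:
        return "login"
    if shell in existing_paths:
        return "unlisted"
    return "missing"


@dataclass
class PasswdEntry:
    name: str
    uid: int
    home: str
    shell: str


def parse_passwd(text):
    """Parse passwd(5) lines: name:pw:uid:gid:gecos:home:shell."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError("malformed passwd line: %r" % line)
        name, _pw, uid, _gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), home, shell))
    return entries


def audit_host(host, policy, entries, valid_shells, existing_paths):
    """Compare the passwd file installed on `host` with the policy.

    Returns four lists, in passwd-file order:
      ok         - allowed by policy and has a working login shell
      unexpected - NOT allowed by policy, but passwd would let them in
      blocked    - allowed by policy, but the shell refuses a session
      absent     - allowed by policy, but has no passwd entry at all
    """
    allowed = {user for user, hosts in policy.items() if host in hosts}
    result = {"ok": [], "unexpected": [], "blocked": [], "absent": []}
    seen = set()
    for e in entries:
        if e.uid <= SYSTEM_UID_MAX:
            continue
        seen.add(e.name)
        kind = classify_shell(e.shell, valid_shells, existing_paths)
        can_login = kind in ("login", "unlisted")
        if e.name in allowed and can_login:
            result["ok"].append(e.name)
        elif e.name in allowed:
            result["blocked"].append((e.name, e.shell, kind))
        elif can_login:
            result["unexpected"].append((e.name, e.shell, kind))
        # else: not allowed and cannot log in -> correctly refused
    result["absent"] = sorted(allowed - seen)
    return result


# Constructed sample data (hypothetical hosts, users and paths).
POLICY = {
    "usera": {"server1", "server2", "server3"},
    "userb": {"server3", "server4", "server5"},
    "userc": {"server6"},
    "userd": {"server2", "server3", "server4", "server5", "server6"},
}
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
usera:x:1001:1001:User A:/home/usera:/bin/bash
userc:x:1003:1003:User C:/home/userc:/bin/noLogin
userd:x:1004:1004:User D:/home/userd:/bin/false
usere:x:1005:1005:User E:/home/usere:/bin/zsh
"""
VALID_SHELLS = {"/bin/sh", "/bin/bash"}           # constructed /etc/shells
EXISTING_PATHS = VALID_SHELLS | {"/bin/false", "/sbin/nologin", "/bin/zsh"}

if __name__ == "__main__":
    for host in ("server3", "server6"):
        print(host, audit_host(host, POLICY, parse_passwd(SAMPLE_PASSWD),
                               VALID_SHELLS, EXISTING_PATHS))
```

Run against the constructed file as if it were installed on server3, the check flags userd (allowed, but /bin/false keeps them out), usere (a working shell but no policy entry), and userb (allowed, but no passwd entry). A missing path like /bin/noLogin and a real /bin/false both end up in the refused category; the visible difference is only in the error the user sees and in what pam_shells-based tools do with the entry.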