From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: tuhs-bounces@minnie.tuhs.org X-Spam-Checker-Version: SpamAssassin 3.4.2 (2018-09-13) on inbox.vuxu.org X-Spam-Level: X-Spam-Status: No, score=0.9 required=5.0 tests=DKIM_SIGNED,DKIM_VALID, DKIM_VALID_AU,FREEMAIL_FORGED_FROMDOMAIN,FREEMAIL_FROM, HEADER_FROM_DIFFERENT_DOMAINS,HTML_MESSAGE,MAILING_LIST_MULTI, RCVD_IN_DNSWL_NONE,SUBJ_ALL_CAPS autolearn=no autolearn_force=no version=3.4.2 Received: from minnie.tuhs.org (minnie.tuhs.org [45.79.103.53]) by inbox.vuxu.org (OpenSMTPD) with ESMTP id a9bb60c4 for ; Tue, 6 Nov 2018 03:36:40 +0000 (UTC) Received: by minnie.tuhs.org (Postfix, from userid 112) id 945B3A2445; Tue, 6 Nov 2018 13:36:39 +1000 (AEST) Received: from minnie.tuhs.org (localhost [127.0.0.1]) by minnie.tuhs.org (Postfix) with ESMTP id C7790A22EA; Tue, 6 Nov 2018 13:36:21 +1000 (AEST) Received: by minnie.tuhs.org (Postfix, from userid 112) id 9BC00A217C; Tue, 6 Nov 2018 11:47:00 +1000 (AEST) Received: from mail-qt1-f171.google.com (mail-qt1-f171.google.com [209.85.160.171]) by minnie.tuhs.org (Postfix) with ESMTPS id 33E44A215E for ; Tue, 6 Nov 2018 11:46:55 +1000 (AEST) Received: by mail-qt1-f171.google.com with SMTP id b22-v6so961237qtr.11 for ; Mon, 05 Nov 2018 17:46:55 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=20161025; h=mime-version:references:in-reply-to:from:date:message-id:subject:to :cc; bh=CCWJdSaE98+/lHZEPZ1a+4gBYPmcrrRTiJQYz/Lgq30=; b=CI2+3UteyCiH5tokyFEuhSOKq3iomwyhDZmX+ViWOoD5IuEc9Gn6Lg9mCP49vIhRiC VbegiwxhneYGOHO4tQQSrHSyKwQ5u8GMxXPWTOjbxM0u5kkybpZK+MPHhFxK+4JF8LLF V6IyLUBqQ75zAEWhhgisEM0ORTC/MZ6nquS0tPXY/GB3nzb1DdpawH8cKjEux7qG9x9u hkVCfNpv1k4tkbNd0SiAjJvBGWWdzGmPu/fvW+KUmgFwOCjyvS424sWpVy5/GWJ+l6ok T+O6exzzV3azn0OVXDE5OgoREJwZShXLCbeEngjBcQI/rp3MoGVEcAMRyuSrZhjWlozl d0Ow== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20161025; h=x-gm-message-state:mime-version:references:in-reply-to:from:date :message-id:subject:to:cc; bh=CCWJdSaE98+/lHZEPZ1a+4gBYPmcrrRTiJQYz/Lgq30=; b=Fb+zRCiB+66iBJl5nQlXSbCVYu1mw+bqQUVeYmsBIelY4ovUmwPwNDOBmZVf0Lnb2s IpHPlEUR8LssQhgzE+M5WRfrPn2kFE/drGXYPMQA6o+KSq74hgPJ8WE6BdrvvcnCTnLm iFfMbbnWr0fXt5uKLxl4W2N7AXPzgaNx0IfwMA4aCPcVLnNv/omPhpDk3IzvERDwvaoe +7zQx6NvcuidLgxLmgIy8poKtBkib5wTZGR65TQKhoWkhXepx4S6W2aZH5qYWkSuHdTN dTpm+HkgjYayqMVU90hsUow7VWzMzrvoue/wSf5Ef5O6Hqh5IkRW/0I9S4vx1Xu50kHw IPTg== X-Gm-Message-State: AGRZ1gJ8VsPE7k+vaCA9XQ9mVUOfeEKuUW1eS7v5R67tb/dv/b6PJs3r OtNrtpGXnJmRbecSmmnncwncKqGMjUReCfk+pl8= X-Google-Smtp-Source: AJdET5d8NuQYsfl1+ydEMWEJMsSjyFJ0sSn6qHuNyHZVbsw5lGaEzHxUUwLOxKnDF6GQaEGz8kpo5PyQ5QTEC34rbG4= X-Received: by 2002:aed:31c5:: with SMTP id 63mr121823qth.385.1541468814354; Mon, 05 Nov 2018 17:46:54 -0800 (PST) MIME-Version: 1.0 References: <6a64b957-5912-b102-c73c-d0b71bd24188@spamtrap.tnetconsulting.net> In-Reply-To: <6a64b957-5912-b102-c73c-d0b71bd24188@spamtrap.tnetconsulting.net> From: Dan Cross Date: Mon, 5 Nov 2018 20:46:18 -0500 Message-ID: To: Grant Taylor Content-Type: multipart/alternative; boundary="0000000000001cb44d0579f52d02" Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP X-BeenThere: tuhs@minnie.tuhs.org X-Mailman-Version: 2.1.20 Precedence: list List-Id: The Unix Heritage Society mailing list List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Cc: TUHS main list Errors-To: tuhs-bounces@minnie.tuhs.org Sender: "TUHS" --0000000000001cb44d0579f52d02 Content-Type: text/plain; charset="UTF-8" On Mon, Nov 5, 2018 at 7:33 PM Grant Taylor via TUHS wrote: > [snip] > Translation: What is the current Unix (Linux) method to provide central > user directory / authentication for about a dozen Unix (Linux / Solaris > / *BSD / AIX) systems /without/ a Windows Server in the mix. I don't > own a license for any version of Windows Server that supports AD. Nor > do I feel compelled to buy one. > On small networks, I eventually jettisoned YP/LDAP et al in favor of flat text files in a directory tree on an NFS server. All clients mounted that and every $n$ minutes cron ran a script that sync'ed important files on each host. We were already using Kerberized NFS everywhere; this eliminated the directory service as another point of failure. Since passwords were in the Kerberos master, I didn't care about the contents of /etc/passwd, though I used make and cpp to generate "ACL" files that drove a script that generated /etc/passwd on each host so that e.g., normal users couldn't log into the NFS server; not because I cared about them logging in but rather because I didn't want them running real programs there and slowing it down. Root was probably the only account with an actual password in /etc/{shadow,master.passwd} but that was explicitly chosen with enough entropy that if someone got the hash and ran crack or john the ripper or whatever against it they were only going to succeed in generating lots of heat. If I only got a dozen or so systems, that's what I'd do again. Setting up an LDAP schema probably isn't worth the complexity; NIS would be the only other realistic option and it's just not secure enough in this day and age. Setting up a KDC and an NFS server is much easier. - Dan C. --0000000000001cb44d0579f52d02 Content-Type: text/html; charset="UTF-8" Content-Transfer-Encoding: quoted-printable
On Mon, Nov 5, 2018 at 7:33 PM Grant Taylor via TUHS <tuhs@minnie.tuhs.org> wrote:
[snip]
Translation:=C2=A0 What is the current Unix (Linux) method to provide centr= al
user directory / authentication for about a dozen Unix (Linux / Solaris / *BSD / AIX) systems /without/ a Windows Server in the mix.=C2=A0 I don= 9;t
own a license for any version of Windows Server that supports AD.=C2=A0 Nor=
do I feel compelled to buy one.

On smal= l networks, I eventually jettisoned YP/LDAP et al in favor of flat text fil= es in a directory tree on an NFS server. All clients mounted that and every= $n$ minutes cron ran a script that sync'ed important files on each hos= t. We were already using Kerberized NFS everywhere; this eliminated the dir= ectory service as another point of failure. Since passwords were in the Ker= beros master, I didn't care about the contents of /etc/passwd, though I= used make and cpp to generate "ACL" files that drove a script th= at generated /etc/passwd on each host so that e.g., normal users couldn'= ;t log into the NFS server; not because I cared about them logging in but r= ather because I didn't want them running real programs there and slowin= g it down.

Root was probably the only account with= an actual password in /etc/{shadow,master.passwd} but that was explicitly = chosen with enough entropy that if someone got the hash and ran crack or jo= hn the ripper or whatever against it they were only going to succeed in gen= erating lots of heat.

If I only got a dozen or so = systems, that's what I'd do again. Setting up an LDAP schema probab= ly isn't worth the complexity; NIS would be the only other realistic op= tion and it's just not secure enough in this day and age. Setting up a = KDC and an NFS server is much easier.

=C2=A0 =C2= =A0 =C2=A0 =C2=A0 - Dan C.

--0000000000001cb44d0579f52d02--