On Mon, Nov 5, 2018 at 7:33 PM Grant Taylor via TUHS <tuhs(a)minnie.tuhs.org>
wrote:
> [snip]
> Translation: What is the current Unix (Linux) method to provide central
> user directory / authentication for about a dozen Unix (Linux / Solaris
> / *BSD / AIX) systems /without/ a Windows Server in the mix. I don't
> own a license for any version of Windows Server that supports AD. Nor
> do I feel compelled to buy one.

On small networks, I eventually jettisoned YP/LDAP et al in favor of flat
text files in a directory tree on an NFS server. All clients mounted that
and every $n$ minutes cron ran a script that sync'ed important files on
each host. We were already using Kerberized NFS everywhere; this eliminated
the directory service as another point of failure. Since passwords were in
the Kerberos master, I didn't care about the contents of /etc/passwd,
though I used make and cpp to generate "ACL" files that drove a script that
generated /etc/passwd on each host so that e.g., normal users couldn't log
into the NFS server; not because I cared about them logging in but rather
because I didn't want them running real programs there and slowing it down.
Root was probably the only account with an actual password in
/etc/{shadow,master.passwd} but that was explicitly chosen with enough
entropy that if someone got the hash and ran crack or john the ripper or
whatever against it they were only going to succeed in generating lots of
heat.
If I only got a dozen or so systems, that's what I'd do again. Setting up
an LDAP schema probably isn't worth the complexity; NIS would be the only
other realistic option and it's just not secure enough in this day and age.
Setting up a KDC and an NFS server is much easier.
- Dan C.
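The per-host passwd generation Dan describes (a master list plus a per-host "ACL" deciding who gets a shell, with only root carrying a real hash because Kerberos holds everyone else's password) is sketched below as an added example; it is not Dan's script, which used make and cpp. It assumes a 7-field passwd-format master file, a Linux-style 9-field /etc/shadow as output (BSD master.passwd has a different layout), and /sbin/nologin as the locked shell; denied users keep their entry so uid-to-name mapping still works on the NFS server, they just get the nologin shell. All accounts and the root hash are constructed sample data. The final check is the one a practitioner wants before installing the file: nothing except root may carry a crackable hash.

```shell
#!/bin/sh
# Added example (not from the original post): build this host's passwd and
# shadow from a master passwd file plus a per-host allow-list ("ACL").
# Paths, file names and the nologin shell path are assumptions.

NOLOGIN=/sbin/nologin   # assumed; Debian-style hosts use /usr/sbin/nologin

# gen_passwd MASTER ACL OUT_PASSWD OUT_SHADOW ROOT_HASH
#   MASTER: passwd-format file (7 colon-separated fields; field 2 is ignored)
#   ACL:    usernames allowed an interactive shell here, one per line, # comments
# Users not in ACL keep their entry (so ls on the NFS server still resolves
# uids) but get the nologin shell. Root is always allowed. Every shadow entry
# is locked with "*" except root, whose hash is passed in; the empty aging
# fields disable password aging.
gen_passwd() {
    master=$1 acl=$2 out_pw=$3 out_sh=$4 root_hash=$5
    awk -F: -v OFS=: -v acl="$acl" -v nologin="$NOLOGIN" \
        -v out_pw="$out_pw" -v out_sh="$out_sh" -v root_hash="$root_hash" '
        BEGIN {
            allow["root"] = 1
            while ((getline line < acl) > 0) {
                sub(/#.*/, "", line); gsub(/[ \t]/, "", line)
                if (line != "") allow[line] = 1
            }
            close(acl)
        }
        NF == 7 && $1 != "" {
            shell = ($1 in allow) ? $7 : nologin
            print $1, "x", $3, $4, $5, $6, shell > (out_pw)
            hash = ($1 == "root") ? root_hash : "*"
            print $1, hash, "", "", "", "", "", "", "" > (out_sh)
        }
    ' "$master"
}

# check_shadow SHADOW: succeed only if root is the sole account with a real
# hash, i.e. every other password field is the locked marker "*" (or "!").
check_shadow() {
    awk -F: '$1 != "root" && $2 != "*" && $2 != "!" { bad++ }
             END { exit bad ? 1 : 0 }' "$1"
}

# Small accessors used by the demo (and by tests) to inspect the output.
shell_for() { awk -F: -v u="$1" '$1 == u { print $7 }' "$2"; }
hash_for()  { awk -F: -v u="$1" '$1 == u { print $2 }' "$2"; }
count_entries() { awk 'END { print NR }' "$1"; }

# --- constructed sample input (not real accounts or hashes) ---
tmp=$(mktemp -d)
cat > "$tmp/master.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/bin/sh
bob:x:1002:1002:Bob:/home/bob:/bin/sh
nfsadm:x:1003:1003:NFS admin:/home/nfsadm:/bin/sh
EOF
cat > "$tmp/nfs1.acl" <<'EOF'
# accounts that may get a shell on the NFS server
nfsadm
EOF
root_hash='$6$constructed$notarealhash'   # placeholder, not a real hash

gen_passwd "$tmp/master.passwd" "$tmp/nfs1.acl" "$tmp/passwd" "$tmp/shadow" "$root_hash"
echo "== generated passwd for nfs1 =="; cat "$tmp/passwd"
if check_shadow "$tmp/shadow"; then
    echo "shadow ok: only root carries a hash"
else
    echo "REFUSING to install: a non-root account has a real hash" >&2
fi
# $tmp is left in place so the output can be inspected.
```

Wiring this into the setup in the post means running it from the cron job on each host against the NFS-mounted master and that host's ACL file, then installing the results only when check_shadow succeeds; the same generator with a more permissive ACL produces the workstations' files.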