Dan Cross crossd at gmail.com
Tue Nov 6 11:46:18 AEST 2018

On Mon, Nov 5, 2018 at 7:33 PM Grant Taylor via TUHS <tuhs at minnie.tuhs.org>

> [snip]
> Translation:  What is the current Unix (Linux) method to provide central
> user directory / authentication for about a dozen Unix (Linux / Solaris
> / *BSD / AIX) systems /without/ a Windows Server in the mix.  I don't
> own a license for any version of Windows Server that supports AD.  Nor
> do I feel compelled to buy one.

On small networks, I eventually jettisoned YP/LDAP et al in favor of flat
text files in a directory tree on an NFS server. All clients mounted that
and every $n$ minutes cron ran a script that sync'ed important files on
each host. We were already using Kerberized NFS everywhere; this eliminated
the directory service as another point of failure. Since passwords were in
the Kerberos master, I didn't care about the contents of /etc/passwd,
though I used make and cpp to generate "ACL" files that drove a script that
generated /etc/passwd on each host so that e.g., normal users couldn't log
into the NFS server; not because I cared about them logging in but rather
because I didn't want them running real programs there and slowing it down.

Root was probably the only account with an actual password in
/etc/{shadow,master.passwd} but that was explicitly chosen with enough
entropy that if someone got the hash and ran crack or john the ripper or
whatever against it they were only going to succeed in generating lots of

If I only had a dozen or so systems, that's what I'd do again. Setting up
an LDAP schema probably isn't worth the complexity; NIS would be the only
other realistic option and it's just not secure enough in this day and age.
Setting up a KDC and an NFS server is much easier.

        - Dan C.
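As an added illustration of the "ACL file drives a generated /etc/passwd" idea in the message above (this is example code, not Dan's script and not anything from the TUHS archive): a POSIX sh function that takes a central master file and a per-host ACL and emits only the permitted accounts, with every local password field except root's locked because authentication lives in the Kerberos KDC. The sample data, file names and the locked-field convention are constructed assumptions.

```shell
#!/bin/sh
# Added example (not from the original message): generate a per-host
# passwd file from a central master file plus a per-host ACL, in the spirit
# of the flat-file-on-NFS plus Kerberos setup described above.
# Sample data, file names and the '*' locked-field convention are assumptions.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed master file (what the NFS-exported tree would hold).
# Ordinary users carry no hash: the KDC authenticates them, so the field is '*'.
# root's 'x' means its hash lives in the host-local shadow file, which this
# script never touches.
cat > "$WORK/master.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:*:1001:1001:Alice:/home/alice:/bin/sh
bob:*:1002:1002:Bob:/home/bob:/bin/sh
carol:*:1003:1003:Carol:/home/carol:/bin/sh
EOF

# Constructed per-host ACL: accounts permitted on the NFS server
# (operators only, so normal users cannot log in and run programs there).
cat > "$WORK/nfsserver.acl" <<'EOF'
# users allowed on the NFS server
root
carol
EOF

# gen_passwd MASTER ACL OUT
# Keep only ACL-listed users.  For every account other than root the
# password field is forced to '*', so no crackable hash exists locally.
gen_passwd() {
    awk -F: -v OFS=: '
        # first file: the ACL.  Strip comments/whitespace, remember names.
        FNR == NR { sub(/#.*/, ""); gsub(/[ \t]/, ""); if ($0 != "") allow[$0] = 1; next }
        # second file: the master.  Emit permitted entries, locked unless root.
        ($1 in allow) { if ($1 != "root") $2 = "*"; print }
    ' "$2" "$1" > "$3"
}

# count_users FILE: number of accounts in a generated file.
count_users() {
    wc -l < "$1" | tr -d ' '
}

# Sample run.  A real cron job would then install the result atomically
# (write to a temp file, then mv over /etc/passwd) if it differs.
gen_passwd "$WORK/master.passwd" "$WORK/nfsserver.acl" "$WORK/passwd.nfsserver"
cat "$WORK/passwd.nfsserver"
```

Because the ACL is the only per-host input, adding an operator to one machine is a one-line change in the central tree, and the periodic sync carries it everywhere; a host that loses the NFS mount simply keeps its last generated file, which is the point Dan makes about removing the directory service as a point of failure.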