[OpenAFS] Distributing passwd

Stephen Joyce stephen@physics.unc.edu
Wed, 11 Jun 2003 09:35:01 -0400 (EDT)


On Tue, 10 Jun 2003, Charles Clancy wrote:

> On Tue, 10 Jun 2003, fronils wrote:
>
> > Hi,
> >
> > how do people go about the problem of distributing files like /etc/passwd to
> > clients? Using NIS or something else?
>
> NIS, NIS+, and LDAP are all likely candidates.  The major security flaws
> of NIS/NIS+ are less important in the AFS environment, as you don't need
> to use them for distributing encrypted passwords.  IMHO, NIS is easiest to
> set up/maintain and has the widest client support.

It would be wise to think twice (or more!) before deploying NIS due to
security concerns.

Have you considered simply storing master copies of your passwd, group,
hosts files, etc. in AFS and having each client regularly update its local
copy from the master?

Our cell is not huge, but we've been using such a mechanism for ~6 years.
We wrote a Perl script to query pts group memberships to determine what
users are allowed access to a given client and build the appropriate
/etc/passwd file (with lots of sanity checking along the way).  For
managing simpler files such as /etc/hosts, nsswitch.conf, etc., cfengine,
http://www.cfengine.org, is excellent.

I've been thinking hard about transitioning to LDAP, but our existing setup
has "just worked" extremely well.

Cheers,
Stephen
--
Stephen Joyce
Systems Administrator                                            P A N I C
Physics & Astronomy Department                         Physics & Astronomy
University of North Carolina at Chapel Hill         Network Infrastructure
voice: (919) 962-7214                                        and Computing
fax: (919) 962-0480                               http://www.panic.unc.edu
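
Added example, not part of the original message and not the Perl script it mentions: a Python sketch of the sanity checks a client might apply when building /etc/passwd from an AFS master copy filtered by `pts membership` output. The group name, users, paths, the MIN_UID cutoff and the function names are assumptions, and the sample data is constructed.

```python
import re

NAME_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")
MIN_UID = 1000  # assumption: lower UIDs belong to local system accounts

def parse_pts_membership(output):
    """Member names from `pts membership <group>` output (first line is a header)."""
    return {ln.strip() for ln in output.splitlines()[1:] if ln.strip()}

def fields(line, origin):
    f = line.split(":")
    if len(f) != 7:
        raise ValueError(f"malformed {origin} entry: {line!r}")
    return f

def build_passwd(master, local_system, allowed):
    """Local system accounts plus master entries for allowed users.
    Raises ValueError rather than return a file that is unsafe to install."""
    out, names, uids = [], set(), set()
    for line in filter(str.strip, local_system.splitlines()):
        f = fields(line, "local")
        names.add(f[0]); uids.add(f[2]); out.append(line)
    if not any(l.split(":")[0] == "root" and l.split(":")[2] == "0" for l in out):
        raise ValueError("no local root entry; refusing to build")
    for line in filter(str.strip, master.splitlines()):
        name, pw, uid, gid = fields(line, "master")[:4]
        if name not in allowed:
            continue
        if not NAME_RE.match(name) or not uid.isdigit() or not gid.isdigit():
            raise ValueError(f"bad name/uid/gid for {name!r}")
        if int(uid) < MIN_UID:  # master copy must never supply root or system UIDs
            raise ValueError(f"{name}: uid {uid} is below {MIN_UID}")
        if pw not in ("x", "*"):  # AFS/Kerberos authenticates; no hashes belong here
            raise ValueError(f"{name}: password field is not a placeholder")
        if name in names or uid in uids:
            raise ValueError(f"{name}: duplicate name or uid {uid}")
        names.add(name); uids.add(uid); out.append(line)
    return "\n".join(out) + "\n"

# Constructed sample data (group, users and paths are hypothetical).
SAMPLE_PTS = "Members of hosts:lab1 (id: -206) are:\n  alice\n  carol\n"
SAMPLE_LOCAL = "root:x:0:0:root:/root:/bin/sh\ndaemon:x:1:1:daemon:/:/sbin/nologin\n"
SAMPLE_MASTER = (
    "alice:x:5001:500:Alice:/afs/example.edu/user/alice:/bin/bash\n"
    "bob:x:5002:500:Bob:/afs/example.edu/user/bob:/bin/bash\n"
    "carol:*:5003:500:Carol:/afs/example.edu/user/carol:/bin/bash\n"
)

if __name__ == "__main__":
    print(build_passwd(SAMPLE_MASTER, SAMPLE_LOCAL, parse_pts_membership(SAMPLE_PTS)), end="")
```

A client would write the result to a temporary file and rename it over /etc/passwd only when no exception was raised, so a corrupt or tampered master copy leaves the previous file in place.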