----- Original Message -----
> From: "Konstantin Olchanski" <olcha...@triumf.ca>
> To: "Stephen John Smoogen" <smo...@gmail.com>
> Cc: "Dirk Hoffmann" <hoffm...@cppm.in2p3.fr>, "SCIENTIFIC-LINUX-USERS" 
> <SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV>
> Sent: Tuesday, 6 January, 2015 22:18:54
> Subject: Re: ypbind not registering with rpcbind on SL7
>
> On Tue, Jan 06, 2015 at 11:20:30AM -0700, Stephen John Smoogen wrote:
>> On 6 January 2015 at 05:08, Dirk Hoffmann <hoffm...@cppm.in2p3.fr> wrote:
>> >
>> > I installed SL7 yesterday from the standard DVD in "Computing node"
>> > flavour. "yum update" ran correctly, then I needed YP/NIS.
>>
>>
>> Wow.. I didn't know ypbind was still in use :)?
>>
> 
> There is no replacement to NIS for small clusters.
> 
> Vendors send us in the direction of LDAP, which is supposed to be "light
> weight".
> 
> Well, if LDAP is light-weight, I hate to see what they consider as
> normal-weight.
> 
> With NIS, management is "vi /etc/auto.home; make -C /var/yp".
> 
> Wake me up when LDAP gets anywhere near that easy to use.

I'll admit that my IT career has mostly missed the yp/nis days (mostly due
to working in companies with just a few handfuls of servers or less).  But!

I dare you to try out FreeIPA.  I've tested it in a slightly bigger
environment (~30 boxes), and decided to roll it out at home "just for fun"
to play more with it.  It doesn't eat that much CPU or disk resources (well
some 100MB), but it is really easy to set up and play with.  And with both
a reasonable webUI and a command line interface for the same tasks.
Firewall and SELinux friendly, and lets you do really nice stuff such as
DNS SSHFP (no more need for hosts in ~/.ssh/known_hosts), centralised SSH
public key management, Kerberos SSO and all the other stuff NIS can do.

Regarding resource usage, at home I installed FreeIPA on a slightly well
loaded HP Microserver G7 (AMD N36L) with 8GB RAM running 5 VMs.  The
average CPU load is 60% and using ~7GB for VMs.  And the admin web console
works very well and all IPA domain members get the authentication done
fairly quickly.  I've not noticed any performance drop on the VMs either.

What I basically did:

* IPA server
  - yum install ipa-server
  - ipa-server-install (see --help for enabling DNS server and more features)
  - Go to http://$SERVER
  - Login as admin and start playing

* IPA clients to become "domain members"
  - yum install ipa-client
  - Ensure /etc/resolv.conf 'nameserver' points at the IPA server
  - ipa-client-install  (see --help for more advanced features)

Also check out the documentation (you'll find relevant versions of it in
https://access.redhat.com under Identity Management).  It is quite good and
accurate.

And that's basically it ... run kinit and you have SSO to all your boxes.
Or upload your SSH public key to your IPA user account, and you can SSH to
all boxes without uploading any public keys anywhere else.

My playing has been done with SL6, SL7 and Fedora 19.  My next step is to
start playing with IPA servers on SL7, which is an even newer version of
FreeIPA with some more features.

By the way, setting up master-master replication with more IPA servers is
also really easy.  However, there is a bug in the LDAP server which needs a
configuration workaround.  But once that's done, it works really smoothly.

Yes, IPA is probably using more resources than yp/nis, but it also provides
much more than just yp/nis.

--
kind regards,

David Sommerseth
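
The "DNS SSHFP" feature mentioned in the message above, as an added example that is not part of the original post and is not FreeIPA code: it derives the SSHFP records for a host public key and checks an offered key against a published record. The host name and the key are constructed samples, and the function names are hypothetical.

```python
import base64
import hashlib
import struct

# SSHFP key algorithm numbers: RFC 4255 (RSA, DSA), RFC 6594 (ECDSA), RFC 7479 (Ed25519)
KEY_ALGS = {"ssh-rsa": 1, "ssh-dss": 2, "ecdsa-sha2-nistp256": 3,
            "ecdsa-sha2-nistp384": 3, "ecdsa-sha2-nistp521": 3, "ssh-ed25519": 4}
# SSHFP fingerprint types: 1 = SHA-1 (RFC 4255), 2 = SHA-256 (RFC 6594)
FP_TYPES = {1: hashlib.sha1, 2: hashlib.sha256}


def parse_pubkey(line):
    """Return (key type, raw key blob) from a line of an ssh_host_*_key.pub file."""
    keytype, b64 = line.split()[:2]
    blob = base64.b64decode(b64, validate=True)
    # The blob begins with a length-prefixed copy of the key type; reject mismatches.
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != keytype.encode("ascii"):
        raise ValueError("key type does not match key blob")
    return keytype, blob


def sshfp_records(hostname, pubkey_line):
    """Build the SSHFP records (zone-file syntax) a DNS server would publish."""
    keytype, blob = parse_pubkey(pubkey_line)
    alg = KEY_ALGS[keytype]
    return [f"{hostname}. IN SSHFP {alg} {fp} {h(blob).hexdigest()}"
            for fp, h in sorted(FP_TYPES.items())]


def key_matches_record(record, pubkey_line):
    """Check an offered host key against one published SSHFP record."""
    alg, fp, digest = record.split()[-3:]
    keytype, blob = parse_pubkey(pubkey_line)
    if int(fp) not in FP_TYPES or KEY_ALGS.get(keytype) != int(alg):
        return False
    return FP_TYPES[int(fp)](blob).hexdigest() == digest.lower()


def constructed_key(seed):
    """Constructed sample only: an Ed25519-shaped blob of filler bytes, not a real key."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", 32) + bytes([seed]) * 32
    return "ssh-ed25519 " + base64.b64encode(blob).decode() + " root@node1"


if __name__ == "__main__":
    key = constructed_key(0x41)
    for rr in sshfp_records("node1.example.test", key):
        print(rr, key_matches_record(rr, key))
```

The OpenSSH client consults these records only when `VerifyHostKeyDNS` is enabled, and it treats a match as trusted only if the DNS answer was DNSSEC-validated.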
