Re: Group ID conflicts between different distros: how to manage them with NIS?
Excellent. Time to read about udev. Will do my homework, try a few tests, and will get back with results and, possibly, more questions :-D

Thank you, everybody for your valuable help (and time).

Best regards,
João

On Mon, Aug 20, 2018 at 2:54 AM Reco wrote:
> Hi.
>
> On Mon, Aug 20, 2018 at 12:51:24AM -0300, Joao Roscoe wrote:
> > Hmmm...
> >
> > If I create a NIS group (with a high ID), called serial_ports, should I
> > just, as root, chgrp /dev/ttyS0 so that its group is serial_ports ?
>
> You could, and it may even work, but it would be temporary.
> To make it truly work you should write your own udev rule for these (and
> other) devices.
>
> The reason being - udev creates everything under the /dev (system boot).
> Udev changes everything under the /dev (vt switch, user relogins).
>
> In that particular case you should override changes made by
> /lib/udev/rules.d/50-udev-default.rules.
>
> Reco
Re: Group ID conflicts between different distros: how to manage them with NIS?
Hi.

On Mon, Aug 20, 2018 at 12:51:24AM -0300, Joao Roscoe wrote:
> Hmmm...
>
> If I create a NIS group (with a high ID), called serial_ports, should I
> just, as root, chgrp /dev/ttyS0 so that its group is serial_ports ?

You could, and it may even work, but it would be temporary.
To make it truly work you should write your own udev rule for these (and other) devices.

The reason being - udev creates everything under the /dev (system boot).
Udev changes everything under the /dev (vt switch, user relogins).

In that particular case you should override changes made by /lib/udev/rules.d/50-udev-default.rules.

Reco
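[Added example, not part of Reco's message or of any project's own files: one way to build the override rule he describes. The GID 5001, the file name 99-serial-ports.rules and the helper names are assumptions; only 50-udev-default.rules comes from the thread.]

```shell
#!/bin/sh
# Assumed values: GID 5001 for the NIS group "serial_ports" (constructed) and
# the rules file name 99-serial-ports.rules.
DEFAULT_RULES=50-udev-default.rules

# udev reads rules files in lexical order of file name, and a later plain "="
# assignment replaces an earlier one, so the override has to sort after the
# distribution's default file.
sorts_after_default() {   # $1 = rules file name
    last=$(printf '%s\n%s\n' "$1" "$DEFAULT_RULES" | LC_ALL=C sort | tail -n 1)
    [ "$1" != "$DEFAULT_RULES" ] && [ "$last" = "$1" ]
}

# Emit the rule. A numeric GID is used so the rule does not depend on a NIS
# lookup succeeding at the moment udev loads its rules.
serial_rule() {           # $1 = numeric GID
    case $1 in
        ''|*[!0-9]*) echo "GID must be numeric" >&2; return 1 ;;
    esac
    printf 'SUBSYSTEM=="tty", KERNEL=="ttyS[0-9]*", GROUP="%s", MODE="0660"\n' "$1"
}

# Preview of the rule; nothing is written to /etc here.
serial_rule 5001

# Install steps, run as root on each host (shown, not executed here):
#   serial_rule 5001 > /etc/udev/rules.d/99-serial-ports.rules
#   udevadm control --reload-rules
#   udevadm trigger --subsystem-match=tty
#   ls -l /dev/ttyS0    # group should now resolve to serial_ports
```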
Re: Group ID conflicts between different distros: how to manage them with NIS?
Hmmm...

If I create a NIS group (with a high ID), called serial_ports, should I just, as root, chgrp /dev/ttyS0 so that its group is serial_ports ?

João

On Sun, Aug 19, 2018 at 12:47 PM Michael Stone wrote:
> On Fri, Aug 17, 2018 at 02:48:56PM -0300, Joao Roscoe wrote:
> >Right, that's best practice.
> >
> >But, what if I need to include a user who is defined in NIS in lp or ttyS0
> >group? Would going into /etc/group in *every* machine be unavoidable?
>
> That's one option. Another would be to create new centrally-managed
> groups and give those groups permissions to do what is needed across the
> environment. A third option would be to give people certain permissions
> when they log in. There are any number of solutions, all of which will
> be more reliable than trying to centrally manage system groups. The best
> option really depends on what you're trying to accomplish.
>
> Mike Stone
Re: Group ID conflicts between different distros: how to manage them with NIS?
On Fri, Aug 17, 2018 at 02:48:56PM -0300, Joao Roscoe wrote:
> Right, that's best practice.
>
> But, what if I need to include a user who is defined in NIS in lp or ttyS0
> group? Would going into /etc/group in *every* machine be unavoidable?

That's one option. Another would be to create new centrally-managed groups and give those groups permissions to do what is needed across the environment. A third option would be to give people certain permissions when they log in. There are any number of solutions, all of which will be more reliable than trying to centrally manage system groups. The best option really depends on what you're trying to accomplish.

Mike Stone
Re: Group ID conflicts between different distros: how to manage them with NIS?
Joao Roscoe wrote:
> But, what if I need to include a user who is defined in NIS in lp or ttyS0
> group? Would going into /etc/group in *every* machine be unavoidable?

your print server will be the only one to consider for lp group for example

or just do something with ansible or puppet or whatever matches your taste
Re: Group ID conflicts between different distros: how to manage them with NIS?
Right, that's best practice.

But, what if I need to include a user who is defined in NIS in lp or ttyS0 group? Would going into /etc/group in *every* machine be unavoidable?

João

On Fri, Aug 17, 2018 at 1:42 PM Greg Wooledge wrote:
> On Fri, Aug 17, 2018 at 01:27:32PM -0300, Joao Roscoe wrote:
> > However, it will not solve the problem on how to centrally manage system
> > resources access across distros.
>
> You don't manage OS-specific (or "distro"-specific if you prefer that term)
> group IDs in a network database. Those are managed on a per-system basis
> in the local /etc/group or analogous file(s).
>
> Your network database should contain only your organization's local user
> and group identities. That's why the default NIS Makefile has MINUID
> and MINGID settings.
Re: Group ID conflicts between different distros: how to manage them with NIS?
On Fri, Aug 17, 2018 at 01:27:32PM -0300, Joao Roscoe wrote:
> However, it will not solve the problem on how to centrally manage system
> resources access across distros.

You don't manage OS-specific (or "distro"-specific if you prefer that term) group IDs in a network database. Those are managed on a per-system basis in the local /etc/group or analogous file(s).

Your network database should contain only your organization's local user and group identities. That's why the default NIS Makefile has MINUID and MINGID settings.
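[Added example, not part of the message above: a small audit of the separation it describes, flagging group names whose GID differs between distros and NIS entries that fall below MINGID or overlap local system groups. All group data is constructed sample input, and MINGID=1000 and the function names are assumptions.]

```shell
#!/bin/sh
# Constructed sample data (not taken from real hosts): excerpts of a Red Hat
# and a Debian /etc/group, and of the group file a NIS map is built from.
REDHAT_GROUP='root:x:0:
lp:x:4:
dialout:x:18:
users:x:100:'
DEBIAN_GROUP='root:x:0:
lp:x:7:
dialout:x:20:
users:x:100:'
NIS_GROUP='lp:x:4:joao
serial_ports:x:5001:joao
staff_ops:x:18:maria'

# Print "name gidA gidB" for each group defined in both files with different GIDs.
gid_mismatches() {        # $1 = group data A, $2 = group data B
    { printf '%s\n' "$1"; echo '@@'; printf '%s\n' "$2"; } |
    awk -F: '$0 == "@@" { second = 1; next }
             !second    { gid[$1] = $3; next }
             ($1 in gid) && gid[$1] != $3 { print $1, gid[$1], $3 }'
}

# Print NIS entries that do not belong in the map when checked against one
# host: GID below MINGID, a name the host defines itself, or a GID the host
# already uses for a different group.
nis_violations() {        # $1 = NIS data, $2 = local group data, $3 = MINGID
    { printf '%s\n' "$2"; echo '@@'; printf '%s\n' "$1"; } |
    awk -F: -v min="$3" '$0 == "@@" { nis = 1; next }
        !nis { lname[$1] = 1; lgid[$3] = $1; next }
        $3 + 0 < min + 0 { print $1 ": GID " $3 " below MINGID " min }
        $1 in lname      { print $1 ": shadows a local system group" }
        ($3 in lgid) && lgid[$3] != $1 {
            print $1 ": GID " $3 " collides with local group " lgid[$3] }'
}

echo "Same name, different GID (Red Hat vs Debian):"
gid_mismatches "$REDHAT_GROUP" "$DEBIAN_GROUP"
echo "NIS entries to fix (checked against the Red Hat sample):"
nis_violations "$NIS_GROUP" "$REDHAT_GROUP" 1000
```

The same NIS entry can collide on one distro and not on the other, so the check needs to run against a group file from each kind of host.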
Re: Group ID conflicts between different distros: how to manage them with NIS?
You are right, I forgot to state that yes, I do use NFS to share files - great tip, this GID / UID remapping thing - thanks a lot.

However, it will not solve the problem on how to centrally manage system resources access across distros.

Joao

On Fri, Aug 17, 2018 at 10:49 AM wrote:
> On Fri, Aug 17, 2018 at 10:36:38AM -0300, Joao Roscoe wrote:
> > I have redhat and debian machines in the same network. Users and groups are
> > controlled via NIS
> >
> > I have realized that redhat and debian have different groups definitions
> > for system resources access control. For instance, redhat machines have
> > group lp with GID 4, while debian states that lp group is GID 7.
>
> If you are using NFS to share files (you aren't saying that), the newer
> nfs system allow UID and GID remapping.
>
> No experience with that, though.
>
> Cheers
> -- tomás
Re: Group ID conflicts between different distros: how to manage them with NIS?
On Fri, Aug 17, 2018 at 10:36:38AM -0300, Joao Roscoe wrote:
> I have redhat and debian machines in the same network. Users and groups are
> controlled via NIS
>
> I have realized that redhat and debian have different groups definitions
> for system resources access control. For instance, redhat machines have
> group lp with GID 4, while debian states that lp group is GID 7.

If you are using NFS to share files (you aren't saying that), the newer nfs system allow UID and GID remapping.

No experience with that, though.

Cheers
-- tomás
Re: Group ID conflicts between different distros: how to manage them with NIS?
On Fri, Aug 17, 2018 at 10:36:38AM -0300, Joao Roscoe wrote:
> What would be the best way to manage this (other than managing groups on
> machines themselves, individually)? Different NIS domains for different
> distros? Is there any tutorial on managing multiple domains on the same NIS
> server, out there? Other ideas?

Not trying to manage system groups with NIS.
Group ID conflicts between different distros: how to manage them with NIS?
I have redhat and debian machines in the same network. Users and groups are controlled via NIS

I have realized that redhat and debian have different groups definitions for system resources access control. For instance, redhat machines have group lp with GID 4, while debian states that lp group is GID 7.

That means that I cannot manage this kind of group based resource access control from NIS - not from a single one, at least, without doing something to remedy the conflicts

Maybe I could just chgrp the device files as needed, but I'd rather avoid doing this kind of intrusive tinkering. New boxes installs would be a problem, also.

What would be the best way to manage this (other than managing groups on machines themselves, individually)? Different NIS domains for different distros? Is there any tutorial on managing multiple domains on the same NIS server, out there? Other ideas?

Best regards,
João