Re: ypbind not registering with rpcbind on SL7

[David Sommerseth]

On 08/01/15 02:26, Konstantin Olchanski wrote:
 On Wed, Jan 07, 2015 at 05:27:32PM -0700, Stephen John Smoogen wrote:
 On 7 January 2015 at 17:06, Konstantin Olchanski olcha...@triumf.ca wrote:
[...snip...]
 And I expect that you had at that point still stories from people saying
 NIS broke everything when it went down and we should just use some homebrew
 kit (or worse yet.. add each user by hand because lord how are you going to
 know it got done.)

 Yes, nis broke everything. But this went away since we install secondary 
 NIS servers
 on every critical machine - as long as local ypserv and local ypbind stay up,
 no problems with NIS, even survives network outages (alsmost, DNS outages 
 still cause problems).
 
 Yes, add each user by hand, just happened on one of the systems I built,
 because local admins cannot figure out NIS and because ypbind keeps dying
 on that machine. Not that adding the user manually did any good, without 
 ypbind
 they lose access to the auto-mounted home directory for that user.

And these things are *exactly* what IPA can provide an *easy* user
interface for.  If you would really look at it, instead of shooting it
down.  Local admins just need to run *one* *single* command as root
(ipa-client-install), and the system is configured and is ready for use.
 This single commands configures everything and the options
ipa-client-install take shouldn't make you able to shoot yourself in the
foot, unless you really do it on purpose - and you would know in advance
that it would be stupid.

 With this experience - people cannot figure out service ypbind restart
 and vi /etc/auto.home; make -C /var/yp - I am not putting out anything as
 complex as LDAP, Kerberos, Web based administration, etc.

If people can't figure out that ypbind needs to be started or manually
modify /etc/auto.home and updating it with a make command, then I'd say
NIS is too complex too.  Then doing the single ipa-client-install *is*
simpler from their perspective.

You seem not to have grasped that IPA doesn't need users to understand
LDAP or Kerberos at all.  IPA does all that for you, and all you need to
understand is to run ipa-client-install on the clients.  And the IPA
admin provides a lot of safe-guards, helping you not doing anything stupid.

Since I deployed FreeIPA on two networks, I have only _once_ needed to
use an LDIF file to update the 389-DS configuration on the servers to
workaround a bug in the replication (which, btw, should be fixed in
newer upstream versions of 389-DS).  And that is the only time I needed
to touch more lower-level LDAP pieces.  And _not_ _once_ have I needed
to touch kadmin tools.

[...snip]

 Yes, so true. And yet, in 10 years, no viable replacement, other than
 the light weight 800 poud gorilla of identity management product.

Do you mean server or client side?  On my server at home (HP Microserver
with AMD N54L! That's a fairly low performance CPU) the IPA server
(389DS, Kerberos daemons, Apache httpd) spends roughly 130MB of RAM
today.  The SSSD daemon which clients needs uses something like 40MB.
And neither server nor client processes uses much CPU time.  On todays
computers (even on embedded), the SSSD RAM usage won't be a problem.

Yes, it might be far more than your ypbind setup.  But IPA provides a
far more robust and feature rich implementation with far better security
which is better suited for the 21th century.

As Stephen said earlier, it's your shop and you'll do it how you want it
on your site.  But please stop spreading FUD about IPA being such
gigantic monster.  Such FUD was what kept me away from IPA for far too
long, and I was incredibly surprised to see how easy it was to setup and
configure, and how little intrusive the setup really was.  I instantly
regretted not having done this earlier.

Yes, the documentation suggests that IPA servers should provide DNS and
NTP services as well.  Those are *optional*.  In fact the default
installation of FreeIPA servers *does not* include DNS, you must add
--setup-dns to do get that.  NTP can also be ignored by passing --no-ntp
to ipa-{client,server}-install.  But, yes, it is *recommended* to
provide these services to your domain.

I tried the IPA DNS setup at home, where I already had my own BIND
server running.  I decided to only try DNS on the sub-domain for IPA
clients.  It took me less than a week before I had migrated the
complete DNS to IPA, because it just made my life so much easier -
despite I didn't have to do this at all.  So now my old DNS server is
mostly a slave DNS to my IPA server instead - and the rest of my boxes
(even DHCP server) didn't need to be updated.  At home, things are
definitely in a better state now than before.

For NTP, as long as the clocks on all boxes are in sync, there's really
no need to worry about that.  But once clocks are more than 5 minutes
(IIRC) out of sync against the IPA server, authentication may fail.  I
even think the time scew tolerance is configurable too.


-- 

RE: ypbind not registering with rpcbind on SL7

[James M. Pulver]

“My main concern is that most places I have seen that kept with ypbind get 
replaced with Active Directory”

In fact, we’re in the process of doing that now. We’ve got user logins and 
groups working well. The next challenge is the automount maps. It’s not a bad 
thing, in fact it has made our Windows / Linux integration much easier. It’s 
quite nice to be able to use Putty on Windows and have it pass the Kerberos 
ticket you logged into Windows with over to the Linux server you’re connecting 
to.

--
James Pulver
CLASSE Computer Group
Cornell University

From: owner-scientific-linux-us...@listserv.fnal.gov 
[mailto:owner-scientific-linux-us...@listserv.fnal.gov] On Behalf Of Stephen 
John Smoogen
Sent: Wednesday, January 07, 2015 5:22 PM
To: scientific-linux-users@fnal.gov
Subject: Re: ypbind not registering with rpcbind on SL7



On 7 January 2015 at 14:54, Konstantin Olchanski 
olcha...@triumf.camailto:olcha...@triumf.ca wrote:
Yes, thank you for the references to the Red Hat identity management system.

Of course it is based on LDAP, but also it requires use of Kerberos
(which we do not have fun with in the AFS/Kerberos environement at CERN),
and recommended practice is to have it take over the DNS and NTP services.

To me this looks like software designed to manage central IT at IBM
(complete with a full staff of professional sysadmins).

Too heavy weight (in the number of software components and
in the number of books to read) for running small clusters of 5-10 machines 
managed
by non-dedicated non-sysadmin non-IT people.

Hehe. I remember when 20 years ago people would say the exact same thing about 
ypbind over some sort of script set which copied everything with root rcp. 
Those then got replaced by people who had used ypbind somewhere and were 
comfortable on it.

My main concern is that most places I have seen that kept with ypbind get 
replaced with Active Directory (which FreeIPA is really trying to give an 
answer for).

But in the end, it is your shop and you will do it however it is needed :).

--
Stephen J Smoogen.

Re: ypbind not registering with rpcbind on SL7

[Karel Lang AFD]

Hi guys,
if i might add my view onto this matter .. :]

I think the LDAP doesn't complicate things - on the contrary, it 
simplify them.
Ofc, the installation and configuration of 389 Directory server (if 
speaking about RHEL and clones) is definitely much more demanding in 
know-how compared to YP.


But speaking then about day-to-day work, and setting up other things 
than need authentication, the LDAP is a blessing.


Half year ago i helped to do a 'switch' to LDAP for a company (300 
users) in mixed env of Windows workstations and servers, Linux 
workstations and servers.


DC was 3.6 samba authenticating windows users and YP for unix /linx users.

Then other various systems needing authentication (printers, IM system, 
zimbra, blackberry server ... maintaining anything user-data related was 
hell for the IT team.


I implemented 389DS with as a authentication backend for Samba and SSSD. 
And i pointed all other applications / devices that require 
authentication to LDAP too (printers, openfire server, osticket system, 
zimbra server etc etc).


With the help of smbldap-tools and written scripts i recrunched data, 
changed needed rights, Samba RIDs and SIDs, Linux UIDs and migrated 
everything.


Since then, no more user-data problems.

What i want to say is, YP server, thanks to it's simplicity still has 
its uses in purely Unix/Linux secured LANs, but such an environment is 
quite a rarity nowadays.


LDAP is the standard these days in both worlds - unix and windows alike. 
No matter if speaking about windows AD with multimaster replication or 
about IPA (again with mulstimaster repl) the backend storing user data 
is still LDAP.


cheers,

--
*Karel Lang*
*Unix/Linux Administration*
l...@afd.cz | +420 731 13 40 40
AUFEER DESIGN, s.r.o. | www.aufeerdesign.cz

Re: gdbm update broke my yp make

[Roderick Johnstone]

On 07/01/2015 22:23, Konstantin Olchanski wrote:

On Wed, Jan 07, 2015 at 02:35:46PM +, Roderick Johnstone wrote:

With the update that came in this morning from fastbugs,
gdbm-1.8.0-37.el6.x86_64, I now get:

# make
gmake[1]: Entering directory `xxx'
Updating auto.home...
makedbm: dbm_store: Success
gmake[1]: [auto.home] Error 1 (ignored)

By downgrading to the -36 package I can restore the yp make to
working again.



Confirmed. NIS becomes broken all right.

And there is more breakage, see other comments here:
https://bugzilla.redhat.com/show_bug.cgi?id=629640#c31



Thanks for confirming.

I've cc'ed myself on the Red Hat bug, so I guess we just wait for a new 
update to be released.


Roderick