[WBEL-users] NIS (and my own Holy Grail quest)

bishop bishop@platypus.bc.ca
Wed, 15 Sep 2004 11:56:49 -0700


Denis Croombs wrote:

> I am using NIS on some thin client servers which works until we
> change/reset the password then the user can login to the main NIS server but
> not the clients is there an easy way of updating the client server systems ?

Denis there is a set of tools you must run whenever you update your 
passwd file on the server so that it propagates the passwd info to the 
client machines not running this tool will definitely cause the client 
machines to not get the updated passwd data from the ypmaster maybe 
running ypmatch on a client box will show you if the NIS map is getting 
propagated at all to the clients and we can then learn if the NIS 
clients are actually getting the data yeah I think that that's your best 
bet right now because it will help you see if the maps are getting 
updated I think that knowing that will help immensely.

I can't type like that any longer, but it was fun.  My Mom's like that.

Really, Denis, use the ypmatch tool to see what your NIS server is 
pushing, and make sure you're updating the maps on the server;  it's got 
to be done periodically, and without it the data just doesn't get 
changed.  I think that one of those two things will advance you just a 
tiny bit toward a working solution.

And hey, I'm impressed at your bravery.  Please tell me you're in a 
private network that's guaranteed free of any tampering or 
eavesdropping, like maybe a family setup, because NIS does have some 
nifty limitations and problems.  However, it seems that, when we go for 
a decently replicated auth scenario, we can choose Security, Reliability 
and Replication; pick any two.  Maybe a decent set of iptables over a 
TAP VTun solution may work to secure NIS.. hmm..

There was one auth project that used Hesiod for UIDs and a caching 
Kerberos-type system.  Anyone remember where that one is?  I'm hoping 
it's not a cronned-perl replication method.  Does LDAP cache *and* do 
referrals?  So can I configure this machine, 3000 miles away, to feed 
off a single auth record at home (or anywhere) and reasonably expect it 
to always work despite network access?

  - bish
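
The check suggested above, as an added example that is not part of the original post. It goes a little beyond ypmatch by also comparing map order numbers with yppoll; it assumes the yp-tools client commands are installed, and the host names, user name and sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the original post. Assumes the yp-tools client
# commands (ypwhich, yppoll, ypmatch); host and user names are placeholders.

# Constructed sample of yppoll output, showing the line order_number parses.
SAMPLE_YPPOLL='Domain example.test is supported.
Map passwd.byname has order number 1095274609.
The master server is nis-master.example.test.'

# Read yppoll output on stdin, print the map's order number (its build time).
order_number() {
    sed -n 's/.*order number \([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Print stale/current/unknown for: master order number, bound-server order number.
compare_orders() {
    case "$1" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    case "$2" in ''|*[!0-9]*) echo unknown; return 0 ;; esac
    if [ "$2" -lt "$1" ]; then echo stale; else echo current; fi
}

# Compare the password field of two passwd entries (ypmatch output taken
# before and after a reset). "unchanged" after a reset suggests the old map is
# still being served (if the field is only "x", hashes are in shadow.byname).
entry_changed() {
    old=$(printf '%s\n' "$1" | cut -d: -f2)
    new=$(printf '%s\n' "$2" | cut -d: -f2)
    if [ "$old" = "$new" ]; then echo unchanged; else echo changed; fi
}

# Live check on a client: check_nis USER MASTER_HOST [ENTRY_BEFORE_RESET]
check_nis() {
    bound=$(ypwhich) || { echo "not bound to a NIS server" >&2; return 1; }
    m=$(yppoll -h "$2" passwd.byname | order_number)
    b=$(yppoll -h "$bound" passwd.byname | order_number)
    echo "passwd.byname on $bound is $(compare_orders "$m" "$b")"
    now=$(ypmatch "$1" passwd.byname) || { echo "no entry for $1" >&2; return 1; }
    if [ -n "$3" ]; then echo "entry for $1 is $(entry_changed "$3" "$now")"; fi
}

# Runs only when given arguments: sh nischeck.sh alice nis-master.example.test
if [ "$#" -ge 2 ]; then check_nis "$@"; fi
```

A "stale" or "unchanged" result points at the server side: the maps were not rebuilt or pushed after the password change (on many systems the rebuild is a make run in /var/yp on the master, which is an assumption about the setup here).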