[WBEL-users] NIS (and my own Holy Grail quest)
Wed, 15 Sep 2004 11:56:49 -0700
Denis Croombs wrote:
> I am using NIS on some thin client servers, which works until we
> change/reset the password; then the user can log in to the main NIS server but
> not the clients. Is there an easy way of updating the client server systems?
Denis there is a set of tools you must run whenever you update your
passwd file on the server so that it propagates the passwd info to the
client machines not running this tool will definitely cause the client
machines to not get the updated passwd data from the ypmaster maybe
running ypmatch on a client box will show you if the NIS map is getting
propagated at all to the clients and we can then learn if the NIS
clients are actually getting the data yeah I think that that's your best
bet right now because it will help you see if the maps are getting
updated I think that knowing that will help immensely.
I can't type like that any longer, but it was fun. My Mom's like that.
Really, Denis, use the ypmatch tool to see what your NIS server is
pushing, and make sure you're updating the maps on the server; it's got
to be done periodically, and without it the data just doesn't get
changed. I think that one of those two things will advance you just a
tiny bit toward a working solution.
And hey, I'm impressed at your bravery. Please tell me you're in a
private network that's guaranteed free of any tampering or
eavesdropping, like maybe a family setup, because NIS does have some
nifty limitations and problems. However, it seems that, when we go for
a decently replicated auth scenario, we can choose Security, Reliability
and Replication; pick any two. Maybe a decent set of iptables over a
TAP VTun solution may work to secure NIS.. hmm..
There was one auth project that used Hesiod for UIDs and a caching
Kerberos-type system. Anyone remember where that one is? I'm hoping
it's not a cronned-perl replication method. Does LDAP cache *and* do
referrals? So can I configure this machine, 3000 miles away, to feed
off a single auth record at home (or anywhere) and reasonably expect it
to always work despite network access?
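
Added example, not part of the original message: one way to check the propagation question raised in the reply is to compare the map order number that `yppoll` reports for the master with the one reported by the server the clients bind to. The host names, the domain and the sample `yppoll` output below are constructed for illustration, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: detect a stale NIS map by comparing order numbers.
# Hosts, domain and sample output are constructed, not from the thread.

# Read `yppoll` output on stdin and print the map's order number.
order_of() {
    sed -n 's/^Map .* has order number \([0-9][0-9]*\)\.*$/\1/p'
}

# Compare order numbers (master first); prints in-sync, stale or unknown.
map_status() {
    for n in "$1" "$2"; do
        case "$n" in
            ''|*[!0-9]*) echo unknown; return 0 ;;
        esac
    done
    if [ "$2" -lt "$1" ]; then
        echo stale      # the other server still holds an older build
    else
        echo in-sync
    fi
}

# Constructed sample output: master rebuilt after a password change,
# the second server still serving the previous build of the map.
SAMPLE_MASTER='Domain example.test is supported.
Map passwd.byname has order number 1095274609.
The master server is nis-master.example.test.'
SAMPLE_SLAVE='Domain example.test is supported.
Map passwd.byname has order number 1095101800.
The master server is nis-master.example.test.'

# Offline demonstration using the constructed samples above.
demo() {
    m=$(printf '%s\n' "$SAMPLE_MASTER" | order_of)
    s=$(printf '%s\n' "$SAMPLE_SLAVE" | order_of)
    map_status "$m" "$s"
}

# Live use: script.sh passwd.byname <master-host> <other-server-host>
if [ "$#" -eq 3 ] && command -v yppoll >/dev/null 2>&1; then
    m=$(yppoll -h "$2" "$1" | order_of)
    s=$(yppoll -h "$3" "$1" | order_of)
    echo "$1: $(map_status "$m" "$s") (master=$m other=$s)"
fi
```

A `stale` result means the maps were rebuilt on the master but not pushed; `ypmatch <user> passwd` on a client then still returns the old entry.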