[ale] Managing passwd and sudoers files on multiple servers.
Jim Kinney
jim.kinney at gmail.com
Fri Aug 22 11:48:57 EDT 2014
Just saw a note on the freeIPA list that the devels hope to have a server
working by Dec in Debian unstable. No status of client support was
mentioned.
On Fri, Aug 22, 2014 at 9:25 AM, Jim Kinney <jim.kinney at gmail.com> wrote:
> I don't use Debian anywhere to test. Once I get caught up on current
> projects, I'll set up an Ubuntu VM for IPA testing as that is the other
> distro used internally.
> On Aug 22, 2014 8:24 AM, "JD" <jdp at algoloma.com> wrote:
>
>> Sounds like NIS/NIS+.
>>
>> I looked a few months ago and the debian port of freeIPA seemed stalled
>> over the
>> 50+ different languages used in the 100+ tiny tools that make up the
>> offering. A
>> few of the key tools didn't work on Debian. I'm exaggerating a little,
>> but not
>> much. Have things changed?
>>
>>
>> On 08/22/2014 07:59 AM, Jim Kinney wrote:
>> > Bite the bullet and look at freeIPA. It's designed to run AD out of the
>> > workplace.
>> > The clincher for me was the hostgroup. All users are in a primary group
>> and
>> > as many secondary groups as needed. Hosts are also in groups or not.
>> User
>> > groups of the proper type can access host groups as allowed. This can
>> also
>> > setup sudo capabilities by user, user group, host and host group. So a
>> > script that runs as root that does a particular needed task can be
>> deployed
>> > to all systems but only accessed by allowed users on allowed hosts. Time
>> > controls exist as well.
>> >
>> > Backups of freeIPA are a bit unnerving. They basically don't exist other
>> > than turn down the service and copy all files. What is used is the multi
>> > master replication.
>> >
>> > I have 2 primary masters that are department wide. There's a new group
>> in a
>> > remote location that has their own big server. It's a secondary master.
>> > Masters run DNS as well as user with. So the clients in that group use
>> that
>> > as their primary DNS and the others as secondary. If network is flaky,
>> they
>> > have only a single switch between client and server. And the server
>> stays
>> > synchronized with the larger group.
>> > A really nice feature if freeIPA is it can hold ssh pub keys for users.
>> SSh
>> > and Pam knows to check the LDAP for pub keys on login. For users, no
>> more
>> > key migration. If you're allowed on that machine, it just works. For
>> > admins, if a user must be locked out, just dumping their key and locking
>> > the account to disabled handles it.
>> >
>> > Yes, it's run/funded by RedHat now. Debian supports it but I found some
>> > blockers in Ubuntu (10 I think. Not tried 12). I don't know if SUSE has
>> a
>> > pam/ssh compatible or not.
>> > It works. It works very well. Active support community with developers
>> on
>> > the mailing list who help.
>> >
>> > Added bonus is dogtag is used for CA and cert management. This can
>> provide
>> > user certs for authenticated access to internal websites.
>> > On Aug 22, 2014 6:58 AM, "JD" <jdp at algoloma.com> wrote:
>> >
>> >> On 08/22/2014 12:19 AM, Jeff Hubbs wrote:
>> >>> On 8/21/14, 11:43 PM, JD wrote:
>> >>>> NIS if you don't care about security.
>> >>>>
>> >>>> LDAP if you do. FreeIPA is the RH answer for this - I'm jealous.
>> >>> Agree re LDAP; if you're syncing passwd/group/sudoers files, you're
>> >> Doing It
>> >>> Wrong (tm). I long advocated avoiding "X's LDAP solution" (for values
>> >> of X to
>> >>> include Red Hat and Microsoft) so you are motivated to keep things
>> >> simple and
>> >>> manageable and don't wind up in abandonwareland or experience
>> >>> embrace/extend/extinguish.
>> >>>
>> >>
>> >> So - if not puppet/ansible - then how should we be managing sudoers?
>> >> Teach me Obiwan.
>> >>
>> >> Please don't say eTrust. ;)
>> >> _______________________________________________
>> >> Ale mailing list
>> >> Ale at ale.org
>> >> http://mail.ale.org/mailman/listinfo/ale
>> >> See JOBS, ANNOUNCE and SCHOOLS lists at
>> >> http://mail.ale.org/mailman/listinfo
>> >>
>> > -------------- next part --------------
>> > An HTML attachment was scrubbed...
>> > URL: <
>> http://mail.ale.org/pipermail/ale/attachments/20140822/7f67a92b/attachment.html
>> >
>> > _______________________________________________
>> > Ale mailing list
>> > Ale at ale.org
>> > http://mail.ale.org/mailman/listinfo/ale
>> > See JOBS, ANNOUNCE and SCHOOLS lists at
>> > http://mail.ale.org/mailman/listinfo
>> >
>>
>>
>> --
>> JD Pflugrath
>> Value | Results
>> Direct: +001.678.685.8882
>> Ofc: 1.866.963.2546
>> Managing Director
>> Algoloma Systems, LLC
>> _______________________________________________
>> Ale mailing list
>> Ale at ale.org
>> http://mail.ale.org/mailman/listinfo/ale
>> See JOBS, ANNOUNCE and SCHOOLS lists at
>> http://mail.ale.org/mailman/listinfo
>>
>
--
--
James P. Kinney III
Every time you stop a school, you will have to build a jail. What you gain
at one end you lose at the other. It's like feeding a dog on his own tail.
It won't fatten the dog.
- Speech 11/23/1900 Mark Twain
*http://heretothereideas.blogspot.com/
<http://heretothereideas.blogspot.com/>*
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.ale.org/pipermail/ale/attachments/20140822/64056eeb/attachment.html>
More information about the Ale
mailing list