From: Daniel Eischen <deischen@freebsd.org>
Date: Mon, 20 Jun 2016 22:00:31 -0400 (EDT)
To: Zaphod Beeblebrox
Cc: Chris Watson, freebsd-fs, FreeBSD Hackers
Subject: Re: The small installations network filesystem and users.

On Mon, 20 Jun 2016, Zaphod Beeblebrox wrote:

> That-all-said, authentication is a possible huge win.  I was recently
> involved in a deployment of Ubuntu that included LDAP and even though it
> was a mess, it eventually was hammered into working.  Ubuntu and the
> implementation were not my choice, but you do what you're told when
> someone else is paying the bill.  Honestly, I don't know how I would have
> pitched FreeBSD there.  Not even Ubuntu itself had LDAP right.  It was a
> combination of third parties.  Even with that gigantic head start, LDAP
> was a bear --- but AFAICT, LDAP is _required_ for NFSv4 deployments.
> Now, LDAP without Winblows is slightly less of a bear, _but_
>
> Maybe this dovetails with a subtext at BSDCan's keysigning BOF: that many
> projects risk irrelevance with their complexity.  It's not that I believe
> complex setups are bad.  But simple things need to be simple.  I have 3
> machines at home (for instance) and a cluster of 8 machines in colo (run
> the ISP).  On my 3 machines at home, I run NFSv3 because it works and I
> can get it set up.  I'd like to run NFSv4 because then my Windows
> machines would look at it, but I run SMB instead (v3, no less) because it
> roughly works.  So at home... I have three machines and a fairly liberal
> hacking time budget.  I have failed at LDAP several times.  I'm back to
> copying the master.password file around because that works.  I don't
> like it, but it works.  It seems like the breakeven for LDAP effort vs.
> scp master.password is somewhere around 50 machines.  -ish.
>
> I realize the real problem is that authentication has become more complex
> in the world since networks can't be trusted.  I have to wonder if we're
> getting back closer to that now with all the tunneling on wifi and campus
> networks.  Sigh.  I'm starting to feel like this whole post has no
> purpose.

We should support LDAP client out of the box, in base.

What sucks now is that we need 3 packages (plus their dependencies) and
multiple config files for ldap:

  pam_ldap
  nss_ldap
  openldap-client

And modify/tailor 3 config files in ${LOCALBASE}, all similarly:

  ldap.conf
  nss_ldap.conf
  openldap/ldap.conf

Then the secret files also in ${LOCALBASE}, again with the same info:

  etc/ldap.secret
  etc/nss_ldap.secret

Then you have to deal with the certificates, and more than one is a pain.
Then in ${BASE} you have to add an ldap file in /etc/pam.d/.  And modify
/etc/nsswitch.conf.

It seems easier, with less config duplication, in Solaris (11):

  # Initialize the NSS database.
  $ certutil -N -d /var/ldap
  $ chmod 444 /var/ldap/*.db

  # Add your certificate(s) (-n takes the certificate's nickname).
  $ certutil -A -n <nickname> -i /tmp/certfile.pem -t CT -d /var/ldap

  # Set up the system as an LDAP client.
  $ ldapclient init

Modifying /etc/nsswitch.conf on FreeBSD is easier than Solaris; still
haven't gotten used to the many keystrokes needed for svc mods:

  $ svccfg
  svc:/system/name-service/switch> setprop config/host = astring: "files dns"
  svc:/system/name-service/switch> setprop config/password = astring: "files [NOTFOUND=continue] ldap"
  svc:/system/name-service/switch> setprop config/group = astring: "files [NOTFOUND=continue] ldap"
  svc:/system/name-service/switch> select system/name-service/switch:default
  svc:/system/name-service/switch:default> refresh
  svc:/system/name-service/switch:default> validate
  svc:/system/name-service/switch:default> quit
  $ svcadm refresh name-service/switch

-- 
DE
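The duplication Daniel describes (three ldap.conf-style files plus two secret files that must all carry the same settings) is exactly where stale copies and loose permissions creep in. The script below is an added example, not code from the thread or from any of the ports named: it cross-checks the duplicated keys and the secret-file modes, assuming the files sit under ${LOCALBASE}/etc as listed above and that the sample tree it builds is constructed data.

```shell
#!/bin/sh
# Added example, not from the thread: cross-check the duplicated FreeBSD LDAP
# client settings the message lists. Assumes the pam_ldap, nss_ldap and
# openldap-client files live under ${LOCALBASE}/etc in "key value" syntax.

# Print a key's value (case-insensitive, so "uri" matches OpenLDAP's "URI")
# from an ldap.conf-style file; comment lines start with "#" and never match.
ldap_get() {   # ldap_get FILE KEY
    awk -v k="$2" 'tolower($1) == tolower(k) { $1 = ""; sub(/^ +/, ""); print; exit }' "$1"
}

# Compare one key across the three config files. Returns 0 when every file
# that sets the key agrees with the first one, 1 (with a report) otherwise.
ldap_check_key() {   # ldap_check_key LOCALBASE KEY
    lb="$1"; key="$2"; ref=""; rc=0
    for f in etc/ldap.conf etc/nss_ldap.conf etc/openldap/ldap.conf; do
        [ -r "$lb/$f" ] || continue
        v=$(ldap_get "$lb/$f" "$key"); [ -n "$v" ] || continue
        if [ -z "$ref" ]; then ref="$v"
        elif [ "$v" != "$ref" ]; then echo "MISMATCH $key: $f has '$v', not '$ref'"; rc=1
        fi
    done
    return $rc
}

# The *.secret files hold the bind password: no group/other permission bits.
ldap_check_secret() {   # ldap_check_secret FILE
    [ -f "$1" ] || { echo "MISSING $1"; return 1; }
    perm=$(ls -ld "$1" | cut -c1-10)   # e.g. -rw------- ; same on BSD and GNU ls
    case "$perm" in
        -???------) echo "OK $1 ($perm)"; return 0 ;;
        *) echo "EXPOSED $1 ($perm): readable by group or other"; return 1 ;;
    esac
}

# Constructed sample tree (not a real ${LOCALBASE}): the openldap-client copy
# was never moved from ldap:// to ldaps://, and one secret file is world-readable.
make_sample_tree() {   # make_sample_tree DIR
    mkdir -p "$1/etc/openldap"
    printf 'uri ldaps://ldap.example.test/\nbase dc=example,dc=test\n' > "$1/etc/ldap.conf"
    printf 'uri ldaps://ldap.example.test/\nbase dc=example,dc=test\n' > "$1/etc/nss_ldap.conf"
    printf 'URI ldap://ldap.example.test/\nBASE dc=example,dc=test\n' > "$1/etc/openldap/ldap.conf"
    printf 'constructed-bind-password\n' > "$1/etc/ldap.secret";     chmod 600 "$1/etc/ldap.secret"
    printf 'constructed-bind-password\n' > "$1/etc/nss_ldap.secret"; chmod 644 "$1/etc/nss_ldap.secret"
}

demo=$(mktemp -d); make_sample_tree "$demo"
for k in uri base; do ldap_check_key "$demo" "$k" && echo "OK $k agrees in all files"; done
for s in etc/ldap.secret etc/nss_ldap.secret; do ldap_check_secret "$demo/$s" || :; done
cmp -s "$demo/etc/ldap.secret" "$demo/etc/nss_ldap.secret" || echo "MISMATCH: secret files differ"
rm -rf "$demo"
```

Point it at a real tree by replacing the constructed directory with ${LOCALBASE} (normally /usr/local); run it after every edit to one of the three files so the other two do not silently fall behind.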