From: Michael Howard
Date: Sun, 15 Mar 2020 08:30:20 +0000
Subject: Re: Centralized user/group/whatever management
To: freebsd-questions@freebsd.org

On 15/03/2020 06:17, Victor Sudakov wrote:
> Michael Howard via freebsd-questions wrote:
>>>>>> Do you think there exists a modern solution for centralized user/group/...
>>>>>> management compatible with FreeBSD and Linux?
>>>>> I think the best combination is probably a Windows AD setup, with
>>>>> FreeBSD/Linux clients attaching to it. (Although I still do external DNS
>>>>> importing the AD objects into it, really can't stand windows DNS).
>>>>>
>>>>> This does work really seamless, the GUI tools are well utilized.
>>>>>
>>>>> It really gets you the hard part (LDAP, Kerberos) in a pretty easy to
>>>>> use package. I don't know how many hours I've spent on OpenLDAP
>>>>> getting it to work with things, and management packages for OpenLDAP
>>>>> are pretty sucky overall.
>>>> I agree here with Doug, as strange as it sounds, Samba is your best bet.
>>>> When you provision your domain you shall enable the POSIX extensions. It
>>>> will create all GECOS stuff. pam_winbind is also nice.
>>> So pam_winbind it is, if you want to use AD for user/group management?
>>> Does winbindd not crash any more under FreeBSD?
>>>
>>> Do you need to also enable winbind somehow in nsswitch.conf?
>>>
>>>> One must simply admit that Active Directory is a well-thought system not
>>>> just for Unix. You may join your machines either with Samba, more easily
>>>> with msktutil (disclaimer, I am a maintainer) which works flawlessly on
>>>> FreeBSD.
>>> I'll certainly look at it if I have to integrate FreeBSD into Windows AD.
>>>
>>> However first I'd like to find a free, open source solution for a
>>> Unix-only office. Hope it will not eventually come to buying a Windows
>>> server to manage Linux and FreeBSD workstations.
>>>
>> Samba is free and open source. Absolutely no need to buy MS Windows.
> What do you mean by "Samba" in this context? A centralized user/group
> management server? A centralized user/group management client?
>

Both of course. One without the other is not much use in your context. You still leave yourself at the mercy of one of your original issues with NIS and that is you need the server available over the network. I doubt you'll find any system _without_ drawbacks but Samba is good and free. It can be managed through a MS GUI, albeit from a MS Windows based PC and has a very large user base.