From: Chuck Swiger
Organization: The Courts of Chaos
Date: Tue, 14 Feb 2006 13:40:51 -0500
To: Luigi Rizzo
Cc: current@freebsd.org
Subject: Re: options for centralized 'passwd' database for a diskless lab ?
Message-ID: <43F22433.3080500@mac.com>
In-Reply-To: <20060214091150.A70808@xorpc.icir.org>

Luigi Rizzo wrote:
> as per the subjects, what options do i have to set a centralized
> 'passwd' database for a lab with FreeBSD diskless machines ?
>
> In the past (4.x times) i used YP/NIS which did the job but was
> highly insecure (all traffic unencrypted) and also a bit of a pain to configure.
> It was convenient though because it let users change their
> password and other info just using the passwd command.

Yes. Sun solved the issue of plaintext traffic via SecureRPC, which adds
encryption to the low-level protocol that YP/NIS talks over. I don't believe
FreeBSD supports SecureRPC, but I'd be happy to be wrong about that.

> I have been browsing around a bit, and i see that pam_* (tried pam_radius)
> can do for the authentication part but not for the other info;
> nss_* seems to be a better suit but the only thing i see is nss_ldap
> and i am not familiar with the latter.
>
> So any suggestions or pointers to pages describing what to do ?

Most people seem to end up with LDAP, and spend a fair amount of time going
through the O'Reilly book (which is worth a read) and looking at various
schemas to figure out how to organize their info. Even so, LDAP is kinda
painful to set up.

You might take a look at how Samba integrates with LDAP, since that also plays
nice with Windows and Mac clients. If you install Webmin, you can use a
point-n-click interface which is easier than gaining a low-level understanding
of how the pieces work together.

Webmin will deal with synchronizing the Samba users and actual FreeBSD user
accounts if you change information; otherwise you end up having to configure a
script for smbpasswd, or you end up having users run both passwd and smbpasswd.

--
-Chuck