From owner-freebsd-questions@FreeBSD.ORG Sat Dec 11 06:34:06 2004
Message-ID: <41BA94C7.7050206@mac.com>
Date: Sat, 11 Dec 2004 01:33:43 -0500
From: Chuck Swiger
Organization: The Courts of Chaos
To: Vulpes Velox
References: <20041210232230.6c27aa92@vixen42.24-119-122-191.cpe.cableone.net>
In-Reply-To: <20041210232230.6c27aa92@vixen42.24-119-122-191.cpe.cableone.net>
cc: freebsd-questions@freebsd.org
Subject: Re: NIS and non-NIS question

Vulpes Velox wrote:
> I have a box I want to rework to allow it to operate outside a NIS
> environment when outside my LAN and use NIS and NFS when it is not. Any
> suggestions on how to go about this?

Set up a cron job to invoke a shell script which rsyncs your YP master's password file (and /etc/group, and anything else you might care about) when you are on your LAN, and not if you are not, every X minutes. Have it run pwd_mkdb too. Maybe add a little awk or perl magic spice to add or screen out a range of userids. Then disable NIS and rely on plain old flatfiles.

If you use rsync-via-ssh (which is now the default behavior), the process above will transmit sensitive password data with considerably more security than you get when using plain NIS. On the other hand, if you are running NFS, your risk profile against someone who can sniff your local subnet isn't significantly altered, so don't worry too much about this, but the issue of security is worth considering at least a little.

For NFS, you might give the automounter (see "man amd") a try. So long as you don't descend into a mount point deliberately (or accidentally via recursion using find, grep, etc), the machine will not actually attempt to NFS-mount the remote filesystem.

For that matter, you might even consider switching models of operation to using CIFS/samba instead of NFS. Oddly enough, even though NFS is a stateless remote filesharing system by design, it's pretty easy to wedge a lot of important processes if an NFS share becomes unavailable. MacOS X seems to tolerate CIFS shares going away better than it handles NFS going away, and FreeBSD might well be similar. (I haven't exhaustively tested either problem case *deliberately*, mind you...! :-)

-- 
-Chuck
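The cron-driven sync sketched in the reply above, written out as an added example; this is not Chuck's script and not anything posted in the thread. It assumes a YP master reachable as ypmaster.lan.example, that master's password file exported at /var/yp/master.passwd, and NIS-managed users living in UIDs 1000 to 59999 (all three are assumptions, overridable through the environment). The awk "screen" keeps every local account outside that UID range, so system accounts never come from the network and a master-side entry cannot shadow root, and the script refuses to hand pwd_mkdb a file that has lost its root entry.

```shell
#!/bin/sh
# Added example (not Chuck Swiger's script): cron-driven flat-file sync of
# the NIS master's password file, as sketched in the reply above.
# Hostname, remote path and the NIS UID range are assumptions.
set -eu

YP_MASTER="${YP_MASTER:-ypmaster.lan.example}"          # assumed NIS master hostname
REMOTE_PASSWD="${REMOTE_PASSWD:-/var/yp/master.passwd}"  # assumed path on the master
NIS_UID_MIN="${NIS_UID_MIN:-1000}"                       # assumed range of NIS-managed UIDs
NIS_UID_MAX="${NIS_UID_MAX:-59999}"

# on_lan: "am I home?" test; true when the YP master answers a single ping.
on_lan() {
    ping -c 1 "$YP_MASTER" >/dev/null 2>&1
}

# screen_uids LOCALFILE MASTERFILE MIN MAX
# Merges two master.passwd files: local entries whose UID lies outside
# [MIN,MAX] are kept as-is (system accounts never come from the network),
# then master entries inside the range are appended unless their login name
# collides with a kept local account (so the master copy cannot shadow root).
screen_uids() {
    awk -F: -v min="$3" -v max="$4" -v localfile="$1" '
        FILENAME == localfile {
            if ($3 < min || $3 > max) { print; seen[$1] = 1 }
            next
        }
        $3 >= min && $3 <= max && !($1 in seen) { print }
    ' "$1" "$2"
}

# sync_from_master: pull the master copy over rsync/ssh, screen it, and let
# pwd_mkdb -p install the result as /etc/master.passwd and rebuild /etc/passwd
# plus the pwd.db/spwd.db databases.
sync_from_master() {
    remote=$(mktemp /etc/.master.passwd.remote.XXXXXX)
    merged=$(mktemp /etc/.master.passwd.new.XXXXXX)
    trap 'rm -f "$remote" "$merged"' EXIT
    # rsync over ssh: the password hashes never cross the wire in the clear.
    rsync -q -e ssh "root@$YP_MASTER:$REMOTE_PASSWD" "$remote"
    screen_uids /etc/master.passwd "$remote" "$NIS_UID_MIN" "$NIS_UID_MAX" > "$merged"
    chmod 600 "$merged"
    # Refuse to install a file that lost root: a truncated or empty transfer
    # must not leave the box without a working superuser entry.
    grep -q '^root:' "$merged" || { echo "sync: no root entry, aborting" >&2; return 1; }
    pwd_mkdb -p "$merged"   # moves $merged into place as /etc/master.passwd
}

# main: run from cron, e.g.  */10 * * * * /usr/local/sbin/sync-passwd --sync
# With nis_client_enable="NO" in rc.conf the box relies on these flat files
# and simply keeps the last good copy while it is off the LAN.
main() {
    if on_lan; then
        sync_from_master
    fi
}

if [ "${1:-}" = "--sync" ]; then
    main
fi
```

The same screen_uids function serves /etc/group unchanged, since the GID sits in the third colon-separated field there too; /etc/group needs no pwd_mkdb step, only a chmod 644 and a rename into place.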