Date: Sat, 11 Dec 2004 09:09:10 -0600
From: Vulpes Velox <v.velox@vvelox.net>
To: Chuck Swiger <cswiger@mac.com>
Cc: freebsd-questions@freebsd.org
Subject: Re: NIS and non-NIS question
Message-ID: <20041211090910.0d1579e9@vixen42.24-119-122-191.cpe.cableone.net>
In-Reply-To: <41BA94C7.7050206@mac.com>
References: <20041210232230.6c27aa92@vixen42.24-119-122-191.cpe.cableone.net> <41BA94C7.7050206@mac.com>
On Sat, 11 Dec 2004 01:33:43 -0500
Chuck Swiger <cswiger@mac.com> wrote:

> Vulpes Velox wrote:
> > I have a box I want to rework to allow it to operate outside a NIS
> > environment when outside my LAN and use NIS and NFS when it is not.
> > Any suggestions on how to go about this?
>
> Set up a cron job to invoke a shell script which rsync's your YP
> master's password file (and /etc/group, and anything else you might
> care about) when you are on your LAN, and not if you are not, every
> X minutes. Have it run pwd_mkdb too. Maybe add a little awk or
> perl magic spice to add or screen out a range of userid's. Then
> disable NIS and rely on plain old flatfiles.
>
> If you use rsync-via-ssh (which is now the default behavior), the
> process above will transmit sensitive password data with
> considerably more security than you get when using plain NIS. On
> the other hand, if you are running NFS, your risk profile against
> someone who can sniff your local subnet isn't significantly altered,
> so don't worry too much about this, but the issue of security is
> worth considering at least a little.
>
> For NFS, you might give the automounter (see "man amd") a try. So
> long as you don't descend into a mount point deliberately (or
> accidentally via recursion using find, grep, etc), the machine will
> not actually attempt to NFS-mount the remote filesystem.
>
> For that matter, you might even consider switching models of
> operation to using CIFS/samba instead of NFS. Oddly enough, even
> though NFS is a stateless remote filesharing system by design, it's
> pretty easy to wedge a lot of important processes if an NFS share
> becomes not available. MacOS X seems to tolerate CIFS shares going
> away better than it handles NFS going away, and FreeBSD might well
> be similar. (I haven't exhaustively tested either problem case
> *deliberately*, mind you...! :-)

Not using fstab because of that :)

What I am doing is I run a small program to fingerprint my server and
then dump it all to a file. I then hash that file. When it starts up it
reruns that, trying to grab info for that IP, and then it is hashed and
compared to what the hash is supposed to be. If they don't match it
mounts 127.0.0.1:/usr/localhome to /usr/home. If it does match, it runs
a different script that mounts the stuff that should be mounted for
being on the LAN.

Anyway, got my big problem with it sorted out... was forgetting to
rebuild the password database.

BTW, anyone know of any way to change the timeout time for getting a
NIS password?
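The "fingerprint the server, hash it, compare, then choose a mount script" startup check described in the reply above, written out as an added example in POSIX sh. This is not the poster's program: it assumes the server's SSH host keys (as reported by `ssh-keyscan`) are the fingerprint, that the expected hash lives in a hypothetical `/var/db/lanfp/expected.sha256`, and that a hypothetical `/usr/local/etc/mount-lan.sh` does the LAN-side mounts. The one behaviour worth noticing is that an empty fingerprint (server unreachable, or the IP answers but offers no keys) fails closed to the local mount rather than matching an empty expected value.

```shell
#!/bin/sh
# Added example (not the poster's script): decide at boot whether we are on the
# LAN by comparing a hash of the NIS/NFS server's SSH host keys with a stored
# value, then mount either the local home tree or the LAN shares.
set -u

FINGERPRINT_DIR=${FINGERPRINT_DIR:-/var/db/lanfp}                     # assumed location
EXPECTED_HASH_FILE=${EXPECTED_HASH_FILE:-$FINGERPRINT_DIR/expected.sha256}
LAN_MOUNT_SCRIPT=${LAN_MOUNT_SCRIPT:-/usr/local/etc/mount-lan.sh}      # hypothetical script

# Portable SHA-256 of stdin: sha256sum (Linux), sha256 -q (FreeBSD), or openssl.
hash_stdin() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum | awk '{print $1}'
  elif command -v sha256 >/dev/null 2>&1; then
    sha256 -q
  else
    openssl dgst -sha256 | awk '{print $NF}'
  fi
}

# Fingerprint the server at $1: the public host keys it presents over SSH.
# Sorted so the hash does not depend on the order ssh-keyscan prints them.
# Prints nothing if the host is unreachable within the 5 s timeout.
collect_fingerprint() {
  ssh-keyscan -T 5 -t rsa,ed25519 "$1" 2>/dev/null | sort
}

# decide LIVE_HASH EXPECTED_HASH -> prints "lan" or "local".
# An empty live hash never matches: no fingerprint means we are not on the LAN.
decide() {
  live=$1
  expected=$2
  if [ -n "$live" ] && [ "$live" = "$expected" ]; then
    echo lan
  else
    echo local
  fi
}

# Record the current fingerprint as the expected one (run once, while on the LAN).
enroll() {
  mkdir -p "$FINGERPRINT_DIR"
  collect_fingerprint "$1" | hash_stdin > "$EXPECTED_HASH_FILE"
}

# Boot-time path: SERVER_IP is the NIS/NFS server address.
main() {
  server=$1
  expected=$(cat "$EXPECTED_HASH_FILE" 2>/dev/null || true)
  fp=$(collect_fingerprint "$server")
  live=$( [ -n "$fp" ] && printf '%s\n' "$fp" | hash_stdin )
  case $(decide "$live" "$expected") in
    lan)
      sh "$LAN_MOUNT_SCRIPT" ;;
    local)
      # Paths from the poster's message: loopback NFS mount of the local home tree.
      mount -t nfs 127.0.0.1:/usr/localhome /usr/home ;;
  esac
}

# Only act when invoked for real (e.g. from an rc script with LANCHECK_RUN=1 <server-ip>);
# sourcing the file for its functions does nothing.
if [ "${LANCHECK_RUN:-0}" = 1 ]; then
  main "$@"
fi
```

Enrol once on the LAN with `LANCHECK_RUN=1` unset and `enroll <server-ip>` from an interactive shell, then call the script from rc with `LANCHECK_RUN=1 <server-ip>`. The host-key fingerprint only proves that whoever answers at that IP holds the server's private host key; it says nothing about the rest of the subnet, which is the same point the quoted reply makes about NFS and local sniffing.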
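The quoted suggestion (rsync the YP master's password file, screen out a uid range with awk, run pwd_mkdb) as an added example in POSIX sh; it is not Chuck Swiger's script and not the poster's. Assumptions: the master is reachable as `ypmaster.example.lan` by an account allowed to read `/var/yp/master.passwd`, a staging directory `/var/db/ypsync`, and that NIS users occupy uids 1000 to 59999 while everything outside that range is a local account that must be kept. The merge keeps the local entry when a name appears in both files, so a NIS account can never replace a local one such as root.

```shell
#!/bin/sh
# Added example (not from the thread): pull the YP master's master.passwd over
# rsync/ssh, keep only the NIS uid range, merge with local accounts, rebuild the db.
set -u

YP_MASTER=${YP_MASTER:-ypmaster.example.lan}   # assumed hostname of the NIS master
STAGE=${STAGE:-/var/db/ypsync}                 # assumed staging directory
UID_LO=${UID_LO:-1000}                         # assumed NIS uid range
UID_HI=${UID_HI:-59999}
LOCAL_PASSWD=${LOCAL_PASSWD:-/etc/master.passwd}

# screen_uids LO HI: pass through only master.passwd lines whose uid (field 3)
# is numeric and within [LO, HI]. Format: name:pw:uid:gid:class:change:expire:gecos:home:shell
screen_uids() {
  awk -F: -v lo="$1" -v hi="$2" '$3 ~ /^[0-9]+$/ && $3+0 >= lo && $3+0 <= hi'
}

# outside_uids LO HI: the complement, i.e. the local system accounts to keep.
outside_uids() {
  awk -F: -v lo="$1" -v hi="$2" '!($3 ~ /^[0-9]+$/ && $3+0 >= lo && $3+0 <= hi)'
}

# merge_passwd LOCAL_FILE NIS_FILE: all local lines first, then NIS lines whose
# user name is not already present locally (local wins on duplicates).
merge_passwd() {
  awk -F: 'NR == FNR { seen[$1] = 1; print; next } !($1 in seen)' "$1" "$2"
}

sync_once() {
  mkdir -p "$STAGE"
  chmod 700 "$STAGE"   # staged copies contain password hashes
  # rsync uses ssh as its transport by default; fails (and we stop) when off the LAN.
  rsync -q "$YP_MASTER:/var/yp/master.passwd" "$STAGE/master.passwd.nis" || return 1
  screen_uids "$UID_LO" "$UID_HI" < "$STAGE/master.passwd.nis" > "$STAGE/nis.screened"
  outside_uids "$UID_LO" "$UID_HI" < "$LOCAL_PASSWD" > "$STAGE/local.keep"
  merge_passwd "$STAGE/local.keep" "$STAGE/nis.screened" > "$STAGE/master.passwd.new"
  # pwd_mkdb(8) installs the given file as /etc/master.passwd and rebuilds
  # /etc/pwd.db and /etc/spwd.db; -p also regenerates the world-readable /etc/passwd.
  # This is the step the poster reported forgetting.
  pwd_mkdb -p "$STAGE/master.passwd.new"
}

# Run the sync only when invoked for real (e.g. from cron with YPSYNC_RUN=1).
if [ "${YPSYNC_RUN:-0}" = 1 ]; then
  sync_once
fi
```

Run it from cron every few minutes with `YPSYNC_RUN=1`; when the master is unreachable rsync fails and nothing in `/etc` is touched, which is the "not if you are not" behaviour the reply asks for. `/etc/group` would be handled the same way with a gid filter.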
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?20041211090910.0d1579e9>