Sorry for the late response. Thanks for all the insightful comments. The unanimous consensus for handling this many systems is to use LDAP. There are some useful references; most responses are included beneath.

*********** from Damir Delija **********

Hard problem! Try to avoid NIS and NIS+; NIS+ is an administrative nightmare and implementations among vendors are different and buggy. LDAP is a good choice but can be tricky, since among all these OSes and machines you can have some really old OSes where LDAP / PAM cannot work. The same is true with NIS/NIS+; once I had a freaky NIS+ on an AIX 4.3.3 SP machine and it was a horror story, and we were incapable of integrating it with other Unixes.

You'll actually have to solve more than one problem:

1) choose a new tool/method (define what the important features are for your various boxes)
2) find out how to spread it out on 800+ various machines (bootstrap the new configuration)
3) how to keep it under control (packaging and versioning)

CFengine is a great tool (http://www.iu.hio.no/cfengine/) which can help you automate tasks, because one of its initial targets was keeping such a huge workstation environment in order. Expect tools can also help as "automation tools" for the initial dispersion, and webmin can be very useful too.

I expect that you'll have to separate machines into various domains based on their capabilities (on this class ssh cannot work, this one is LDAP capable, this class cannot work with PAM, etc.) and then do the job. I suppose somewhere down the road security will arise as a problem, so take it into account from the start, as well as system monitoring.

> What are the best practices - is it good to set up an admin server and
> set up passwordless root access? Or LDAP setup preferred?

Passwordless root is not a good idea; it can be "emulated" with ssh key-based authentication. There is a nice description with ideas in the snail book: Daniel J. Barrett and Richard E. Silverman, The Secure Shell: The Definitive Guide, ISBN 0-596-00011-1.

> It has become a nightmare to add/delete lots of admin accounts as the
> number keeps changing.

There were some papers on Linux grids/clusters, but mostly on NIS/NIS+. There were some articles in Sys Admin magazine (http://www.sysadminmag.com/).

> Any thoughts??

I hope this helps; it looks like you'll get a long hot summer! :))

PS: there are some good redbooks on LDAP and NIS/NIS+ migration and cooperation at http://www.redbooks.ibm.com/. Also you can look into Æleen Frisch, "Essential System Administration", and "Perl for System Administration" by David N. Blank-Edelman, ISBN 1-56592-609-9, for some ideas and recipes.

*********** from Damir Delija **********

Alan Pae wrote: LDAP is the future, if all of your systems will support it; otherwise standardize on NIS or NIS+ for the time being.

**** Garly Law ****

In the long run, LDAP is the way to go. In the short run, about the only thing supported out-of-the-box on all Unices is NIS.

Sun's JES (formerly SunONE) LDAP server can serve up posix login information for recent releases of Solaris and Linux. Alternatively, you can use the OpenLDAP / Linux approach and reconfigure Solaris to match (padl.com for more). Sun have an LDAP-to-NIS gateway to support those clients that can't do LDAP natively (e.g. older Solaris etc.). They also have an Active Directory syncing tool.

WinBind from samba is a way to replace both LDAP and NIS for user accounts and groups with Active Directory. For those older OSes that WinBind can't support, use the Microsoft Services for Unix NIS server.

There are some fairly good commercial solutions -- although it is surprising how many of them don't do two-way password sync from the UNIX command line. One forms part of the Tivoli suite from IBM - I forget the name.

You could, of course, roll your own solution with (a) a master password file, (b) shadow, (c) groups, (d) hosts; a system for ensuring the right entries go on the right machines (shell / grep / sed / awk / cron); and a system for pushing them out (rsync, rdist, scp). These files could be maintained as flat files on a master server, or out of a database or an LDAP directory.

My recommendation would be (a) go down the Sun LDAP route and try to shoehorn the other OSes in - those that fail use the NIS gateway - or (b) roll your own solution with rsync and ssh. I've worked in shops that do both, and they can both be made to work.

********** Christophe Dupre **********

Here's my experience administrating ~100 machines, a mix of Solaris [8|9] and various flavors of Linux.

1/ For user authentication, use LDAP. That way you can centralize the user information, and creating a new user means updating one central server. Older servers may not support LDAP out of the box, so special circumstances might apply. Here we have one older SGI that doesn't have LDAP support, but it is used by only two users, so they have local accounts.

2/ Each machine has a local root password, which is then stored in a safe and never used again. We use sudo to give limited (or not so limited) access to root. In the sudo config file, we defined levels of access and assigned each level to a unix group. Then make users part of the group for the stuff they need. The sudoers file can be centrally managed through NFS, rdist or any other means. For example, we have a backup group that can run all the netbackup command line tools as root. To revoke access, just remove the user from the group.

****** Christophe Dupre <duprec@scorec.rpi.edu> ******

Baldwin Sung wrote: I totally prefer LDAP :) No way on passwordless root access.

**** Will Chow ****

Probably the best thing to do is set up LDAP as your naming/authentication/user account service and write a couple of custom perl/python scripts to administer users. Since LDAP is an open standard it is easy to interface with using common tools, and it is cross-platform. Setting up separate domains is also easy, and replication is simple. Since LDAP is easily integrated into existing language/toolsets, you can write simple custom GUIs for the helpdesk people that need to interface with the system but lack the requisite skillset. Since there are a variety of LDAP platforms to choose from, you're also not locked into one vendor or platform. Since Sun has dropped NIS+ and NIS has major scalability and security flaws, LDAP is the way to go. Setting up LDAP obviously is non-trivial, but then administering hundreds of boxes with thousands of accounts with multitudes of NFS automount maps is non-trivial.

******* Chris Ferry ********

I'd advise using LDAP w/TLS and PAM. Make sure you have two LDAP servers running replication through an encrypted tunnel for redundancy. OpenLDAP is a great opensource LDAP server; I'd advise using it.

******* Chris Ferry ********

----- Original Message -----
From: <janerams@hotmail.com>
To: <sunmanagers@sunmanagers.org>
Sent: Monday, August 09, 2004 2:50 PM
Subject: Best practices - user accounts setup and administering on 800 systems

> Trying to figure out a standard way to set up and administer accounts on our huge env with 800+ unix boxes that include Solaris/HP-UX/AIX/Linux/Tru64/DG-UX/Irix located all over, with local admins controlling the bulk of operations. A group of them use NIS and some others use NIS+ and a large number use neither.
>
> What are the best practices - is it good to set up an admin server and set up passwordless root access? Or LDAP setup preferred?
>
> It has become a nightmare to add/delete lots of admin accounts as the number keeps changing.
>
> Any thoughts??
>
> Kind Regards
> Jane

_______________________________________________
sunmanagers mailing list
sunmanagers@sunmanagers.org
http://www.sunmanagers.org/mailman/listinfo/sunmanagers

Received on Wed Aug 18 23:04:44 2004
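As an added example that is not from anyone in the thread, this is how the group-based sudo access levels Christophe Dupre describes in the summary above could be written in a single sudoers file that is pushed unchanged to every host. The group names, host name patterns and command paths are assumptions for illustration.

```sudoers
# Added example, not from the original thread: group-based privilege levels
# in one sudoers file that is distributed unchanged to every host.
# Group names, host name patterns and command paths are assumptions.

# Defaults that matter when one file serves many hosts: reset the caller's
# environment, log with host and year so logs can be collected centrally,
# and keep the cached-credential window short.
Defaults    env_reset
Defaults    logfile=/var/log/sudo.log, log_year, log_host
Defaults    timestamp_timeout=5
Defaults    !root_sudo      # root does not need to chain "sudo sudo"

# Command sets, one per access level. A path ending in "/" means every
# file in that directory; wildcards in arguments are deliberately avoided.
Cmnd_Alias  BACKUP_CMDS  = /usr/openv/netbackup/bin/, /usr/openv/volmgr/bin/
Cmnd_Alias  SERVICE_CMDS = /usr/sbin/svcadm, /etc/init.d/
Cmnd_Alias  ACCOUNT_CMDS = /usr/sbin/useradd, /usr/sbin/usermod, \
                           /usr/sbin/userdel, /usr/bin/passwd [a-z]*
Cmnd_Alias  SHELLS       = /bin/sh, /bin/bash, /bin/ksh, /usr/bin/su

# Host classes let the same file still scope a level to some machines.
Host_Alias  BACKUP_HOSTS = bkup*, media*

# Level 1: the backup group runs the NetBackup tools as root, nothing else.
# Revoking access is a group-membership change, not a sudoers edit.
%backupadm  ALL = (root) BACKUP_CMDS

# Level 2: helpdesk manages accounts. The "!" entries keep root's password
# and the obvious shells out of reach, but sudoers(5) notes that such
# exclusions can be bypassed (e.g. by a copied binary), so treat them as a
# guard rail and rely on the positive list for the real boundary.
%helpdesk   ALL = (root) ACCOUNT_CMDS, !/usr/bin/passwd root, !SHELLS

# Level 3: media operators restart services, only on the backup host class.
%mediaops   BACKUP_HOSTS = (root) SERVICE_CMDS

# Level 4: full administrators.
%sysadm     ALL = (ALL) ALL
```

Run `visudo -c -f` on the candidate file on the distribution master before rdist or rsync pushes it out, so a syntax error never disables sudo on every host at once.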