Alfred von Campe
2014-Jun-10 22:28 UTC
[CentOS] How to configure user accounts without NIS
The company where I work is mostly a Windows shop, but I run a few CentOS servers and desktops. I have configured my systems as follows with Kickstart:

    authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
        --nisserver=nis1.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
        --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com

The /etc/nsswitch.conf file looks like this:

    passwd: files nis
    shadow: files nis
    group: files nis

The NIS services are provided by the Windows Domain controllers using Windows Unix Services (or something similarly named). This allows anyone that's in the NIS database to log into any CentOS system with their Windows username and password. Home directories are automounted from a big NAS box (and are also available on Windows). This all works great most of the time. However, if the network or the NIS server goes down, the CentOS system just hangs.

For CentOS 7 I'd like to make the systems more robust to network failures. I could create local accounts (I believe there is a way to autocreate an account and a home directory upon login), but I'm not sure how to go about it. This also implies that the home directories will not be shared among the systems, so ssh keys will have to be manually copied to the local home directories. Ideally, I'd like to get rid of NIS altogether and use LDAP and Kerberos for everything, but I don't know if that is feasible. I think these are the only services that we currently rely on NIS for:

- passwd file
- group file
- automount maps (including auto.home for home directories)

Before I go re-inventing the wheel, I'd like to find out how others manage multiple users on multiple systems using a central service. And in case it wasn't obvious, I want to use the same usernames and passwords that are used in the Windows environment.

Thanks,
Alfred
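An added example, not part of the original post: a small inventory check that parses an nsswitch.conf-style file and lists every database that still consults NIS, which is the list a migration to LDAP/Kerberos or AD has to cover. The function name `nis_databases`, the `files_first` label and the `hosts` and `automount` sample lines are assumptions made for illustration; only the passwd, shadow and group lines come from the post.

```shell
#!/bin/sh
# Print each nsswitch database that lists nis/nisplus as a source, and whether
# a local "files" source is consulted before it.
nis_databases() {
    # $1: path to an nsswitch.conf-style file
    awk '
        { sub(/#.*/, "") }                  # strip comments
        NF < 2 || $1 !~ /:$/ { next }       # skip blank or malformed lines
        {
            db = substr($1, 1, length($1) - 1)
            files_first = "no"; seen_nis = 0; in_action = 0
            for (i = 2; i <= NF; i++) {
                # skip [STATUS=action] items, which may span several fields
                if ($i ~ /^\[/) in_action = 1
                if (in_action) { if ($i ~ /\]$/) in_action = 0; continue }
                if ($i == "files" && !seen_nis) files_first = "yes"
                if ($i == "nis" || $i == "nisplus") seen_nis = 1
            }
            if (seen_nis) print db, "files_first=" files_first
        }
    ' "$1"
}

# Constructed sample input: three lines as quoted in the post, plus two
# assumed lines (hosts, automount) to exercise the parser.
sample=$(mktemp)
cat > "$sample" <<'EOF'
# constructed sample
passwd:     files nis
shadow:     files nis
group:      files nis
hosts:      files dns
automount:  nis [NOTFOUND=return] files   # assumed line, not from the post
EOF

nis_databases "$sample"
rm -f "$sample"
```

On a real host, run `nis_databases /etc/nsswitch.conf`; an empty result means no database in that file depends on NIS any more.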
Integrated linux domain controller -> http://www.freeipa.org/

It's brilliant!

ta,
Andrew

On 11 June 2014 00:28, Alfred von Campe <alfred at von-campe.com> wrote:

> The company where I work is mostly a Windows shop, but I run a few CentOS
> servers and desktops. I have configured my systems as follows with
> Kickstart:
>
>     authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
>         --nisserver=nis1.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
>         --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
>
> The /etc/nsswitch.conf file looks like this:
>
>     passwd: files nis
>     shadow: files nis
>     group: files nis
>
> The NIS services are provided by the Windows Domain controllers using
> Windows Unix Services (or something similarly named). This allows anyone
> that's in the NIS database to log into any CentOS system with their Windows
> username and password. Home directories are automounted from a big NAS box
> (and are also available on Windows). This all works great most of the time.
> However, if the network or the NIS server goes down, the CentOS system just
> hangs.
>
> For CentOS 7 I'd like to make the systems more robust to network failures.
> I could create local accounts (I believe there is a way to autocreate an
> account and a home directory upon login), but I'm not sure how to go about
> it. This also implies that the home directories will not be shared among
> the systems, so ssh keys will have to be manually copied to the local home
> directories. Ideally, I'd like to get rid of NIS altogether and use LDAP
> and Kerberos for everything, but I don't know if that is feasible. I
> think these are the only services that we currently rely on NIS for:
>
> - passwd file
> - group file
> - automount maps (including auto.home for home directories)
>
> Before I go re-inventing the wheel, I'd like to find out how others manage
> multiple users on multiple systems using a central service. And in case
> it wasn't obvious, I want to use the same usernames and passwords that are
> used in the Windows environment.
>
> Thanks,
> Alfred
2014-06-11 1:28 GMT+03:00 Alfred von Campe <alfred at von-campe.com>:

> The company where I work is mostly a Windows shop, but I run a few CentOS
> servers and desktops. I have configured my systems as follows with
> Kickstart:
>
>     authconfig --enablemd5 --passalgo=sha512 --enablenis --nisdomain=XXX \
>         --nisserver=nis1.XXX.com,nis2.XXX.com --useshadow --enablekrb5 \
>         --krb5realm=XXX.COM --krb5kdc=ldap.XXX.com --krb5adminserver=ldap.XXX.com
>
> The /etc/nsswitch.conf file looks like this:
>
>     passwd: files nis
>     shadow: files nis
>     group: files nis
>
> The NIS services are provided by the Windows Domain controllers using
> Windows Unix Services (or something similarly named). This allows anyone
> that's in the NIS database to log into any CentOS system with their Windows
> username and password. Home directories are automounted from a big NAS box
> (and are also available on Windows). This all works great most of the time.
> However, if the network or the NIS server goes down, the CentOS system just
> hangs.
>
> For CentOS 7 I'd like to make the systems more robust to network failures.
> I could create local accounts (I believe there is a way to autocreate an
> account and a home directory upon login), but I'm not sure how to go about
> it. This also implies that the home directories will not be shared among
> the systems, so ssh keys will have to be manually copied to the local home
> directories. Ideally, I'd like to get rid of NIS altogether and use LDAP
> and Kerberos for everything, but I don't know if that is feasible. I
> think these are the only services that we currently rely on NIS for:

Well, you can just authenticate against AD, it works fine on RHEL 5/6. See your private mail for instructions.

--
Eero