NIS contingency plan

Before commiting my clients to NIS, I just want to make something
certain. In case of an emergency (ie. my server goes down.) I want
clients to still be able to login.

I take it NIS clients don't automatically cache the passwd/group files.

I have ubuntu clients, so would the solution be adding a local
user(admin) on each client with sudo writes. In an emergency I can login
with the admin account and add the user/password to the local passwd
file. Would this be the best solution? But then Ill have to remove the
user/pass from the passwd file once the server is up again.
I admit it seems a bit quirky.. surely there is a better option?

"bmgz" <(E-Mail Removed)> wrote in message
news:ddvdnl$7pa$(E-Mail Removed)...

> Before commiting my clients to NIS, I just want to make something
> certain. In case of an emergency (ie. my server goes down.) I want
> clients to still be able to login.
>
> I take it NIS clients don't automatically cache the passwd/group files.

NIS clients work only with the passwd/group maps, not the files.

> I have ubuntu clients, so would the solution be adding a local
> user(admin) on each client with sudo writes. In an emergency I can login
> with the admin account and add the user/password to the local passwd
> file. Would this be the best solution? But then Ill have to remove the
> user/pass from the passwd file once the server is up again.
> I admit it seems a bit quirky.. surely there is a better option?

In /etc/nsswitch.conf, you should have nis before files.

In comp.os.linux.networking bmgz <(E-Mail Removed)>:
> Before commiting my clients to NIS, I just want to make something
> certain. In case of an emergency (ie. my server goes down.) I want
> clients to still be able to login.

You want to read the NIS Howto (www.tldp.org) how to go about
setting up a slave server, which "backups" the master should it
fail.

Good luck

[..]

--
Michael Heiming (X-PGP-Sig > GPG-Key ID: EDD27B94)
mail: echo (E-Mail Removed) | perl -pe 'y/a-z/n-za-m/'
#bofh excuse 55: Plumber mistook routing panel for decorative
wall fixture

In article <ddvdnl$7pa$(E-Mail Removed)>, bmgz <(E-Mail Removed)> wrote:
| Before commiting my clients to NIS, I just want to make something
| certain. In case of an emergency (ie. my server goes down.) I want
| clients to still be able to login.
|
| I take it NIS clients don't automatically cache the passwd/group files.
|
| I have ubuntu clients, so would the solution be adding a local
| user(admin) on each client with sudo writes. In an emergency I can login
| with the admin account and add the user/password to the local passwd
| file. Would this be the best solution? But then Ill have to remove the
| user/pass from the passwd file once the server is up again.
| I admit it seems a bit quirky.. surely there is a better option?

Many systems which support NIS also support a Name Service Cache
Daemon (nscd), which can provide a configurable time to live for
previously looked up passwd entries. The Linux nscd was written by
Thorsten Kukuk of SuSE, who wrote the Linux NIS suite, and Ulrich
Drepper, who wrote the GNU C library for Linux. I know Fedora and (I
expect) SuSE ships with nscd. Any Linux that supports NIS probably
does as well.

I'm not sure that nscd is intended to support normal operations in the
total absence of an NIS server, though. There's no guarantee that an
idle system would make sure to keep all passwd entries pulled into the
cache on any consistent basis. I think ncsd is rather more intended as
a performance optimization, instead.

Fortuantely, NIS was designed to be redundant. You can have one
master NIS server where you make your account changes, and several NIS
slave servers which will receive updates whenever your master NIS
server is updated.

So long as your NIS client system can reach any of your NIS servers,
you'll still be able to login and do everything else as normal.

See Thorsten Kukuk's NIS HOWTO at http://www.tldp.org/HOWTO/NIS-HOWTO/
for details on how to set everything up. You can also see the
O'Reilly book 'Managing NFS and NIS, Second Edition', at
http://www.oreilly.com/catalog/nfs2/ for lots more details and advice
on setting up a redundantly server NIS network.

Take care, however, NIS is the furthest thing from secure networking.
When you run NIS, everyone on your network has the ability to access
the contents of your NIS passwd map, which means that they can try to
crack your password hashes. If you decide you really do need to use
NIS, be *very sure* that you use md5Crypt password hashing instead of
the old-school UNIX Crypt algorithm.

Good luck.

--
-------------------------------------------------------------------------------
Jonathan Abbey (E-Mail Removed)
Applied Research Laboratories The University of Texas at Austin
GPG Key: 71767586 at keyserver pgp.mit.edu, http://www.ganymeta.org/workkey.gpg

"gretchen" <(E-Mail Removed)> writes:

>"bmgz" <(E-Mail Removed)> wrote in message
>news:ddvdnl$7pa$(E-Mail Removed)...

>> Before commiting my clients to NIS, I just want to make something
>> certain. In case of an emergency (ie. my server goes down.) I want
>> clients to still be able to login.
>>
>> I take it NIS clients don't automatically cache the passwd/group files.

>NIS clients work only with the passwd/group maps, not the files.

>> I have ubuntu clients, so would the solution be adding a local
>> user(admin) on each client with sudo writes. In an emergency I can login
>> with the admin account and add the user/password to the local passwd
>> file. Would this be the best solution? But then Ill have to remove the
>> user/pass from the passwd file once the server is up again.
>> I admit it seems a bit quirky.. surely there is a better option?

>In /etc/nsswitch.conf, you should have nis before files.


And then just put in a password file onto each machine now.

I have never been comfortable with nis so I just transport my password
files around to all the machines with one command.

I am not having any progress with NIS. I am pretty stuck somewhere.
Heres the situation:

I have configure the NIS_SERVER as a server and a client(to itself). I
have configured MY_PC as a client.

I can ypcat/ypmatch/ypwhich on the NIS_SERVER & MY_PC and the diagnostic
works fine. When I do something like yppasswd I am told that the
operation was successful. However, when I try login on MY_PC with the
NEW password it won't work, I still have to use the old password.

If I ssh into the NIS_SERVER, I have to use the NEW password.
If I try yppasswd again from MY_PC and asks me for the current password,
I enter the NEW password and I get an error, so I have to use the old
password. WTF?

My maps on the NIS_SERVER are in a separate folder /etc/NIS/ and I have
stippulated this in the Makefile. Nis is updating passwords to
*somewhere* but not the actual user maps it seems..

Any pointers?