Wow, this is quite the conversation, and one I have may have a few insights into.
We've just migrated our first few systems from a home-grown system that transfers around the /etc/passwd, /etc/group, /etc/auto.direct and /etc/auto.home files. Yes, don't forget to copy your group as well as passwd, shadow, etc. files if you go that way.. to LDAP / Kerberos to a Windows Active Directory.
So.. where to start.
Why not to copy around the files. If your /etc/passwd or shadow files get corrupted, and / is full, you no longer can log in. Shut down, go to single user mode and hope you aren't using the boot authenticator
The biggest problem is latency and determining if your files have been copied securely to the other system, then determining if it's safe to copy them in place.
Next problem. Do you want different root passwords per server? And, are ALL your users allowed to log into ALL the servers? if you are using /etc/passwd copied between, they are all the same. If not, you need to blank out the password or user somehow, or add pam_authz into the mix and mess around with netgroups or other strangeness.
ssh / pam / ldap, etc. question (Jeff.. this is for you).. Use Kerberos. Yup, I really said that. You enable GSSAPIAuthentication in your ssh_config and a few other settings. (I can dig them up if you like). and whamo-bammo, your authentication, even with authorized_keys files comes against the KDC. In my case, the Active Directory, which is also where all of the LDAP data resides. It's pretty slick when you get it working.
The problems with Windows AD and LDAP are pretty simple:
- You need Kerberos to authenticate. LDAP provides info, not authentication.
- You need LDAP to list the user and group data on the host.
- you can also host rpc, services, hosts data, but not automount maps, netgroups or printers.
- Seriously think about SSL. Otherwise, lots of data is clear text.
- If you use SSL, you will need a Certificate Authority installed on your Domain Controller & Global Catalog & AD (makes it LDAP), which is also your KDC (all DC's are a KDC).
- Do NOT put your KDC on the same server as your DNS server. Leaves you open to strange slowness in a failover state. - best option is system 1 is your primary KDC/LDAP/CA & secondary DNS, system 2 is your secondary KDC/LDAP/CA & primary DNS.
- the PreferredServerList is a direct failover list, not a load balanced one. The DefaultServerList is exactly the same. Don't bother with it.
- DES is your ONLY option for passwords in the AD. On the other hand, since you are authenticating with Kerberos against the AD, you can use 127 character passphrases with the who gambit of account policies from the AD group policy.
- You will need either Windows 2003 RC2 installed on your AD server (includes NIS services, RFC2307 compliant POSIX entries, User Name Mapping), or you will need Services for UNIX for Windows version 3.5 installed (which includes the same thing.) As of today, it's harder to find it on Microsoft's web site, but it's still free. You don't need the services turned on, however you DO need the RFC2307 compliant Active Directory Schema extensions to put your LDAP POSIX account data in the AD. It also adds a neat little tab called "UNIX Attributes" to the user, group and host entries.
- Use the MemberOf tab in windows for group membership and then re-map the group memberuid attribute to member, instead of msSFU30PosixMember (otherwise, it tries to use full display names instead of usernames as your group membership..)
- You will need a Proxy User in the AD. You can't ever change the password.
- LDAP provides user and group info. Kerberos provides authentication (who you are). If you are in the AD, and authenticated, you can log into any host..
- pam_authz provides Authorization, that you are allowed. Use the /etc/opt/ldapux/pam_authz.policy file to set up a group with authorized users. This group can be local or in the AD, remember, if you add this, this is for ALL users on the system, including root, so include a local group that is also allowed with root as a member.
- Automounter files will need to be manually updated. I wrote script that parses the output of a "showmount -e $filesever" and builds my automounter maps for me. Enhanced AutoFS is useful for this.
- Still need ShadowPasswords app if you aren't using trusted mode. Easy to add.
List of packages.. (all post QPK Sept 2005):
ENHAUTOFS B.11.11.03 Enhanced AutoFS for better performance and functionality
J4269AA B.04.00.02 LDAP-UX Integration
J5849AA B.11.11.13 PAM-Kerberos and Kerberos Support
KRB5CLIENT C.1.3.5.03 Kerberos V5 Client Version 1.3.5.03
PHCO_28605 1.0 libnss_files cumulative patch
PHCO_30913 1.0 libsec cumulative patch
PHCO_31923 1.0 libc cumulative header file patch
PHCO_33205 1.0 mountall, Dev IDs enabler, iSCSI support
PHCO_33711 1.0 libc cumulative patch
PHKL_33258 1.0 VxFS cumulative patch ;ml_flag race
PHNE_29445 1.0 libnss_dns DNS backend patch
PHSS_33384 1.0 KRB5-Client Version 1.0 cumulative patch
PHCO_28830 1.0 Security man page cumulative.
PHSS_33325 1.0 CDE Base Periodic Patch
ShadowPassword B.11.11.03 HP-UX 11.11 Shadow Password Bundle
Kerberos Doc reference:
A Basic Step-by-Step Summary of Kerberos v.51 Setup on HPUX DocId: PAMKKBAN00000983 Updated: 20050127
This is a wonderful document. The author, Don Isler is a genius and has been of no ending help.
Good luck,
Don
