On 08/02/2011 01:09 AM, Mike Wright wrote:
> On 08/01/2011 07:41 AM, 夜神 岩男 wrote:
>> I have really been meaning to collect my notes about small/medium office
>> Kerberos/LDAP/NFSv4 setup and write a small series on how to do this
>> without giving up, settling for less (ie. logically unauthenticated
>> Samba or using just LDAP as if it were actually an authentication
>> service and a directory), or jumping off of a bridge.
>>
>> If you run into bad spots, keep asking. If I actually write a how-to
>> about this I'll send you a link. Beware that most of the how-tos out
>> there are pretty out of date, don't take SELinux into account or make
>> other assumptions that don't line up with RPM-based systems (or do
>> boneheaded things like say "Step 1, turn off SELinux").
>>
>
> Thanks for your efforts, Iwao.
>
> Sign me up, too. A link would be *great*.
>
> One of my biggest plaints is that much of the documentation out there
> lacks date and/or version info.
>
> Now that I've got Xen up and going and have more than a few virtual
> machines running it's becoming difficult/awkward to keep track of
> users/passwords, dealing with uid/gid being different for the same users
> on different machines, and especially nfs. Some vms will happily mount
> from one nfs server while others to the same server give me errors, all
> with the same version of the same o/s.
Great need plants great seed, doesn't it? (Whoa! That sort of sounds
like old wisdom! English is fun!)
> (Unfortunately, in order to debug my setup I've resorted to "Step 1",
> which sometimes helps and other times not so much.)
I supposed Step 2 should always be set to "revert Step 1"!
I will put my notes together and make a series out of it -- looking
around the web and in books this sort of thing really *doesn't* seem to
be documented well and stumps a huge number of people who just give up
and assume that good Linux setups are just too hard to bother with. This
is because:
1. The cn=config style of OpenLDAP is undocumented and very confusing
for newcomers
(Initial setup for the first time reliably produces feelings between
simmering-rage-type frustration or the breaking-things-in-the-office
point. Some things the OpenLDAP manual should have in it under
configuration just aren't there, and it makes the manual *feel*
inaccurate though it doesn't actually state anything that is wrong...
which is worse, because it makes it believable *and* wrong instead of
clearly, igorably wrong...)
2. Kerberos seems scary at first and though quite simple to understand
after playing with it a bit, the documentation goes to such length to
"make a hard subject easy" that the reader defaults to the assumption
that it *is* hard -- which is not as true as it may feel.
(...and the part when you decide that you're actually going to switch
authentication over is a little nerve-wracking so some admins just don't
go through with it -- its like the first time you decided to actually
turn SSH password authentication off on a really remote system, but
multiplied by however many systems your servicing raised to the power of
however much your contract is worth)
3. Our users have been trained to expect such shit tech from whatever
contact they had with bad Windows administration in the past that we can
get away with being lazy and not doing things correctly. ("Put it on the
shared drive" comes to mind...)
(The Post-Windows Crutch -- where we continue to not let users
experience seamless networking to the natural degree, where they don't
even realize what terminal they are using because everything is the same
from every station -- because its all the same system if things are
working the way they were originally designed)
4. The interactions between the little team of necessary daemons is so
scantily explained that most admins that get to the point of an actually
complete configuration fail because unthought-of-yet-critical daemons
aren't started. Two of the biggest culprits on Fedora are nscd and nslcd.
(The last sentence above is today's hint -- discovered after seeing what
would happen if a working SL6 setup was pushed directly to a Fedora 14
system. nscd, nslcd weren't even installed with the dependencies for the
setup, and sssd was present in the system but no scripts that require it
(like authconfig-tui) called "chkconfig sssd on" for some reason... Of
course none of these problems produced remotely accurate error messages
any place that the uninitiated would think to look (or at all)...)
5. CA and signed-certificate creation is a fun subject full of myth and
wildly inaccurate or out of date tutorials (or tutorials specific to,
say, FreeBSD or Darwin/OSX, but don't clearly state that). Its confusing
and ill-treated enough that some people give up and just shell out money
for them, even if the certification is strictly internal.
6. NFSv4 and OpenAFS are great tools, but suffer from a lack of accurate
documentation in a similar way to the CA subject. Why is sort of beyond
me, because they are both widely deployed, but only by people who either
paid to learn the magical secrets (and after climbing the learning curve
myself, I have to say this is probably a worthwhile option) or were
burned about the time they understood everything and were too worn out
thinking on the subject to post their notes (I think most of us can
appreciate that feeling after certain experiences).
Blah blah blah. Yes, an in-depth tutorial is sorely needed (really this
calls for another O'Reilly book in my opinion, but you'll have to settle
for whatever I've got spare time for + outdated web resources and...
man/info pages -- haha!).
-Iwao
PS: I've got to finish a magazine article that Akemi Yagi and I are
writing for a Japanese journal out here (she's the main author, not me,
but its hard doing English/Japanese, so this is more time consuming than
usual for me) -- so this will have to wait just a little. I'll post to
the list when I'm done, though, or at least send you folks a private
notice. Not sure that it really applies to everyone here so much as to
warrant plugging my tutorial on-list...
--
users mailing list
users@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe or change subscription options:
https://admin.fedoraproject.org/mailman/listinfo/users
Guidelines: http://fedoraproject.org/wiki/Mailing_list_guidelines
