[NTLUG:Discuss] Red Hat as a NIS client help!
Chris Cox
cjcox at acm.org
Tue Jun 16 08:49:57 CDT 2009
On Mon, 2009-06-15 at 16:28 -0500, Chris Cox wrote:
> Solution (it's a BAD one... but this is what you have to do):
So... why is Red Hat's old style pam_unix.so module parameter technique
wrong?
Well, for one thing, it means that Red Hat plays favorites. That is, it
means that Red Hat tends to resist change UNLESS it is something they
authored. Better solutions have been out there for AT LEAST SEVEN
YEARS. Wow. Anyway...
The reason why this "solution" is not sufficient is that you CAN have
local accounts in addition to network accounts. So, you may want DES
(in my case to make NIS/YP portable across NON Red Hat systems) for
those network accounts; however, when you change the password for a
LOCAL account, you probably want to use the best platform specific hash
possible (which unfortunately on Red Hat, the best they can do is MD5
today, though they've got some SHA variant support coming... might be
there in RHEL5, not sure... just as long as it's not anything that BSD
supports... right Red Hat?).
Red Hat engineers remind me a lot of Sun (you know, the dead company).
They have become VERY arrogant in their approach to everything. I
certainly do NOT mind their long-winded explanations about why THEIR way
is the "best" way... I find those essays to be very interesting. I just
think making THEIR way the ONLY way is contrary to the ideas of
interoperability and the freedom I enjoy as a Systems Administrator.
So... Red Hat... lighten up. READ what others say. You are NOT the
sole source of ideas or truth. Nuff said.
I now understand why when I tell people how well our infrastructure
works (Novell's SLES handles our infrastructure)... I understand why our
other sites are struggling... mainly because they use Red Hat or CentOS.
I can see why things don't seem to work right... NOT saying it can't be
fixed (e.g. the less-than-perfect workaround presented here), but now I
know why people still tout Solaris, AIX and even HPUX.
So... I'm just going to say it. If you have a MULTI platform/OS
network, I cannot recommend Red Hat today for your interoperable
infrastructure platform of choice. It's just too antagonistic to other
OS vendors/versions.
>
> Change /etc/pam.d/system-auth
>
> password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok
>
> Remove the md5 option to pam_unix.so
>
> Sigh.... not loving Red Hat AT ALL right now.
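
An added audit sketch, not part of the original post or of Red Hat's tooling: it reads the `password` line for pam_unix.so to report which hash the next password change will produce, and lists accounts in a local shadow-format file that are already stored as DES, which is the side effect on local accounts the post describes. Function names and sample entries are constructed for illustration; it assumes, as the post states, that pam_unix.so falls back to DES crypt when no hash option is given.

```python
import re

# Options that select the hash pam_unix.so uses on the next password change.
HASH_OPTS = ("md5", "bigcrypt", "sha256", "sha512", "blowfish")
PREFIXES = {"$1$": "md5", "$5$": "sha256", "$6$": "sha512",
            "$2a$": "blowfish", "$2y$": "blowfish"}
DES_RE = re.compile(r"[./0-9A-Za-z]{13}")  # traditional crypt(3) output

def pam_unix_scheme(pam_text):
    """Scheme the 'password' pam_unix.so line selects, or None if absent."""
    for line in pam_text.replace("\\\n", " ").splitlines():
        fields = line.split("#", 1)[0].split()
        if not fields or fields[0] != "password":
            continue
        mod = [i for i, f in enumerate(fields) if f.endswith("pam_unix.so")]
        if mod:
            chosen = [o for o in fields[mod[0] + 1:] if o in HASH_OPTS]
            # Assumption (matches the post): no hash option means DES crypt.
            return chosen[0] if chosen else "des"
    return None

def classify_hash(field):
    """Name the scheme of one password field from passwd/shadow."""
    if field in ("", "x") or field[0] in "!*":
        return "none-or-locked"
    for prefix, name in PREFIXES.items():
        if field.startswith(prefix):
            return name
    return "des" if DES_RE.fullmatch(field) else "unknown"

def des_accounts(shadow_text):
    """Accounts in a shadow-format file whose stored hash is DES."""
    rows = (l.split(":") for l in shadow_text.splitlines() if ":" in l)
    return [r[0] for r in rows if classify_hash(r[1]) == "des"]

# Constructed sample input: the line quoted in the post, with and without md5.
PAM_BEFORE = "password sufficient pam_unix.so md5 shadow nis nullok try_first_pass use_authtok\n"
PAM_AFTER = PAM_BEFORE.replace(" md5", "")
# Constructed local shadow entries (hash strings are made up, not real hashes).
SHADOW = ("root:$1$saltsalt$0123456789abcdefghijkl:14411:0:99999:7:::\n"
          "backup:abCdEfGhIjKlM:14411:0:99999:7:::\n"
          "daemon:*:14411:0:99999:7:::\n")

if __name__ == "__main__":
    print("before:", pam_unix_scheme(PAM_BEFORE), "after:", pam_unix_scheme(PAM_AFTER))
    print("local accounts on DES:", des_accounts(SHADOW))
```
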