[NTLUG:Discuss] Is it just me or is Red Hat/CentOs understanding of PAM, auth, etc, just totally insane or what?

thomas at redhat.com
Mon May 14 16:34:41 CDT 2012


On 05/01/2012 08:46 PM, Christopher Cox wrote:
> Like it or not Red Hat must live. But man... talk about weird.
>
> They have a VERY mixed and inconsistent view of the world.. You can tell
> there are camps at WAR inside of Red Hat, those that want to remove all
> control from the local system admin (because after all, we're dumb) and
> those that still want to give control.. sheesh...

Interesting read on things. Not true, but interesting. I've been at Red 
Hat for about six and a half years, and I have never heard anyone here, 
in engineering or support or field services, say that our customers are 
dumb.

In fact, we rely heavily on our customers and the OSS community of which 
we are a member to help drive innovation and software quality. We are 
very aware that we are beholden to, not some sort of dictators of, the 
community.

> So... they have these tools... but you know the idea of a tool is that
> you sort of WANT people to use it. Right? The tool is authconfig and
> its variants.

You mean the tool that manages settings for NIS, BIND, WINS, Winbind and 
Active Directory connectivity, Samba, LDAP, certificates, smartcard 
readers, fingerprint readers, kerberos, even hesiod? That authconfig. 
There's a fair amount of complexity to that, and for the vast majority 
of customers, it does the job right. For corner cases, there is usually 
some tweaking to do.

> This authconfig tool OWNS a set of common included PAM configs for auth,
> account, password and session. It controls their generation, any local
> modifications are overwritten by their authconfig tool.
>
> Red Hat uses a myriad of pam modules many of which have overlapping scopes.
>
> It's not that you CAN'T get done what you need to get done on Red Hat...
> it's just a LOT harder. A whole lot harder. Or, you just scrap
> authconfig, remove its presence from the planet... which again, means
> you can install just about any Linux distro at that point.
>
> Yuk!

Agreed. PAM is a real Gordian knot. For the vast majority of users, the 
defaults are sane. For those who need to tweak the defaults, it 
certainly can be frustrating.

Do you have a ticket open on what you're trying to accomplish? Rants on 
a local LUG mailing list, while certainly satisfying, don't actually get 
anything done.

> Also, over the years, Red Hat has changed their position on numerous
> items no more than 50 gabillion times (sorry to be technical). That
> means, if you DO figure it out... it will be WRONG with the next Red Hat
> incarnation.... sigh...

As technology and the IT industry changes, of course we'll change 
technologies and strategies. As computing standards, best practices and 
methodologies change, so does the way we build distros. If something is 
not working, we're certainly eager to understand how we can do better.

> Now, I do realize that Red Hat drives (forces, coerces) other distros to
> follow "their way".. it's just the WRONG way folks... it really, really,
> really, really, really, really is....

Coerces? How, pray tell, do we coerce other distros? If, by "coerce," 
you mean "releases more code than any other commercial entity to the 
Linux kernel, glibc, x.org, GNOME, and several other projects," then
yes, we are certainly coercive. I think most folks would call giving 
away 100% of their code as OSS "being a good community member," though. 
I could be wrong, though.

> IMHO.... there's a LOT of fixing needed at Red Hat.. and while they are
> the "dominant" player (due to IPO in the USA btw... NO OTHER REASON
> folks), if they just got their heads screwed on right, they could make a
> TON more... just saying.

No other reason than an IPO, huh? Couldn't *possibly* be because we're 
used by most of the Fortune 500, we run, for instance, the NYSE trading 
floor and back office ($6 million/second in down time), we're used by 
the Federal Aviation Administration to track the 7000-8000 in US 
airspace at any given time, or because we own world records in 
virtualization, SAP, Oracle, JVM, etc. spaces. Nah, none of that has 
*any* bearing on our success. And, totally, all that contribution to 
upstream that we do? Totally irrelevant.

> I'm not going into detail about what I don't like about their PAM
> stack/authconfig, nss, etc. relationships... just venting a bit looking
> for anyone else that feels the same....

I'd love to help you. Hell, anyone at Red Hat would love to help you. 
We're actually very passionate about solving customer problems. I might 
suggest that you catch more flies with honey than with vinegar, though.

Can you please open a support ticket on this? Feel free to drop me a 
line once you do, and I'll poke it from inside the firewall.

Regards,
-- 
Thomas Cameron, RHCA, RHCSS, RHCDS, RHCVA, RHCX
Chief Architect, Canada and Central US
512-241-0774 office / 512-585-5631 cell
http://people.redhat.com/tcameron/
IRC: choirboy / AIM: rhelguy / Yahoo: rhce_guy /Google+ http://ongpl.us/tdc


