From: Chris Gordon <freebsd@theory14.net>
Subject: Re: Centralized user/group/whatever management
Date: Fri, 13 Mar 2020 08:53:09 -0400
To: Victor Sudakov
Cc: freebsd-questions@freebsd.org
In-Reply-To: <20200313091923.GA98495@admin.sibptus.ru>
Message-Id: <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>
List-Id: User questions

> On Mar 13, 2020, at 5:19 AM, Victor Sudakov wrote:
>
> Dear Colleagues,
>
> Do you think there exists a modern solution for centralized user/group/...
> management compatible with FreeBSD and Linux?
>
> I have experience using NIS on FreeBSD for many years, but NIS is really very
> dated, not very secure, depends on the NIS servers being reachable all the
> time, depends on Sun RPC (portmapper, dynamic ports) and has other
> drawbacks. I know this from experience.
>
> Are there any modern solutions for FreeBSD hosts to have at least a common
> user/userid/group/groupid database, or maybe even more centralized goodies?
>
> I've been told that Linux has FreeIPA, but I think it's not fully
> compatible with FreeBSD, and besides security/sssd wants so many
> dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> good enough).
>
> Any success stories?

LDAP and Kerberos are common solutions for this. There are many ways you could do this, both or just one of them depending on your specific needs. You could:

- Set up servers yourself. For instance setting up OpenLDAP
- Use some "pre-integrated" solutions:
  - FreeIPA. Underneath, this is just LDAP, Kerberos, DNS, etc. You don't have to use SSSD to use FreeIPA as an auth source. Not sure what "features" may or may not be there.
  - Active Directory. Yes, you could use a Windows solution. It's fundamentally LDAP, Kerberos, DNS, etc. Note that FreeIPA is an attempt to re-create AD with Open Source components -- whether they state that or not, it's what it is.
  - Samba acting as an AD server

You could also look at using signed SSH keys. There are some articles about some of the hyper-scale sites doing this to address the failure points and scalability problems you get with a centralized directory service. It's on my list to read up on, but I haven't gotten to it yet.

Depending on your scale and needs, you could just keep it really simple and use some automation tool like Ansible, Puppet, Salt, Chef, etc. to add/remove users across all of the machines.

There are lots of options with varying degrees of work. It really depends on your actual requirements and resources (time, etc.) to implement and operate.

Chris
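The "signed SSH keys" option Chris mentions is the OpenSSH certificate mechanism: a central CA signs a user's public key together with an identity, a list of principals and an expiry, and each host only needs the CA's public key plus a principals map, so no directory server has to be reachable at login time. The script below is an added example and is not code from this thread or from the FreeBSD project; the CA name, the user "alice", the principal "wheel-admins", example.org and the scratch paths are all made up for illustration. It only needs ssh-keygen, which FreeBSD ships in base.

```shell
#!/bin/sh
# Added example (not from the thread): issue short-lived OpenSSH user
# certificates from a central CA instead of pushing authorized_keys
# to every host.  All names and paths below are hypothetical.
set -eu

# Scratch directory.  In production the CA private key stays offline
# (or in an HSM) and only $WORK/user_ca.pub is copied to hosts.
WORK=${WORK:-$(mktemp -d)}

# Create the CA keypair once.
make_ca() {
    [ -f "$WORK/user_ca" ] || \
        ssh-keygen -q -t ed25519 -N '' -C 'user-ca@example.org' -f "$WORK/user_ca"
}

# Sign a user's public key.  The key ID shows up in sshd logs, the
# principals are what AuthorizedPrincipalsFile on each host is matched
# against, and the validity window replaces revocation for most cases.
# usage: issue_cert <key-id> <principal,principal,...> <validity> <pubkey>
issue_cert() {
    ssh-keygen -q -s "$WORK/user_ca" -I "$1" -n "$2" -V "$3" "$4"
    # ssh-keygen writes the certificate next to the key as <name>-cert.pub
}

# Read back the principals embedded in a certificate (one line, comma-separated).
cert_principals() {
    ssh-keygen -L -f "$1" \
        | awk '/Principals:/ {p=1; next} /Critical Options:/ {p=0} p {print $1}' \
        | paste -sd, -
}

# Read back the key ID embedded in a certificate.
cert_key_id() {
    ssh-keygen -L -f "$1" | sed -n 's/.*Key ID: "\(.*\)"/\1/p'
}

# End-to-end run: CA setup, a user keypair, an 8-hour certificate.
demo() {
    make_ca
    [ -f "$WORK/alice" ] || \
        ssh-keygen -q -t ed25519 -N '' -C 'alice@laptop' -f "$WORK/alice"
    issue_cert 'alice@example.org' 'alice,wheel-admins' '+8h' "$WORK/alice.pub"
    ssh-keygen -L -f "$WORK/alice-cert.pub"
}

# Host side (same on FreeBSD and Linux), sshd_config:
#   TrustedUserCAKeys /etc/ssh/user_ca.pub
#   AuthorizedPrincipalsFile /etc/ssh/principals/%u
# and e.g. /etc/ssh/principals/root containing the single line
#   wheel-admins
# so that alice's certificate can log in as root on that host without
# her key ever being listed in any authorized_keys file.

# Run the demo only when asked, so the functions can be sourced elsewhere.
case "${1:-}" in
    demo) demo ;;
esac
```

Run it with `sh ssh-ca.sh demo` and inspect the `ssh-keygen -L` output; the "Valid:" line is the only thing a host checks for freshness, so clock sync matters. Note that this covers authentication only: the target account (or an NSS source that provides it) still has to exist on each host, so it complements rather than replaces the common uid/gid database Victor asked about.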