From: Victor Sudakov <vas@sibptus.ru>
To: freebsd-questions@freebsd.org
Subject: Re: Centralized user/group/whatever management
Date: Sat, 14 Mar 2020 12:55:41 +0700
Message-ID: <20200314055541.GF27346@admin.sibptus.ru>
In-Reply-To: <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>
References: <20200313091923.GA98495@admin.sibptus.ru> <2F4CA1FD-FB90-4B2E-A2C3-9C009A67A5EE@theory14.net>

Chris Gordon wrote:
> 
> > On Mar 13, 2020, at 5:19 AM, Victor Sudakov wrote:
> > 
> > Dear Colleagues,
> > 
> > Do you think there exists a modern solution for centralized user/group/...
> > management compatible with FreeBSD and Linux?
> > 
> > I have experience using NIS on FreeBSD for many years, but NIS is really very
> > dated, not very secure, depends on the NIS servers being reachable all the
> > time, depends on Sun RPC (portmapper, dynamic ports) and has other
> > drawbacks. I know this from experience.
> > 
> > Are there any modern solutions for FreeBSD hosts to have at least a common
> > user/userid/group/groupid database, or maybe even more centralized goodies?
> > 
> > I've been told that Linux has FreeIPA, but I think it's not fully
> > compatible with FreeBSD, and besides security/sssd wants so many
> > dependencies (even MIT Kerberos as if FreeBSD's built-in Kerberos is not
> > good enough).
> > 
> > Any success stories?
> 
> LDAP and Kerberos are common solutions for this. There are many ways you
> could do this, both or just one of them depending on your specific needs.
> You could:
> - Set up servers yourself. For instance setting up OpenLDAP
> - Use some "pre-integrated" solutions:
>   - FreeIPA. Underneath, this is just LDAP, Kerberos, DNS, etc. You don't
>     have to use SSSD to use FreeIPA as an auth source. Not sure what
>     "features" may or may not be there.
>   - Active Directory. Yes, you could use a Windows solution. It's
>     fundamentally LDAP, Kerberos, DNS, etc. Note that FreeIPA is an attempt
>     to re-create AD with Open Source components -- whether they state that
>     or not, it's what it is.
>   - Samba acting as an AD server

There is one missing link which was never mentioned in the thread. What's the
bridge between the nsswitch framework (or some other replacement of getpwent(),
getgrent() and friends) and all those LDAP solutions mentioned above?

Kerberos is fine of course, when we have a user already. I use FreeBSD's
built-in Heimdal a lot for SSH access, SVN access (duh!) and some other
things.

> You could also look at using signed SSH keys. There are some articles
> about some of the hyper scale sites doing this to address the failure
> points and scalability problems you get with a centralized directory
> service. It's on my list to read up on, but I haven't gotten to it
> yet.

I did not quite understand how you can use SSH keys to create/delete users
and manage group memberships. Could you elaborate or give a link?
> Depending on your scale and needs, you could just keep it really
> simple and use some automation tool like Ansible, Puppet, Salt, Chef,
> etc to add/remove users across all of the machines.

The closest thing to what I want is ansible's "user" and "group" modules.
I'll certainly consider them if I don't find a solution with a truly
centralized user database with instantaneous lookups, like a modern
incarnation of NIS.

The major drawbacks with the "configuration push" approach have been
enumerated in my mail to Daniel Feenberg. Even though ansible can
parallelize its jobs, the drawbacks still apply.

> 
> There are lots of options with varying degrees of work. It really
> depends on your actual requirements and resources (time, etc) to
> implement and operate.

I was of course interested in modern best practices and personal success
stories rather than in "you can implement this or that thing I've read
about." If any person who replied in this thread is using a centralized
user database, please share what *you* *particularly* use and why.

I've already shared mine: I use NIS (yp*) but want to migrate from it, for
the reasons I stated in the first mail.

-- 
Victor Sudakov, VAS4-RIPE, VAS47-RIPN
2:5005/49@fidonet http://vas.tomsk.ru/
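Editor's note on the "missing link" raised in the message above: on FreeBSD the bridge between nsswitch and an LDAP directory is an NSS module, typically net/nss-pam-ldapd (nslcd) or the older net/nss_ldap, which makes `ldap` a valid source in /etc/nsswitch.conf (`passwd: files ldap`, `group: files ldap`). The Python below is an added example, not code from this thread or from either of those projects. It shows the work such a module does: parsing RFC 2307 posixAccount/posixGroup entries, turning them into the passwd(5)/group(5) records that getpwnam()/getgrnam() hand back, and honouring the nsswitch source order. Every directory entry, the local passwd line, and the rogue `uid=root` record are constructed for the example; the login-name regex is a deliberately conservative assumption, not the check any real module uses.

```python
"""Added example (not from the thread): the work an NSS LDAP module does.
Maps RFC 2307 posixAccount/posixGroup entries to passwd(5)/group(5) records
and emulates the nsswitch.conf source order.  All sample data is constructed."""
import re
from typing import Dict, List, Optional, Sequence, Tuple

Entry = Dict[str, List[str]]
# Conservative login-name check (an assumption): rejects ':' and whitespace.
LOGIN_RE = re.compile(r"^[a-z_][a-z0-9_-]{0,31}$")

# Constructed directory content.  'broken' lacks homeDirectory; the final
# uid=root entry is a hypothetical rogue record trying to shadow local root.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 10001
gidNumber: 10001
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/sh

dn: uid=broken,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: broken
uidNumber: 10002
gidNumber: 10001

dn: cn=staff,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 10001
memberUid: alice
memberUid: bad:name

dn: uid=root,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: root
uidNumber: 0
gidNumber: 0
homeDirectory: /root
loginShell: /bin/sh
"""
# Constructed /etc/passwd excerpt: the 'files' nsswitch source.
LOCAL_FILES = {"root": "root:*:0:0:Charlie &:/root:/bin/sh"}


def parse_ldif(text: str) -> List[Entry]:
    """Minimal LDIF reader: blank-line separated entries, 'attr: value' lines,
    folded continuation lines; attribute names lower-cased (LDAP ignores case).
    Base64 ('::') values are out of scope for this example."""
    entries: List[Entry] = []
    cur: Entry = {}
    prev: Optional[str] = None
    for line in text.splitlines() + [""]:
        if not line:
            if cur:
                entries.append(cur)
            cur, prev = {}, None
        elif line[0] == " " and prev:
            cur[prev][-1] += line[1:]
        elif line[0] != "#":
            attr, _, value = line.partition(":")
            prev = attr.strip().lower()
            cur.setdefault(prev, []).append(value.strip())
    return entries


def to_passwd(e: Entry) -> Optional[str]:
    """posixAccount -> passwd(5) line; None if the entry is unusable (missing
    attribute, non-numeric id, unsafe login name), so the module skips it."""
    try:
        name, home = e["uid"][0], e["homedirectory"][0]
        uid, gid = int(e["uidnumber"][0]), int(e["gidnumber"][0])
    except (KeyError, ValueError):
        return None
    if not LOGIN_RE.match(name):
        return None
    gecos = e.get("gecos", e.get("cn", [name]))[0]
    shell = e.get("loginshell", ["/bin/sh"])[0]
    # '*' in the password field: NSS supplies identity only; authentication is
    # PAM's job (pam_ldap, pam_krb5) and is never derived from this record.
    return f"{name}:*:{uid}:{gid}:{gecos}:{home}:{shell}"


def to_group(e: Entry) -> Optional[str]:
    """posixGroup -> group(5) line; members with unsafe names are dropped."""
    try:
        name, gid = e["cn"][0], int(e["gidnumber"][0])
    except (KeyError, ValueError):
        return None
    if not LOGIN_RE.match(name):
        return None
    members = [m for m in e.get("memberuid", []) if LOGIN_RE.match(m)]
    return f"{name}:*:{gid}:{','.join(members)}"


def ldap_maps(ldif: str) -> Tuple[Dict[str, str], Dict[str, str]]:
    """Name-keyed passwd and group maps, i.e. the 'ldap' nsswitch source."""
    passwd: Dict[str, str] = {}
    group: Dict[str, str] = {}
    for e in parse_ldif(ldif):
        classes = {c.lower() for c in e.get("objectclass", [])}
        if "posixaccount" in classes and (line := to_passwd(e)):
            passwd.setdefault(line.split(":")[0], line)
        if "posixgroup" in classes and (line := to_group(e)):
            group.setdefault(line.split(":")[0], line)
    return passwd, group


def getpwnam(name: str, sources: Dict[str, Dict[str, str]],
             order: Sequence[str] = ("files", "ldap")) -> Optional[str]:
    """Emulate nsswitch: consult sources in the configured order, first hit wins."""
    for src in order:
        if (hit := sources.get(src, {}).get(name)) is not None:
            return hit
    return None


def demo() -> Dict[str, Optional[str]]:
    """Resolve a few names the way 'passwd: files ldap' (and the reverse) would."""
    ldap_pw, ldap_gr = ldap_maps(SAMPLE_LDIF)
    src = {"files": LOCAL_FILES, "ldap": ldap_pw}
    return {
        "alice": getpwnam("alice", src),
        "broken": getpwnam("broken", src),             # skipped: no homeDirectory
        "staff": ldap_gr.get("staff"),                  # 'bad:name' member dropped
        "root (files ldap)": getpwnam("root", src),     # local root wins
        "root (ldap files)": getpwnam("root", src, ("ldap", "files")),  # rogue wins
    }
```

The last two entries of demo() are the practical caveat: with `files` listed before `ldap` a directory entry named root cannot redefine the local superuser, while the reverse order lets anyone with write access to the directory do exactly that. Keep `files` first, and remember that this layer only answers "who is uid 10001"; whether that person may log in is decided by PAM (pam_ldap or pam_krb5 with the Heimdal mentioned above), not by the NSS record.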