Hi all, I'm a new (soon to be) netapp owner. Gets set up Friday. We are mostly a Sun shop, and run NIS+ in full security mode for our user authentication and related naming services. Recently we've been getting Linux boxes and have been happy to find a package that lets them play in an NIS+ world. Now we are getting a Netapp 3020 filer. Should be a big step up for us in terms of storage capability :) But the netapp does not work fully with NIS+. So, we have restarted our NIS+ servers in NIS compatibility mode (the -Y flag). NIS clients can now see our user, group, netgroup, and hosts tables. But because we created our NIS+ tables without the compatibility flag, NIS clients cannot see the passwords (even hashed) of users, i.e. ypmatch username passwd returns something like

    username:*NP*:100:100:a user:/home/username:/usr/bin/bash

Is this going to be a problem? I can't see why the netapp filer would have to know anything about a user's password. It seems all it would need is uid, guid, and requesting host name (and assume that the user was properly authenticated on the host making the NFS request). Maybe I'm missing something. If need be I can figure out how to give "nobody" read access to the passwd table, which seems required for full NIS compatibility, but I'd rather not have to do that if not necessary!
What are others doing for user authentication? It seems NIS+ is going the way of the dodo bird (but slowly I hope). Does the netapp play nicely with LDAP? I know it is supported but I've heard conflicting information about how well it works. What are people out there having good success with?
Thanks David
I had trouble with LDAP on Solaris, even using Sun's LDAP server. Frankly, it kinda sucked about a year ago when I tried it. I'm using NIS+ as well (must be just me and you) and I'm using the netapp and linux clients in -Y compatibility mode.
--- David Knight knight@atmos.albany.edu wrote:
Hi all, I'm a new (soon to be) netapp owner. Gets set up Friday. We are mostly a Sun shop, and run NIS+ in full security mode for our user authentication and related naming services. Recently we've been getting Linux boxes and have been happy to find a package that lets them play in an NIS+ world. Now we are getting a Netapp 3020 filer. Should be a big step up for us in terms of storage capability :) But the netapp does not work fully with NIS+. So, we have restarted our NIS+ servers in NIS compatibility mode (the -Y flag). NIS clients can now see our user, group, netgroup, and hosts tables. But because we created our NIS+ tables without the compatibility flag, NIS clients cannot see the passwords (even hashed) of users, i.e. ypmatch username passwd returns something like

    username:*NP*:100:100:a user:/home/username:/usr/bin/bash

Is this going to be a problem? I can't see why the netapp filer would have to know anything about a user's password. It seems all it would need is uid, guid, and requesting host name (and assume that the user was properly authenticated on the host making the NFS request). Maybe I'm missing something. If need be I can figure out how to give "nobody" read access to the passwd table, which seems required for full NIS compatibility, but I'd rather not have to do that if not necessary!
What are others doing for user authentication? It seems NIS+ is going the way of the dodo bird (but slowly I hope). Does the netapp play nicely with LDAP? I know it is supported but I've heard conflicting information about how well it works. What are people out there having good success with?
Thanks David
We are using NIS+ also, but in compatibility mode, with all clients being able to see passwords to satisfy some legacy requirements. I don't see any reason that the netapp should need to see password fields. It mostly takes advantage of uid/username, gid/groupname, group membership and netgroup membership for access and quota purposes. I think it should work out for you, but if it doesn't, you have some fallback mechanisms such as dumping NIS data to files on the filer, or scripting replication to a separate authentication server that the filer might support better (NIS, LDAP etc).
On Mon, Dec 05, 2005 at 06:33:04PM -0800, Jerry wrote:
I had trouble with LDAP on Solaris, even using Sun's LDAP server. Frankly, it kinda sucked about a year ago when I tried it. I'm using NIS+ as well (must be just me and you) and I'm using the netapp and linux clients in -Y compatibility mode.
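Added example, not part of the original thread or written by any of its participants: a shell sketch that audits passwd-format map output (such as `ypcat passwd` produces) for entries whose password field is visible to NIS clients, and masks that field before the data is dumped to files as suggested in the last reply. The sample map, the function names and the list of placeholder values treated as "hidden" are assumptions made for the illustration.

```shell
#!/bin/sh
# Constructed sample in passwd(4) format; these are not real accounts.
SAMPLE_MAP='alice:*NP*:100:100:a user:/home/alice:/usr/bin/bash
bob:aaQ1constructedhash:101:100:b user:/home/bob:/usr/bin/bash
carol::102:100:c user:/home/carol:/usr/bin/bash
broken:line'

# classify_passwd: read passwd lines on stdin, print "name status".
#   hidden    = placeholder such as *NP*, x, * or a locked (!, *LK*) entry
#   exposed   = anything else, i.e. a value that clients can read
#   empty     = blank password field (worth investigating)
#   malformed = not seven colon-separated fields
classify_passwd() {
    awk -F: '
        NF != 7   { print $1, "malformed"; next }
        $2 == ""  { print $1, "empty"; next }
        $2 == "*NP*" || $2 == "x" || $2 == "*" ||
        substr($2, 1, 1) == "!" || index($2, "*LK*") == 1 {
                    print $1, "hidden"; next }
                  { print $1, "exposed" }
    '
}

# count_exposed: number of entries whose password field is readable.
count_exposed() {
    classify_passwd | awk '$2 == "exposed" { n++ } END { print n + 0 }'
}

# mask_passwd: rewrite every well-formed entry with *NP* in the password
# field, keeping name, uid, gid, gecos, home and shell; malformed lines
# are dropped rather than copied.
mask_passwd() {
    awk -F: -v OFS=: 'NF == 7 { $2 = "*NP*"; print }'
}

# Offline demonstration on the constructed sample. On a live NIS client
# the input would come from: ypcat passwd
printf '%s\n' "$SAMPLE_MAP" | classify_passwd
printf '%s\n' "$SAMPLE_MAP" | mask_passwd
```

A non-zero result from `count_exposed` means the compatibility-mode servers are handing password fields to any NIS client that asks.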