Red Hat LINUX VIRTUAL SERVER 4.6 - ADMINISTRATION Manuale di Installazione Scaricare il pdf (Pagina 257)

Chapter 13. Miscellaneous tasks 237

13.10.1 Recommendations for centralizing home directories

In December of 2009, the topic of how to set up a common home directory came up on the

linux-390 list server. The following post by Patrick Spinler is copied, with permission, as it

may be helpful to you:

“NFSv3 is not known for it's security. Consider the use of the NFS option root_squash, along

with limiting the list of hosts who can connect to your home share. Only export home

directories to hosts which you control, remember that anyone who has root on their box (e.g.

a developer workstation) can impersonate any user to NFS. Here's the relevant /etc/exports

line we use:

/export/unixdata/homedirs \

@hgrp_autohome_admin(rw,no_root_squash,insecure,sync) \

@hgrp_autohome_hosts(rw,root_squash,insecure,sync)

I look forward to going to NFSv4 with kerberos authentication, but we're not there yet.

Regarding automount maps in LDAP, this works very well for us with one exception. The

problem is that there's a significant number of automount map schemas out there, and

different OS's (and different revisions of OS's) use different ones. As we are a fairly

heterogeneous environment, I found it near impossible to keep a master map in LDAP. Right

now we're just keeping a /etc/auto.master or /etc/auto_master on each host.

In order to make the individual map entries work heterogeneously, I had to add several object

classes and a few redundant attributes to each entry. Here's what my home directory

automount map entry looks like:

# ap00375, auto_home, unix.example.com

dn: automountKey=ap00375,automountMapName=auto_home,dc=unix,dc=example,dc=com

automountInformation: linux01.example.com:/vol/vol2/unixhomes-5gb/75/ap00375

cn: ap00375

automountKey: ap00375

objectClass: automount

objectClass: nisNetId

objectClass: top

Regarding heterogeneous clients, we found AIX in particular to be the hardest of our clients to

configure, and Linux the easiest. Insure on AIX that you have the latest available LDAP client

package from IBM. Also be aware that AIX wants to use it's extended LDAP schema rather

than RFC2307, and wants full write access to the LDAP servers from every AIX client.

Despite that, it will work with RFC2307 and read only access. Solaris, like Linux, has an

option to not use an LDAP proxy account at all via anonymous binding, but I never got Solaris

anonymous binding to work.

I recommend making LDAP use TLS or SSL on the wire, in order to keep clear-text

passwords from flying about. Both AIX and Solaris require the server public SSL certificates

to be loaded on every client to do LDAP over TLS or SSL. Linux can be configured to ignore

authenticating the LDAP servers' certificates and proceed with TLS/SSL anyway - this is

convenient, but does open the possibility of man in the middle attacks. In our environment this

isn't a big deal, but it might be in yours.

1 2 ... 252 253 254 255 256 257 258 259 260 261 262 ... 295 296

Commenti su questo manuale

Nessun commento

Red Hat LINUX VIRTUAL SERVER 4.6 - ADMINISTRATION Manuale di Installazione Pagina 257

Commenti su questo manuale

Prodotti e manuali riguardandi Software di system management Red Hat LINUX VIRTUAL SERVER 4.6 - ADMINISTRATION