On Jun 11, 2009, at 5:00 PM, Gordon JC Pearce wrote:
On Thu, 2009-06-11 at 11:39 -0500, Daniel Seagraves wrote:
The next line is the important one. All my users and passwords come
via the network. Root's mail gets sent to another account on another
machine. The installer wants me to make a LOCAL user to sudo and etc
but I want to use my REMOTE for that. For that I do the initial setup
as root and then disable it. If I do things Debian's way I have to set
up root and user passwords, log in as the user, sudo to set up the
machine, make my remote user able to sudo, redirect root's mail, then
remove the local user and hunt through the entire system looking for
anywhere that username may have been referenced and remove it. (or
leave the local user there as a time bomb to come back and kill me
later WHEN (not IF) someone hacks it)
If you're rolling out *that* many boxes that use some sort of common
auth system, you might be better creating a suitably tweaked installer.
That way you have a common image that you push to the box, maybe even
netbooting it, and you don't have to worry about footering around with
the config after - you can even include the packages you want that
aren't installed by default.
We don't install new machines that often, nor do I have a lot of them.
The central auth system is so I don't have to explain to my end users
how to change their passwords on every server on the network. My
environment has a group of Linux servers providing service to a set of
Windows desktops. (In reality however, I am most likely giving up my
password expiration policy. The users are complaining to the owner
about having to change their password every 60 days, and the owner has
told me if they continue to complain the policy will be abolished. The
burden is on me to abolish the policy myself instead of having him
force it. That makes it look like I "realized the legitimacy of the
user need" instead of simply being forced to give up.)
This issue is new as of the very latest Debian installer. Previously I
was able to elect not to add a local user by cancelling out of the
"create a local user" part of the installer and then going back
through. The second time I would be asked if I wanted to do that. This
option has been removed.
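
The cleanup step quoted earlier in this thread (hunting for anywhere the installer-created local username is still referenced) can be scripted. The following is an added example, not part of the original messages; the function name `find_user_refs`, the account name `installer` and the list of locations checked are assumptions, and the list is not exhaustive.

```shell
#!/bin/sh
# Added example: report where a leftover local account is still referenced.
# Usage: find_user_refs USER [ROOT]
# ROOT defaults to / ; pointing it at a mounted image or test tree also works.
find_user_refs() {
    user=$1
    root=${2:-/}
    root=${root%/}

    # Account databases: the login name is the first colon-separated field.
    for db in passwd shadow; do
        f="$root/etc/$db"
        [ -r "$f" ] && awk -F: -v u="$user" -v f="$f" \
            '$1 == u { print f ": account entry" }' "$f"
    done

    # Group databases: a group of the same name, or membership (field 4).
    for db in group gshadow; do
        f="$root/etc/$db"
        [ -r "$f" ] && awk -F: -v u="$user" -v f="$f" '
            $1 == u { print f ": group entry" }
            { n = split($4, m, ",")
              for (i = 1; i <= n; i++) if (m[i] == u) print f ": member of " $1 }' "$f"
    done

    # sudo rules and mail aliases: name as a whole word, comment lines skipped.
    for f in "$root/etc/sudoers" "$root"/etc/sudoers.d/* "$root/etc/aliases"; do
        [ -f "$f" ] && [ -r "$f" ] || continue
        grep -v '^[[:space:]]*#' "$f" | grep -qwF -- "$user" &&
            echo "$f: mentions $user"
    done

    # Per-user state keyed by the login name: home, mail spool, crontab.
    for p in "$root/home/$user" "$root/var/mail/$user" \
             "$root/var/spool/cron/crontabs/$user"; do
        [ -e "$p" ] && echo "$p: per-user file or directory"
    done
    return 0
}
```

Run it as root so `/etc/shadow` and the sudoers files are readable. Once the account has been deleted, files still owned by its old UID can be listed with `find / -xdev -nouser`.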