On Fri, Feb 04, Mathias Homann wrote:
On 2022-02-04 12:32, Thorsten Kukuk wrote:
Hi,
I think it's time to retire NIS.
I disagree. NIS still works, and does what it is supposed to.
Some of the features haven't worked for years, and the full client side only works because we actively have to track down changes in core libraries and revert them. That in turn introduces security risks, missing or broken features and maintenance burdens for others. And far more people than the NIS users are impacted by this.
The current code is now over 25 years old, and the protocol already had big drawbacks 25 years ago, which SUN tried to solve with NIS+, but that wasn't really successful.
This leads to the problem that the few NIS users run into more and more problems, since NIS no longer fits together with current network technologies, security requirements and modern technologies in general, like containers and k8s.
I can't really confirm that. I have my network here based around a nis+autofs+nfs setup, and everything including "barebone" containers on several hosts and my K3s are playing along just fine.
I heavily doubt that you use NIS inside the containers or K8S for authentication. I'm pretty sure you only use it for the users on your container host OS. Ever tried to connect a postfix, roundcube or any other container to NIS for user authentication? It will not work without killing your container network. K8S to my knowledge still has no real UDP support, and the socket shortcut for performance reasons will not work in containers. Without these shortcuts, the NIS protocol will open and close many UDP ports very fast...
Additionally, quite a few of the features don't work anymore in most networks or at all, and we had to patch several core libraries so that NIS can still work.
RPC itself, the base service, also has many limitations and was never designed for current network technologies, and is creating more and more problems today. So the increasing work is not because of bugs in the code, but because the technology around it changed incompatibly.
My plan is:
- drop ypserv from Factory
Not without a replacement, please.
- remove our own changes for NIS from the code
- drop ypbind/yp-tools/libnss_nis/... from Factory
And what is going to be the replacement?
A possible replacement has already been there for a long time: LDAP. There are several LDAP daemons available on Tumbleweed, and I use a container for my small home network: https://en.opensuse.org/Portal:Container/Image/openldap https://github.com/thkukuk/containers-mailserver/blob/master/openldap/README... It's really simple to add the few users you need. And it's even much easier to attach a postfix and roundcube container to it for user authentication :) And it's secure. I don't regret taking the little time to learn the LDAP basics and replace NIS at home. It solved many problems.
Will there be something included in Leap/TW that is easy to use? Like, FreeIPA?
Of course, the code will still exist in the network:NIS devel project and continues to stay there, at least as long as it works without major effort. But we will not revert new changes in core libraries only to keep NIS working. And we will of course not patch upstream tools having NIS support, like the dhcp server and clients; you will have to configure this yourself.
So if you are still using NIS, you should think about switching to something more modern and secure, e.g. LDAP.
You mean, run a full-sized IPA server just because I want to hand out a few user IDs and automounter maps?
You don't need an IPA server or anything similarly complex and big as a NIS replacement.
Thorsten
Please provide FreeIPA early enough before dropping NIS.
There are packages in security:idm but I haven't tried them yet.
Cheers
MH
--
Mathias Homann
Mathias.Homann@openSUSE.org
xmpp: lemmy@tuxonline.tech
matrix: @mathias:eregion.de
irc: [Lemmy] on liberachat and ircnet
obs/pmbs: lemmy04
gpg key fingerprint: 8029 2240 F4DD 7776 E7D2 C042 6B8E 029E 13F2 C102
--
Thorsten Kukuk, Distinguished Engineer, Senior Architect
SUSE Software Solutions Germany GmbH, Maxfeldstr. 5, 90409 Nuernberg, Germany
Managing Director: Ivo Totev (HRB 36809, AG Nürnberg)
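As an added example (not code from this thread, from openSUSE or from the openldap container linked above), here is a small converter that turns entries from the NIS passwd and auto.home maps into LDIF for an RFC 2307 posixAccount / autofs-schema LDAP directory, which is the "few users and automounter maps" migration discussed above. The base DN, the ou=People/ou=automount layout and the sample map lines are assumptions.

```python
import base64

# Placeholder base DN; adjust to your directory (assumption, not from the thread).
BASE_DN = "dc=example,dc=org"

def ldif_attr(name, value):
    """Render one attribute line, base64-encoding values RFC 2849 cannot carry
    literally (leading space/colon/'<', non-ASCII, or control characters)."""
    safe = (value.isascii() and value.isprintable()
            and not value.startswith((" ", ":", "<")))
    if safe:
        return f"{name}: {value}"
    return f"{name}:: {base64.b64encode(value.encode()).decode()}"

def passwd_to_ldif(line):
    """Turn one 'ypcat passwd' line into an RFC 2307 posixAccount entry."""
    name, pw_hash, uid, gid, gecos, home, shell = line.rstrip("\n").split(":")
    attrs = [
        ldif_attr("dn", f"uid={name},ou=People,{BASE_DN}"),
        "objectClass: account", "objectClass: posixAccount",
        ldif_attr("uid", name), ldif_attr("cn", gecos.split(",")[0] or name),
        ldif_attr("uidNumber", uid), ldif_attr("gidNumber", gid),
        ldif_attr("homeDirectory", home), ldif_attr("loginShell", shell),
    ]
    if gecos:
        attrs.append(ldif_attr("gecos", gecos))
    # A real crypt(3) hash is carried over as {CRYPT} so the user keeps the
    # password; 'x', '*' and '!' mean shadowed or locked, nothing to migrate.
    if pw_hash and pw_hash not in ("x", "*", "!"):
        attrs.append(f"userPassword: {{CRYPT}}{pw_hash}")
    return "\n".join(attrs) + "\n"

def automount_to_ldif(map_name, line):
    """Turn one 'key [options] location' line of an auto.* map into an
    automount entry below automountMapName=<map_name> (autofs LDAP schema)."""
    key, info = line.strip().split(None, 1)
    dn = f"automountKey={key},automountMapName={map_name},ou=automount,{BASE_DN}"
    return "\n".join([ldif_attr("dn", dn), "objectClass: automount",
                      ldif_attr("automountKey", key),
                      ldif_attr("automountInformation", info)]) + "\n"

# Constructed sample map lines (not real accounts or hosts).
SAMPLE_PASSWD = "alice:$6$saltsalt$abc123:1001:100:Alice Example,,,:/home/alice:/bin/bash\n"
SAMPLE_AUTO_HOME = "alice -fstype=nfs4,rw fileserver:/export/home/alice"

if __name__ == "__main__":
    print(passwd_to_ldif(SAMPLE_PASSWD))
    print(automount_to_ldif("auto.home", SAMPLE_AUTO_HOME))
```

Feed the output to ldapadd against a TLS-protected server; entries whose carried-over hash is a legacy DES crypt should get a password reset after the import.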