| 1 | +nsscache |
| 2 | +======== |
| 3 | + |
| 4 | +The nsscache binary provides an interface to NetAuth that generates |
| 5 | +files suitable for consumption by |
| 6 | +[libnss-cache](https://github.com/google/libnss-cache). This is the |
| 7 | +canonical way to pull network accounts to UNIX derived systems and |
| 8 | +will insulate against NSS failures due to transient network |
| 9 | +partitions. |
| 10 | + |
| 11 | +This binary must be run as root since it will need to write files as |
| 12 | +root and set permissions such that only root can read. Fortunately |
| 13 | +the amount of code in this program is minimal. |
| 14 | + |
| 15 | +Running the binary as root will do the right thing, assuming that you |
| 16 | +have your certificate located at `/etc/netauth.cert` and your |
| 17 | +configuration file at `/etc/netauth.toml`. |
| 18 | + |
| 19 | +Important options from the help output: |
| 20 | + |
| 21 | +``` |
| 22 | + -group-file string |
| 23 | +Group cache to write to (default "/etc/group.cache") |
| 24 | + -homedir string |
| 25 | +Home directory to provide if none is available from NetAuth (default "/tmp/{UID}") |
| 26 | + -indirects |
| 27 | +Include indirect relationships in the group map (default true) |
| 28 | + -min-gid int |
| 29 | +Minimum GID number to accept (default 2000) |
| 30 | + -min-uid int |
| 31 | +Minimum UID number to accept (default 2000) |
| 32 | + -passwd-file string |
| 33 | +Passwd cache to write to (default "/etc/passwd.cache") |
| 34 | + -shadow-file string |
| 35 | +Shadow cache to write to (default "/etc/shadow.cache") |
| 36 | + -shell string |
| 37 | +Default shell to use if none is provided in the directory (default "/bin/nologin") |
| 38 | +``` |
| 39 | + |
| 40 | +Of these, the following are important to understand: |
| 41 | + |
| 42 | + * `--homedir`: The home directory to provide in the passwd map. |
| 43 | + This will perform a string substitution on the string `{UID}` |
| 44 | + which maps to the NetAuth concept of an entity ID. This can be |
| 45 | + useful for specifying where to mount the home directory into. |
| 46 | + * `--shell`: If the shell is not provided by the directory, or if |
| 47 | + the shell provided by the directory does not exist on this system, |
| 48 | + this shell will be provided to the passwd map instead. Choose |
| 49 | + carefully between default security and user friendliness here. |
| 50 | + The secure option is the default, the friendly one is usually |
| 51 | + /bin/bash. |
| 52 | + * `--indirects`: Include indirect memberships in the group map. For |
| 53 | + systems of highly secure nature, you may wish to disable this and |
| 54 | + only include groups that an entity is directly a member of. |
| 55 | + * `--min-gid` and `--min-uid`: These values control the minimum |
| 56 | + numeric group ID and user ID values to map. Values below these |
| 57 | + are dropped from the maps. The defaults should generally be safe, |
| 58 | + but ensure that you don't inadvertently cause a collision with |
| 59 | + local users and groups. |
| 60 | + * `--passwd-file`, `--group-file`, and `--shadow-file`: These files |
| 61 | + point to non default locations for the map files. In general you |
| 62 | + should not modify these unless you have a good reason to do so. |
| 63 | + |
| 64 | +nsscache provides single shot updates to the files. You must run |
| 65 | +nsscache on some sort of job controller if you want to update and pick |
| 66 | +up new values. Choose the update frequency that is right for you. A |
| 67 | +good default choice if you have no idea what to set here is 15 |
| 68 | +minutes. This will be slightly annoying to users that have just been |
| 69 | +created in the system, but won't otherwise hammer the NetAuth server. |
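Review bot: the sentence "set permissions such that only root can read" (in the paragraph beginning "This binary must be run as root") is wrong for two of the three files it writes: libnss-cache reads `/etc/passwd.cache` and `/etc/group.cache` from inside every unprivileged process that does an NSS lookup, so those must stay world-readable exactly like `/etc/passwd` and `/etc/group`; only `/etc/shadow.cache` should be root-only (0600, or 0640 with the shadow group). Suggest stating the intended mode per file, and, since the closing paragraph tells readers to run this every 15 minutes from a job controller, also saying whether each cache is written to a temporary file and renamed into place, so a lookup can never observe a half-written map. Smaller points: the help output lists `-homedir`, `-shell`, `-indirects` while the explanation uses `--homedir`, `--shell`, `--indirects`; Go's flag package accepts both, but the doc should match its own help text. The `-homedir` default of `/tmp/{UID}` needs a caveat: `/tmp` is world-writable, so any local user can pre-create another entity's home directory before that entity first logs in; a root-owned parent such as `/home/{UID}` or an automount path would be a safer example, and the text should say that `{UID}` expands to the NetAuth entity ID (the login name) rather than the numeric uid, since "UID" is currently used for both. Finally, `/bin/nologin` rarely exists on Linux (it is `/sbin/nologin` or `/usr/sbin/nologin`); a missing shell still blocks interactive login, but the default will not be what `-shell` is documented to fall back to.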