Re: Sparc Solaris NIS client Linux NIS server



Nico Kadel-Garcia wrote:
> "Chris Cox" <ccox_nopenotthis@xxxxxxxxxxx> wrote in message
> news:11ps8mre0vnscca@xxxxxxxxxxxxxxxxxxxxx
>
>>If the number of accounts is small (not in the 10,000's) then
>>managing users with NIS is much simpler than with .. let's say...
>>LDAP. If you have an existing Windows infrastructure, it's
>>fairly trivial to auto create NIS users based on Windows
>>account data and tie the password back to the Windows
>>password server (which may bother Unix purists... but does
>>work.. and if you've got the ugly animal there anyway...
>>might as well use it).
>
> Bullwinkle, that trick *NEVER* works. The NIS stored password information is
> very distinct from the password management used for Windows or even Samba.
> LDAP works much, much better for providing single-source authentication.

Whatever. I do this at multi-million dollar companies for a living.

LDAP is a generic framework... the password field that's there
is for clear text only. Sure people jam hashes into it... but
that's a whole other story.

Ultimately, I use NIS much like LDAP. It holds account
data. Authentication is a different piece that can be
handled in a plethora of ways. I'm just pointing out that
if you've got the dreaded Windows beastie on the network,
might as well use it for the auth piece.

>
>>I've used the technique at a plastics production facility
>>with good success. You just add users to the Windows domain
>>(pretty much assumes a single Windows domain) and then
>>they automatically get NIS accounts when they log into
>>Windows the first time... just that the NIS DES
>>encrypted password is nuked (untypable) and the boxes
>>do their auth NTLM style to the Windows password
>>server. Or.. even better, don't use NTLM at all and
>>just load an SSH key which comes off a shared drive
>>in NFS/Samba space (home dirs) at Windows login time and tell them
>>to PuTTY into the client hosts... then they don't
>>have to use a password once they've logged into
>>the Windows client.
>
> Making SSH keys network accessible is..... asking for trouble. It's almost
> as bad as putting a post-it note on your keyboard with your password on it.

Sigh.... You aren't easily satisfied, are you? It's as
secure as LDAP... is that ok now?

The point is that you have to assume some things always. Having
a computer in a location where more than one person can
get to it is EQUALLY as insecure... true?

Post-it notes :) You remind me of our security team.
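
Added example, not part of the original post: the setup described in the thread depends on every NIS password field being "nuked (untypable)", and a passwd map is readable by any client that can query it, so this sketch audits passwd-format text for entries that still carry a usable or empty password field. The sample entries are constructed, and the set of lock markers is an assumption to adjust per site.

```python
import re

# Traditional DES crypt(3): exactly 13 characters from the ./0-9A-Za-z alphabet.
DES_CRYPT = re.compile(r"^[./0-9A-Za-z]{13}$")
# Markers commonly used for "no usable password" (assumption; adjust per site).
LOCKED = {"x", "NP"}

def classify(field):
    """Classify the password field of one passwd-map entry."""
    if field == "":
        return "empty"                      # logs in with no password at all
    if field in LOCKED or field.startswith(("*", "!")):
        return "locked"                     # cannot be produced by crypt(3)
    if DES_CRYPT.match(field):
        return "des-crypt"                  # old 13-character hash still present
    if field.startswith("$"):
        return "modular-hash"               # $id$salt$hash style
    return "unknown"

def audit(passwd_text):
    """Map each user name in passwd-format text to a classification."""
    findings = {}
    for line in passwd_text.splitlines():
        line = line.strip()
        # Skip blanks, comments and +/- compat entries.
        if not line or line.startswith(("#", "+", "-")):
            continue
        parts = line.split(":")
        findings[parts[0]] = classify(parts[1]) if len(parts) >= 7 else "malformed"
    return findings

def needs_attention(findings):
    """Users whose map entry is anything other than a locked field."""
    return sorted(user for user, kind in findings.items() if kind != "locked")

# Constructed sample in passwd(5) format; the hash strings are made up.
SAMPLE = """\
alice:*:1001:100:Alice:/home/alice:/bin/sh
bob:ab3kF9zQ1xY2w:1002:100:Bob:/home/bob:/bin/sh
carol::1003:100:Carol:/home/carol:/bin/sh
dave:$1$abcdefgh$0123456789abcdefghijkl:1004:100:Dave:/home/dave:/bin/sh
erin:*LK*:1005:100:Erin:/home/erin:/bin/sh
+::::::
"""

if __name__ == "__main__":
    for user in needs_attention(audit(SAMPLE)):
        print(user, audit(SAMPLE)[user])
```

On a live system the input would be the output of `ypcat passwd` rather than the embedded sample.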

