Re: NIS or NIS + setup

From: Nico Kadel-Garcia (nkadel@bellatlantic.net)
Date: 01/10/03


From: "Nico Kadel-Garcia" <nkadel@bellatlantic.net>
Date: Fri, 10 Jan 2003 07:10:08 GMT


"Chris Cox" <ccox_nopenotthis@airmail.net> wrote in message
news:413FCADDE080BAE6.46A16F699C362ABD.6C119970466EEB0F@lp.airnews.net...
> Nico Kadel-Garcia wrote:
> > "sandra" <sandra@ccuec.unicamp.br> wrote in message
> > news:3E1C60D3.601E72A9@ccuec.unicamp.br...
> >
> >>Hi ALL,
> >>
> >> I wonder if NIS+ development on Linux is really stopped. And if
> >>someone out there has any clue to give me about another software
> >>that could substitute NIS/NIS+ function.
> >> Thanks a lot.
> >
> >
> > Only if we're lucky: NIS has had a lot of issues for a long time, and
> > they've never gotten better, only more complicated.
>
> You need to be more specific. My guess is that you are referring
> to weaknesses in the security. NIS isn't great, NIS+ isn't great
> either (but makes you think it is). There are some automounter
> limitations with Linux, but in general, nothing you just have
> to have. NFS (not NIS) performance still needs some improvement,
> but it does seem to function reasonably.

NIS=No Internal Security
NFS=No Fucking Security

In particular, NFS in most configurations allows the user to become root
locally, then su to become the other user and gain access to that user's
files.

NIS has horrid issues with poor implementations and subtle incompatibilities
between systems breaking things at awkward moments. (Linux, Tru64, SunOS and
Solaris [ which really were distinct operating systems due to the large
differences in fundamental packages between them]: cross-platform has been
fun, and convincing stodgy old-timers to use the more flexible and
compatible Linux servers was non-trivial)

> > LDAP is your friend.
> >
> >
>
> Lack of management interfaces and numerous interoperability issues
> make cross platform LDAP a bit difficult currently, but we all
> believe that will get better with time. I haven't seen too
> many cross platform signon systems using LDAP that weren't
> difficult to set up and maintain.

As opposed to maintaining the cross-platform support for NIS or NFS to our
dreaded Windows colleagues, or getting group. And I genuinely challenge you
to name a good management interface for NIS.

> If you want to include Windows 2000 (and the Windows clients),
> I'd have Windows 2000 manage the users and use samba
> and pam_smb for authentication (together with NIS on Linux).

I've proposed it and done test cases. Unfortunately, getting some
proprietary Windoze compatible tools to deal with Samba as a PDC was
non-trivial. *Japanese* Windoze was a deal breaker, bloody Unicode based
login tools with proprietary keyboard interfaces that *LIE* about what
they're sending.....

> This will work across Solaris, HPUX, Linux and AIX (Note: AIX
> 4 requires a special modified pam_smb that works with its pluggable
> authentication framework). This way accounts only have
> to be created/destroyed under Windows (the NIS ones will
> only operate if there is a valid user under the Windows
> domain). Note: I'm not talking about using winbindd.
>
> I'd also avoid cross posting to so many newsgroups .. hint.

I was following up. Feel free to reset Followup-To....