From: Guy Van Sanden
To: Tillman Hodgson
cc: freebsd-questions@freebsd.org
Subject: Re: nis security
Date: Fri, 12 Sep 2003 11:35:16 +0200
Message-Id: <1063359316.2838.18.camel@cronos.home.vsb>

On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:
> > > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > > cat's pajamas :-)
> > >
> >
> > Hey Tilman,
>
> s/l/ll/ :-)
>
> > This sounds exactly like what we are looking for. Can you point us to any
> > docs explaining how you do this??
>
> The rough instructions are fairly simple:
>
> * Set up Kerberos and ensure you have a working realm
> * Set up NIS, but set all the passwd fields to something that doesn't
>   map to a real password (I like 'krb5', others like '*')
>
> That's about it. It works because authentication in a Kerberized world
> doesn't check the password field in the NIS maps anyway (or the
> /etc/master.passwd file for that matter). Your non-Kerberos apps will
> break for users that aren't local, but I consider the incentive to
> replace them a benefit :-)

Do you have some links to websites or so that you used to set this up?
I'm very interested in this setup, with the added complication that the
clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
(5.0).

Thanks!

>
> You can get fancy and make a nice little Makefile to do all kinds of
> maintenance tasks for you (I'm just about finished tying in Mailman into
> the central auth for the rospa.ca domain). You can try some of the
> neater features of NIS (netgroups, etc) or fiddle with the config of
> Kerberos (I like longer ticket lifetimes), but the basic "get it
> working" stuff isn't complicated.
>
> -T
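
The second step of the quoted instructions can be checked mechanically. The following is an added example, not part of the original message or code posted by anyone in the thread: it reads passwd(5) or master.passwd(5) format lines and flags every entry whose password field is not one of the placeholders mentioned above ('krb5' or '*'). The function names, the `PLACEHOLDERS` variable and the sample entries are assumptions constructed for illustration.

```sh
#!/bin/sh
# Added example: audit passwd-format map lines for password fields that are
# not a placeholder. Field 2 is the password field in both the 7-field
# passwd(5) layout and the 10-field master.passwd(5) layout.
#
# Typical use (as a comment only, nothing runs at load time):
#   ypcat passwd | audit_nis_passwd
#   audit_nis_passwd < /path/to/nis/source/master.passwd

# audit_nis_passwd: reads map lines on stdin and prints "login<TAB>reason"
# for each entry that violates the policy. The password field itself is
# never printed, so the report does not leak hashes.
# Returns 0 if every entry is clean, 1 otherwise.
# PLACEHOLDERS (space separated, hypothetical knob) defaults to the two
# values named in the thread.
audit_nis_passwd() {
    awk -F: -v allowed="${PLACEHOLDERS:-krb5 *}" '
        BEGIN {
            n = split(allowed, a, " ")
            for (i = 1; i <= n; i++) ok[a[i]] = 1
        }
        /^[ \t]*(#|$)/ { next }    # skip comments and blank lines
        NF < 7 {
            printf "%s\tmalformed entry (%d fields)\n", $1, NF
            bad = 1; next
        }
        $2 == "" {
            printf "%s\tempty password field\n", $1
            bad = 1; next
        }
        !($2 in ok) {
            printf "%s\tpassword field is not a placeholder\n", $1
            bad = 1
        }
        END { exit bad + 0 }
    '
}

# sample_map: constructed master.passwd-style entries (not real accounts).
sample_map() {
cat <<'EOF'
# constructed sample data
alice:krb5:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$1$constructed$notarealhashvalue000000:1003:1003::0:0:Carol:/home/carol:/bin/sh
dave::1004:1004::0:0:Dave:/home/dave:/bin/sh
EOF
}
```

Running `sample_map | audit_nis_passwd` reports the `carol` and `dave` entries and exits non-zero, which makes the function usable as a gate before the maps are rebuilt.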