From: Da Rock
To: freebsd-questions@freebsd.org
Date: Sun, 14 Dec 2008 15:15:54 +1000
Subject: Re: Centralized DB of "system" users
In-Reply-To: <20081213090822.GA97581@lpthe.jussieu.fr>

On Sat, 2008-12-13 at 10:08 +0100, Michel Talon wrote:
> Lowell Gilbert wrote:
> > NIS, which stands for Network Information Services, was developed
> > by Sun Microsystems to centralize administration of UNIX
> > (originally SunOS) systems. It has now essentially become an
> > industry standard; all major UNIX like systems (Solaris, HP-UX,
> > AIX(R), Linux, NetBSD, OpenBSD, FreeBSD, etc) support NIS.
>
> I work in a mostly Linux shop managed by NIS. However my machines
> are under FreeBSD and I have no problem getting the NIS info. The only
> gotcha is that, under Linux you have 2 files for passwds, /etc/passwd
> and /etc/shadow, while under FreeBSD you have just one,
> /etc/master.passwd. So you need to run NIS in compatibility mode on the
> Linux server, so that passwd and shadow are "concatenated". Securitywise
> it is the same since in any case the shadow information flows on the
> wire, ready to be captured by a scanner.
>
> The main problem with NIS, in my opinion, is that, when the NIS
> server(s) are down (it always occurs once or twice a year here), all the
> clients are completely frozen immediately, so if you want high
> availability, better copy the passwd files on each client directly and
> not use a network server like that. Our previous sysadm had written a
> couple of replication scripts which worked very well this way. The
> present one reverted to NIS with this small inconvenience.
>
> Replication requires that you only modify passwd files on the server,
> like with NIS, and then, as soon as a modification is detected, files
> are propagated on all clients. This is extremely easy to achieve, and
> *much* more efficient, networkwise, than using a thing like NIS or LDAP,
> where each client is constantly polling the server to get information
> about home directories, tilde expansions, etc.

Wouldn't Kerberos be a better alternative? One server (maybe a replicated backup), and all services authenticate with that. Saves shadow on the wire...
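The passwd/shadow "concatenation" Michel describes, as an added example that is not from this thread: a small Python converter that merges Linux passwd(5) and shadow(5) records into FreeBSD master.passwd(5) lines, run on constructed sample accounts with placeholder hashes. The merged form is what a FreeBSD client receives from an NIS compat-mode server, so every password hash is present in the data that crosses the wire.

```python
# Constructed sample input (not real accounts); the hash is a placeholder.
PASSWD = """root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
svc:x:1002:1002:Service account:/var/empty:/usr/sbin/nologin
"""

SHADOW = """root:!:14000:0:99999:7:::
alice:$6$saltsalt$constructedhashvalue:14200:0:90:7::14600:
"""

DAY = 86400  # shadow(5) counts days since the epoch; master.passwd uses seconds


def parse_colon_file(text):
    """Map the first field (user name) to the full field list of each line."""
    rows = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            fields = line.split(":")
            rows[fields[0]] = fields
    return rows


def merge_to_master_passwd(passwd_text, shadow_text):
    """Return FreeBSD master.passwd(5) lines, one per passwd entry:
    name:password:uid:gid:class:change:expire:gecos:home:shell"""
    shadow = parse_colon_file(shadow_text)
    out = []
    for name, p in parse_colon_file(passwd_text).items():
        if len(p) != 7:
            raise ValueError("malformed passwd entry for %s" % name)
        _, _, uid, gid, gecos, home, shell = p
        s = shadow.get(name)
        if s is None or len(s) < 8:
            # No usable shadow entry: lock the account rather than
            # emit an empty (passwordless) field.
            pw, change, expire = "*", "0", "0"
        else:
            pw = s[1]
            lastchg = int(s[2] or 0)
            maxdays = int(s[4] or 0)
            # Password-change deadline only if the account actually ages.
            ages = lastchg and 0 < maxdays < 99999
            change = str((lastchg + maxdays) * DAY) if ages else "0"
            expire = str(int(s[7]) * DAY) if s[7] else "0"
        # The login class field is left empty; Linux has no counterpart.
        out.append(":".join([name, pw, uid, gid, "", change, expire, gecos, home, shell]))
    return out


if __name__ == "__main__":
    for line in merge_to_master_passwd(PASSWD, SHADOW):
        print(line)
```

Installing such output on a FreeBSD host still requires pwd_mkdb(8) to rebuild the password databases from it.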