On 11/05/2018 12:24 AM, Mantas Mikulėnas wrote:
There was `ypcat passwd`, wasn't there?
I suppose. I don't have any first-hand experience with NIS(+). So I'm
trying to learn vicariously through others before I dive into any end of
the pool that is my lab network.
I would say that expecting to just pull password hashes from the
directory service – using it as nothing more than networked /etc/shadow –
is a bad approach to begin with. Let the client handle authentication via
Kerberos (or via whatever else is appropriate for AD).
I think I naively thought there was some level of detail(s) sent between
the client and the server such that the server would only return the
pertinent information of the user being ypcated. Thus (hopefully)
preventing seeing other people's shadow information.
Could you elaborate on that?
I thought that I'd seen equipment that /only/ used LDAP but had
templates for the query to sidle up to AD's LDAP and things just worked.
I.e. you filled in enough details so that the template could construct
the proper LDAP query.
This obviously is not joined to an AD domain and is really just an LDAP
client. (No Kerberos.)
--
Grant. . . .
unix || die