On 11/04/2018 08:16 PM, Robert Brockway wrote:
> I used NIS a lot in the 90s and early 2000s. I think it continues to be
> underrated. The main gripe people had was lack of security but if all
> of the hosts were in the same security domain anyway it wouldn't matter.

I'd like to hear more about the security issues.

Did NIS(+) ever encrypt its communications? (I'm not counting things
like IPsec transport.)

I'm fairly certain that it was possible to enumerate the directory or
otherwise scrape most (if not all) of its contents.

> Integrated very well with NFS on Solaris & Linux for me back in the day.

*nod*

I was pleasantly surprised at how well Samba+Winbind integrated with
things. Groups and IDs from AD just showed up identical to local
groups. We didn't even need to worry about NetGroups.

> NIS+ is awful. Let us not speak of it again.

Okay.

Can I ask that you enlighten this grasshopper without saying its name?
():-)

> I did a lot of LDAP around 2007-2010. I got quite good at writing
> filters as we were using it for a lot more than just user auth.

Ya. The LDAP filters are why I tried to avoid just using LDAP against
AD. That and the fact that the Unix passwords were actually a separate
field that could have different values from what the Windows systems used.

> Most installations I'm seeing today auth to AD, which is of course now
> supported.

I'm curious what "supported" actually means. I think there are
preconfigured LDAP-against-AD templates, and things like Samba+Winbind.
But all seem to be less native / seamless than NIS.

> In my experience LDAP is preferred in a pure *nix environment these
> days. I've never played much with Kerberos.

Does that mean that the authentication is also done across LDAP? I hope
that it's encrypted LDAP.

> There is another option that is largely ignored...
>
> Increasingly *nix systems are managed through orchestration tools like
> Puppet or Ansible. One option is to build the user account details from
> an AD or LDAP backend on the orchestration server and write it out
> locally on the *nix boxes. The *nix boxes just auth locally but still
> gain the benefit of dynamically managed users. There are advantages and
> disadvantages of this outside the scope of this list.

IMHO that is still local accounts and not centrally managed. It's just
automated deployment. Sort of like the difference between creating a file in
a directory with the GID bit set and creating the file and then changing
the group after the fact. Similar end result, but totally different
execution method.
--
Grant. . . .
unix || die