[TUHS] YP / NIS / NIS+ / LDAP
gtaylor at tnetconsulting.net
Mon Nov 5 16:08:58 AEST 2018
On 11/04/2018 08:16 PM, Robert Brockway wrote:
> I used NIS a lot in the 90s and early 2000s. I think it continues to be
> underrated. The main gripe people had was lack of security but if all
> of the hosts were in the same security domain anyway it wouldn't matter.
I'd like to hear more about the security issues.
Did NIS(+) ever encrypt it's communications? (I'm not counting things
like IPsec transport.)
I'm fairly certain that it was possible to enumerate the directory or
otherwise scrape most (if not all) of it's contents.
> Integrated very well with NFS on Solaris & Linux for me back in the day.
I was pleasantly surprised at how well Samba+Winbind integrated with
things. Groups and IDs from AD just showed up identical to local
groups. We didn't even need to worry about NetGroups.
> NIS+ is awful. Let us not speak of it again.
Can I ask that you enlighten this grasshopper without saying it's name?
> I did a lot of LDAP around 2007-2010. I got quite good at writing
> filters as we were using for a lot more than juse user auth.
Ya. The LDAP filters are why I tried to avoid just using LDAP against
AD. That and the fact that the Unix passwords were actually a separate
field that could have different values from what the Windows systems used.
> Most installations I'm seeing today auth to AD, which is of course now
I'm curious what "supported" actually means. I think there is
preconfigured LDAP against AD templates, and things like Samba+Winbind.
But all seem to be less native / seamless than NIS.
> In my experience LDAP is preferred in a pure *nix environment these
> days. I've never played much with Kerberos.
Does that mean that the authentication is also done across LDAP? I hope
that it's encrypted LDAP.
> There is another option that is largely ignored...
> Increasingly *nix systems are managed through orchestration tools like
> Puppet or Ansible. One option is to build the user account details from
> an AD or LDAP backend on the orchestration server and write it out
> locally on the *nix boxes. The *nix boxes just auth locally but still
> gain the benefit of dynamically managed users. There are advantages and
> disavantages of this outside the scope of this list.
IMHO that is still local accounts and not centrally manged. It's just
automated deployment. Sort of like the difference of creating a file in
a directory with the GID bit set vs creating the file and then changing
the group after the fact. Similar end result, but totally different
Grant. . . .
unix || die
-------------- next part --------------
A non-text attachment was scrubbed...
Size: 3982 bytes
Desc: S/MIME Cryptographic Signature
More information about the TUHS