RE: [s-x86] synchronizing UID and GID across several Solaris boxes - NIS+?
NIS can be made more secure if you use the ypservers files and the
passwd.adjunct map. The ypservers file controls which hosts can connect by
IP address and the passwd.adjunct file stops any process from a port >1024
from opening the password map. Whilst neither of these will buy you a lot
of protection they can buy you some. You might also be able to do something
much better by using Wietse Venema's secure version of rpcbind to control
who connects to NIS.

All-in-all LDAP is probably the way forward, it is in Solaris 8, it is the
core of Active Directory, you can get support for Solaris 6 & 7 via public
domain PAM modules, so if you have to get to grips with a naming service I
would spend the time on LDAP, IMHO you'll have to do it in the future
anyway....
-----Original Message-----
From: Larry Beaulieu [mailto:beaulieu@xxxxxxxx]
Sent: Tuesday, October 03, 2000 1:04 AM
To: Justin Kuntz
Cc: solarisonintel@xxxxxxxxxxx
Subject: Re: [s-x86] synchronizing UID and GID across several Solaris boxes - NIS+?
> What are the methods by which the UID/GIDs can be synchronized across
> several Solaris boxes? Does your recommendation change if I also need to
> integrate Linux and AIX boxes into the UID/GID fold? Ideally I would also
> like authentication (centralized passwords). Security is not a huge
> priority vs. ease of configuration and ease of use. However, I'd also like
> to know the scope of what the more secure solutions involve. I would
> prefer to stick with a freely available tool if possible.
>
> My understanding currently is that for Solaris-only networks, NIS+ is the
> way to go. But it seems like this is being replaced by LDAP in the
> market... any comments on this assumption? How can I go about getting NIS+
> servers and clients set up -- is all the necessary software included in the
> Solaris for Intel v8 Free Binary License program?
Given the size of the environment you mention I would
consider NIS instead of NIS+; it also has the advantage
of allowing you to use a heterogeneous configuration of
master and slaves. This is not a secure application;
anyone sniffing packets can snag the contents of the
password file you're propagating and there are other
potential security risks with the necessary daemons.

For a smaller environment you could use rdist or scp to
propagate the password and shadow files; scp has fewer
security risks. Unlike NIS, neither scp nor rdist has
a built-in capability to accept and automagically propagate
password information back to the master host.
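Whichever mechanism ends up pushing passwd and group data around (NIS maps, rdist, or scp), the first thing worth doing is confirming that the UID/GID scheme on the existing boxes is actually consistent, because a sync that silently changes the numeric owner of files is worse than no sync at all. The following checker is an added example and is not code from this thread or from any Solaris or NIS tool; the host names and the passwd/group snapshots in it are constructed for illustration. It parses passwd(4)/group(4) style lines (both keep the numeric id in the third field, and NIS `+`/`-` entries are skipped) and reports two kinds of conflict: the same name mapped to different ids on different hosts, and the same id mapped to different names.

```python
# Added example (not from the mailing-list thread): find UID/GID
# inconsistencies across several hosts before propagating passwd/group.
# All host names and file contents below are constructed sample data.

from collections import defaultdict

# Constructed passwd(4) snapshots from three hypothetical hosts.
HOST_PASSWD = {
    "sol8a": (
        "root:x:0:0:Super-User:/:/sbin/sh\n"
        "larry:x:1001:100:Larry:/export/home/larry:/bin/ksh\n"
        "justin:x:1002:100:Justin:/export/home/justin:/bin/ksh\n"
    ),
    "sol7b": (
        "root:x:0:0:Super-User:/:/sbin/sh\n"
        "larry:x:1001:100:Larry:/export/home/larry:/bin/ksh\n"
        "backup:x:1002:100:Backup:/export/backup:/bin/sh\n"
    ),
    "linux1": (
        "root:x:0:0:root:/root:/bin/bash\n"
        "+::::::\n"  # NIS marker line, ignored by the parser
        "justin:x:1003:100:Justin:/home/justin:/bin/bash\n"
    ),
}

# Constructed group(4) snapshots: GID 100 is 'staff' on Solaris, 'users' on Linux.
HOST_GROUP = {
    "sol8a": "root::0:root\nstaff::100:larry,justin\n",
    "sol7b": "root::0:root\nstaff::100:larry\n",
    "linux1": "root:x:0:\nusers:x:100:justin\n",
}


def parse_ids(text):
    """Return {name: numeric id} from passwd(4) or group(4) style text.

    Both formats carry the numeric id in the third colon-separated field.
    Blank lines, comments and NIS '+'/'-' compatibility entries are skipped,
    as are malformed lines with fewer than three fields.
    """
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#+-":
            continue
        fields = line.split(":")
        if len(fields) < 3 or not fields[2].isdigit():
            continue
        entries[fields[0]] = int(fields[2])
    return entries


def find_conflicts(host_files):
    """Compare {host: file text} across hosts.

    Returns (name_conflicts, id_conflicts):
      name_conflicts: names that map to different ids on different hosts
      id_conflicts:   ids that map to different names on different hosts
    Either kind breaks file ownership once the files are synchronized.
    """
    ids_by_name = defaultdict(dict)   # name -> {host: id}
    names_by_id = defaultdict(dict)   # id   -> {host: name}
    for host, text in host_files.items():
        for name, num in parse_ids(text).items():
            ids_by_name[name][host] = num
            names_by_id[num][host] = name
    name_conflicts = sorted(n for n, m in ids_by_name.items() if len(set(m.values())) > 1)
    id_conflicts = sorted(i for i, m in names_by_id.items() if len(set(m.values())) > 1)
    return name_conflicts, id_conflicts


def report(label, host_files):
    """Human-readable summary for one file type ('UID' or 'GID')."""
    names, ids = find_conflicts(host_files)
    lines = [f"{label} check: {len(names)} name conflict(s), {len(ids)} id conflict(s)"]
    lines += [f"  name {n!r} has different {label}s across hosts" for n in names]
    lines += [f"  {label} {i} belongs to different names across hosts" for i in ids]
    return "\n".join(lines)


if __name__ == "__main__":
    print(report("UID", HOST_PASSWD))
    print(report("GID", HOST_GROUP))
```

On real systems the snapshots would come from `/etc/passwd` and `/etc/group` pulled from each host (or from `ypcat passwd` / `ypcat group` against an existing NIS domain); only the name and id fields are used, so the shadow file never needs to leave its host for this check.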