On 11/05/2018 12:24 AM, Mantas Mikulėnas wrote:
> There was `ypcat passwd`, wasn't there?

I suppose. I don't have any first hand experience with NIS(+). So I'm trying to learn vicariously through others before I dive into any end of pool that is my lab network.

> I would say that expecting to just pull password hashes from the directory
> service – using it as nothing more than networked /etc/shadow – is
> a bad approach to begin with. Let the client handle authentication via
> Kerberos (or via whatever else is appropriate for AD).

I think I naively thought there was some level of detail(s) sent between the client and the server such that the server would only return the pertinent information of the user being ypcated. Thus (hopefully) preventing seeing other people's shadow information.

> Could you elaborate on that?

I thought that I'd seen equipment that /only/ used LDAP but had templates for the query to sidle up to AD's LDAP and things just worked. I.e. you filled in enough details so that the template could construct the proper LDAP query. This obviously is not joined to an AD domain and is really just an LDAP client. (No Kerberos.)

--
Grant. . . .
unix || die