From: "Mantas Mikulėnas" <grawity@gmail.com>
To: gtaylor@tnetconsulting.net
Cc: tuhs@minnie.tuhs.org
Subject: Re: [TUHS] YP / NIS / NIS+ / LDAP
Date: Mon, 5 Nov 2018 09:24:24 +0200 [thread overview]
Message-ID: <CAPWNY8WqB0fO=a_sNq5NezO7xh3-c4iO3gyoFUZXk5e7=v179w@mail.gmail.com> (raw)
In-Reply-To: <c710dafc-9edc-cd29-3aeb-dc0fa6badeff@spamtrap.tnetconsulting.net>
On Mon, Nov 5, 2018 at 9:19 AM Grant Taylor via TUHS
<tuhs@minnie.tuhs.org> wrote:
>
> On 11/04/2018 08:16 PM, Robert Brockway wrote:
> > I used NIS a lot in the 90s and early 2000s. I think it continues to be
> > underrated. The main gripe people had was lack of security but if all
> > of the hosts were in the same security domain anyway it wouldn't matter.
>
> I'd like to hear more about the security issues.
>
> Did NIS(+) ever encrypt its communications? (I'm not counting things
> like IPsec transport.)
>
> I'm fairly certain that it was possible to enumerate the directory or
> otherwise scrape most (if not all) of its contents.
There was `ypcat passwd`, wasn't there?
> > I did a lot of LDAP around 2007-2010. I got quite good at writing
> > filters as we were using it for a lot more than just user auth.
>
> Ya. The LDAP filters are why I tried to avoid just using LDAP against
> AD. That and the fact that the Unix passwords were actually a separate
> field that could have different values from what the Windows systems used.
I would say that expecting to just pull password hashes from the
directory service – using it as nothing more than networked
/etc/shadow – is a bad approach to begin with. Let the client handle
authentication via Kerberos (or via whatever else is appropriate for
AD).
> > Most installations I'm seeing today auth to AD, which is of course now
> > supported.
>
> I'm curious what "supported" actually means. I think there is
> preconfigured LDAP against AD templates, and things like Samba+Winbind.
> But all seem to be less native / seamless than NIS.
Could you elaborate on that?
> > In my experience LDAP is preferred in a pure *nix environment these
> > days. I've never played much with Kerberos.
>
> Does that mean that the authentication is also done across LDAP? I hope
> that it's encrypted LDAP.
Standard TLS.
--
Mantas Mikulėnas
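The split Mantas describes, LDAP for identity only and Kerberos for authentication over an encrypted channel, can be seen in two contrasting sssd `[domain/...]` fragments. This is an added illustration, not configuration from the thread or from any project mentioned in it; the hostnames, realm, base DN and certificate path are assumptions.

```ini
# Added example: two sssd domain fragments, weak versus corrected.
# Hostnames, realm, base DN and CA path are placeholders, not thread values.

# --- Weak: LDAP is both identity and authentication backend -----------
# The user's password goes to the server in an LDAP simple bind, and TLS
# enforcement is switched off, so the password crosses the wire in clear.
# The server is effectively a networked /etc/shadow with no transport
# protection and no certificate checking.
[domain/weak]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid
ldap_id_use_start_tls = false
ldap_tls_reqcert = never
ldap_auth_disable_tls_never_use_in_production = true

# --- Corrected: Kerberos authenticates, LDAP (over TLS) only resolves ---
# The password never touches the LDAP channel: the client obtains a TGT
# from the KDC and binds to LDAP with GSSAPI using the host keytab.
# ldaps:// plus ldap_tls_reqcert = demand pins the directory's certificate
# to the named CA; krb5_validate guards against a spoofed KDC by checking
# the TGT against the host key.
[domain/corrected]
id_provider = ldap
auth_provider = krb5
ldap_uri = ldaps://ldap.example.invalid
ldap_search_base = dc=example,dc=invalid
ldap_tls_reqcert = demand
ldap_tls_cacert = /etc/ssl/certs/example-ca.pem
ldap_sasl_mech = GSSAPI
ldap_sasl_authid = host/client.example.invalid@EXAMPLE.INVALID
ldap_krb5_keytab = /etc/krb5.keytab
krb5_realm = EXAMPLE.INVALID
krb5_server = kdc.example.invalid
krb5_validate = true
```

Only one of the two sections would be listed under `domains =` in the `[sssd]` section of a real file; they are shown side by side to make the difference visible.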