Re: [TUHS] YP / NIS / NIS+ / LDAP

[Grant Taylor via TUHS <tuhs@minnie.tuhs.org>]

[-- Attachment #1: Type: text/plain, Size: 2706 bytes --]

On 11/04/2018 08:16 PM, Robert Brockway wrote:
> I used NIS a lot in the 90s and early 2000s.  I think it continues to be 
> underrated.  The main gripe people had was lack of security but if all 
> of the hosts were in the same security domain anyway it wouldn't matter.

I'd like to hear more about the security issues.

Did NIS(+) ever encrypt it's communications?  (I'm not counting things 
like IPsec transport.)

I'm fairly certain that it was possible to enumerate the directory or 
otherwise scrape most (if not all) of it's contents.

> Integrated very well with NFS on Solaris & Linux for me back in the day.

*nod*

I was pleasantly surprised at how well Samba+Winbind integrated with 
things.  Groups and IDs from AD just showed up identical to local 
groups.  We didn't even need to worry about NetGroups.

> NIS+ is awful.  Let us not speak of it again.

Okay.

Can I ask that you enlighten this grasshopper without saying it's name? 
():-)

> I did a lot of LDAP around 2007-2010.  I got quite good at writing 
> filters as we were using for a lot more than juse user auth.

Ya.  The LDAP filters are why I tried to avoid just using LDAP against 
AD.  That and the fact that the Unix passwords were actually a separate 
field that could have different values from what the Windows systems used.

> Most installations I'm seeing today auth to AD, which is of course now 
> supported.

I'm curious what "supported" actually means.  I think there is 
preconfigured LDAP against AD templates, and things like Samba+Winbind. 
But all seem to be less native / seamless than NIS.

> In my experience LDAP is preferred in a pure *nix environment these 
> days. I've never played much with Kerberos.

Does that mean that the authentication is also done across LDAP?  I hope 
that it's encrypted LDAP.

> There is another option that is largely ignored...
> 
> Increasingly *nix systems are managed through orchestration tools like 
> Puppet or Ansible.  One option is to build the user account details from 
> an AD or LDAP backend on the orchestration server and write it out 
> locally on the *nix boxes.  The *nix boxes just auth locally but still 
> gain the benefit of dynamically managed users.  There are advantages and 
> disavantages of this outside the scope of this list.

IMHO that is still local accounts and not centrally manged.  It's just 
automated deployment.  Sort of like the difference of creating a file in 
a directory with the GID bit set vs creating the file and then changing 
the group after the fact.  Similar end result, but totally different 
execution method.



-- 
Grant. . . .
unix || die


[-- Attachment #2: S/MIME Cryptographic Signature --]
[-- Type: application/pkcs7-signature, Size: 3982 bytes --]