nis security

Guy Van Sanden n.b at myrealbox.com
Fri Sep 12 02:35:19 PDT 2003


On Tue, 2003-09-09 at 02:15, Tillman Hodgson wrote:
> On Mon, Sep 08, 2003 at 07:02:06PM -0500, Bruce Pea wrote:

<snip>

> > > I'm a bit biased, however: I use NIS with Kerberos and think it's the
> > > cat's pajamas :-)
> > 
> > 
> > Hey Tilman,
> 
> s/l/ll/ :-)
> 
> > This sounds exactly like what we are looking for. Can you point us to any 
> > docs explaining how you do this??
> 
> The rough instructions are fairly simple:
> 
> * Set up Kerberos and ensure you have a working realm
> * Set up NIS, but set all the passwd fields to something that doesn't
>   map to a real password (I like 'krb5', others like '*')
> 
> That's about it. It works because authentication in a Kerberized world
> doesn't check the password field in the NIS maps anyway (or the
> /etc/master.passwd file for that matter). Your non-Kerberos apps will
> break for users that aren't local, but I consider the incentive to
> replace them a benefit :-)

Do you have some links to websites or so that you used to set this up?
I'm very interested in this setup, with the added complication that the
clients are Linux (and Windows using SAMBA), yet the server is FreeBSD
(5.0).

Thanks!

> 
> You can get fancy and make a nice little Makefile to do all kinds of
> maintenance tasks for you (I'm just about finished tying in Mailman into
> the central auth for the rospa.ca domain). You can try some of the
> neater features of NIS (netgroups, etc) or fiddle with the config of
> Kerberos (I like longer ticket lifetimes), but the basic "get it
> working" stuff isn't complicated.



> 
> -T
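
Added example, not part of the original thread: a shell check that passwd-format records (an NIS passwd map or the file it is built from) carry only placeholder password fields, as the quoted instructions describe. The function name audit_nis_passwd, the sample records and the choice of 'krb5' and '*' as the only accepted placeholders are assumptions made for this example.

```shell
#!/bin/sh
# Added example: flag passwd-format records whose password field is not a
# placeholder. Assumption: only 'krb5' and '*' (the values named in the
# thread) count as placeholders; audit_nis_passwd is a hypothetical helper.

audit_nis_passwd() {
    # Reads passwd(5)-style lines on stdin (7 or more colon-separated
    # fields, password in field 2), prints "user: reason" per finding,
    # and returns 1 if anything was flagged, 0 otherwise.
    awk -F: '
        BEGIN { bad = 0 }
        /^[ \t]*#/ || /^[ \t]*$/ { next }   # skip comments and blank lines
        NF < 7 {
            printf "%s: malformed record (%d fields)\n", $1, NF
            bad = 1; next
        }
        $2 == "krb5" || $2 == "*" { next }  # placeholder: nothing to expose
        $2 == "" {
            printf "%s: empty password field\n", $1
            bad = 1; next
        }
        {
            # Anything else may be a real password hash published in the map.
            printf "%s: non-placeholder password field\n", $1
            bad = 1
        }
        END { exit bad }
    '
}

# Constructed sample records; the hash-like value is made up for the example.
sample_map() {
    cat <<'EOF'
alice:krb5:1001:1001:Alice Example:/home/alice:/bin/sh
bob:*:1002:1002:Bob Example:/home/bob:/bin/sh
carol:$1$constructed$notarealhashvalue000000:1003:1003:Carol Example:/home/carol:/bin/sh
dave::1004:1004:Dave Example:/home/dave:/bin/sh
EOF
}

# On a bound NIS client: ypcat passwd | audit_nis_passwd
# The map's source file can be fed to the function on stdin the same way.
if [ "${1:-}" = "--demo" ]; then
    sample_map | audit_nis_passwd
fi
```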


