Centralized DB of "system" users

Matthew Seaman m.seaman at infracaninophile.co.uk
Sat Dec 13 13:46:18 PST 2008


Nguyen Tam Chinh wrote:
> On Fri, Dec 12, 2008 at 9:47 PM, Ivan Voras <ivoras at freebsd.org> wrote:
>> Valentin Bud wrote:

>>> If you only have UNIX systems in LAN. But in my case I have Linux + FreeBSD
>>> (server). From the handbook
>>> NIS only works between FBSDs. Am I missing something?
>> You are correct.
>>
> 
> Hmm, I have NIS server on an old Solaris 8 and all clients are Linux
> (I can't use FBSD at work due so far). So it sounds strange if NIS
> works only between FBSDs, something not standard in the
> implementation?
> Anyway, I also vote for the LDAP. Later on when you need to introduce
> new services, LDAP will integrate better. NIS is very specific for
> *nix world.
> 

The problem with NIS between Linux and FreeBSD is the format of the
password database.  FreeBSD uses /etc/master.passwd -- which contains
everything that's in the standard /etc/passwd file and adds the password
hashes and several extra columns to do with password expiry and login
groups.

Linux, and other SysV-alike systems like Solaris, have /etc/passwd -- same
as on FreeBSD -- and /etc/shadow: a separate file with password hashes and
various controls for password expiry.  The formats of /etc/master.passwd
and /etc/shadow are incompatible, although (assuming the password hashes
are compatible) it should be a fairly small matter of programming to write
scripts to convert between the two.

In the case where you have a FreeBSD NIS server and Linux clients, it is
perfectly feasible to have the FreeBSD box serve a Linux-style /etc/shadow
database via NIS.  This means users can log in on Linux machines, and I
think it's also not too difficult to make changing passwords over NIS work
(although ICBW), but the client users will not automatically be able to log
into the central (FreeBSD) NIS server.  Some might view this as a /feature/.

Of course, as has been pointed out else-thread, LDAP is the way of the 
future.  It's much more scalable and interoperable between different OSes
than NIS, provides huge amounts of extra functionality and it supports
things like geographically distributed sites all sharing the same password
database but with local users managed from local servers.  (LDAP is a
hierarchical database much like the DNS.  As with the DNS, sub-domains in
the LDAP tree can be delegated off to different servers.  Although that's
pretty advanced usage). Even a basic setup does require a much steeper
learning curve to get it going from scratch than most of the alternatives.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
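As an added example (not part of Matthew's post), here is a Python 3 script for the conversion he describes: it splits each master.passwd(5) record into a passwd(5) line and a shadow(5) line, and refuses hash types glibc's crypt(3) cannot verify, since an incompatible hash copied over verbatim simply locks the account out on the Linux side. The mapping of the FreeBSD `change`/`expire` fields onto shadow's day-based fields, and the sample records, are my assumptions.

```python
"""Rewrite FreeBSD master.passwd(5) records as Linux passwd(5) + shadow(5) lines.

master.passwd: name:hash:uid:gid:class:change:expire:gecos:home:shell
passwd:        name:x:uid:gid:gecos:home:shell
shadow:        name:hash:lastchg:min:max:warn:inactive:expire:reserved
'change'/'expire' are epoch seconds (0 = unset); shadow counts days since epoch.
"""
SECS_PER_DAY = 86400
# Hash prefixes glibc crypt(3) verifies. Anything else (e.g. $2a$ Blowfish) would
# be copied verbatim and silently lock the account on the Linux side.
PORTABLE_PREFIXES = ("$1$", "$5$", "$6$")

def hash_is_portable(pwhash):
    """True if glibc can verify the hash, or if it is a lock marker ('*', '!', empty)."""
    return pwhash in ("", "*", "!") or pwhash.startswith(PORTABLE_PREFIXES)

def convert_line(line, today_days):
    """Return (passwd_line, shadow_line) for one master.passwd record.
    today_days (days since epoch) is passed in so the output is reproducible."""
    fields = line.rstrip("\n").split(":")
    if len(fields) != 10:
        raise ValueError("not a master.passwd record: %r" % line)
    name, pwhash, uid, gid, _cls, change, expire, gecos, home, shell = fields
    if not hash_is_portable(pwhash):
        raise ValueError("%s: hash type %r is not portable" % (name, pwhash[:4]))
    passwd_line = ":".join([name, "x", uid, gid, gecos, home, shell])
    # 'change' is an absolute deadline (assumed mapping): express it as lastchg + max
    # age, or force a change at next login (lastchg=0) when the deadline has passed.
    lastchg, max_age = str(today_days), ""
    if change not in ("", "0"):
        deadline = int(change) // SECS_PER_DAY
        if deadline <= today_days:
            lastchg = "0"
        else:
            max_age = str(deadline - today_days)
    exp_days = "" if expire in ("", "0") else str(int(expire) // SECS_PER_DAY)
    shadow_line = ":".join([name, pwhash, lastchg, "", max_age, "", "", exp_days, ""])
    return passwd_line, shadow_line

def convert(master_text, today_days):
    """Convert a whole master.passwd body (comments and blank lines skipped)."""
    passwd, shadow = [], []
    for line in master_text.splitlines():
        if line and not line.startswith("#"):
            p, s = convert_line(line, today_days)
            passwd.append(p)
            shadow.append(s)
    return passwd, shadow
```

The shadow output carries the hashes and must be written root-owned with mode 0600, exactly like /etc/shadow itself; the passwd output can be world-readable as usual.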
