Centralized DB of "system" users

Da Rock rock_on_the_web at comcen.com.au
Sun Dec 14 02:01:31 PST 2008

On Sat, 2008-12-13 at 10:08 +0100, Michel Talon wrote:
> Lowell Gilbert wrote:
>    NIS, which stands for Network Information Services, was developed
>    by Sun Microsystems to centralize administration of UNIX
>    (originally SunOS) systems. It has now essentially become an
>    industry standard; all major UNIX like systems (Solaris, HP-UX,
>    AIX(R), Linux, NetBSD, OpenBSD, FreeBSD, etc) support NIS.
> I work in a mostly Linux shop managed by NIS. However my machines
> are under FreeBSD and I have no problem getting the NIS info. The only
> gotcha is that, under Linux you have 2 files for passwds, /etc/passwd
> and /etc/shadow, while under FreeBSD you have just one,
> /etc/master.passwd. So you need to run NIS in compatibility mode on the
> Linux server, so that passwd and shadow are "concatenated". Securitywise
> it is the same since in any case the shadow information flows on the
> wire, ready to be captured by a scanner.
> The main problem with NIS, in my opinion, is that, when the NIS
> server(s) are down (it always occurs once or twice a year here), all the
> clients are completely frozen immediately, so if you want high
> availability, better copy the passwd files on each client directly and
> not use a network server like that. Our previous sysadm had written a
> couple of replication scripts which worked very well this way. The
> present one reverted to NIS with this small inconvenience.
> Replication requires that you only modify passwd files on the server,
> like with NIS, and then, as soon as a modification is detected, files
> are propagated to all clients. This is extremely easy to achieve, and
> *much* more efficient, networkwise, than using a thing like NIS or LDAP,
> where each client is constantly polling the server to get information
> about home directories, tilde expansions, etc.

Wouldn't Kerberos be a better alternative? One server (maybe a
replicated backup), and all services authenticate with that. Saves
shadow on the wire...
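
The replication approach described in the quoted message, seen from the client side, as an added example that is not part of the thread and not the scripts mentioned there: a pushed copy is validated, compared with the current file, and swapped in atomically with mode 0600. The function names, result codes and sample accounts are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: client-side install of a pushed master.passwd copy.
# Results: 0 = installed, 1 = unchanged, 2 = rejected (current file kept).

# Accept only files whose entries have the 10 colon-separated master.passwd
# fields with numeric uid/gid, and that contain a root entry with uid 0.
validate_master_passwd() {
    awk -F: '
        /^#/ || /^$/ { next }
        NF != 10 || $1 == "" || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ { bad = 1 }
        $1 == "root" && $3 == "0" { root = 1 }
        END { if (bad || !root) exit 1 }
    ' "$1"
}

# install_if_changed NEW CURRENT (hypothetical helper name)
install_if_changed() {
    new=$1; cur=$2
    validate_master_passwd "$new" || return 2
    # Identical content: nothing to do, no database rebuild needed.
    if [ -f "$cur" ] && cmp -s "$new" "$cur"; then return 1; fi
    # Stage next to the target (mktemp creates it mode 0600, as the file
    # holds password hashes), then rename so readers never see a partial file.
    tmp=$(mktemp "$cur.XXXXXX") || return 2
    cat "$new" > "$tmp" && mv -f "$tmp" "$cur" || { rm -f "$tmp"; return 2; }
    # On a FreeBSD client the staged file would go through pwd_mkdb(8)
    # rather than a plain mv, so the password databases are rebuilt.
    return 0
}

# Print the result code instead of returning it (safe under `set -e`).
push_result() { rc=0; install_if_changed "$@" || rc=$?; echo "$rc"; }

# Constructed sample entries, not real accounts or hashes.
sample_master_passwd() {
    printf '%s\n' \
        'root:*:0:0::0:0:Charlie &:/root:/bin/sh' \
        'alice:$6$constructed$hash:1001:1001::0:0:Alice:/home/alice:/bin/sh'
}

# Demo in a scratch directory: new file, same file again, malformed file.
d=$(mktemp -d)
sample_master_passwd > "$d/new"
echo "first push:     $(push_result "$d/new" "$d/master.passwd")"
echo "repeated push:  $(push_result "$d/new" "$d/master.passwd")"
echo 'root:*:0:0:truncated' > "$d/new"
echo "malformed push: $(push_result "$d/new" "$d/master.passwd")"
rm -rf "$d"
```

Rejecting a truncated or root-less file on the client keeps a failed or tampered transfer from locking every account out, which is the availability concern the quoted message raises about NIS.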
