On Mon, 2005-07-18 at 01:08 -0500, Les Mikesell wrote:
> This sounds promising. Is there some way to transition gracefully?
> The AD is being added as a new domain with users moving over
> piecemeal. At the moment it doesn't have most of the users I
> would need but it should soon.

You can always set up NIS users in SFU that don't exist on the ADS side yet, then later link them to ADS users as they are created.

> I think long ago I avoided NIS because it had a reputation for
> security issues.

So does Windows. Microsoft has this marketing paper that compares "ideal" ADS (which is _never_ implemented for compatibility) to "1980s" NIS. It's not even remotely accurate (including the facts on password hashes).

If you enable null sessions and NTLM (which is basically what you need _prior_ to 100% Windows Server 2003 with 100% Windows XP Pro clients), then it is _worse_ than most NIS as implemented today. Plus you can avoid many security issues by deploying Kerberos as your authentication.

I've actually been doing a presentation at my local UNIX User's Group on all the "false security" Microsoft has in its solutions. I'm currently covering the SAM tie-in with NTFS, and why Windows domains really exist (so NTFS doesn't self-destruct without a SAM, long story ;-).

> And I played with an earlier version of SFU and wasn't impressed. The
> current version may be OK.

SFU is less-than-ideal. A much better solution is to have a real UNIX/Linux network architecture. But SFU 3.x does the job, especially when your enterprise IT doesn't know anything but ADS, and forces everyone to comply.

> OK, if it can make CVS logins automatically track the Windows passwords,

Yepper! ;-> Anything that needs a UNIX login will work. And you can limit per-system access with Netgroups.

> that gives me a reason to use it. The group of people needing CVS
> access is still growing - and soon those people will already have
> AD accounts.

I think everyone here was only trying to help you avoid extra work. The small, initial work will go a long way as you have to add users.

Remember, NIS was merely designed over 2 decades ago to distribute local UNIX files to all systems in its domain. In reality, old NT 4.0 domains aren't much different (distribute the SAM and a few other things to all systems in its domain).

--
Bryan J. Smith b.j.smith@xxxxxxxx
---------------------------------------------------------------------
It is mathematically impossible for someone who makes more than you
to be anything but richer than you. Any tax rate that penalizes them
will also penalize you similarly (to those below you, and then below
them). Linear algebra, let alone differential calculus or even
elementary concepts of limits, is mutually exclusive with US
journalism. So forget even attempting to explain how tax cuts work. ;->