NIS+ or Kerberos Server

Regular Advisor

NIS+ or Kerberos Server

Hi all:

We are adding more and more HPUX machines to our network and would like a way to centralize UID & GID and login authentication. Having to create a new logon on 40 different boxes is beginning to be a pain and very time consuming. Throwing this open to people's experiences to find a direction forward.
8 REPLIES
Outstanding Contributor

Re: NIS+ or Kerberos Server

An observation from the KISS (Keep It Simple, Stupid) school of thought:

We originally managed exactly this sort of scenario by copying the passwd file from one server to all the rest. Then we had a brainstorm and decided to give NIS a try. It worked but it was a major pain in the butt. We now copy the password file from one server to all the rest. We use a script that has a simple for loop like this:
#!/bin/sh
# Push one file (here /etc/passwd) to every host tagged "#unixhost" in /etc/hosts.
FILENAME=${FILENAME:-/etc/passwd}
HOST=`hostname`
# Tagged lines are assumed to look like: 10.0.0.5 hpux05 #unixhost#hpux05
# (the name to push to is the third '#'-separated field)
HOSTLIST=`grep "#unixhost" /etc/hosts | awk -F# '{ print $3 }'`
for SERVER in $HOSTLIST
do
    if [ "$SERVER" != "$HOST" ]
    then
        echo "$SERVER"
        rcp -p "$FILENAME" "$SERVER:$FILENAME"
    fi
done

Of course, this requires that your servers be set up in /etc/hosts.equiv and that's an issue if you're security conscious (I guess that makes us security unconscious, huh?)

Anyway, for what it's worth, we chose to keep things simple.

Good luck,
Pete

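The same push as the script above, but over ssh/scp instead of rcp, so no hosts.equiv or .rhosts trust is needed on the targets. This is an added example, not Pete's script or anything from HP; it assumes key-based ssh to each target already works non-interactively, and it assumes the "#unixhost#hostname" tagging convention implied by the awk field in the earlier script. The checksum check and temp-file rename mean a half-copied file never becomes the live passwd.

```shell
#!/bin/sh
# Added example, not from the thread: push one file (default /etc/passwd) to every
# host tagged "#unixhost" in a hosts file, using scp/ssh with key authentication
# instead of rcp, so no hosts.equiv or .rhosts trust is required on the targets.
# Assumptions: key-based ssh to each target works non-interactively, and the hosts
# file uses the convention implied by the earlier script, where the name to push
# to is the third '#'-separated field:
#   10.0.0.5  hpux05  #unixhost#hpux05

# List the tagged hosts in $1, skipping the local host name given in $2.
push_hosts() {
    hostsfile=$1
    me=$2
    awk -F'#' -v me="$me" '
        /#unixhost#/ {
            h = $3
            sub(/[ \t].*/, "", h)      # drop anything after the host name
            if (h != "" && h != me) print h
        }' "$hostsfile"
}

# Copy $2 to host $1 as a temp file, verify its checksum on the far side, then
# install it with mv so the live file is replaced atomically or not at all.
push_file() {
    host=$1
    file=$2
    sum=$(cksum < "$file")
    sum=${sum%% *}
    tmp="$file.push.$$"
    scp -p -q "$file" "$host:$tmp" || return 1
    ssh "$host" "s=\$(cksum < '$tmp'); [ \"\${s%% *}\" = '$sum' ] \
        && mv -f '$tmp' '$file' || { rm -f '$tmp'; exit 1; }"
}

main() {
    hostsfile=$1
    file=${2:-/etc/passwd}
    me=$(hostname)
    for h in $(push_hosts "$hostsfile" "$me"); do
        if [ "${DRY_RUN:-0}" = 1 ]; then
            echo "would push $file to $h"
        elif push_file "$h" "$file"; then
            echo "pushed $file to $h"
        else
            echo "FAILED: $h" >&2
        fi
    done
}

# Usage: DRY_RUN=1 ./push_file.sh /etc/hosts /etc/passwd
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Run it once with DRY_RUN=1 to confirm the host list is what you expect before the real push; a stray "#unixhost" tag on a decommissioned box would otherwise just produce a failed scp, but a tag on the wrong box would overwrite its passwd file.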
Honored Contributor

Re: NIS+ or Kerberos Server

Hi

I assume you are going for these as you want to maintain a reasonably high level of security... (if not then NIS will do the trick)

Anyhow, I used to work with DCE which used Kerberos as the authentication module. It sort of worked OK but it relies heavily on the network being reasonable. The reason why the network needs to be good is that it times the replies and has timeouts. Also ALL the servers need to have the same UTC (as this is used for the timings) so you will need to have NTP (Network Time Protocol) running. This means that if you have a development environment that you change the date on, for whatever reason (billing runs, month end report scripts ....), the whole development environment needs to be done in unison. On this note it does not like to go backwards in time so you have to spend quite some time fudging it. The main problems we had were
o Poor network caused authentication failures
o Massive manual admin of test environment to allow date to be shifted forwards & backwards.

NIS+. I have used NIS+ and it worked fine, however I only used it on a small network of 6-8 machines. I had it running at level 2 (C2 security level). The problems I had were
o Complexity sometimes caused errors to be made
o Occasionally it would freeze on us & be fine again if the NIS+ master was restarted. I think this was down to poor understanding on my part.
I backed out the NIS+ domain in the end as it was just a "user trial"

I've come to the conclusion that security is something you need to be continuously tinkering with. So if you are doing it for security reasons then it may be OK; if it is, as you say, just a consistent UID & GID, I would go for a simple NIS solution. Personally I do not like copying password files 'round. I know it works, but you end up creating massive loopholes or re-inventing the wheel (if a user resets their password on a target machine it will be overwritten by the copy later on).

Have you thought of LDAP... I do not know if it can reach C2 or E2 or BS7799 standards or how well it performs but it is something I have heard of.

Tim
-
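The overwrite problem Tim describes (a user resets their password on a target box and the next copy clobbers it) can at least be detected, and the changed hashes carried forward, if each target keeps a copy of the file it last received. The following is an added example, not code from the thread or from HP; the /etc/passwd.pushed name is an assumption, and the merge touches only the password field, so UID/GID/shell stay whatever the master says.

```shell
#!/bin/sh
# Added example, not from the thread: find the password changes users made on a
# target box since the last push, and carry them into the new master copy so the
# next push does not silently overwrite them. Assumes each target keeps a copy of
# the file it last received (e.g. /etc/passwd.pushed, a name chosen here) beside
# the live /etc/passwd; hashes are only compared, never interpreted.

# Print users whose password field in the live file ($2) differs from the copy
# that was last pushed ($1), plus accounts that exist only locally.
local_passwd_changes() {
    awk -F: '
        FILENAME == ARGV[1] { pushed[$1] = $2; next }
        !($1 in pushed)     { print $1 " (local-only, not in last push)"; next }
        pushed[$1] != $2    { print $1 " (password changed locally)" }
    ' "$1" "$2"
}

# Three-way merge on the password field only: new master ($1), last pushed copy
# ($2), live local file ($3). A hash that changed locally but not on the master
# is carried over; one that changed on both sides is reported and the master wins.
merge_local_passwords() {
    awk -F: -v OFS=: '
        FILENAME == ARGV[1] { pushed[$1] = $2; next }
        FILENAME == ARGV[2] { live[$1] = $2; next }
        {
            u = $1
            if ((u in pushed) && (u in live) && live[u] != pushed[u]) {
                if ($2 == pushed[u]) {
                    $2 = live[u]        # only the target changed it: keep that
                } else {
                    print "CONFLICT: " u " changed on master and target, master wins" | "cat 1>&2"
                }
            }
            print
        }
    ' "$2" "$3" "$1"
}

# Usage on a target before it accepts a new master file:
#   local_passwd_changes /etc/passwd.pushed /etc/passwd
#   merge_local_passwords /tmp/passwd.master /etc/passwd.pushed /etc/passwd > /tmp/passwd.merged
```

Accounts that exist only on the target are reported but not merged; whether they belong in the master is an admin decision, which is the point of centralizing in the first place. After a push, copy the installed file over /etc/passwd.pushed so the next comparison starts from the right baseline.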
Honored Contributor

Re: NIS+ or Kerberos Server

Hi

NIS+ is a lot more complicated for the beginner than NIS. If you have 40+ systems and only wish to do passwords and IDs ... then NIS is the way I would go.

A great book to explain it: "Managing NFS and NIS", O'Reilly & Associates

ISBN 0-937175-75-7

cheers
John.
Acclaimed Contributor

Re: NIS+ or Kerberos Server

At the level of 40 servers, it is definitely time to explore options other than individual maintenance.

I have used NIS for many years and I am very fond of it. NIS+ has a steeper learning curve but is your only option if you are running trusted systems.

I suppose that I would suggest that NIS be chosen for a beginner but NIS+ is not all that difficult to setup.

I have even set up web pages that allow users to change their passwords using the yppasswd() C function in the case of NIS. I actually coded a replacement for the standard yppasswd command. This allows one to set up very stringent rules for password construction even in a NIS world.

The real beauty of NIS/NIS+ comes into play when you also use it to manage things like tcp/udp services as well.

The biggest mistake that I have seen people make is setting up an NIS domain without slave servers.

If it ain't broke, I can fix that.
Regular Advisor

Re: NIS+ or Kerberos Server

NIS+ seems like a good direction to go, but we now have a global WIN2K ADS (Active Directory Services) so I am now considering using the LDAP module of PAM. This would then allow a single sign-on across NT & UX servers. What do you think? Has anybody done this?
Honored Contributor

Re: NIS+ or Kerberos Server

Sorry, no experience of PAM, but have you ever heard of rdist?
Look at the man page example for a simple way to distribute files to multiple servers, similar to the script shown earlier.
It does require host equivalence.
Steve
Honored Contributor

Re: NIS+ or Kerberos Server

I know there is an LDAP integration guide. (Do a search on LDAP and tick manuals)

http://docs.hp.com/cgi-bin/otsearch/getfile?id=/hpux/onlinedocs/internet/uxint.html&searchterms=LDAP&queryid=20020617-031905

As for "rdist", it utilises .rhosts & hosts.equiv, so if you want a secure environment it really is not what is required. You could write a secure socket loader I suppose?? (just an idea).

Tim
-