SUMMARY: NIS and NIS+

Michael Will (Michael_Will@kingcrab.nrl.navy.mil)
Tue, 27 May 1997 07:50:23 -0400

Sorry for the delay on the summary but I was waiting for various people to
reply and get some research done on my own...

The only question I still have left is whether to use Sub-Domains or not?
Basically we control all the machines but I have one central server where
everyone should have an account and the other servers are on a per project
basis. I would like to restrict access, which can be done via netgroups,
but not sure if Sub-Domains will refer to Top-Level Domains. Basically I
would like to have a way of keeping passwords the same across all the
Sub-Domains. Not sure if this is possible? It looks like each Sub-Domain
has its own /etc/passwd and /etc/hosts which would present a problem.

Thanks to the following people:

Steffen Kluge <kluge@fujitsu.com.au>
Frank Pardo <fpardo@tisny.com>
Dan Brainard <brainard@ihs.com>
Andrew Laden <andrew@sgc.com>
Jim Harmon <jharmon@telecnnct.com>
EG Keizer <keie@cs.vu.nl>
mariel@central.meralco.com.ph

My questions were as follows:

>1. I believe NIS+ is the newer version that is with Solaris 2.5.x?
>2. Can an NIS+ server serve older clients such as SunOS and other Solaris
>2.4?
>3. Can you have one Master NIS+ server serving multiple Domains? My
>question here is we have one central server where everyone has an account
>and then each person is divided into sections according to their department.
>It would be nice to have one Master control per site controlling multiple
>divisions? Not sure if that is possible.
>4. I have heard bad news that NIS+ is more secure than NIS, but still has
>holes? How true is this and how vulnerable?

Answers:

- NIS+ is not a newer version of NIS (synonym for YP), it is a completely
new architecture.
- NIS+ supports hierarchical structured domains with master and replica
servers for each subdomain (this is extremely flexible and can get
quite complicated, though).
- NIS+ has security features whereas NIS has basically none. It's based
on Secure RPC and uses DES encrypted keys for authentication on a
per-user basis. It supports read, modify, create and delete privileges
and differentiates between owners, group members, other authenticated
users and unauthenticated users. It can provide access control on a
per-column basis for certain tables (e.g. passwd - password column
is not generally readable).
- We didn't use NIS and NFS before because of security concerns, we
are using NIS+ and Secure NFS now.
- Unlike NIS (YP), NIS+ doesn't use simple maps indexed by one column
(e.g. hosts.by_name) but implements regular database tables, searchable
by every column.
- With NIS+ you can create your own tables beyond the standard ones.
- NIS+ tools provide an abstraction level similar to what you know from
filesystems. There are directories and subdirectories in the name
space, you can use tools like nisls, niscat, nisgrep, etc. On the
other hand, adding a new user and making him known to NIS+ (you have
to add a credential and create a Secure RPC key) requires a fair
amount of manual work (unless you bought the Solstice Admin suite).
- You can define more than one NIS+ administrator (instead of just
root).
- I haven't found any major bugs yet, but possibly there are some.
- NIS+ resembles in many aspects the distributed name space of
DECnet/OSI, if this helps you.
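
The per-user, per-column access control described in the answer above, as an added
illustration that is not part of the original message or of Sun's NIS+ code. NIS+ prints
the rights of an object or table column as a 16-character string made of four groups in
the order nobody, owner, group, world, each spelling r (read), m (modify), c (create),
d (destroy). The model below checks one rights string per column and renders an entry
the way niscat does, with *NP* in columns the requester may not read; the passwd-like
table, its column rights and the account data are constructed for the example, and the
way real NIS+ merges table-, entry- and column-level rights is deliberately not modelled.

```python
"""NIS+ access-rights evaluation (added example, not from the posting or from Sun).

NIS+ rights string: 16 characters, four groups of four in the order
nobody, owner, group, world; each group spells r m c d, '-' for absent.
'----rmcdr---r---' therefore means: nobody nothing, owner everything,
group and world read only.  'nobody' is an unauthenticated request,
'world' any other Secure RPC authenticated principal.

Assumption: a single rights string is checked per column; how NIS+
combines table, entry and column rights is not modelled here.
"""

CLASSES = ("nobody", "owner", "group", "world")
RIGHT_LETTERS = "rmcd"


def parse_rights(rights):
    """Map a 16-character rights string to {class: set of granted letters}."""
    if len(rights) != 16:
        raise ValueError("expected 16 characters, got %r" % rights)
    parsed = {}
    for i, cls in enumerate(CLASSES):
        chunk = rights[4 * i:4 * i + 4]
        granted = set()
        for ch, letter in zip(chunk, RIGHT_LETTERS):
            if ch == letter:
                granted.add(letter)
            elif ch != "-":
                raise ValueError("bad right %r in %r" % (ch, rights))
        parsed[cls] = granted
    return parsed


def principal_class(principal, owner, group_members):
    """Classify the requester the way NIS+ does before looking at rights.

    principal is the Secure RPC principal name, or None when the request
    carried no credential (an unauthenticated client, for instance a plain
    NIS client talking to a server in compatibility mode)."""
    if principal is None:
        return "nobody"
    if principal == owner:
        return "owner"
    if principal in group_members:
        return "group"
    return "world"


def allowed(rights, op, principal, owner, group_members=frozenset()):
    """True if the requester may perform op ('r', 'm', 'c' or 'd')."""
    if op not in RIGHT_LETTERS:
        raise ValueError("unknown operation %r" % op)
    cls = principal_class(principal, owner, group_members)
    return op in parse_rights(rights)[cls]


# Constructed sample: column rights for a passwd-like table.  Every column is
# readable by everyone except the password column, which only the entry's
# owner may read or modify (in NIS+ each user's passwd entry is owned by that
# user, which is what lets a user change their own password).
SAMPLE_COLUMNS = (
    ("name",   "r---r---r---r---"),
    ("passwd", "----rm----------"),
    ("uid",    "r---r---r---r---"),
    ("gcos",   "r---rm--r---r---"),
    ("shell",  "r---rm--r---r---"),
)

SAMPLE_ENTRY = {  # constructed data, not a real account
    "name": "alice", "passwd": "HASHED-PW-PLACEHOLDER", "uid": "1001",
    "gcos": "Alice Example", "shell": "/bin/sh",
}


def render_entry(entry, entry_owner, principal, group_members=frozenset(),
                 columns=SAMPLE_COLUMNS):
    """Show an entry as niscat would for this requester: columns the
    requester cannot read are replaced by '*NP*' (no permission)."""
    fields = []
    for col, rights in columns:
        if allowed(rights, "r", principal, entry_owner, group_members):
            fields.append(entry[col])
        else:
            fields.append("*NP*")
    return ":".join(fields)


if __name__ == "__main__":
    # The owner sees the hash; another authenticated user and an
    # unauthenticated client both get *NP* in the password column.
    for who in ("alice", "bob", None):
        label = who or "<unauthenticated>"
        print("%-17s %s" % (label, render_entry(SAMPLE_ENTRY, "alice", who)))
```

The same four-way classification is what makes NIS compatibility mode weaker than native NIS+: a plain NIS client sends no Secure RPC credential, so the server can only treat it as "nobody", and any column that is to stay readable for such clients has to be opened to the nobody group.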

----
1. Yes, NIS+ is newer. Also much more complex. Also supported by far
fewer manufacturers. If you use NIS+, you can pretty much forget about
adding non-Sun computers to your network. At least for the next couple
of years.

2. Somewhere in the archives of this list, I remember seeing mention of
this topic. As I recall, an NIS+ server can handle NIS clients, but only
in a "crippled" NIS-compatible mode, where you lose a lot of the new
features that distinguish NIS+ from NIS. You can find the mailing-list
archives at:

http://aurora.latech.edu/sunman.html

Our network here is so small that to date we've been able to get by
without anything like NIS. When the time comes to install network
management software, I'll probably use the freeware package "cfengine".
If you're curious, the URL for more information is:

http://www.iu.hioslo.no/~mark/cfengine.html

----
Actually, it's newer with Solaris 2.x, it really wasn't ready for prime
time until 2.4. With Solaris 2.5.x you have the option of running as an
NIS or NIS+ server, that wasn't the case with 2.4 and earlier. Of course
with 2.5 and 2.4 you can run in NIS compatibility mode for mixed (NIS
and NIS+) environments such as yours.

You have several options here. The NIS+ server can serve NIS clients, or
you can install the NIS+ kit on the SunOS clients. It's available from
either the Sun web site or the Solaris 2.x CDs. The Solaris 2.4 clients
already have support for NIS or NIS+, so they will work without changes.

You can do that, the root master can/would live at one central site,
then have slave or replica masters at each remote site, set up as
clients of the root master. Then under the slave masters, you could
subdivide the domain even further with slave and replica servers. Each
slave server would have information for its sub-domain, plus knowledge
of how to get to the other sub-domains (by going through the root master).

NIS+ is more secure. But indeed has holes. Often the holes will be in the
setup. It is difficult to set up a usable NIS+ with a maximum of
security. It is possible to break through NIS+ using methods to crack
the DES authentication. I do not think this to be a serious threat at
the moment. Others have different opinions.

-----
RESOURCES:

All About Administering NIS+
Rich Ramsey
SunSoft Press (Prentice Hall)
ISBN 0-13-068800-2
$36.95 (back in 1994 or so)

Managing NFS and NIS
Hal Stern
O'Reilly & Associates, Inc.
ISBN 0-937175-75-7

CD-ROM Training by SUN
Educational Services Course No. MM-286 Sun Service
SunTutor : NIS+ Administration.

--
Michael Will                    |   Voice: (202) 767-0955
Naval Research Lab Code 8140    |   Fax:   (202) 404-8918
4555 Overlook Ave. SW           |   E-mail: will@kingcrab.nrl.navy.mil
Washington, DC 20375

Key fingerprint = F03F 87F2 4264 8540 AA19 92E9 6F03 D219