Introduction to NIS, the Network Information Service (Linux.com)

Linux.com presents an excerpt from the book Linux Administration Handbook, Second Edition by Evi Nemeth, Garth Snyder, and Trent Hein on the topic of NIS. "NIS, released by Sun in the 1980s, was the first "prime time" administrative database. It was originally called the Sun Yellow Pages, but eventually had to be renamed for legal reasons. NIS commands still begin with the letters yp, so it's hard to forget the original name. NIS was widely adopted among Unix vendors and is supported by every Linux distribution."

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 14, 2006 21:15 UTC (Thu) by pphaneuf (subscriber, #23480)

Wasn't NIS killed by LDAP, or did I miss some twist of the plot?

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 14, 2006 21:31 UTC (Thu) by mgb (subscriber, #3226)

NIS works well in situations where you simply want to replicate Linux account information between systems.

LDAP is more powerful but the additional complexity is not always needed.

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 14, 2006 21:47 UTC (Thu) by ballombe (subscriber, #9523)

...and additional CPU requirement.

NIS is traditionally used alongside NFS to ensure UID/GID consistency across the NFS clients. NIS does not support "shadow" passwords.

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 15, 2006 7:55 UTC (Fri) by frankie (subscriber, #13593)

That's wrong, at least on Linux. Shadowed passwords ARE supported. That's untrue for other *nices, so it's unusable in an etherogeneous network.
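ballombe and frankie disagree above about shadow support; what matters in practice is whether the passwd map a client can pull with `ypcat passwd` carries real hashes. The following is an added example, not code from the book, the thread, or any NIS implementation: it audits map text for exposed hashes and also flags duplicate UIDs, since UID/GID consistency across NFS clients is what NIS is usually deployed for. The map text is constructed with dummy hashes; the placeholder set and the `##user` convention of Sun-style passwd.adjunct are assumptions documented in the code.

```python
"""Audit NIS passwd map text for exposed password hashes and duplicate UIDs.

Added example, not from the book or the LWN thread. It assumes the input is
what `ypcat passwd` prints (constructed sample below); no NIS server is contacted.
"""

# Values meaning "the hash lives elsewhere or the account is locked".
# Assumption: this covers the conventions seen on Linux and Solaris-style systems.
PLACEHOLDERS = {"x", "*", "!", "!!", "NP", "*LK*", "*NP*", ""}

# Constructed sample of `ypcat passwd` output; the hashes are dummies.
SAMPLE_MAP = """\
alice:$1$abcdefgh$ABCDEFGHIJKLMNOPQRSTU.:1001:100:Alice:/home/alice:/bin/bash
bob:x:1002:100:Bob:/home/bob:/bin/bash
carol:##carol:1003:100:Carol:/home/carol:/bin/sh
dave:$6$saltsalt$dummyhashvalue:1002:100:Dave:/home/dave:/bin/bash
"""


def parse_passwd_map(text):
    """Yield (user, pwfield, uid, gid) for every well-formed passwd line."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 7:
            continue  # malformed entry, not a passwd record
        yield fields[0], fields[1], int(fields[2]), int(fields[3])


def is_hash_exposed(pwfield):
    """True when the password field is a crackable hash rather than a placeholder."""
    if pwfield in PLACEHOLDERS:
        return False
    if pwfield.startswith("##"):  # assumption: Sun-style passwd.adjunct pointer
        return False
    return True


def exposed_users(text):
    """Users whose hash any client able to read the map can take offline to crack."""
    return [user for user, pw, _, _ in parse_passwd_map(text) if is_hash_exposed(pw)]


def duplicate_uids(text):
    """Users sharing a UID: on NFS they silently own each other's files."""
    seen = {}
    for user, _, uid, _ in parse_passwd_map(text):
        seen.setdefault(uid, []).append(user)
    return {uid: users for uid, users in seen.items() if len(users) > 1}


if __name__ == "__main__":
    print("exposed hashes:", exposed_users(SAMPLE_MAP))
    print("duplicate uids:", duplicate_uids(SAMPLE_MAP))
```

To run it over a live domain, feed the output of `ypcat passwd` in place of SAMPLE_MAP. An `x` in that output only means the hash moved to a separate shadow map; ypserv's port-based restriction on that map (the `port` security setting in ypserv.conf) stops unprivileged users on trusted hosts, not anyone who is root on a machine that can reach the server, which is the trust assumption ldo points to further down the thread.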

Freudian ppp?

Posted Dec 18, 2006 0:43 UTC (Mon) by xoddam (subscriber, #2322)

> etherogeneous

I presume you meant "heterogenous".

Freudian ppp?

Posted Dec 21, 2006 19:01 UTC (Thu) by lysse (subscriber, #3190)

I guess "etherogenous" covers mixed Ethernet/WiFi networks... ;)

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 15, 2006 12:37 UTC (Fri) by job (subscriber, #670)

LDAP isn't harder to set up than NIS today, and can run over SSL without problems (a good idea).

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 15, 2006 14:16 UTC (Fri) by stevef (subscriber, #7712)

winbind has advantages over both NIS and LDAP and can securely use ldap, dce/rpc and kerberos depending on the server type (Samba, Windows, etc.).

It is easy to set up, supported by the install GUIs of the major distros, and winbind can use various types of authentication (LDAP is not really an authentication protocol, so unless it runs over SSL (slower) it needs to be configured for SASL and Kerberos to handle authentication of the connection). The installed base of security servers that winbind can work with is huge (Samba servers, Windows Domain Controllers, and other LDAP servers; it is probably an order of magnitude larger than the alternatives).

winbind also can failover if the server goes down and handles caching better than the primitive nss cache that ldap and nis rely on. With the performance improvements made by Jeremy Allison and others, it should outperform many of the alternatives.

winbind can also handle credential refresh and temporary disconnected operation.

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 15, 2006 14:46 UTC (Fri) by drag (subscriber, #31333)

The nice thing about LDAP is that you can use it for lots of different stuff.

User accounts, telephone numbers, birthdates, etc. All sorts of stuff. Ties into email, ties into bookmarks. Whatever you want.

Do authentication for Webdav also. Setup a revision control system for documents that anybody can use!

Anything you need to have available as information to a wide variety of programs. Anything that is more 'read' than 'write'.

And SSL/TLS is pretty kick ass. Set up your own CA cert and you can use it for lots of different stuff. Set up access controls so that only certain classes of users can access different types of information.

And it can do failover. It would be nuts if it didn't!

And it's not really very difficult to use at all.

I set up Debian Sarge with OpenSSL, OpenLDAP, and MIT Kerberos in a domain before.

No patches needed, used all Debian packages. It even had compatibility software so I could integrate OpenAFS into it.

Now we have things like Fedora Directory services which should be pretty kick-ass.

The big hump is just getting LDAP working in the first place. Most documentation and books assume you have that already. But once it's working then it's not difficult to use.

I don't like Kerberos very much though.

I'd like to set up some sort of PKI, but I don't know where to begin with open source software and what all that really truly means.

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 16, 2006 14:23 UTC (Sat) by joib (guest, #8541)

I think the point the previous poster was trying to make was not that LDAP as such is useless, but that pam_winbind + nss_winbind + winbindd is better than pam_krb5/pam_ldap + nss_ldap + nscd.

Personally, I think a big advantage of pam_ldap is that with the PADL migration tools it's easy to migrate from /etc/{passwd,shadow}. I haven't found anything equivalent for Kerberos nor Samba.

Kerberos is nice, with all the SSO things and NFSv4 authentication, but it's yet another service to admin compared to having everything in ldap.

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 18, 2006 14:30 UTC (Mon) by drag (subscriber, #31333)

Well, SSO is overrated and is a potential security nightmare. It's something that you would generally be better off ignoring until you really have technical reasons to have it.

But the thing about LDAPS is that in order to protect passwords and such you have to set up some fairly complex ACLs. It's the sort of thing that is error prone.

Also the other primary advantage of kerberos is it totally eliminates the need to ever send passwords over a network.

Also the division of authority is nice. You can have your LDAPS server, and your kadmin, and KDC all on separate services.

Of course, to get all the benefits of using Kerberos you actually have to have all Kerberos-aware services.

For instance, say you have an ftp server. You can set it up to authenticate using either the Kerberos PAM plugin, or use a kerberized ftp service. Both will work, but using the krb5 PAM plugin is a disaster for security.

It's the same thing for ssh or webdav or anything else you would want to use.

It took me a while to figure out why this is so, but it's absolutely critical that for any network'd services you have to avoid using PAM like the plague unless you're doing the traditional Unix security model in which each server has its own special passwords.

And I expect that there are similar issues for LDAPS systems also. You can probably use LDAP to have user accounts on each machine, but it would be a big mistake to use the passwords from an LDAP server, at least if your goal is to increase security. You would have to use unique passwords for each user on each network service.
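drag's point above, that the ACLs needed to keep userPassword private are error prone, is easy to show with an ordering mistake. The following is an added example, not code from the thread or from OpenLDAP: a deliberately simplified model of how slapd evaluates slapd.conf `access` directives (the first `access to` clause whose target matches wins; within it the first matching `by` clause wins; no matching `by` means no access; no matching directive means slapd's default of read). It assumes only the `*`, `anonymous`, `users` and `self` selectors and named access levels, treats dn-only selectors as matching every attribute, and the two ACL texts are constructed: a weak one with the catch-all placed first, and a hardened one with the attribute-specific rule first.

```python
"""Simplified lint for OpenLDAP slapd.conf ACLs protecting userPassword.

Added example, not from the thread or from OpenLDAP. It models only the subset
of the access directive syntax described in the lead-in; both ACL texts are
constructed.
"""

LEVELS = ["none", "disclose", "auth", "compare", "search", "read", "write", "manage"]
CONTROLS = {"stop", "continue", "break"}

# Weak: the catch-all directive comes first, so the userPassword rule below it
# is never consulted and every requester can read the hashes.
WEAK_ACL = """\
access to *
        by * read
access to attrs=userPassword
        by self write
        by anonymous auth
        by * none
"""

# Hardened: the attribute rule comes first; anonymous may only use the hash to
# bind (auth), nobody else may read it, and the catch-all follows.
HARDENED_ACL = """\
access to attrs=userPassword,shadowLastChange
        by self write
        by anonymous auth
        by * none
access to *
        by self write
        by * read
"""


def _logical_lines(text):
    """Join slapd.conf continuation lines (leading whitespace) and drop comments."""
    lines = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and lines:
            lines[-1] += " " + raw.strip()
        else:
            lines.append(raw.strip())
    return lines


def parse_acls(text):
    """Return [(what_tokens, [(who, level), ...]), ...] in file order."""
    acls = []
    for line in _logical_lines(text):
        tokens = line.split()
        if tokens[:2] != ["access", "to"]:
            continue
        tokens = tokens[2:]
        what, clauses = [], []
        while tokens and tokens[0] != "by":
            what.append(tokens.pop(0))
        while tokens:
            if tokens.pop(0) != "by" or not tokens:
                raise ValueError(f"malformed access directive: {line}")
            who = tokens.pop(0)
            level = "none"  # a "by <who>" with no level grants nothing
            if tokens and tokens[0] != "by" and tokens[0] not in CONTROLS:
                level = tokens.pop(0)
            if level not in LEVELS:
                raise ValueError(f"unsupported access level {level!r} in: {line}")
            if tokens and tokens[0] in CONTROLS:
                tokens.pop(0)  # stop/continue/break are not modelled
            clauses.append((who, level))
        acls.append((what, clauses))
    return acls


def _what_matches(what, attribute):
    for tok in what:
        if tok.startswith("attrs="):
            return attribute in tok[len("attrs="):].split(",")
    return True  # "*" or a dn-only selector: covers every attribute (simplification)


def _who_matches(who, requester):
    """requester is one of 'anonymous', 'user' (bound, other entry) or 'self'."""
    return (who == "*"
            or (who == "anonymous" and requester == "anonymous")
            or (who == "users" and requester in ("user", "self"))
            or (who == "self" and requester == "self"))


def effective_access(config, attribute, requester):
    """Access level a requester gets on an attribute under this config."""
    for what, clauses in parse_acls(config):
        if not _what_matches(what, attribute):
            continue
        for who, level in clauses:
            if _who_matches(who, requester):
                return level
        return "none"  # directive matched but no by clause did
    return "read"      # slapd default when no directive matches


def password_findings(config):
    """Requesters who get more than 'auth' on userPassword, i.e. can read hashes."""
    findings = []
    for requester in ("anonymous", "user"):
        level = effective_access(config, "userPassword", requester)
        if LEVELS.index(level) > LEVELS.index("auth"):
            findings.append(f"{requester} can {level} userPassword")
    return findings


if __name__ == "__main__":
    print("weak:", password_findings(WEAK_ACL))
    print("hardened:", password_findings(HARDENED_ACL))
```

Anonymous `auth` on userPassword is what lets simple binds work without anyone, including an authenticated user, being able to read the hash back out; the catch-all then still leaves the posixAccount attributes readable so nss_ldap lookups keep working.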

Why not PAM?

Posted Dec 22, 2006 4:57 UTC (Fri) by ldo (subscriber, #40946)

>It took me a while to figure out why this is so, but it's absolutely
>critical that for any network'd services you have to avoid using PAM
>like the plague...

Why is this so? PAM is pretty much universal among Linux distros nowadays. Isn't it specifically designed to allow custom authentication methods to be simply plugged in, with the applications having to have little or no knowledge of the details? Why should you stay away from it?

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 16, 2006 20:01 UTC (Sat) by droundy (subscriber, #4559)

Any pointers as to where one can learn how to use LDAP as an NIS replacement?

I've tried looking into it before, but haven't ever come across a description that didn't try to also explain how you could simultaneously use LDAP to do all sorts of other things. All I want is something that can synchronize UIDs and passwords on a homogeneous network of a few Linux machines on which I have root (and no one else does).
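The NIS-replacement setup droundy asks for is the RFC 2307 posixAccount/shadowAccount layout that joib's mention of the PADL migration tools refers to. The following is an added example, not the PADL scripts or anything from the thread: it turns /etc/passwd and /etc/shadow text into LDIF for that layout. It assumes the people container is ou=People,dc=example,dc=com, that regular users have UID 1000 and above, and that hashes stay in crypt(3) form behind a {crypt} prefix; the passwd and shadow text is constructed with dummy hashes.

```python
"""Turn /etc/passwd and /etc/shadow into RFC 2307 LDIF for an LDAP-as-NIS setup.

Added example, not the PADL migration tools or anything from the thread.
Assumptions: base DN ou=People,dc=example,dc=com, regular users have
UID >= 1000, hashes are kept in crypt(3) form with a {crypt} prefix.
The sample passwd/shadow text below is constructed with dummy hashes.
"""
import base64

BASE_DN = "ou=People,dc=example,dc=com"
LOCKED = ("!", "*")  # leading characters that mark a locked or no-login account
SHADOW_ATTRS = ["shadowLastChange", "shadowMin", "shadowMax",
                "shadowWarning", "shadowInactive", "shadowExpire"]

PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
dave:x:1002:100:Dave Example:/home/dave:/bin/bash
svc:x:998:998:Service account:/var/lib/svc:/usr/sbin/nologin
"""
SHADOW = """\
root:$6$rootsalt$dummyroothash:17000:0:99999:7:::
alice:$6$alicesalt$dummyalicehash:17000:0:99999:7:::
dave:!$6$davesalt$dummydavehash:17000:0:99999:7:::
svc:!:17000:0:99999:7:::
"""


def _records(text, nfields):
    """Yield colon-split records with at least nfields fields, skipping comments."""
    for line in text.splitlines():
        if line and not line.startswith("#"):
            fields = line.split(":")
            if len(fields) >= nfields:
                yield fields


def _ldif_line(attr, value):
    """Base64-encode values that LDIF (RFC 2849) cannot carry verbatim."""
    needs_b64 = (not value.isascii() or value != value.strip()
                 or value[:1] in (":", "<") or "\n" in value or "\r" in value)
    if needs_b64:
        return f"{attr}:: {base64.b64encode(value.encode()).decode()}"
    return f"{attr}: {value}"


def migrate(passwd_text, shadow_text, base_dn=BASE_DN, min_uid=1000):
    """Return [(dn, [(attr, value), ...]), ...] for every regular user."""
    shadow = {f[0]: f for f in _records(shadow_text, 9)}
    entries = []
    for name, _, uid, gid, gecos, home, shell in (f[:7] for f in _records(passwd_text, 7)):
        if int(uid) < min_uid:
            continue  # system accounts stay in the local files
        attrs = [("objectClass", "top"), ("objectClass", "account"),
                 ("objectClass", "posixAccount"), ("objectClass", "shadowAccount"),
                 ("uid", name), ("cn", gecos.split(",")[0] or name),
                 ("uidNumber", uid), ("gidNumber", gid),
                 ("homeDirectory", home), ("loginShell", shell)]
        if gecos:
            attrs.append(("gecos", gecos))
        sh = shadow.get(name)
        if sh:
            pwhash = sh[1]
            # Locked accounts get no userPassword at all, so they cannot bind,
            # which preserves the locked state instead of importing "!" as a hash.
            if pwhash and not pwhash.startswith(LOCKED):
                attrs.append(("userPassword", "{crypt}" + pwhash))
            for attr, value in zip(SHADOW_ATTRS, sh[2:8]):
                if value:
                    attrs.append((attr, value))
        entries.append((f"uid={name},{base_dn}", attrs))
    return entries


def render_ldif(entries):
    """Serialise entries as LDIF, one blank line between entries."""
    blocks = []
    for dn, attrs in entries:
        blocks.append("\n".join([_ldif_line("dn", dn)] + [_ldif_line(a, v) for a, v in attrs]))
    return "\n\n".join(blocks) + "\n"


if __name__ == "__main__":
    print(render_ldif(migrate(PASSWD, SHADOW)), end="")
```

Load the output with `ldapadd` as a DN allowed to write under the people container, and pair it with an ACL that keeps userPassword unreadable by anyone but the entry itself (see drag's point about ACLs above); without that, migrating the shadow file into the directory recreates the world-readable hash problem NIS had.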

from an earlier era

Posted Dec 15, 2006 9:47 UTC (Fri) by ldo (subscriber, #40946)

Note that NIS and NFS date from an era when the network, and the computers on it, could be trusted. That means that ordinary users could be relied on not to do things that required root access.

These days, those assumptions rarely hold true. In this situation, the whole security model that NIS and NFS rely on breaks down.

from an earlier era

Posted Dec 15, 2006 17:37 UTC (Fri) by AJWM (subscriber, #15888)

Agreed, but there are some places where the assumptions still hold.

Small private LANs NAT'd and firewalled away from the rest of the internet, for example. Not something I would do company wide, but for small groups or departments within a company, or on my household LAN (four servers and a half-dozen workstations), for example.

Sure, if you're familiar with other solutions they'll work too, but NIS and NFS are pretty easy with relatively low overhead. (And besides, I learned it back in the days when it was still called yellow pages.)

from an earlier era

Posted Dec 16, 2006 14:17 UTC (Sat) by joib (guest, #8541)

Yes, it's really nice that NFSv4 has finally addressed this gaping hole in NFS security, with support for Kerberos or PKI authentication and optionally encryption.

Introduction to NIS, the Network Information Service (Linux.com)

Posted Dec 15, 2006 15:08 UTC (Fri) by jonabbey (subscriber, #2736)

It is awfully late in the day for people to be picking up NIS de novo, but that doesn't mean it's not still used in a lot of places. We're still running it in our laboratory, in fact, though we spent years developing Ganymede to put an advanced, Active-Directory like front-end in front of our NIS, DNS, and LDAP directory services.

Copyright © 2006, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds