On Mon, Feb 24, 2014 at 11:33 AM, צביקה הרמתי <haramaty.zv...@gmail.com> wrote:
> Hi.
> After reading about (and a little bit experimenting with) NIS, LDAP and
> Kerberos, I concluded that:
> - Using NIS is really easy - however, it's too insecure
> - Using LDAP is too complicated for my 3-4 servers network
>
> Many criticize NIS as being insecure; I haven't seen such criticism about
> LDAP.
> However, as Nico Kadel-Garcia pointed out, "Kerberos (is the) Underlying
> authentication technology for most LDAP setups".
>
> So, if it's a common practice to set up LDAP and then fortify it with
> Kerberos; wouldn't it be easier to set up NIS and fortify it with Kerberos?

Not exactly. It's a common practice to use a combined LDAP/Kerberos suite, such as Samba or Active Directory. Same server, usable GUIs to manage the accounts, and plenty of guidelines published on managing them as a unit.

It's possible to separate Kerberos *authentication* from other forms of account management. One of my favorites is to combine them: Use a system management tool like CFengine to publish local user accounts, and to set encrypted local passwords. Rely on Kerberos from corporate Active Directory for most authentication, but the local passwords for core sysadmins can save your business when the AD or LDAP server goes toes up and no one can log in.

> Is this combination possible/feasible?
> Anyone can point to some reference about how to achieve that combination?
>
> Am I missing some drawbacks (except for using an aging technology, that
> doesn't co-operate with Windows)?
>
> Thanks,
> Zvika

If you want to integrate well with Windows, I highly encourage you to learn and use Samba.
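
Added example (not part of the original messages): a Python check over shadow(5)-format entries for the hybrid scheme described in the reply, where core sysadmins keep a hashed local password and everyone else authenticates through Kerberos. The account names, the `BREAK_GLASS` set, the sample entries and the rule that non-admin accounts should have a locked local password are assumptions made for illustration.

```python
# Audit shadow(5)-format text: break-glass admins need a usable, strongly
# hashed local password; other accounts are assumed to be Kerberos-only.
BREAK_GLASS = {"alice", "bob", "erin"}   # hypothetical core sysadmins (assumption)

# crypt(3) prefixes; any other non-empty, unlocked field is treated as legacy DES
SCHEMES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
           "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK = {"md5crypt", "des"}

# Constructed sample input; the hash strings are placeholders, not real hashes.
SAMPLE_SHADOW = """\
alice:$6$constructedsalt$CONSTRUCTEDHASHVALUE:16125:0:99999:7:::
bob:$1$constructedsalt$CONSTRUCTEDHASHVALUE:16125:0:99999:7:::
carol:!!:16125:0:99999:7:::
dave:$6$constructedsalt$CONSTRUCTEDHASHVALUE:16125:0:99999:7:::
daemon:*:16125:0:99999:7:::
"""

def classify(field):
    """Return the state of a shadow password field."""
    if field == "":
        return "empty"            # login without any password
    if field[0] in "!*":
        return "locked"           # no usable local password
    for prefix, name in SCHEMES.items():
        if field.startswith(prefix):
            return name
    return "des"

def audit(shadow_text, admins=BREAK_GLASS):
    """Return (user, finding) pairs for entries that break the scheme."""
    findings, seen = [], set()
    for line in shadow_text.splitlines():
        parts = line.split(":")
        if len(parts) < 2 or line.startswith("#"):
            continue
        user, state = parts[0], classify(parts[1])
        seen.add(user)
        if state == "empty":
            findings.append((user, "empty-password"))
        elif user in admins and state == "locked":
            findings.append((user, "no-local-password"))   # fallback would fail
        elif user in admins and state in WEAK:
            findings.append((user, "weak-hash:" + state))
        elif user not in admins and state != "locked":
            findings.append((user, "unexpected-local-password"))
    # Admins that were never published to this host cannot log in during an outage.
    findings += [(u, "missing") for u in sorted(set(admins) - seen)]
    return findings

if __name__ == "__main__":
    for user, finding in audit(SAMPLE_SHADOW):
        print(f"{user}: {finding}")
```

Run against a copy of a host's shadow file, this shows whether the local fallback would actually work on that host while the AD or LDAP server is down.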