
Re: authentication question



NIS has several problems. First, the only way I can see to get Samba to authenticate via NIS is to convince all the Windows clients to send their passwords in the clear. That's bad for two reasons: I have to touch each and every Windows client, and the passwords cross the network in the clear. These days that's not acceptable.

Second, NIS sends its encrypted passwords over the wire. This means that anyone with a sniffer can snag a few and start running dictionary password crackers. NIS+ fixes this, but apparently at a high administrative cost. IPSEC might fix this too. The situation is moot in this case, though, as when Windows clients send encrypted passwords, they are doing essentially the same thing. And that's the best Windows has to offer right now.

--rich

Ryan Golhar wrote:

I would suggest using NIS.  I currently have about 20 linux hosts that
users can use.  All users are authenticated via NIS.  It's pretty easy to
set up and run...

-----
Ryan Golhar
Computational Biologist
The Informatics Institute at
The University of Medicine & Dentistry of NJ

Phone: 973-972-5034
Fax: 973-972-7412
Email: golharam umdnj edu

-----Original Message-----
From: redhat-list-bounces redhat com
[mailto:redhat-list-bounces redhat com] On Behalf Of K. Richard Pixley
Sent: Wednesday, March 17, 2004 7:52 PM
To: General Red Hat Linux discussion list
Subject: authentication question


I'm at a loss for how to do authentication well for a small group of Linux machines.

We have several Linux hosts, all of which run Samba, and all of which should use a single password per user, or at least, a single password change program which changes all passwords. Samba really wants to use a domain server or to keep its own password database separate from the Unix passwords.

Any suggestions on how to get these all authenticated off the same
database?

The only thing I can see to do is to turn one into a domain controller and have everything else authenticate off that. Are there any other alternatives?

--rich





