RE: [Samba] Any downsides to using MS Services for Unix NIS server?

--===============0804511335==
Content-Type: multipart/signed; micalg=pgp-sha1;
protocol="application/pgp-signature";
boundary="=-20ZpI06PZy9GcKZ1EtCP"


--=-20ZpI06PZy9GcKZ1EtCP
Content-Type: text/plain
Content-Transfer-Encoding: quoted-printable

On Sat, 2005-12-03 at 23:57 -0800, SAMBA wrote:
> Other than NIS is extremely insecure, and anyone concerned with security
> would not use it. If you are using SFU, just use LDAP/Kerberos instead
> of NIS. You'll get the same results, but with more security.

The main issues with NIS security (compared with unsigned LDAP
connections) is that passwords my be present in the tables. This isn't
the case with the AD implementation anyway (I think you would need to
use Kerberos authentication, as there are no NIS compatible passwords in
AD, to my knowlege). =20

> You don't have to use IDMAP to have GID/UID based on SID. You can
> manually enter it yourself as per design you're your network. Also
> check out PADL NSS/PAM modules. There's also I think some scripts for
> automating migration from NIS to LDAP.

In Samba, IDMAP is the plugin interface for assigning the UID/GID
mappings, and can be backed onto many sources, including attributes in
the AD LDAP server (that would be used by the SFU 3.5 NIS server).

> -----Original Message-----
> From: samba-bounces+letz_samba=3Drealmspace.com@lists.samba.or g
> [mailto:samba-bounces+letz_samba=3Drealmspace.com@lists.samba.or g] On
> Behalf Of Jim Hatfield
> Sent: Friday, November 25, 2005 2:51 AM
> To: samba@lists.samba.org
> Subject: [Samba] Any downsides to using MS Services for Unix NIS server?
>=20
> I have both an AD domain and an existing NIS setup, and would like
> to merge the accounts. It would seem from reading the help files
> that installing Services for Unix on my domain controllers and using
> the AD-integrated NIS server would work well. I wouldn't need to use
> winbind, and I would have not only consistent but predictable ID
> mapping, ie I can ensure that INTERNAL\jhatfield maps to UID 115,
> which is what it is on the existing NIS server.
>=20
> Are there any downsides to doing this - it seems much simpler than
> deploying winbind that I feel there must be a catch!

I think you should be able to use winbindd, which assists with windows
clients (which expect SIDs), while still maintaining your centralised
mapping. See idmap_ad.

Andrew Bartlett

--=20
Andrew Bartlett http://samba.org/~abartlet/
Authentication Developer, Samba Team http://samba.org
Student Network Administrator, Hawker College http://hawkerc.net

--=-20ZpI06PZy9GcKZ1EtCP
Content-Type: application/pgp-signature; name=signature.asc
Content-Description: This is a digitally signed message part

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.1 (GNU/Linux)

iD8DBQBDksN8z4A8Wyi0NrsRAo4iAJ9z7ZVcnT6/gxwn75MMnuL67Mc9tQCgjYMt
a5FSmtE6duj/oIlJyVuZIiw=
=abD6
-----END PGP SIGNATURE-----

--=-20ZpI06PZy9GcKZ1EtCP--


--===============0804511335==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/listinfo/samba
--===============0804511335==--