Subject: Re: Question about NIS/Kerberos (kind of off topic).
To: current-users@NetBSD.ORG, Dave Burgess <burgess@cynjut.neonramp.com>
From: Stephen Brown <sbrown@best.com>
List: current-users
Date: 04/15/1997 16:47:43
> I'm trying to run NIS to get rid of having to maintain a dozen password
> files with duplicate information. The first net (x.x.20.x) handles the
> NIS stuff OK. The ypserv runs and everything can see it. The second
> net (x.x.22.x) can't see the 20.x YP server. I've played around with
> netmasks, broadcast addresses, everything I can think of. The equipment
> on the 21.x and 23.x are all on the same ethernet as the 20.x machine,
> and all have x.x.20.255 set as their broadcast address. They see the
> ypserver just fine.
>
> Here are the indicators of ignorance:
>
> 1. Is it possible to give a ypbind client an explicit ypserv machine
> address instead of using the broadcast network to try and locate
> one by luck? I've gotten the machines to the point where, according
> to tcpdump, they should be communicating. Problem is, they don't.
What you probably want is the "ypset" command and the "-ypset" option
to "ypbind". Take a look at the man pages for more detail.
But, using the "-ypset" option is considered dangerous and insecure.
If security is an issue, consider making a server on the 22.x subnet
a "ypslave". I think all that's needed for this is to set up the
proper directories on the new slave server, add it to the "ypservers"
NIS map on the master server, then start "ypserv" on that system.
You might have to do an initial "ypxfr" of all of the maps, as well.
>
> 2. Is this a situation where a different password maintenance /
> propagation service might be indicated?
>
> 3. Anyone got any other good suggestions?
>
Although I haven't configured it myself, I think Kerberos can be used for
central password database administration. This supposedly provides a great
deal of security. Perhaps someone else on the list can chime in here....
Of course, you have to install the additional "domestic" distribution
to be able to use Kerberos.
Steve Brown,
sbrown@best.com
> obHookTo-Current: This only started working with the recent addition of
> Charles'(?) ypserv code, and was in -current when I started playing with
> it.
> --
> Dave Burgess (The man of a thousand E-Mail addresses)
> *bsd FAQ Maintainer / SysAdmin for the NetBSD system in my spare bedroom
> "Just because something is stupid doesn't mean there isn't someone that
> doesn't want to do it...."
>
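As an added example (not from this thread or from NetBSD's own tools) of how an admin could check a client against the advice above: a small sh script that flags ypbind started with -ypset (or NetBSD's -ypsetme, which accepts ypset only from the local host) and confirms the server ypbind is bound to is one listed in the domain's ypservers map. The ps, ypwhich and ypcat output it consumes is constructed sample data, and the hostnames are placeholders.

```shell
#!/bin/sh
# Audit an NIS client's binding. Inputs are passed as strings so the checks
# can run on captured output as well as on a live host.

# Classify the ypbind command line (as seen in "ps -axww"). Prints one of:
#   insecure   : -ypset present, any host on the net can ypset this client
#   local-only : -ypsetme present, ypset accepted from this host only
#   broadcast  : neither flag, server located by broadcast only
ypbind_mode() {
    cmdline="$1"
    case " $cmdline " in
        *" -ypset "*)   echo insecure ;;
        *" -ypsetme "*) echo local-only ;;
        *)              echo broadcast ;;
    esac
}

# Check that the server reported by "ypwhich" is one of the hostnames in the
# ypservers map ("ypcat ypservers", one hostname per line).
bound_server_ok() {
    bound="$1"
    servers="$2"
    for s in $servers; do
        [ "$s" = "$bound" ] && return 0
    done
    return 1
}

# Combine both checks: prints a one-line verdict and returns 0 only when
# ypbind is not running with -ypset and is bound to a known server.
audit_binding() {
    mode=$(ypbind_mode "$1")
    if bound_server_ok "$2" "$3"; then srv=known; else srv=unknown; fi
    echo "mode=$mode server=$srv"
    [ "$mode" != insecure ] && [ "$srv" = known ]
}

# Constructed sample data standing in for live ps, ypwhich and ypcat output
# (hostnames are placeholders). The master plus a slave on the second subnet
# is the layout suggested in the reply above.
SAMPLE_CMDLINE="/usr/sbin/ypbind -ypset"
SAMPLE_BOUND="ypmaster.example.org"
SAMPLE_SERVERS="ypmaster.example.org
ypslave22.example.org"

audit_binding "$SAMPLE_CMDLINE" "$SAMPLE_BOUND" "$SAMPLE_SERVERS" \
    || echo "binding is NOT secure: restart ypbind without -ypset"
```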