From owner-freebsd-questions  Thu May 21 18:56:53 1998
Return-Path: <owner-freebsd-questions@FreeBSD.ORG>
Received: (from majordom@localhost)
          by hub.freebsd.org (8.8.8/8.8.8) id SAA27670
          for freebsd-questions-outgoing; Thu, 21 May 1998 18:56:53 -0700 (PDT)
          (envelope-from owner-freebsd-questions@FreeBSD.ORG)
Received: from mailc.telia.com (root@mailc.telia.com [194.22.190.4])
          by hub.freebsd.org (8.8.8/8.8.8) with ESMTP id SAA27633
          for <questions@freebsd.org>; Thu, 21 May 1998 18:56:31 -0700 (PDT)
          (envelope-from girgen@partitur.se)
Received: from d1o29.telia.com (root@d1o29.telia.com [194.236.214.241])
	by mailc.telia.com (8.8.8/8.8.8) with ESMTP id DAA29295
	for <questions@freebsd.org>; Fri, 22 May 1998 03:56:17 +0200 (MET DST)
Received: from partitur.se (t2o29p91.telia.com [194.236.214.211])
	by d1o29.telia.com (8.8.8/8.8.5) with ESMTP id DAA27677
	for <questions@freebsd.org>; Fri, 22 May 1998 03:56:15 +0200 (MET DST)
Message-ID: <3564DB13.2255D537@partitur.se>
Date: Fri, 22 May 1998 03:55:31 +0200
From: Palle Girgensohn <girgen@partitur.se>
Organization: Partitur
X-Mailer: Mozilla 4.05 [en] (X11; I; FreeBSD 2.2.6-STABLE i386)
MIME-Version: 1.0
To: questions@FreeBSD.ORG
Subject: distributed passwords?
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: owner-freebsd-questions@FreeBSD.ORG
Precedence: bulk
X-Loop: FreeBSD.ORG

Hello!

We have a mixed bunch of computers (FreeBSD, Solaris, Macs, Windows). 

On the servers (FreeBSD, of course) we run netatalk and samba for
windows and mac users. Lots of stuff is nfs mounted for the unix
workstations. 

Now, we are considering a way to distribute passwords. NIS is one way to
go, but it's rather insecure, right? The other way would be Kerberos. (A
third way would be to automatically copy password files around. )

I'd like to hear your opinions! With Kerberos, I guess I get a lot of
trouble with the mac and windows clients? Also, programs that are not
kerberized will need to authenticate without kerberos. Will this require
a sparate password database for traditional authentications?

I would love to go with Kerberos if I knew that if wouldn't give me
problems. I know almost for certain that it will :(

NIS seems fine, but need at least a package filtering router (IPFW?) to
be any bit secure, I guess. Maybe that goes for both... NIS will not
give me the client problems, since it uses traditional logins.

Experiences? Recommendations?

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message