From: Matthew Seaman
Organization: Infracaninophile
Date: Sat, 13 Dec 2008 21:46:03 +0000
To: Nguyen Tam Chinh
Cc: freebsd-questions@freebsd.org
Subject: Re: Centralized DB of "system" users
Message-ID: <49442D1B.4000608@infracaninophile.co.uk>
In-Reply-To: <64b284310812120645m6c5ee122mb0510014343eff3f@mail.gmail.com>

This is an OpenPGP/MIME signed message (RFC 2440 and 3156)

Nguyen Tam Chinh wrote:
> On Fri, Dec 12, 2008 at 9:47 PM, Ivan Voras wrote:
>> Valentin Bud wrote:
>>> If you only have UNIX systems in LAN. But in my case i have Linux + FreeBSD
>>> (server). From the handbook
>>> NIS only works between FBSDs. Am i missing something?
>> You are correct.
>>
>
> Hmm, I have NIS server on an old Solaris 8 and all clients are Linux
> (I can't use FBSD at work due so far). So it sounds strange if NIS
> works only between FBSDs, something not standard in the
> implementation?
> Anyway, I also vote for the LDAP. Later on when you need to introduce
> new services, LDAP will integrate better. NIS is very specific for
> *nix world.
>

The problem with NIS between Linux and FreeBSD is the format of the
password database. FreeBSD uses /etc/master.passwd -- which contains
everything that's in the standard /etc/passwd file and adds the password
hashes and several extra columns to do with password expiry and login
groups.

Linux, and other SysV-alike systems like Solaris have /etc/passwd -- same
as on FreeBSD -- and /etc/shadow: a separate file with password hashes and
various controls for password expiry. The formats of /etc/master.passwd
and /etc/shadow are incompatible, although (assuming the password hashes
are compatible) it should be a fairly small matter of programming to write
scripts to convert between the two.

In the case where you have a FreeBSD NIS server and Linux clients, it is
perfectly feasible to have the FreeBSD box serve a Linux-style /etc/shadow
database via NIS. This means users can log in on Linux machines, and I
think it's also not too difficult to make changing passwords over NIS work
(although ICBW), but the client users will not automatically be able to log
into the central (FreeBSD) NIS server. Some might view this as a /feature/.

Of course, as has been pointed out else-thread, LDAP is the way of the
future. It's much more scalable and interoperable between different OSes
than NIS, provides huge amounts of extra functionality and it supports
things like geographically distributed sites all sharing the same password
database but with local users managed from local servers. (LDAP is a
hierarchical database much like the DNS. As with the DNS, sub-domains in
the LDAP tree can be delegated off to different servers. Although that's
pretty advanced usage). Even a basic setup does require a much steeper
learning curve to get it going from scratch than most of the alternatives.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
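
The master.passwd to passwd/shadow conversion mentioned in the message above, sketched as an added example that is not part of the original e-mail. The sample accounts and hashes are constructed, and the set of hash prefixes treated as portable to the Linux clients is an assumption to adjust for the real systems.

```python
SECONDS_PER_DAY = 86400
# Assumption: crypt(3) schemes the Linux clients understand; adjust as needed.
PORTABLE_PREFIXES = ("$1$", "$5$", "$6$")

# Constructed sample in master.passwd layout (10 colon-separated fields):
# name:password:uid:gid:class:change:expire:gecos:home:shell
SAMPLE = """\
# constructed sample, not real accounts or hashes
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$1$saltsalt$0123456789abcdefghijkl:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:*LOCKED*$1$saltsalt$0123456789abcdefghijkl:1002:1002::0:1262304000:Bob:/home/bob:/bin/sh
carol:$2a$04$constructedconstructedconstructedconstructedconstructe:1003:1003:staff:1230768000:0:Carol:/home/carol:/bin/sh
"""

def convert(master_passwd_text):
    """Return (passwd_lines, shadow_lines, notes) for a master.passwd text."""
    passwd, shadow, notes = [], [], []
    for raw in master_passwd_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 10:
            # Report only the account name so no hash ends up in the notes.
            notes.append(f"skipped malformed line: {fields[0]}")
            continue
        name, pw, uid, gid, _cls, change, expire, gecos, home, shell = fields
        if pw.startswith("*LOCKED*"):
            # FreeBSD 'pw lock' marker becomes the shadow-style '!' lock prefix.
            pw = "!" + pw[len("*LOCKED*"):]
        elif pw.startswith("$") and not pw.startswith(PORTABLE_PREFIXES):
            notes.append(f"{name}: hash scheme may not be supported on clients")
        if change not in ("", "0"):
            # master.passwd stores an absolute change deadline; shadow stores
            # last-change day plus maximum age, so there is no direct mapping.
            notes.append(f"{name}: password-change deadline not carried over")
        # Account expiry: seconds since the epoch -> days since the epoch.
        exp_days = ""
        if expire not in ("", "0"):
            exp_days = str(int(expire) // SECONDS_PER_DAY)
        passwd.append(":".join([name, "x", uid, gid, gecos, home, shell]))
        # shadow: name:hash:lastchg:min:max:warn:inactive:expire:flag
        shadow.append(":".join([name, pw, "", "", "", "", "", exp_days, ""]))
    return passwd, shadow, notes

if __name__ == "__main__":
    for part in convert(SAMPLE):
        print("\n".join(part), end="\n\n")
```

The shadow output carries the password hashes, so it needs the same restrictive file permissions as /etc/master.passwd itself.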