Date:      Sat, 15 Feb 2003 12:33:49 -0500
From:      Chuck Swiger <cswiger@mac.com>
To:        FreeBSD Questions <freebsd-questions@FreeBSD.ORG>
Cc:        BSD Freak <bsd-freak@mbox.com.au>
Subject:   Re: A modern BSD UNIX workgroup - how would you do it?
Message-ID:  <3E4E79FD.3050203@mac.com>
In-Reply-To: <27c344427c532e.27c532e27c3444@mbox.com.au>
References:  <27c344427c532e.27c532e27c3444@mbox.com.au>

BSD Freak wrote:
[ ... ]
> 1. Centralised user/password/account management 
> 2. 2-3 file servers running FreeBSD, 1 mail server and 1 VPN gateway
> also running FreeBSD
> 3. Workstations will be 75% FreeBSD and 25% Mac OS X 10.2
> 
> Most people I have spoken to automatically say NIS/NFS. Although I know
> that NIS/NFS is a tried and true combination, I can't help but feel
> there must be a better way to do a modern BSD UNIX environment. As silly
> as it may sound I am seriously thinking about running Samba for file
> sharing services even though this is a fully UNIX environment.
> Reasons for this include excellent performance on FreeBSD and better
> security than NFS.

NIS support under MacOS 10.2.{0-2} (haven't checked .3 yet) appears to be 
broken at the moment: specifically the login window doesn't "see" NIS-only 
users, unless you import them into the local NetInfo database.
See "man niload".  It's also possible to use NetInfo as your primary 
authentication repository, and then use "nidump" to export this to Unix 
flatfiles-- and then push the flatfiles via rsync, or scp, or NIS.

On the other hand, 10.2's Samba support is very good, and SMB/CIFS 
handles reopening shares much better than NFS deals with mounts going 
down.  NFS is much lighter in weight, however, and NFS semantics match 
those of FreeBSD's default filesystem and UFS under the MacOS better 
than Samba does.  By contrast, HFS+ and Samba are case-insensitive, and 
they are more "separate independent devices" (a la Windows C:, D:) than 
Unix's "all filesystems get mounted under /, and a non-root 
filesystem's mount point looks very much like any normal directory". 
I'd probably recommend Samba filesharing for laptops and roaming users; 
either SMB or NFS for static desktops, depending on what your users are 
used to or would prefer.

Kerberos will probably take more work to administer and more resources 
to implement than it is worth for small networks.  The token-based 
authentication and so forth integrates well with other large-scale 
systems from MIT (and CMU): things where you also need AFS/DFS, Cyrus, 
etc.  In fact, I'd be curious if anyone else had some thoughts on the 
size of network for which Kerberos is a benefit?

As for LDAP, do you have any junior admins reporting to you?  Try 
delegating the task of setting up an LDAP-based authentication system to 
one, and see how long it takes before that junior admin is able to 
reliably demonstrate that he can make LDAP go on a test network of 3-5 
machines.  Also, the degree to which LDAP authentication is integrated 
well with the native OS's normal authentication, on most of the 
platforms I've seen, resembles -CURRENT more than it resembles -STABLE.

As always, your mileage may vary...  :-)

-Chuck

