SUMMARY: NIS and NIS+

From: Michael Will (Michael_Will@kingcrab.nrl.navy.mil)
Date: Tue May 27 1997 - 06:50:23 CDT


Sorry for the delay on the summary but I was waiting for various people to
reply and get some research done on my own...

The only question I still have left is whether to use Sub-Domains or not?
Basically we control all the machines but I have one central server where
everyone should have an account and the other servers are on a per-project
basis. I would like to restrict access, which can be done via netgroups,
but not sure if Sub-Domains will refer to Top-Level Domains. Basically I
would like to have a way of keeping passwords the same across all the
Sub-Domains. Not sure if this is possible? It looks like each Sub-Domain
has its own /etc/passwd and /etc/hosts which would present a problem.

Thanks to the following people:

Steffen Kluge <kluge@fujitsu.com.au>
Frank Pardo <fpardo@tisny.com>
Dan Brainard <brainard@ihs.com>
Andrew Laden <andrew@sgc.com>
Jim Harmon <jharmon@telecnnct.com>
EG Keizer <keie@cs.vu.nl>
mariel@central.meralco.com.ph

My questions were as follows:

> 1. I believe NIS+ is the newer version that is with Solaris 2.5.x?
> 2. Can an NIS+ server serve older clients such as SunOS and other Solaris
> 2.4?
> 3. Can you have one Master NIS+ server serving multiple Domains? My
> question here is we have one central server where everyone has an account
> and then each person is divided into sections according to their department.
> It would be nice to have one Master control per site controlling multiple
> divisions? Not sure if that is possible.
> 4. I have heard bad news that NIS+ is more secure than NIS, but still has
> holes? How true is this and how vulnerable?

Answers:

- NIS+ is not a newer version of NIS (synonym for YP), it is a completely
  new architecture.
- NIS+ supports hierarchical structured domains with master and replica
  servers for each subdomain (this is extremely flexible and can get
  quite complicated, though).
- NIS+ has security features whereas NIS has basically none. It's based
  on Secure RPC and uses DES encrypted keys for authentication on a
  per-user basis. It supports read, modify, create and delete privileges
  and differentiates between owners, group members, other authenticated
  users and unauthenticated users. It can provide access control on a
  per-column basis for certain tables (e.g. passwd - password column
  is not generally readable).
- We didn't use NIS and NFS before because of security concerns, we
  are using NIS+ and Secure NFS now.
- Unlike NIS (YP), NIS+ doesn't use simple maps indexed by one column
  (e.g. hosts.by_name) but implements regular database tables, searchable
  by every column.
- With NIS+ you can create your own tables beyond the standard ones.
- NIS+ tools provide an abstraction level similar to what you know from
  filesystems. There are directories and subdirectories in the name
  space, you can use tools like nisls, niscat, nisgrep, etc. On the
  other hand, adding a new user and making him known to NIS+ (you have
  to add a credential and create a Secure RPC key) requires a fair
  amount of manual work (unless you bought the Solstice Admin suite).
- You can define more than one NIS+ administrator (instead of just
  root).
- I haven't found any major bugs yet, but possibly there are some.
- NIS+ resembles in many aspects the distributed name space of
  DECnet/OSI, if this helps you.
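The rights model this answer describes (owner, group members, other authenticated principals and unauthenticated principals, each holding some subset of read, modify, create and destroy, on a table and on individual columns) is easy to get wrong when reading `niscat -o` output by eye. The following is an added example, not code from the original summary or from Sun's NIS+ implementation. It assumes the documented 16-character layout of an NIS+ rights string: four groups of four characters, for the categories nobody, owner, group and world in that order, each group listing r, m, c and d in that order with `-` for a right not granted. The `niscat -o`-style text it audits is constructed sample output, and the function names (`parse_rights`, `audit_rights`, `audit_niscat_output`) are chosen here.

```python
"""Parse NIS+ access-rights strings and flag rights an administrator
would normally want to reconsider (added example; not Sun's code).

Assumed layout (per the NIS+ documentation): 16 characters, four groups
of four, for nobody / owner / group / world, each group "rmcd" with '-'
for a right that is not granted, e.g. "----rmcdr---r---".
"""

CATEGORIES = ("nobody", "owner", "group", "world")
RIGHTS = "rmcd"  # read, modify, create, destroy


def parse_rights(spec):
    """Return {category: set of granted rights} for a 16-char rights string."""
    if len(spec) != 16:
        raise ValueError("rights string must be 16 characters: %r" % (spec,))
    parsed = {}
    for i, category in enumerate(CATEGORIES):
        chunk = spec[4 * i:4 * i + 4]
        granted = set()
        for pos, right in enumerate(RIGHTS):
            ch = chunk[pos]
            if ch == right:
                granted.add(right)
            elif ch != "-":
                raise ValueError("unexpected %r at offset %d in %r"
                                 % (ch, 4 * i + pos, spec))
        parsed[category] = granted
    return parsed


def is_permitted(spec, category, right):
    """True if principals in `category` hold `right` on the object."""
    return right in parse_rights(spec)[category]


def _fmt(rights_set):
    """Render a set of rights in the conventional r, m, c, d order."""
    return [r for r in RIGHTS if r in rights_set]


def audit_rights(name, spec):
    """Findings for one object or column: anything granted to the
    unauthenticated category (nobody), and write rights granted to world."""
    rights = parse_rights(spec)
    findings = []
    if rights["nobody"]:
        findings.append("%s: unauthenticated principals (nobody) hold %s"
                        % (name, "".join(_fmt(rights["nobody"]))))
    writes = rights["world"] & set("mcd")
    if writes:
        findings.append("%s: any authenticated principal (world) may %s"
                        % (name, ", ".join(_fmt(writes))))
    return findings


# Constructed sample in the shape of `niscat -o` output (not real defaults).
SAMPLE_NISCAT_OUTPUT = """\
Object Name   : passwd
Directory     : org_dir.example.com.
Owner         : admin.example.com.
Group         : admin.example.com.
Access Rights : ----rmcdr---r---
Columns       :
    [0]  Name          : name
         Access Rights : r---rmcdr---r---
    [1]  Name          : passwd
         Access Rights : -----m----------
"""


def audit_niscat_output(text):
    """Audit every 'Access Rights' line, attributing it to the object or
    column named most recently above it."""
    obj = current = "?"
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if ":" not in line:
            continue
        key, value = (part.strip() for part in line.split(":", 1))
        if key == "Object Name":
            obj = current = value
        elif key.startswith("[") and key.endswith("Name"):
            current = "%s column %s" % (obj, value)
        elif key == "Access Rights":
            findings.extend(audit_rights(current, value))
    return findings


if __name__ == "__main__":
    for finding in audit_niscat_output(SAMPLE_NISCAT_OUTPUT):
        print(finding)
```

On the constructed sample the only finding is the `name` column, whose leading `r---` grants read to unauthenticated principals; the table itself and the `passwd` column (owner-modify only) pass. Flagging every right held by `nobody` is deliberate: a principal without Secure RPC credentials is exactly the NIS-style anonymous reader the answer above contrasts NIS+ against.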

----
1. Yes, NIS+ is newer. Also much more complex. Also supported by far
fewer manufacturers. If you use NIS+, you can pretty much forget about
adding non-Sun computers to your network. At least for the next couple
of years.

2. Somewhere in the archives of this list, I remember seeing mention of this topic. As I recall, an NIS+ server can handle NIS clients, but only in a "crippled" NIS-compatible mode, where you lose a lot of the new features that distinguish NIS+ from NIS. You can find the mailing-list archives at:

http://aurora.latech.edu/sunman.html

Our network here is so small that to date we've been able to get by without anything like NIS. When the time comes to install network management software, I'll probably use the freeware package "cfengine". If you're curious, the URL for more information is:

http://www.iu.hioslo.no/~mark/cfengine.html

----
Actually, it's newer with Solaris 2.x, it really wasn't ready for prime time until 2.4. With Solaris 2.5.x you have the option of running as an NIS or NIS+ server, that wasn't the case with 2.4 and earlier. Of course with 2.5 and 2.4 you can run in NIS compatibility mode for mixed (NIS and NIS+) environments such as yours.

You have several options here. The NIS+ server can serve NIS clients, or you can install the NIS+ kit on the SunOS clients. It's available from either the SUN web site or the Solaris 2.x CDs. The Solaris 2.4 clients already have support for NIS or NIS+, so they will work without changes.

You can do that: the root master can/would live at one central site, then have slave or replica masters at each remote site, set up as clients of the root master. Then under the slave masters, you could subdivide the domain even further with slave and replica servers. Each slave server would have information for its sub-domain, plus knowledge of how to get to the other sub-domains (by going through the root master).

NIS+ is more secure. But indeed has holes. Often the holes will be in the setup. It is difficult to set up a usable NIS+ with a maximum of security. It is possible to break through NIS+ using methods to crack the DES authentication. I do not think this to be a serious threat at the moment. Others have different opinions.

----- RESOURCES:

All About Administering NIS+, Rich Ramsey, SunSoft Press (Prentice Hall), ISBN 0-13-068800-2, $36.95 (back in 1994 or so)

Managing NFS and NIS, Hal Stern, O'Reilly & Associates, Inc., ISBN 0-937175-75-7

CD-ROM Training by SUN Educational Services, Course No. MM-286, Sun Service SunTutor: NIS+ Administration.

--
Michael Will                  | Voice: (202) 767-0955
Naval Research Lab Code 8140  | Fax: (202) 404-8918
4555 Overlook Ave. SW         | E-mail: will@kingcrab.nrl.navy.mil
Washington, DC 20375

Key fingerprint = F03F 87F2 4264 8540 AA19 92E9 6F03 D219



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:55 CDT