NIS yp compat mode, participating in NIS+ hierarchy, limitations?

Post by David G. Bucc » Sat, 16 Mar 2002 04:28:48



Can someone clarify for us ... for some reason we haven't been able to get
crystal clear answers to this, neither from our Sun rep nor on the web ...

If you have a NIS+ root master, what options do you have for your subdomains
that include NIS clients (e.g., SGI boxes, etc.)?  E.g., which of the
following are permitted:

 - subdomain NIS+ master running yp mode?  will this work?
 - subdomain NIS+ replica running yp mode?  will this?

Others?

Basically, we have SGI et al boxes that don't have a NIS+ client, but for
which we don't want to have to replicate user accounts, etc. via scripts,
and don't want to have to do dual account maintenance. Help!
--
David G. Bucci
Software Architect
Lockheed Martin M&DS


What if the Hokey Pokey really
_is_ what it's all about???

 
 
 

Post by Mike Mille » Sat, 16 Mar 2002 21:49:50



says...
> Can someone clarify for us ... for some reason we haven't been able to get
> crystal clear answers to this, neither from our Sun rep nor on the web ...

> If you have a NIS+ root master, what options do you have for your subdomains
> that include NIS clients (e.g., SGI boxes, etc.)?  E.g., which of the
> following are permitted:

>  - subdomain NIS+ master running yp mode?  will this work?
>  - subdomain NIS+ replica running yp mode?  will this?

> Others?

> Basically, we have SGI et al boxes that don't have a NIS+ client, but for
> which we don't want to have to replicate user accounts, etc. via scripts,
> and don't want to have to do dual account maintenance. Help!
> --
> David G. Bucci
> Software Architect
> Lockheed Martin M&DS


> What if the Hokey Pokey really
> _is_ what it's all about???

We have two boxes running Digital Unix that are configured to use a NIS+
compatibility mode server for their YP info. We have a replica running as
the YP server. Takes care of all the items you mentioned. It is not on a
sub-domain though so I don't know if it makes a difference.
--
Mike Miller
If all else fails - READ THE INSTRUCTIONS!
or if you like
"If all else fails - THROW HARDER" Robert Smith(pro bowler)

 
 
 

1. NIS+ in YP-Compat mode: Restrict access to passwd/shadow How?


We have a Solaris 2.5.1 NIS+ server running in YP-compatible mode at
security level 2, serving one domain.
The server has a single replica and 5 Solaris clients (all 2.5.1)
and a bunch of Linux PCs running NIS (we were unable to run the Linux
boxes under NIS+ because the libc seg-faults on every group table lookup).
All YP clients are well-known to the server (in /etc/hosts and hosts.org_dir
NIS+ table).

The problem is that everyone from the outside can dump the passwd.org_dir
table with the encrypted password and every other info.
This has already been used to hack our system and we are already fighting
intruders.
Since NIS+ is the only Information Service system available to us, we do need
it.

I wish to know if it is possible to:

1. limit NIS (YP) access to a specified group of hosts (in fact only those
hosts listed in /etc/hosts) without setting up a firewall.

2. use NIS+ under Linux with large group.org_dir table (> 200 groups, >4000
users, up to 1010 bytes per group entry (due to limitations in the following
Solaris programs: nisaddent, nistbladm, sed, grep, fgrep, egrep))
and with sufficient security (NIS+ only server in secure level 2 w/o YP).

Juergen Meier
Co-Sysadmin

