
Thread: Upgrading an existing NIS install to Kerberos or NIS+

  1. #1
    Join Date
    Apr 2011
    Beans
    25

    Upgrading an existing NIS install to Kerberos or NIS+

    Hey everyone,

    I've been looking through documentation for NIS+ and Kerberos and thought I would ask to hear from people with experience. I have an existing NIS login system with 100+ users. Obviously, I need to upgrade my security. Which of these two would work best to keep my users intact? Or will I have to start over and recreate all these users?

    Thanks in advance!

  2. #2
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    12,426
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    I thought NIS+ servers were for Solaris only. Is there an NIS+ server for Linux?

    There's a thread here (in the last 2 months) with a developed script on using LDAP+Kerberos+NFS to handle the things that NIS did. Think it is in the Server sub-forum.

  3. #3
    Join Date
    Feb 2013
    Beans
    Hidden!

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    You can forget about NIS+. The Linux NIS+ client has been unmaintained for like ten years or so. Last time I successfully used it was in Debian Etch around 2008. I couldn't make it work in Debian Lenny and migrated my infrastructure to LDAP then. LDAP, with or without Kerberos, is your only viable option by now. You may find this page on Debian Wiki useful.

    @TheFu: No, there never was a NIS+ server for Linux, only a NIS+ client.
    Last edited by schragge; January 6th, 2015 at 10:44 AM.

  4. #4
    Join Date
    Apr 2011
    Beans
    25

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    Thank you both for the quick replies! When setting up Kerberos on my server, I assume I will have to recreate all the users. I cannot find any way to port them from NIS to Kerberos. Am I correct in this assumption?

  5. #5
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    12,426
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    Originally posted by acpuck1:
    Thank you both for the quick replies! When setting up Kerberos on my server, I assume I will have to recreate all the users. I cannot find any way to port them from NIS to Kerberos. Am I correct in this assumption?
    You need to go from NIS to LDAP. Kerberos provides system-to-system authentication, right?

  6. #6
    Join Date
    Apr 2011
    Beans
    25

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    Well, I don't know much about it so I could be wrong. The specific vulnerability I am trying to fix is that if a root user connected to my NIS server creates a user with the same uid as me, they get my file permissions. I think that I need Kerberos for this fix. LDAP is more for authenticating particular machines, right?

  7. #7
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    12,426
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    Originally posted by acpuck1:
    Well, I don't know much about it so I could be wrong. The specific vulnerability I am trying to fix is that if a root user connected to my NIS server creates a user with the same uid as me, they get my file permissions. I think that I need Kerberos for this fix. LDAP is more for authenticating particular machines, right?
    Uh - no. You are backwards. https://en.wikipedia.org/wiki/Kerberos_%28protocol%29

    NIS is fairly trivial to hack. Bad idea to have used it since around the late-1990s.

  8. #8
    Join Date
    Apr 2011
    Beans
    25

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    I agree, it was a bad idea. I wish I knew better when I was building this system.

    Looks like I'm setting up LDAP on my server, then when students are gone for the summer I am rebuilding with Kerberos ASAP. LDAP should fix my multiple users same uid problem, right?

  9. #9
    Join Date
    Mar 2010
    Location
    Squidbilly-Land
    Beans
    12,426
    Distro
    Lubuntu 14.04 Trusty Tahr

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    Originally posted by acpuck1:
    I agree, it was a bad idea. I wish I knew better when I was building this system.

    Looks like I'm setting up LDAP on my server, then when students are gone for the summer I am rebuilding with Kerberos ASAP. LDAP should fix my multiple users same uid problem, right?
    Why do the same work twice? LDAP+Kerberos isn't THAT hard and without Kerberos, I don't know that you are any more secure than NIS.

  10. #10
    Join Date
    Apr 2011
    Beans
    25

    Re: Upgrading an existing NIS install to Kerberos or NIS+

    That's a good point. My only worry is losing the NIS users I have and having to recreate since there is such a large number.

    BTW: Thanks for taking the time to help someone new to Linux admin.
    Last edited by acpuck1; January 7th, 2015 at 06:28 PM.
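
On the worry about recreating 100+ accounts by hand: the NIS passwd map is plain passwd(5) text, so it can be converted to LDAP entries mechanically. The sketch below is an added example, not code from any poster in this thread; the base DN and the sample lines are constructed placeholders, and the password field is left out on the assumption that Kerberos will hold the credentials. It also reports UID numbers shared by more than one login name, the collision discussed above.

```python
# Added example: turn NIS passwd-map lines (passwd(5) format, as printed by
# `ypcat passwd`) into LDIF posixAccount entries and flag shared UID numbers.
from collections import defaultdict

BASE_DN = "ou=People,dc=example,dc=org"  # assumed placeholder suffix

# Constructed sample input; not taken from the thread.
SAMPLE = """\
alice:x:1001:100:Alice Example:/home/alice:/bin/bash
bob:x:1002:100:Bob Example,Room 12:/home/bob:/bin/bash
mallory:x:1001:100::/home/mallory:/bin/sh
broken:line
"""

def parse_passwd(text):
    """Return (accounts, rejected_lines) from passwd-format text."""
    accounts, rejected = [], []
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit() or not fields[3].isdigit():
            if line.strip():
                rejected.append(line)  # keep malformed lines for manual review
            continue
        name, _pw, uid, gid, gecos, home, shell = fields
        accounts.append({"uid": name, "uidNumber": int(uid), "gidNumber": int(gid),
                         "cn": gecos.split(",")[0] or name,  # cn is mandatory
                         "homeDirectory": home, "loginShell": shell})
    return accounts, rejected

def duplicate_uids(accounts):
    """Map each uidNumber used by more than one login name to those names."""
    seen = defaultdict(list)
    for acct in accounts:
        seen[acct["uidNumber"]].append(acct["uid"])
    return {num: names for num, names in seen.items() if len(names) > 1}

def to_ldif(acct):
    """Render one account as an LDIF entry; the password is deliberately omitted."""
    lines = [f"dn: uid={acct['uid']},{BASE_DN}",
             "objectClass: account", "objectClass: posixAccount"]
    keys = ("uid", "cn", "uidNumber", "gidNumber", "homeDirectory", "loginShell")
    lines += [f"{k}: {acct[k]}" for k in keys if acct[k] != ""]
    return "\n".join(lines) + "\n"

if __name__ == "__main__":
    accts, bad = parse_passwd(SAMPLE)
    print("\n".join(to_ldif(a) for a in accts))
    print("# duplicate uidNumbers:", duplicate_uids(accts))
    print("# rejected lines:", bad)
```

Resolve every reported duplicate before loading the LDIF, since file ownership follows the UID number and not the login name.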
