Advanced security/NIS and NT

From: Kent Adams <Kent.Adams_at_jcu.edu.au>
Date: Wed, 31 Jul 1996 11:25:56 +1000 (EST)

Two questions.

Q1 Can Kerberos/Advanced security work for us based on the following
NIS distribution method.

We currently have a mix of Digital Unix Systems, Ultrix, Sun Solaris
systems, SGI IRIX systems and NT systems (both Alpha and Intel based) and
some Novell systems. We use NIS and DNS as follows:

/etc/svc.conf
-------------
aliases=local,yp
group=local,yp
hosts=local,bind
netgroup=local,yp
networks=local,yp
passwd=local,yp
protocols=local,yp
rpc=local,yp
services=local,yp


SECLEVEL=BSD # for backwards compatibility ONLY

currently with an Ultrix system as the server and 3 Digital Unix boxes as
secondaries. We use NIS because it gives us the granularity to allow
certain netgroups access to certain hosts eg

/etc/passwd
-----------
root:password:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:
.
.
-:
+@allstaff::::::/local/bin/tcsh
+@research::::::/local/bin/tcsh
.
.
+::::::/usr/local/bin/accessdenied

To get the necessary security for passwords we use some PD software called
npasswd which does most of what we want eg 8 character passwords,
dictionary checked with at least a single numeric, capital or punctuation
character. This does not however provide the physical security ie
unencrypted passwords are transferred over the LAN and are thus prone to
sniffers.

Q2 NIS to NT

Can we use NIS to supply this same information to NT servers? We would
like to lock up our labs from a login/password point of view but we'd like
to make this consistent across campus.

We have identified that 65% of our LAN bandwidth is at times taken by a
process called MSBrowse. After discussion with Microsoft the solution is
identified as the following.

The solution recommended by Microsoft is to

        - have a fully implemented Domain structure
        - have only MSoft TCPIP installed as the network protocol on all
          networked IBM-Clone desktop systems

Being an academic setup we need a method that allows our Unix password
server to communicate with the NT Advanced Server (NTAS) Primary Domain
Controller (PDC) to control User authentication and User modification of
password information using NIS.

Currently we are evaluating Intergraph but it does not actually use the
servers to verify/modify passwords. It requires a copy of the NIS files to
be copied to the NT server. This would cause a real synchronization
problem.

I was wondering if anyone has any alternatives or experience they could
share on this issue?
Received on Wed Jul 31 1996 - 03:47:19 NZST
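
How the compat-style entries in the /etc/passwd excerpt above resolve to a login shell, as an added example that is not part of the original post. The netgroup members and NIS map are constructed, and first-match ordering with a non-empty shell field overriding the NIS value is assumed.

```python
# Added example. NETGROUPS and NIS_PASSWD are constructed sample data,
# not the poster's real maps.
NETGROUPS = {"allstaff": {"alice", "bob"}, "research": {"carol"}}
NIS_PASSWD = {"alice": "/bin/sh", "bob": "/bin/csh",
              "carol": "/bin/sh", "dave": "/bin/sh"}   # login -> NIS shell

# Local file in the layout shown in the post (elided lines left out).
LOCAL_PASSWD = """\
root:password:0:1:system PRIVILEGED account:/:/bin/csh
nobody:*Nologin:65534:65534:anonymous NFS user:/:
+@allstaff::::::/local/bin/tcsh
+@research::::::/local/bin/tcsh
+::::::/usr/local/bin/accessdenied
"""

def selects(selector, login):
    """True if the text after '+' or '-' selects this login."""
    if selector == "":                       # bare '+' : every NIS user
        return True
    if selector.startswith("@"):             # '@group' : netgroup members
        return login in NETGROUPS.get(selector[1:], set())
    return selector == login                 # 'user'   : one NIS user

def effective_shell(login, passwd_text=LOCAL_PASSWD):
    """Shell the login ends up with, or None if no entry admits it."""
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = (line.split(":") + [""] * 7)[:7]
        name, shell = fields[0], fields[6]
        if name.startswith(("+", "-")):
            # Inclusion/exclusion entries only apply to users NIS knows.
            if login not in NIS_PASSWD or not selects(name[1:], login):
                continue
            if name[0] == "-":
                return None                  # excluded before any '+' matched
            return shell or NIS_PASSWD[login]  # local field overrides NIS
        if name == login:
            return shell                     # ordinary local account
    return None

if __name__ == "__main__":
    for user in ("root", "alice", "carol", "dave", "mallory"):
        print(user, "->", effective_shell(user))
```

Because the first matching line wins, the final catch-all entry only reaches NIS users who are in none of the listed netgroups.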
