On Mon, 03 Apr 2000, Kevin Jackson wrote:
> I have 1 Linux server which is working fine. I want to add another Linux server as part of the same domain. Is it possible to set it up so that if I logged onto either of them, either will authenticate... or do I have to set up users on the second machine separately?
I know that you can use NIS (the yp* stuff) to provide a single login across multiple Linux boxes. I also know that the comments on NIS in "Maximum Linux Security" can be summarized in two words - the first of them has four letters, and the second one is No. Be VERY VERY careful about security if you do this. Don't include your firewall in your NIS domain, and don't give your firewall any software that it would allow it to share its drives or mount drives shared from other machines. (Come to think of it, that's probably a good idea anyway... the less your firewall does, the fewer possible security holes in it.) Samba *may* be able to do the same thing, I'm not sure. This security book is substantially less emphatic about Samba than about NIS, but there have been some security issues.
> What is the best way to take advantage of 2 Linux servers? (Apart from having apache, et al on 1 and file/samba, say on another)
That depends: why do you want two servers? No, I am NOT suggesting that there is anything wrong with it. Rather, there are probably several dozen good reasons, and the proper answer to your question depends on exactly what reasons you have. Here are a few of the common reasons for multiple servers:

* Development / quality assurance / production environments
* Too much work for one box
* Differing security requirements of groups within the organization
* Differing security requirements of functions (e.g. you hardly ever let anyone log in to your firewall for anything)
* Logical division of work groups - data may not be confidential, but it's irrelevant to other groups
* Public (exposed, possibly even sacrificial) access versus internal access
* Redundancy for data protection or even fail-over recovery
* Protected environment "owned" by the vendor of a proprietary system, within your network environment
* Proprietary system requires underlying software different from your shop's norms

A suggestion from experience: your second server should be an obsolete box. Maybe a 486. (Make sure it has a healthy disk drive though. Small is okay, but healthy.) On it put your DHCP server, your internal domain name server (bind can be configured as a true domain name server for your domain, rather than just as a caching server), and your master security server (if such exists). Any other functions that are similarly essential for the operation of the network. And very little else. Then, in its nameserver set an entry for the master security server (same machine), for the default router (your firewall?), for *each* database within your database servers, and for *each* other service. In your scripts, configurations, and programs, never refer to any service by either the name, or the ip address, of the machine it's on; instead, refer to it by its own name in the name server.
That way, if you move a service from one machine to another, you only have one place you have to change the address, and the services you didn't move aren't messed up. And since there is so little on that obsolete box, you will rarely need to mess with it. But because it's obsolete, you won't be tempted to put more onto it. System security by keeping your fingers out of the clockwork.
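As an added example (not part of the original post), here is the BIND zone file that the nameserver advice above leads to, assuming a constructed internal domain `example.internal`, constructed host names, and addresses from the 192.0.2.0/24 documentation range. Each service gets its own DNS name; only the A records tie names to machines, so moving a service is a one-record change.

```zone
; Added example, not from the original post. Constructed internal zone
; "example.internal": one name per service, addresses only on the A records.
$TTL 3600
@          IN SOA   ns1.example.internal. hostmaster.example.internal. (
                    2000040301 ; serial (constructed)
                    3600       ; refresh
                    900        ; retry
                    604800     ; expire
                    3600 )     ; negative-cache TTL
           IN NS    ns1.example.internal.

; Machines: the ONLY place an IP address appears in the zone
ns1        IN A     192.0.2.10   ; the small infrastructure box: DNS, DHCP
srv1       IN A     192.0.2.20   ; current production box
srv2       IN A     192.0.2.21   ; the second box
fw         IN A     192.0.2.1    ; firewall / default router

; Services: scripts, configs and programs refer to these names only
gateway    IN CNAME fw
security   IN CNAME ns1          ; master security server (same machine as DNS)
www        IN CNAME srv1
smb        IN CNAME srv2
db-orders  IN CNAME srv1         ; one name per database, not per server
db-hr      IN CNAME srv2
; Moving the orders database to srv2 later is one change:
;   db-orders  IN CNAME srv2
; Nothing that refers to www, smb or db-hr is touched.
```

Check the zone with `named-checkzone example.internal <file>` before loading it, and keep the serial increasing on every edit so secondaries pick up the change.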