On Wed, May 08, 2002 at 01:59:01PM +0000, Damian Ohara wrote:
Guys,
We hit this issue years ago with HP-UX/Solaris and now have it with Linux.
Our workaround was to use the concept of system owner - that is - who has the root password.
If the machine owner has root then the machine isn't allowed in the NIS domain. Access to NFS drives is controlled by exporting to a NIS netgroup to which that machine is not a member.
If the IT dept has the root password for the machine then we add the machine to the NIS domain for password info/netgroup access and that allows the automounter to mount the homedir of the user logging in. The user no longer has root on the machine.
Not the best but we got used to it :-)
Yup, NIS was designed as a convenience to centralize passwords and other files, not to be a high security directory.
From my limited research on LDAP, it provides much better security, but did not support netgroups last time I checked, so you can't use it to set up NFS group mappings. The ldap libraries were still in a beta state last year, but I haven't checked since then.
You might look into NIS+. I think there are Linux clients available, but no server. You would have to upgrade your Sun NIS to NIS+. It looks more involved, but with better security, and I haven't used it. Not a lot of great choices right now unless you take root away from your users.
Best Regards,
Keith
--
LPIC-2, MCSE, N+
Got spam? Get spastic http://spastic.sourceforge.net
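An added example, not code from either message in this thread, of the control Damian describes (export home directories only to a NIS netgroup that self-rooted machines are kept out of): a small evaluator that reads an /etc/netgroup-style file and an /etc/exports line and reports which options a given host would get. The host names, netgroup names and export path are constructed samples.

```python
# Added example (not code from the thread): check which NFS export options a
# host gets when /etc/exports is restricted to a NIS netgroup, as described
# in the thread. Netgroup and exports contents are constructed samples.

NETGROUPS = """\
itmanaged  (ws01,,corp) (ws02,,corp) labhosts
labhosts   (lab01,,corp)
"""
EXPORTS = "/export/home  @itmanaged(rw,root_squash)  backup01(ro)\n"

def parse_netgroups(text):
    # name -> list of (host,user,domain) triples or nested netgroup names
    groups = {}
    for line in text.splitlines():
        if line.strip() and not line.startswith("#"):
            name, *members = line.split()
            groups[name] = [tuple(m.strip("()").split(",")) if m.startswith("(") else m
                            for m in members]
    return groups

def host_in_netgroup(groups, group, host, domain, seen=None):
    # Match on the host field only (NFS ignores the user field); an empty
    # host or domain field is a wildcard; nested groups are followed once.
    if seen is None:
        seen = set()
    if group in seen or group not in groups:
        return False
    seen.add(group)
    for e in groups[group]:
        if isinstance(e, tuple):
            h, _user, d = e
            if h in ("", host) and d in ("", domain):
                return True
        elif host_in_netgroup(groups, e, host, domain, seen):
            return True
    return False

def export_access(exports_text, groups, path, host, domain="corp"):
    # Return the option string the host gets for `path`, or None if the
    # export does not list it (directly or via a netgroup) at all.
    for line in exports_text.splitlines():
        exp_path, *clients = line.split()
        if exp_path != path:
            continue
        for client in clients:
            target, _, opts = client.partition("(")
            matched = (host_in_netgroup(groups, target[1:], host, domain)
                       if target.startswith("@") else target == host)
            if matched:
                return opts.rstrip(")")
    return None
```

A host that is not in the netgroup (the self-rooted case from the thread) gets None, i.e. no access at all, while a member of a nested netgroup still inherits the export.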