[OpenAFS] AFS client over NIS

Paul Blackburn mpb@est.ibm.com
Tue, 19 Feb 2002 08:45:12 +0000

Hongliang Gai,

If you have no dependencies to use NIS then drop it altogether.

AFS does not need NIS and unless you are very careful about
how you configure NIS you can easily end up with a security hole.

I have used a system where we maintained a single master
/afs/@cell/common/etc/passwd and used a crontab job to
merge this with local /etc/passwd on selected client machines.
The merge only took place if the "master" file was newer than
/usr/local/etc/passwd (local replica).

This worked well and had the performance benefit of being
able to lookup /etc/passwd from a local file. It is also robust
because the local file read access is not impacted by network
problems etc.

A question to ask is: how many login ids do I need on each client?

Generally, it is much easier to place "master" files in /afs
rather than serve them via NIS.

One thing to be careful about: if you are going to have
your list of usernames (from /etc/passwd) openly readable
then you should do regular password cracking to make sure
your users are selecting strong passwords.

I hope this helps.
paul                         http://acm.org/~mpb

Charles Clancy wrote:

>>I'm trying to convert existing Linux users(NIS) to AFS users.
>>Should I disable NIS client on every local machine on which AFS users
>>will login? (suppose NIS server and AFS server are running in same
>>or if NIS client and AFS client can be running in the same local
>>machine,how to set up entries in local /etc/passwd , /etc/shadow and
>>/etc/group files?( here "local" means machines other than AFS and NIS
>AFS does not provide /etc/passwd information (home dir, shell, gecos,
>etc).  You still need to either use NIS, or have local /etc/passwd entries
>for this information.  If you want to use NIS, I'd recommend setting the
>password field in the shadow map to "*NP*", so NIS only provides name
>service and not authentication.  See one of the MANY responses to this
>exact question in the mailing list archive.
>t. charles clancy <> tclancy@uiuc.edu <> www.uiuc.edu/~tclancy
>OpenAFS-info mailing list
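The crontab merge job Paul describes (replace the users in the local /etc/passwd from a master copy kept in /afs, but only when the master is newer than a local replica) written out as a POSIX shell script. This is an added example, not a script from this thread or from OpenAFS; the paths (/afs/@cell/common/etc/passwd, /usr/local/etc/passwd), the MIN_UID cutoff and the function names are assumptions. It adds the checks a practitioner would want before letting a network-served file rewrite a local account database: the master is validated as a well-formed passwd file, entries below MIN_UID (system accounts, including UID 0) are always kept from the local file and never taken from the master, and the new file is written atomically. It does not touch /etc/shadow, so authentication stays where AFS/Kerberos or the local shadow file put it.

```shell
#!/bin/sh
# Added example (not from the thread): merge users from an AFS-hosted master
# passwd file into the local /etc/passwd when the master has changed.
#
# Intended cron usage (paths are assumptions):
#   merge_passwd /afs/@cell/common/etc/passwd /usr/local/etc/passwd /etc/passwd
#
# Policy: entries with UID below MIN_UID come only from the local file; every
# entry with UID >= MIN_UID is taken from the master, so the master is
# authoritative for ordinary users and can never inject a UID 0 account or
# shadow a local system account by name or UID.

MIN_UID=${MIN_UID:-1000}

# Reject a master file that is not a syntactically sound passwd file:
# exactly 7 colon-separated fields, non-empty name, numeric uid and gid.
validate_passwd() {
    awk -F: '
        NF != 7 { print "bad field count at line " NR > "/dev/stderr"; bad = 1 }
        $1 == "" || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            print "bad entry at line " NR > "/dev/stderr"; bad = 1
        }
        END { exit bad }
    ' "$1"
}

# merge_passwd MASTER REPLICA TARGET
# Does nothing unless MASTER is newer than REPLICA (the local copy of the
# master taken at the last successful merge).
merge_passwd() {
    master=$1 replica=$2 target=$3
    if [ -f "$replica" ] && ! [ "$master" -nt "$replica" ]; then
        return 0
    fi
    validate_passwd "$master" || return 1
    tmp=$(mktemp "$target.XXXXXX") || return 1
    # Pass 1 (target): keep system accounts verbatim and remember their
    # names and UIDs. Pass 2 (master): drop anything below MIN_UID or
    # colliding with a kept system account; take the rest.
    awk -F: -v min="$MIN_UID" '
        FNR == NR {
            if ($3 + 0 < min + 0) { print; lname[$1] = 1; luid[$3] = 1 }
            next
        }
        $3 + 0 < min + 0 || ($1 in lname) || ($3 in luid) {
            print "rejected master entry for " $1 " (uid " $3 ")" > "/dev/stderr"
            next
        }
        { print }
    ' "$target" "$master" > "$tmp" || { rm -f "$tmp"; return 1; }
    chmod 644 "$tmp"
    # Atomic replace: readers see either the old or the new file, never a
    # half-written one. Only then record the master as replicated.
    mv "$tmp" "$target" && cp "$master" "$replica"
}
```

The replica copy is what makes the "only if newer" test cheap and robust: if the AFS volume is unreachable, the cron job fails the `-nt` test or the validation and leaves the working /etc/passwd untouched, which is the robustness Paul is pointing at.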