SCIENTIFIC-LINUX-USERS Archives

February 2014

SCIENTIFIC-LINUX-USERS@LISTSERV.FNAL.GOV

Subject:
From:
Nico Kadel-Garcia <[log in to unmask]>
Reply To:
Nico Kadel-Garcia <[log in to unmask]>
Date:
Mon, 24 Feb 2014 21:57:09 -0500
On Mon, Feb 24, 2014 at 11:33 AM, צביקה הרמתי <[log in to unmask]> wrote:
> Hi.
> After reading about (and a little bit experimenting with) NIS, LDAP and
> Kerberos, I concluded that:
> - Using NIS is really easy - however, it's too insecure
> - Using LDAP is too complicated for my 3-4 servers network
>
> Many criticize NIS as being insecure; I haven't seen such criticism about
> LDAP.
> However, as Nico Kadel-Garcia pointed out, "Kerberos (is the) Underlying
> authentication technology for most LDAP setups".
>
> So, if it's a common practice to set up LDAP and then fortify it with
> Kerberos; wouldn't it be easier to set up NIS and fortify it with Kerberos?

Not exactly. It's a common practice to use a combined LDAP/Kerberos
suite, such as Samba or Active Directory. Same server, usable GUIs
to manage the accounts, and plenty of guidelines published on managing
them as a unit.

It's possible to separate Kerberos *authentication* from other forms
of account management. One of my favorites is to combine them: Use a
system management tool like CFengine to publish local user accounts,
and to set encrypted local passwords. Rely on Kerberos from corporate
Active Directory for most authentication, but the local passwords for
core sysadmins can save your business when the AD or LDAP server goes
toes up and no one can log in.

> Is this combination possible/feasible?
> Anyone can point to some reference about how to achieve that combination?
>
> Am I missing some drawbacks (except for using an aging technology, that
> doesn't co-operate with Windows)?
>
> Thanks,
> Zvika

If you want to integrate well with Windows, I highly encourage you to
learn and use Samba.
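
One way to check the fallback described in the message above (local passwords for core sysadmins that still work when the AD or LDAP server is down), as an added example that is not part of the original post. The account names, the passwd/shadow contents and the function names are constructed for illustration; on a real host the two texts would be read from /etc/passwd and /etc/shadow.

```python
# Added example: audit that designated fallback admins keep a usable local password.
# crypt(3) prefixes treated as acceptable: SHA-512, SHA-256, yescrypt, bcrypt.
STRONG_PREFIXES = ("$6$", "$5$", "$y$", "$2b$", "$2y$")

def parse_colon_file(text):
    """Map the login name (first field) to the list of remaining fields."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields[1:]
    return entries

def audit_fallback_admins(passwd_text, shadow_text, admins):
    """Return {admin: status}; 'ok' means a local login would work without the directory."""
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    report = {}
    for name in admins:
        if name not in passwd:
            report[name] = "no local account"
        elif name not in shadow:
            report[name] = "no shadow entry"
        else:
            pw_hash = shadow[name][0]
            if pw_hash == "":
                report[name] = "empty password"
            elif pw_hash[0] in "!*":
                report[name] = "locked or no local password"
            elif not pw_hash.startswith(STRONG_PREFIXES):
                report[name] = "weak or legacy hash"
            else:
                report[name] = "ok"
    return report

# Constructed sample data (hash strings are placeholders, not real hashes).
SAMPLE_PASSWD = """alice:x:1001:1001:Alice:/home/alice:/bin/bash
bob:x:1002:1002:Bob:/home/bob:/bin/bash
carol:x:1003:1003:Carol:/home/carol:/bin/bash"""
SAMPLE_SHADOW = """alice:$6$examplesalt$CONSTRUCTEDplaceholder:16125:0:99999:7:::
bob:!!:16125:0:99999:7:::
carol:abCONSTRUCTED0:16125:0:99999:7:::"""

if __name__ == "__main__":
    admins = ["alice", "bob", "carol", "dave"]
    for who, status in audit_fallback_admins(SAMPLE_PASSWD, SAMPLE_SHADOW, admins).items():
        print(f"{who}: {status}")
```
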
