> One last thing: What links do you suggest to read about this matter (NIS) and
> what better tools exist for this kind of job?

I don't really have any links, I'm just going by what my experience has been. The NIS security issues are well known, I'm sure a Google search will turn up scads of information.

NIS is almost the only option though if you require on-the-fly user replication between multiple different kinds of unix hosts. None of the BSDs that I know of have implemented a flexible SYSV-like name service switch yet, (there was a FreeBSD guy who was promising to do it but last I heard there was no public code, I haven't looked at 5.0 yet though) which is pretty much required to start stitching things like LDAP directly to your libc routines. Glibc supports this so it's a given for environments that use it. Solaris >= 2.7 supports it *I think* ... it's been a while since I dealt with that. Padl software makes both NSS and PAM hooks for LDAP, freely available to the Linux community. (Not the best security record sadly, but I'm unaware of any competition.) OS X supports pluggable name services via netinfo (yuck) which work OK in my experience, though NFS was fugly at the time.

Generally if you've got an environment that supports it, and you really need unified management[1] of your name services[2] I'd suggest using LDAP, openldap w/TLS provides significantly more security than NIS.

[1] unified environments come at a high reliability cost, you've got to provide redundancy failover services or your network can become unusable in the blink of an eye if something fails. I'd never consider using something like LDAP on a network with less than 5 machines, not for name services anyway. Small tasks can be handled well enough with rsync and ssh and some routine scripts.

[2] note when I say name services, I'm not talking about DNS, though the facilities exist to incorporate that into a unified configuration. Personally I'd never use a unified environment for DNS management because doing so tends to create some annoying chicken-or-egg scenarios that newbie admins can easily trip over and cause a mess. I'm not fond of fragile services, which incidentally is why I don't run BIND and why I think anyone who does is a fool. There are plenty of good replacements, djbdns, maradns (for those of you who tend and nurture your myopic little hatred of djb like it's some kind of 100 year old bonsai), etc. And they don't crash every few days for no reason.

-- 
Jamie Heilman http://audible.transient.net/~jamie/
"You came all this way, without saying squat, and now you're trying to tell me a '56 Chevy can beat a '47 Buick in a dead quarter mile? I liked you better when you weren't saying squat kid." -Buddy

