BSD Freak wrote:
[ ... ]
1. Centralised user/password/account management 2. 2-3 file servers running FreeBSD, 1 mail server and 1 VPN gateway
also running FreeBSD
3. Workstations will be 75% FreeBSD and 25% Mac OS X 10.2

Most people I have spoken to automatically say NIS/NFS. Although I know
that NIS/NFS is a tried and true combination, I can't help but feel
there must be a better way to do a modern BSD UNIX environment. As silly
as it may sound I am seriously thinking about running Samba for file
sharing services even though this is a fully UNIX environment.
Reasons for this include excellent performance on FreeBSD and better
security than NFS.
NIS support under MacOS 10.2.{0-2, haven't checked .3 yet) appears to be broken at the moment: specificly the login window doesn't "see" NIS-only users, unless you import them into the local NetInfo database.
See "man niload". It's also possible to use NetInfo as your primary authentication repository, and then use "nidump" to export this to Unix flatfiles-- and then push the flatfiles via rsync, or scp, or NIS.

On the other hand, 10.2's Samba support is very good, and SMB/CIFS handles reopening shares much better than NFS deals with mounts going down. NFS is much lighter in weight, however, and NFS semantics match those of FreeBSD's default filesystem and UFS under the MacOS better than Samba does. By contrast, HFS+ and Samba are case-insensitive, and they are more "seperate independent devices" (ala Windows C:, D:) than Unix'es "all filesystems get mounted under /, and a non-root filesystem's mount point looks very much like any normal directory". I'd probably recommend Samba filesharing for laptops and roaming users; either SMB or NFS for static desktops, depending on what your users are used to or would prefer.

Kerberos will probably take more work to administer and more resources to implement than it is worth for small networks. The token-based authentication and so forth integrates well with other large-scale systems from MIT (and CMU): things where you also need AFS/DFS, Cyrus, etc. In fact, I'd be curious if anyone else had some thoughts on the size of network for which Kerberos is a benefit?

As for LDAP, do you have any junior admins reporting to you? Try delegating the task of setting up an LDAP-based authentication system to one, and see how long it takes before that junior admin is able to reliably demonstrate that he can make LDAP go on a test network of 3-5 machines. Also, the degree to which LDAP authentication is integrated well with the native OS's normal authentication, on most of the platforms I've seen, resembles -CURRENT more than it resembles -STABLE.

As always, your mileage may vary... :-)


To Unsubscribe: send mail to [EMAIL PROTECTED]
with "unsubscribe freebsd-questions" in the body of the message

Reply via email to