SUMMARY: Another question about NIS v. NIS+

From: Charles Homan [ext 422] (charles@cobra.applix.com)
Date: Fri Nov 15 1996 - 14:31:50 CST


My original question was whether to use NIS or NIS+ in a mixed-vendor environment.

The consensus is: use NIS if you have a mixed environment, and maybe even if you
don't.

Thanks to:

Jim Craven
Rich Kulawiec
Kevin Davidson
Trevor Paquette
Stephen P Richardson

A second question was for a good basic reference for NIS. Rich suggested
"Managing NFS and NIS" book by Hal Stern (published by O'Reilly), and even
got the ISBN number for me [0-937175-75-7]. Thanks Rich! (I was going to
get this anyway, since I haven't found many references I like as much as
the "Nutshell" books, but it's nice to have an outside recommendation.)

Some quick quotes:

"I think that NIS is really your only choice in a heterogeneous environment. You
can use NIS+ but you would have to use its NIS compatibility mode, thereby losing
a lot of NIS+ advantages whilst having to cope with a new command set to initialize,
populate and modify system tables."

"I'd say NIS; I think NIS+ isn't ready for prime-time yet, and I think
you have a better chance of integrating NIS with other vendors' Unixes."

"As you have a mix of machines, your only choice is NIS. AFAIK NIS+ is
not (yet ?) available for any other platform. You could run NIS+ in
NIS compatibility mode, of course. Then if NIS+ is ever released for
your other platforms you could switch on the level 2 security."

"I still hear a lot of headaches about NIS+, especially when installed
in a multi vendor Unix environment."

"For me, two key issues are:
    NIS does not support password aging
    NIS+ is not nearly as widely ported as NIS, thus limiting its utility"

The complete question and answers follow my sig. Thanks again, guys!

Regards,
Charles

*-----------------------*----------------------------------------------------*
| Charles Homan | Real Time Is Right Now! |
| Systems Administrator | Check out Applix Anyware - interactive information |
| Applix, Inc. | access to any user, no matter their location! |
| choman@applix.com | +++ http://www.applix.com +++ |
*-----------------------*----------------------------------------------------*

ORIGINAL QUESTION:

Dear gurus:

Well, having searched the archives, I found lots of questions, but not so many summaries on this topic. The summary I did find that was related was a year and a half old, so there may have been changes since then...

Anyway, I have a mixed net (~70% Solaris, 5% SunOS 4.X, 25% every_other_unix) which has seriously outgrown our homemade update scheme for hosts, passwd, etc. So the first question is: should I go with NIS on everything, or is there a good reason to use NIS+ on the Suns? The other question is: what is a good basic reference for one or both of these schemes? Any help would be much appreciated.

And I _will_ post a summary. :-)

Regards,
Charles

----

REPLIES:

I think that NIS is really your only choice in a heterogeneous environment. You can use NIS+ but you would have to use its NIS compatibility mode, thereby losing a lot of NIS+ advantages whilst having to cope with a new command set to initialize, populate and modify system tables.

NIS is a bit more secure than it was a few years ago with the addition of securenets, but it is still subject to IP spoofing attacks. Issues such as speed and performance of NIS have not been addressed. NIS+ is a big win if propagating changes to maps to slaves would be much faster. Our maps are comparatively small so that NIS+ advantage is quite small.

One other data point is the comparatively large number of posts to comp.unix.solaris regarding NIS+ troubles. Getting the blasted thing to work is a daunting task if one doesn't have a Sun support contract.

Just my 2c, hope it helps.

Jim

----

I'd say NIS; I think NIS+ isn't ready for prime-time yet, and I think you have a better chance of integrating NIS+ with other vendors' Unixes.

The "Managing NFS and NIS" book by Hal Stern (published by O'Reilly) is just about the only thing I've ever used to deal with NIS.

Cheers, Rich

----

You're welcome -- BTW, I snagged one additional piece of info for you about the book this morning: the ISBN number is: 0-937175-75-7.

Cheers, Rich

----

If all your machines were Solaris (either 2.4 with all current patches, or 2.5/2.5.1) then I would recommend NIS+. It works well, it's secure, it allows you to delegate responsibility for table entries to trusted users.

As you have a mix of machines, your only choice is NIS. AFAIK NIS+ is not (yet ?) available for any other platform. You could run NIS+ in NIS compatibility mode, of course. Then if NIS+ is ever released for your other platforms you could switch on the level 2 security.

When building your NIS tables for a heterogeneous environment, you need to be very careful. Every vendor has their own standard entries in passwd, services, group and other files. Be very careful when you try and merge them. Making sure all your users have UIDs and GIDs > 100 is a good start. Try and agree on a UID for `nobody', or just leave problematic ones out of your NIS maps. Make sure you *don't* build the NIS maps from real /etc/ files. Make a copy in /var/yp/src, that has none of the system entries (especially root) in it.

If anybody does let you know of NIS+ for other platforms, I'd be very interested in hearing about it; particularly DEC alpha or Linux.

--
|Kevin.Davidson@edinburgh.ac.uk +-+ Centre for Cognitive Science/HCRC, |
|tkld@cogsci.ed.ac.uk | | University of Edinburgh, |
|+44 (0)131 650 6879 .oOo. | | 2 Buccleuch Place, EH8 9LW. .oOo. |
`-------------------------------' `-------------------------------------------'
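
The map-building advice in the reply above (work from a copy, keep system entries such as root out, only UIDs and GIDs above 100, take care when merging vendors' files), sketched as an added example that is not part of the original thread. `MIN_ID`, `SKIP`, the function names and the sample files are assumptions; the UID-conflict listing goes slightly beyond the text to show where a merge needs a human decision.

```shell
#!/bin/sh
# Added example: build a NIS passwd source from copies of vendor passwd files.
# MIN_ID, SKIP and all function and file names are assumptions for illustration.
MIN_ID=100            # keep only UIDs and GIDs greater than this
SKIP="root nobody"    # logins never published, whatever their UID

# build_nis_passwd FILE...: print the entries that are safe to put in the map.
build_nis_passwd() {
    awk -F: -v min="$MIN_ID" -v skip="$SKIP" '
        BEGIN { n = split(skip, s, " "); for (i = 1; i <= n; i++) drop[s[i]] = 1 }
        /^[+-]/ || NF != 7                     { next }  # compat markers, bad lines
        $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/   { next }  # non-numeric IDs (e.g. -2)
        $3 + 0 <= min || $4 + 0 <= min         { next }  # vendor system accounts
        ($1 in drop) || ($1 in seen) || ($3 in uid) { next }  # first claim wins
        { seen[$1] = 1; uid[$3] = 1; print }
    ' "$@"
}

# list_uid_conflicts FILE...: print "uid:login,login" where vendors disagree.
list_uid_conflicts() {
    awk -F: '
        /^[+-]/ || NF != 7 || $3 !~ /^[0-9]+$/ { next }
        !($3 in who) { who[$3] = $1; order[++n] = $3; next }
        index("," who[$3] ",", "," $1 ",") == 0 { who[$3] = who[$3] "," $1; clash[$3] = 1 }
        END { for (i = 1; i <= n; i++) if (order[i] in clash) print order[i] ":" who[order[i]] }
    ' "$@"
}

# make_sample DIR: write two constructed passwd files (not real accounts).
make_sample() {
    cat > "$1/solaris.passwd" <<'EOF'
root:x:0:1:Super-User:/:/sbin/sh
daemon:x:1:1::/:
nobody:x:60001:60001:Nobody:/:
alice:x:201:200:Alice:/home/alice:/bin/csh
carol:x:203:200:Carol:/home/carol:/bin/sh
+::0:0:::
EOF
    cat > "$1/other.passwd" <<'EOF'
root:*:0:0:root:/root:/bin/sh
nobody:*:-2:-2:nobody:/:/bin/false
bob:*:201:200:Bob:/home/bob:/bin/sh
dave:*:50:200:Dave:/home/dave:/bin/sh
EOF
}

tmp=$(mktemp -d) && make_sample "$tmp"
build_nis_passwd "$tmp/solaris.passwd" "$tmp/other.passwd"       # the map source
list_uid_conflicts "$tmp/solaris.passwd" "$tmp/other.passwd" >&2 # needs a human
rm -rf "$tmp"
```

Entries dropped because their UID is already taken appear in the conflict list, so they can be renumbered by hand before the map is rebuilt.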

----

IMHO, if you were a Solaris ONLY shop then by all means go with NIS+. If you are Solaris and SunOS, go with NIS+ with NIS compatibility. If you are Solaris + SunOS + another Unix.. stick with NIS (Until other vendors implement NIS+, if ever...)

I still hear a lot of headaches about NIS+, especially when installed in a multi vendor Unix environment.

....
--
Name:Trevor Paquette |Minerva Network ServiCenters|Work:(403) 543-2355
EMail:TrevorPaquette@nsci.net|600, 777 8th Ave SW | Fax:(403) 290-8400
WWW:http://www.nsci.net |Calgary, Ab, Canada |ICBM:51'05"N/114'01"W
Team Leader - Unix Systems |T2P 3R5 |Mind:In the Rockies..

----

For me, two key issues are:

    NIS does not support password aging
    NIS+ is not nearly as widely ported as NIS, thus limiting its utility

....
--
Regards,
Stephen



This archive was generated by hypermail 2.1.2 : Fri Sep 28 2001 - 23:11:15 CDT