[NTLUG:Discuss] Kerberos and Linux

Patrick R. Michaud pmichaud at pobox.com
Sat Jan 28 18:10:04 CST 2006


On Sat, Jan 28, 2006 at 04:59:49PM -0600, Chris Cox wrote:
> Leroy Tennison wrote:
> > Before I do a lot of research for nothing, can kerberos not only be an
> > authentication system for Linux but also provide local uid/gid's for the
> > system?  What I'm looking for is something like what LDAP can do where
> > the local system doesn't have to have a user ID in order for someone to
> > log in.  I'm trying to get to a more centralized approach to user/group
> > management like the PC NOSes have.  Thanks for your input.  Other secure
> > alternatives would be worth hearing about as well.
> ...
> One of the things I like about NIS is its simplicity and
> its ubiquitous nature in the Unix world.  However, it
> only scales to about 5,000 or so users (without some
> "smart" partitioning).  For larger than that, I'd use some
> form of LDAP.
> 
> My personal opinion of LDAP is that it has its own
> share of headaches, especially in a heterogeneous
> environment.  And LDAP wasn't designed to be secure.

In one of my previous jobs I administered a site (2,000 accounts)
where we used OpenLDAP as the central database for some 200+
client machines.  It worked fine, but we ended up writing our own front
ends to create accounts and maintain passwords through LDAP.
Of course, this was circa 2000, so the available tools for managing
accounts via LDAP may have improved by now.

The other downside at the time was that the clients were constantly
making queries of the LDAP server for *every* little thing ("ls -l"
hits the server), and our LDAP server had trouble keeping up
with the load.  Again, this may have simply been because LDAP
was relatively new at the time.  But in order to cope with
the performance issues, I wrote a script that exported the
user account information from LDAP into an NIS map and smbpasswd
file, and then the clients would use NIS (or Samba) to authenticate.
It was a bit messy, but it worked.

Pm
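The LDAP-to-NIS export described in the message above, as an added example that is not the poster's script: it parses a constructed LDIF dump of RFC 2307 posixAccount entries and emits passwd(5)-format lines for an NIS passwd map, keeping the password hash out of the map that every NIS client can read.

```python
# Added example (not the poster's script): turn LDIF posixAccount entries
# (RFC 2307 attributes) into passwd(5)-format lines for an NIS passwd map.

# Constructed LDIF export: one user entry and one group entry.
SAMPLE_LDIF = """\
dn: uid=alice,ou=People,dc=example,dc=org
objectClass: posixAccount
uid: alice
uidNumber: 1001
gidNumber: 100
gecos: Alice Example
homeDirectory: /home/alice
loginShell: /bin/bash
userPassword: {SSHA}constructed-placeholder

dn: cn=staff,ou=Group,dc=example,dc=org
objectClass: posixGroup
cn: staff
gidNumber: 100
"""

def parse_ldif(text):
    """Yield one dict (attribute -> list of values) per blank-line-separated entry."""
    entry = {}
    for line in text.splitlines():
        if not line.strip():          # a blank line ends the current entry
            if entry:
                yield entry
            entry = {}
            continue
        attr, _, value = line.partition(":")
        entry.setdefault(attr.strip(), []).append(value.strip())
    if entry:
        yield entry

def passwd_map_lines(ldif_text):
    """Return passwd-format lines for every posixAccount entry in the LDIF.

    The password field is written as 'x': the NIS passwd map is readable by
    any client on the network, so the hash belongs only in the shadow map.
    """
    lines = []
    for e in parse_ldif(ldif_text):
        if "posixAccount" not in e.get("objectClass", []):
            continue                  # skip groups and other object classes
        lines.append(":".join([
            e["uid"][0], "x", e["uidNumber"][0], e["gidNumber"][0],
            e.get("gecos", [""])[0], e["homeDirectory"][0],
            e.get("loginShell", ["/bin/sh"])[0],
        ]))
    return lines
```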