What are the things involved in setting up a central authentication system, where one server houses all login information used by all other servers on the network? I've heard of NIS and LDAP, but haven't heard much in terms of comparisons other than NIS being outdated and nobody should use it unless to support legacy systems - is this an accurate statement, or is NIS a viable option?

In addition to LDAP and NIS, are there any other viable options?

What else should be considered - e.g. could home directories still be on the clients, or would home directories have to be on the server and shared by NFS?

What about users created for the purpose of chroot-ing, such as in the Chroot-BIND HOWTO? Would the chroot directory have to be on the authenticating server?

Could client machines still have their own user information that in addition to those from the central server?

On the other hand, could client machines be made to have no users of their own and only use users from the central server?

How does SSH tie into this, where users can just authenticate with the central server? Could this work for non-human users, such as "named", "mysql", and other application-users?

Thanks.

If you want a central authentication, it should also be a good idea to centralize the place where the user's directories are stored and mount them through NFS or Samba in the local machines. In my university, they used NIS and LDAP to authenticate the users. As far as I know, the NIS stuff was used for the Linux machines and set-up as a legacy stuff in a global LDAP running on Windows servers.

It seems the modern way to authenticate and reference users through a network is LDAP now. It's a bit more complicated than NIS to set-up (for what I've seen of the two) but it offers more features.
However, if you plan to use exclusively Unix based machines, you may also use NIS (NIS seems to be a Unix only service).

Linux distributions use a system called "PAM" (Pluggable Authentication Modules, see: man pam, man pam.conf) which provides a very flexible "plug-in" system for handling all of the essential authentication tasks.

PAM modules are available for all kinds of authentication purposes, including interfaces to central directory services.

In my experience, you will probably wind up being constrained by what your Windows boxes will accept. Fortunately, no matter what that may turn out to be, Linux should easily handle it. As we well know, Linux is very good at being "in the company of strangers," quietly and efficiently doing its job without seeking to impose its own will upon others... (ahem!)

It is definitely important to use centralized password controls, even for a very small office shop. And it's unfortunate that the whole thing is regarded as mysterious.