I'm trying to set up a working model of a linux computer lab in an effort to get one set up at my high school. Dunno if it'll work but... that's another thread

Anyway, I have a server, and after my first round of research/googling, I got Kerberos set up. I can understand how it works and all that's good, but it seems ther kerberos simply doesn't facilitate full network logins; the users still must have an entry in /etc/passwd. Is this a misconfiguration on my part, or is it actually the case?

Searching here, I stumbled upon this link:
http://www.linuxjournal.com/article/7334

A NIS setup is described there that facilitates network logons. Should I try to get NIS working instead?



Once all that is past, can anyone recommend a method for mounting home directories over the network?
I hesitate to use NFS because someone with a laptop running linux could just connect to the network, mount the share, and get root access to it, or such is my understanding.

With Kerberos, I was looking hard at using AFS, which is a distributed network file system that uses Kerberos for authentication. Using AFS will be difficult if I switch to NIS, it seems, so can someone point me in the right direction?

Thanks in advance, I seem to be in a bit over my head.

This stuff is a bit complex - the Microsoft and Apple implementations hide a lot of the technical workings, which you are manually setting up here. For a small network there are three better solutions than setting up this manually (see below), but to answer your question:

The core of your network identity system is really the directory service. The directory stores records for each user, and may hold information about computers etc. as well. Lots of existing UNIX networks still use NIS, but this is deprecated, and you should use LDAP when you set up a new directory. If you configure a UNIX system to use LDAP then user records may be held in either the /etc/passwd file of the system ("local account") *or* in the LDAP directory ("network account"). You can use LDAP like this without Kerberos. The Kerberos service simply adds a stronger and more convenient security layer.

The LDAP and Kerberos software provided with UNIX-like systems is intended for people who want to configure their own custom setups with their own interfaces. Better options for small networks:

- Thin clients. You create the user account as normal on the server, and users can then use any thin client attached to that server with no extra work. Edubuntu installs and configures everything you need without asking any questions, has extra desktop software specifically to educational use, and may use *any* standard PC as a thin client. Awesome product.

- Samba can allow a Linux system to act as a Windows domain controller. Since every OS has to be Windows-compatible, your Samba service can provide a central set of accounts for anything on your network.

- FreeIPA (very new). Red Hat software that sets LDAP, Kerberos etc. for you, along with graphical interfaces. Currently runs on Fedora or Red Hat Enterprise.

Well, because I'm a large fan of scalability, I'll probably go with the LDAP/Kerberos approach. After googling around a bit for this, I feel like an idiot for not realizing that I'd need LDAP/NIS.

Thanks!