Domains

For a group of Windows 2000 systems to work well together, they should exist in a domain. This requires a Windows 2000 Server system configured as a Domain Controller (DC). Domains are the basis of the Windows 2000 security model.

The basis of Linux’s network security model is NIS, Network Information Service. NIS is a simple text file–based database that is shared with client workstations. Each primary NIS server establishes a domain. Any client workstation wanting to join this domain is allowed to do so, as long as it can set its domain name. To set the domain name, you must use the root user—Linux’s equivalent to an Administrator user. Being part of the domain does not, however, immediately grant you rights that you would otherwise not have. The domain administrator must still add your login to the master NIS password list so that the rest of the systems in the network recognize your presence.

The key difference between NIS and Windows 2000 domains is that the NIS server by itself does not perform authentication the way a DC does. Instead, each host looks up the login and password information from the server and compares it to the user’s entered information. It’s up to the individual application to properly authenticate a user. Thankfully, the code necessary to authenticate a user is very trivial.

Another important difference is that NIS can be used as a general-purpose database and thus hold any kind of information that needs to be shared with the rest of the network. (This usually includes mount tables for NFS and e-mail aliases.) The only limitation is that each NIS map can have only one key, and the database mechanism doesn’t scale well beyond about 20,000 entries. Of course, a site with 20,000 users shouldn’t keep them all in a single NIS domain, anyway!

Neither Windows nor Linux requires use of domains for the base operating system to work. Nevertheless, they are key if you need to maintain a multiuser site with a reasonable level of security.