It sounds like libc6 has real shadow support for NIS built in. (From the debian docs in the "nis" package). This network will be behind a fairly heavy-duty firewall. Would this (shadow password support) provide adequate security?