Hi,
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines? If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
- CS.
2009/7/29 Carlos Santana neubyr@gmail.com:
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines? If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
Go the directory route, OpenLDAP or CentOS Directory Server.
If there is some reason you need to stick with /etc/passwd and /etc/group, use Puppet, cfengine, or some other configuration management system to manage your files.
Seán
Hi,
On Wed, Jul 29, 2009 at 11:13, Carlos Santana neubyr@gmail.com wrote:
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines?
Typically yes (assuming all systems were freshly installed from scratch and do not have any conflicts), but you will have the problem that you describe below:
If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
Set up LDAP and use NSS (RPM package named nss_ldap) to get the account information from LDAP.
HTH, Filipe
Carlos Santana wrote:
Hi,
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines? If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
the old-fashioned way of doing this was NIS ... but I'm with everyone else in saying go with LDAP directory services, and further, use an NFS automount for their home directories.
http://fedoranews.org/mediawiki/index.php/How_to_setup_and_maintain_OpenLDAP_server_for_your_network
this site has a very good howto on how to get started with ldap and how to migrate existing users in from NIS/passwd+shadow
scping the files around works but unless you use pass-phraseless keys it can be a pain. There is also a /etc/gshadow file to copy.
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of John R Pierce Sent: Wednesday, July 29, 2009 8:39 AM To: CentOS mailing list Subject: Re: [CentOS] etc passwd and groups file
Carlos Santana wrote:
Hi,
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines? If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
the old-fashioned way of doing this was NIS ... but I'm with everyone else in saying go with LDAP directory services, and further, use an NFS automount for their home directories.
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
I intend to install the Lustre file system on the systems. It does not support LDAP and needs to have etc passwd/groups database. All file system clients need to have same passwd and groups so that UID and GID are the same when they contact file system server. So I am not sure, how will I manage this. Any suggestions?
- CS.
On Wed, Jul 29, 2009 at 10:38 AM, John R Pierce pierce@hogranch.com wrote:
Carlos Santana wrote:
Hi,
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines? If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
the old-fashioned way of doing this was NIS ... but I'm with everyone else in saying go with LDAP directory services, and further, use an NFS automount for their home directories.
Hi,
On Wed, Jul 29, 2009 at 11:45, Carlos Santana neubyr@gmail.com wrote:
I intend to install the Lustre file system on the systems. It does not support LDAP and needs to have etc passwd/groups database.
Where does that information come from?
Even though Lustre might not support LDAP directly, it should work with NSS which makes the access to the user/group information transparent to applications. Unless an application accesses /etc/passwd directly (which I sincerely doubt Lustre does) it will work with nss_ldap.
HTH, Filipe
Carlos Santana wrote:
I intend to install the Lustre file system on the systems. It does not support LDAP and needs to have etc passwd/groups database. All file system clients need to have same passwd and groups so that UID and GID are the same when they contact file system server. So I am not sure, how will I manage this. Any suggestions?
NIS is the old-fashioned way, and it's not considered particularly secure as it uses IP addresses as authentication, so keep the whole cluster behind a firewall.
with NIS, there is one master system with the yp/passwd and yp/shadow files (as well as groups, hosts, etc), and these are pushed to all the other systems on updates. users on any system would change their password with `yppasswd` command, which pushes the changes to the NIS master.
Pushing passwd, group and shadow files can just be scripted to scp them from one master machine to all the client nodes. an ssh key can be used with the private key only existing on the master node so only it can push out changes (protect it with your life as this has the potential to be a nasty hole) on a regular basis. remove passwd from all slave nodes and replace it with a script that either says to go to the master and change their password there or have it feed their input to the master via an ssh tunnel to have the change made.
I see by Lustre's site that it supports MIT Kerberos for authentication. this would be better than pushing out shadow, you would still need a tool to push out user id's though, ldap could handle this part as they are typically handled together, and if Lustre recognizes PAM then it should be transparent to it.
A quick google search shows that Googlecode.com has a document suggesting ldap and kerb. http://lustrecluster.googlecode.com/files/LustreHowTo.pdf
-----Original Message----- From: centos-bounces@centos.org [mailto:centos-bounces@centos.org] On Behalf Of Carlos Santana Sent: Wednesday, July 29, 2009 8:46 AM To: CentOS mailing list Subject: Re: [CentOS] etc passwd and groups file
I intend to install the Lustre file system on the systems. It does not support LDAP and needs to have etc passwd/groups database. All file system clients need to have same passwd and groups so that UID and GID are the same when they contact file system server. So I am not sure, how will I manage this. Any suggestions?
- CS.
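As an added example (not code from any poster in this thread): a pre-push check for the scripted copy described above, which keeps each client's own system accounts and refuses to push when a regular user's UID/GID would change or be reassigned. `UID_MIN = 500`, the function names and the sample files are assumptions constructed for illustration.

```python
UID_MIN = 500  # assumption: first regular-user UID (UID_MIN in /etc/login.defs)

def parse_passwd(text):
    """Map user name -> the seven passwd fields; reject malformed lines."""
    entries = {}
    for line in filter(None, text.splitlines()):
        f = line.split(":")
        if len(f) != 7 or not (f[2].isdigit() and f[3].isdigit()) or f[0] in entries:
            raise ValueError("bad or duplicate passwd line: %r" % line)
        entries[f[0]] = f
    return entries

def merge_for_client(master_text, client_text, uid_min=UID_MIN):
    """Return (merged passwd text, conflicts); push only if conflicts is empty."""
    master, client = parse_passwd(master_text), parse_passwd(client_text)
    # System accounts stay local: packages may have given them other UIDs here.
    system = {n: f for n, f in client.items() if int(f[2]) < uid_min}
    shared = {n: f for n, f in master.items() if int(f[2]) >= uid_min}
    by_uid = {f[2]: n for n, f in shared.items()}
    conflicts = ["%s: master user collides with a local system account" % n
                 for n in sorted(set(system) & set(shared))]
    for name, f in sorted(client.items()):
        if int(f[2]) < uid_min:
            continue
        if name not in shared:
            conflicts.append("%s: only on this client, would be dropped" % name)
        elif f[2:4] != shared[name][2:4]:
            conflicts.append("%s: uid:gid %s here, %s on master"
                             % (name, ":".join(f[2:4]), ":".join(shared[name][2:4])))
        owner = by_uid.get(f[2])
        if owner not in (None, name):
            # Files owned by this UID would change hands after the push.
            conflicts.append("uid %s: %s here, %s on master" % (f[2], name, owner))
    merged = list(system.values()) + sorted(shared.values(), key=lambda f: int(f[2]))
    return "".join(":".join(f) + "\n" for f in merged), conflicts

# Constructed sample files (not from the thread).
MASTER = """root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash"""
CLEAN_CLIENT = """root:x:0:0:root:/root:/bin/bash
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash"""
DRIFTED_CLIENT = """root:x:0:0:root:/root:/bin/bash
bob:x:500:500:Bob:/home/bob:/bin/bash
carol:x:502:502:Carol:/home/carol:/bin/bash"""

if __name__ == "__main__":
    for client in (CLEAN_CLIENT, DRIFTED_CLIENT):
        print(merge_for_client(MASTER, client)[1] or "safe to push")
```

The same merge applies to /etc/group, /etc/shadow and /etc/gshadow, which the thread notes must travel with passwd.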
Lustre 1.6+ versions do not support LDAP.
Thank you all for citing different methods. I am exploring them for now. More comments welcome.
- CS.
On Wed, Jul 29, 2009 at 11:07 AM, jacob@aers.ca wrote:
Pushing passwd, group and shadow files can just be scripted to scp them from one master machine to all the client nodes. an ssh key can be used with the private key only existing on the master node so only it can push out changes (protect it with your life as this has the potential to be a nasty hole) on a regular basis. remove passwd from all slave nodes and replace it with a script that either says to go to the master and change their password there or have it feed their input to the master via an ssh tunnel to have the change made.
I see by Lustre's site that it supports MIT Kerberos for authentication. this would be better than pushing out shadow, you would still need a tool to push out user id's though, ldap could handle this part as they are typically handled together, and if Lustre recognizes PAM then it should be transparent to it.
A quick google search shows that Googlecode.com has a document suggesting ldap and kerb. http://lustrecluster.googlecode.com/files/LustreHowTo.pdf
On Wed, 2009-07-29 at 10:13 -0500, Carlos Santana wrote:
Hi,
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines?
Don't forget about /etc/shadow.
If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
CS.
<snip sig stuff>
At Wed, 29 Jul 2009 10:13:46 -0500 CentOS mailing list centos@centos.org wrote:
Hi,
I need to maintain the same user/group list on multiple systems. Can we just copy the same passwd and groups file on all machines? If we create a new user on one system then I will need to copy this to all other systems. This is quite cumbersome. Any suggestions?
Check out OpenLDAP:
http://www.centos.org/docs/5/html/Deployment_Guide-en-US/ch-ldap.html
CS.