
Keeping users in sync on different boxes (passwd)


ejaggers

Programmer
Feb 26, 2005
148
US
I have 3 RedHat 5.3 boxes, and I would like to create a user on box1 and automatically create users on box2 and 3. This is what I’m thinking:
1. keep a copy of passwd (passwd.bac)
2. find new users using diff passwd passwd.bac
3. get password from shadow file
4. make useradd.sh with only new users
5. if file exists, ftp useradd.sh to box2 and 3 using cron (maybe hourly)
6. execute useradd.sh on b2 & b3 using cron
7. delete all useradd.sh scripts so cron won’t pick them up.
8. cp passwd passwd.bac

Does this sound like a good approach?
Has anyone done anything like this? If so, how?

How can I handle a user being deleted on box 1? Because I believe the diff command will cause my code to add the existing user to 2 & 3, which will fail and may be okay. I don’t know how to say, “Tell me what’s in file A that’s not in file B”, but not vice versa. Can the diff command do this?
Code:
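    #!/usr/bin/perl
    use strict;

    my $passBac = '/etc/passwd.bac';
    my $passwd  = '/etc/passwd';
    my $shadow  = 'shadow';
    my $ofh     = 'useradd.sh';

    # These two handles are never read; opening them only confirms the files are readable.
    open(PASSWD,  "$passwd")  or die "can't open $passwd\n";
    open(PASSBAC, "$passBac") or die "can't open $passBac\n";
    open(SHADOW,  "$shadow")  or die "can't open $shadow\n";

    # Lines that differ between passwd and its backup. This keeps both the
    # "<" lines (only in passwd) and the ">" lines (only in passwd.bac).
    my @record = split("\n", `diff $passwd $passBac`);
    my %usersAdd;
    foreach (@record) {
        next unless /:/;
        s/^\W+//;    # strip the diff marker
        my ($user, undef, $uid, undef, $comment) = split(':', $_);
        my $sp = ' ' x (8 - length($user));
        # The lone ":" is a placeholder, replaced by the -p option below.
        $usersAdd{$user} = "useradd $user$sp : -u $uid -c \"$comment\" -m";
    }
    close PASSWD;
    close PASSBAC;

    # Look up each user's password hash in the shadow file.
    my @shadow = <SHADOW>;
    close SHADOW;
    foreach (@shadow) {
        my ($user, $passwd) = split(':', $_);
        $usersAdd{$user} =~ s/:/-p '$passwd'/ if $usersAdd{$user};
    }

    if (keys %usersAdd) {
        open(OFH, ">$ofh") or die "can't open $ofh\n";
        #system("cp $passwd $passBac");
    }
    foreach (sort values %usersAdd) {
        if (/:/) {
            # Placeholder still present: no shadow entry was found for this user.
            print "* PW ERROR: $_\n";
        } else {
            print OFH "$_\n";
        }
    }
    close OFH if keys %usersAdd;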
 
Have you considered setting up NIS or LDAP to handle this automatically? May not be worthwhile for 3 systems, but if your environment will potentially expand in future it would be worth the effort.

GNU diff has all sorts of output format options, but it would be simpler to just look for ">" on the beginning of the line for added users and "<" for those that have been removed (assuming diff passwd.bac passwd).

Personally I would set up SSH keys between the boxes and just run the useradd commands immediately rather than scping and running cron jobs.

Annihilannic.
 
Have you considered how to handle changes? i.e. if a user changes their shell, or the description of their account (a.k.a. GECOS field) is updated, for example?

Annihilannic.
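Added example, not part of any post in this thread: one way to answer "what's in file A that's not in file B" for passwd-format files, in either direction. It matches on the login name rather than the whole line, so an edited shell or GECOS field is not reported as a new account, and it skips system accounts and names that are unsafe to paste into a generated useradd script run as root. The `MIN_UID` value of 500, the function names and the sample entries are assumptions made for the example.

```shell
#!/bin/sh
# Added example (not from the thread): list accounts in one passwd file but not another.
MIN_UID=500   # assumption: regular accounts start at UID 500 on these hosts

# only_in A B: print login names that appear in A but not in B, matching on
# the name field so an edited shell or GECOS field is not reported as a new user.
only_in() {
    awk -F: -v min="$MIN_UID" '
        FILENAME == ARGV[1] { seen[$1] = 1; next }     # file B: remember its names
        ($1 in seen) { next }                          # present in both files
        $3 !~ /^[0-9]+$/ || $3 + 0 < min + 0 { next }  # bad UID or system account
        $1 !~ /^[a-z_][a-z0-9_-]*$/ {                  # unsafe inside a command line
            print "skipped unsafe name" | "cat >&2"; next
        }
        { print $1 }
    ' "$2" "$1"
}

added_users()   { only_in "$2" "$1"; }   # usage: added_users   passwd.bac passwd
removed_users() { only_in "$1" "$2"; }   # usage: removed_users passwd.bac passwd

# Constructed sample data: write an old and a new passwd file into directory $1.
make_samples() {
    cat > "$1/passwd.bac" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/bash
EOF
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500:Alice A.:/home/alice:/bin/tcsh
carol:x:502:502:Carol:/home/carol:/bin/bash
ntp:x:38:38::/etc/ntp:/sbin/nologin
bad name:x:503:503:odd:/home/x:/bin/bash
EOF
}

demo_dir=$(mktemp -d)
make_samples "$demo_dir"
echo "added:   $(added_users "$demo_dir/passwd.bac" "$demo_dir/passwd")"
echo "removed: $(removed_users "$demo_dir/passwd.bac" "$demo_dir/passwd")"
rm -rf "$demo_dir"
```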
 
If your approach is going to be offline, then I would consider using cvs or similar.
 
Annihilannic,

Thanks for the tip on < and > to find which file changed. I'm not familiar with NIC or LDAP, and besides, this system is not going to grow. In fact it will be replaced with a windows system in a couple of years. Users won't be changing their accounts.

ciman,

I'm not sure what you mean by offline, but I was thinking it would run in the cron maybe hourly. I'm not familiar with cvs.
 
I agree with Annihilannic, NIS or LDAP would be more ideal solutions. However, if you think your environment will stay small, another easy tool to consider is rsync. You can configure a cronjob between the machines to make sure they all stay the same. Just do a manpage on rsync or google it and there are plenty of good examples online.
 
blainepruitt,

What did you have in mind to use rsync for? Isn't rsync used just to copy files? Are you talking about copying the passwd/shadow files? How can I use rsync to create users on remote boxes?
 
You could use one "central" node to make the changes on and rsync could replicate just the changes to the other servers. Rsync at its most basic level does file copying, but it also can just send deltas based on the number of machines you'd like to set it up with. In essence you'd be creating a poor man's NIS.

Ideally you'd need to copy over your passwd, shadow and group files along with a home dir (i.e. /export/home, /home). This would allow you to create the user accounts and home dirs from one server and have it replicated over to remote servers.
 

blainepruitt,
I think that probably I didn't explain my problem well. I don't want to keep all files on the 3 boxes in sync. I want to create a new user on box1, and have that user automatically created on box2 and box3, so that my user won't have to run useradd 3 times.

Also I want the passwords the same on all 3 boxes.
 
Rsync will allow you to do that. Keep in mind that if you want to create a user you'll need to copy /etc/passwd and possibly /etc/group and if you want their passwords the same you'll need to replicate /etc/shadow. From there they'll need a home directory to login to which is why rsync'ing an /export/home would be essential.

There are of course custom scripts you could write to automate this or use LDAP/NIS, but it all depends on your familiarity with these solutions.
 
I don't know how to use rsync, I'm just trying to get the steps down. So let me see if I've got it:

1) use rsync to copy /etc/passwd, /etc/shadow, /etc/group. (there are passwd-, shadow-, group-, gshadow, and gshadow- out there also but I don't know what they are for)

2) rsync /home to create the user's dir (there is no /export/home).

And this should solve my problem? I assume there's going to be a cron job that runs maybe hourly, with the rsync stuff in it, correct?


 
That sounds correct. You could either run it hourly as a cronjob or you could run it manually after you run your useradd commands. Whichever works better for your particular situation.
 
I'm not sure I agree that rsyncing /home is a good idea... might cause some unwanted surprises for your users unless they're very familiar with the arrangement. You could potentially have complaints like "I changed my .profile on box1 and now I've lost my .profile customisations on box3... what gives!?!"

Annihilannic.
 
As I said offline, I meant that the changes do not have to be made synchronously on all boxes. Using a repository like cvs will let you keep track of the changes. The idea is to make the changes on one box and check them into the repository. You can then use cron to run the check-out command on all boxes. The result is similar to rsync but you also have a history of the changes. I did this a while ago to sync users and configuration files. I also used nfs to share the home directories, but that caused too much trouble.
 
why would sharing home dirs via nfs cause too much trouble? we do it across hundreds of servers, again it's just about the user understanding the setup but once they do i think most people prefer it... and customizing your .profile for server specific stuff is pretty easy.

i dunno, this seems like an awfully long thread for a problem that is ultimately solved with an openldap instance.. even though it's such a small environment, you might find the experience with ldap to be a good one and useful for other projects later on down the road.
 
Hehe, I agree, long thread. Came into the game late on this one.

NIS for /home and rsync for /etc/passwd.

LDAP best, but dude would struggle with pam setups.

[root@netwatch ~]# yum remove windows
Loaded plugins: fastestmirror
Setting up Remove Process
No Match for argument: windows
No Packages marked for removal

OH YEAH!
 
TrojanWarBlade (Programmer), thanks for the tip.
 