managing user accounts without NIS

Chris Greer cgreer1 at midsouth.rr.com
Wed Jun 7 21:12:36 PDT 2000


We are in the process of migrating away from NIS to an rsync based
system.  We've got some scripts to help manage a centralized password
system but each machine only gets the specific "political groups" of 
users that are assigned to it.  You change password via a web interface.
I know this has some people probably cringing, I was myself on the idea
for a while, but the web interface allows us to take things a step 
or two further.  We are working on scripts that will also integrate
into the Novell/NT side of our LAN so that we truly have a single
account system.   The PC side is still in the works, and obviously
if you are just reading this group for the beowulf aspects this
isn't important to you, but I deal not only with a beowulf type
setup from an admin perspective, but we also have 100+ UNIX servers
of varying flavors not including our 20 node cluster.  

Chris G.

Another option we used at a previous site was a smart script that would
gather the password files from all the nodes, figure out if you changed 
it on any of them, update the password map with the changed password, 
and then re-push out the new password map to all of the servers.  It 
ran once an hour, so that changes weren't immediate, but were propagated
in a reasonable time.  Of course if you are using a beowulf for high end
computing, you probably don't want to interrupt things every hour just
to see if things changed and such.  

I haven't had experience with Kerberos, but it might help you.  I don't
know if it can be used in place of the password authentication for user
accounts though.


Victor Ortega wrote:
> 
> I have looked at the archives searching for a good way to manage user
> accounts on a beowulf cluster.  Some people suggested using rsync, but
> my question is, how?  rsync is nothing more than an efficient version
> of rcp; it doesn't really "synchronize" files--by that I mean that as
> soon as (or soon after) one file gets modified, the other files get
> updated.  In particular, I want my users to be able to change their
> passwords or their login shells from any node and have the relevant
> files in /etc updated on all nodes, without the users having to do
> anything else on their part (like running some "update" script).  I
> would really rather not write setuid-root wrappers to passwd and chsh,
> as I don't want to inadvertently introduce a security hole to my
> system.  I have considered writing a PAM module, but I don't think
> this would cover the chsh case.  I also don't want to hack the kernel
> or the file system to manage user accounts.  Any suggestions?
> 
> Victor
> 
> _______________________________________________
> Beowulf mailing list
> Beowulf at beowulf.org
> http://www.beowulf.org/mailman/listinfo/beowulf
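
The merge step of the hourly gather/merge/push script described in the reply above, as an added example (not the poster's script or code from the list). It assumes passwd(5)-style seven-field entries with the hash in field 2; users, hashes and node names are constructed. Only password and shell changes for users already in the master map are accepted, so a single node cannot introduce accounts or alter uids cluster-wide.

```python
# Added example, not the poster's script. Field layout per passwd(5);
# hashes, users and node names are constructed placeholders.
MUTABLE = {1: "password", 6: "shell"}  # what passwd/chsh may change

MASTER = """\
alice:HASH_A0:1001:100:Alice:/home/alice:/bin/sh
bob:HASH_B0:1002:100:Bob:/home/bob:/bin/sh
carol:HASH_C0:1003:100:Carol:/home/carol:/bin/sh
dave:HASH_D0:1004:100:Dave:/home/dave:/bin/sh
"""
NODES = {  # files gathered from each node; nodes may hold a subset of users
    "node01": "alice:HASH_A1:1001:100:Alice:/home/alice:/bin/sh\n"
              "dave:HASH_D1:1004:100:Dave:/home/dave:/bin/sh\n",
    "node02": "bob:HASH_B0:1002:100:Bob:/home/bob:/bin/bash\n"
              "carol:HASH_C1:0:0:Carol:/root:/bin/sh\n"
              "eve:HASH_E0:0:0:Eve:/root:/bin/sh\n",
    "node03": "dave:HASH_D2:1004:100:Dave:/home/dave:/bin/sh\n",
}

def parse(text):
    """Map user name -> list of the seven passwd(5) fields."""
    rows = (line.split(":") for line in text.splitlines())
    return {f[0]: f for f in rows if len(f) == 7}

def merge(master_text, node_texts):
    """Return (new_master_text, conflicts, rejected)."""
    master = parse(master_text)
    merged = {u: list(f) for u, f in master.items()}
    conflicts, rejected = set(), []
    for node, text in sorted(node_texts.items()):
        for user, new in parse(text).items():
            old = master.get(user)
            # Unknown users and uid/gid/gecos/home edits are never merged.
            if old is None or any(new[i] != old[i]
                                  for i in range(7) if i not in MUTABLE):
                rejected.append((node, user))
                continue
            for i in MUTABLE:
                if new[i] == old[i]:
                    continue
                if merged[user][i] not in (old[i], new[i]):
                    conflicts.add((user, i))  # two nodes disagree
                merged[user][i] = new[i]
    for user, i in conflicts:  # on disagreement keep the master value
        merged[user][i] = master[user][i]
    out = "".join(":".join(f) + "\n" for f in merged.values())
    return out, sorted((u, MUTABLE[i]) for u, i in conflicts), rejected
```

The `rejected` and `conflicts` lists are the part worth logging and reviewing on each run, since they show a node whose account file diverged in ways `passwd` or `chsh` cannot explain.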
