managing user accounts without NIS
Peter Jay Salzman
covenant at dirac.org
Wed Jun 7 23:16:57 PDT 2000
i'm about to configure NIS on our cluster. i'd be very interested in
hearing why your group is moving away from NIS. we have a very
homogeneous 40 node cluster which is pretty secure at the moment.
before continuing with the NIS howto, i'd love to hear your comments. :)
> Date: Wed, 07 Jun 2000 23:12:36 -0500
> From: Chris Greer <cgreer1 at midsouth.rr.com>
> To: Victor Ortega <vor+ at pitt.edu>
> Cc: Beowulf mailing list <beowulf at beowulf.org>
> Subject: Re: managing user accounts without NIS
> We are in the process of migrating away from NIS to an rsync based
> system. We've got some scripts to help manage a centralized password
> system but each machine only gets the specific "political groups" of
> users that are assigned to it. You change password via a web interface.
> I know this has some people probably cringing, I was myself on the idea
> for a while, but the web interface allows us to take things a step
> or two further. We are working on scripts that will also integrate
> into the Novell/NT side of our Lan so that we truly have a single
> account system. The PC side is still in the works, and obviously
> if you are just reading this group for the beowulf aspects this
> isn't important to you, but I deal not only with a beowulf type
> setup from an admin perspective, but we also have 100+ UNIX servers
> of varying flavors not including our 20 node cluster.
> Chris G.
> Another option we used at a previous site was a smart script that would
> gather the password files from all the nodes, figure out if you changed
> it on any of them, update the password map with the changed password,
> and then re-push out the new passowrd map to all of the servers. It
> ran once an hour, so that changes weren't immediate, but were propagated
> in a reasonable time. Of course if you are using a beowulf for high end
> computing, you probably don't want to interrupt things every hour just
> to see if things changed and such.
> I haven't had experience with kerberos, but it might help you. I don't
> know if it can be used in place of the password authentication for user
> accounts though.
> Victor Ortega wrote:
> > I have looked at the archives searching for a good way to manage user
> > accounts on a beowulf cluster. Some people suggested using rsync, but
> > my question is, how? rsync is nothing more than an efficient version
> > of rcp; it doesn't really "synchronize" files--by that I mean that as
> > soon as (or soon after) one file gets modified, the other files get
> > updated. In particular, I want my users to be able to change their
> > passwords or their login shells from any node and have the relevant
> > files in /etc updated on all nodes, without the users having to do
> > anything else on their part (like running some "update" script). I
> > would really rather not write setuid-root wrappers to passwd and chsh,
> > as I don't want to inadvertently introduce a security hole to my
> > system. I have considered writing a PAM module, but I don't think
> > this would cover the chsh case. I also don't want to hack the kernel
> > or the file system to manage user accounts. Any suggestions?
> > Victor
More information about the Beowulf