managing user accounts without NIS

Peter Jay Salzman covenant at dirac.org
Wed Jun 7 23:16:57 PDT 2000


chris,

i'm about to configure NIS on our cluster.   i'd be very interested in
hearing why your group is moving away from NIS.   we have a very
homogeneous 40 node cluster which is pretty secure at the moment.

before continuing with the NIS howto, i'd love to hear your comments.  :)

pete

> Date: Wed, 07 Jun 2000 23:12:36 -0500
> From: Chris Greer <cgreer1 at midsouth.rr.com>
> To: Victor Ortega <vor+ at pitt.edu>
> Cc: Beowulf mailing list <beowulf at beowulf.org>
> Subject: Re: managing user accounts without NIS
> 
> We are in the process of migrating away from NIS to an rsync based
> system.  We've got some scripts to help manage a centralized password
> system but each machine only gets the specific "political groups" of 
> users that are assigned to it.  You change password via a web interface.
> I know this has some people probably cringing, I was myself on the idea
> for a while, but the web interface allows us to take things a step 
> or two further.  We are working on scripts that will also integrate
> into the Novell/NT side of our LAN so that we truly have a single
> account system.   The PC side is still in the works, and obviously
> if you are just reading this group for the beowulf aspects this
> isn't important to you, but I deal not only with a beowulf type
> setup from an admin perspective, but we also have 100+ UNIX servers
> of varying flavors not including our 20 node cluster.  
> 
> Chris G.
> 
> Another option we used at a previous site was a smart script that would
> gather the password files from all the nodes, figure out if you changed 
> it on any of them, update the password map with the changed password, 
> and then re-push out the new password map to all of the servers.  It 
> ran once an hour, so that changes weren't immediate, but were propagated
> in a reasonable time.  Of course if you are using a beowulf for high end
> computing, you probably don't want to interrupt things every hour just
> to see if things changed and such.  
> 
> I haven't had experience with kerberos, but it might help you.  I don't
> know if it can be used in place of the password authentication for user
> accounts though.
> 
> 
> Victor Ortega wrote:
> > 
> > I have looked at the archives searching for a good way to manage user
> > accounts on a beowulf cluster.  Some people suggested using rsync, but
> > my question is, how?  rsync is nothing more than an efficient version
> > of rcp; it doesn't really "synchronize" files--by that I mean that as
> > soon as (or soon after) one file gets modified, the other files get
> > updated.  In particular, I want my users to be able to change their
> > passwords or their login shells from any node and have the relevant
> > files in /etc updated on all nodes, without the users having to do
> > anything else on their part (like running some "update" script).  I
> > would really rather not write setuid-root wrappers to passwd and chsh,
> > as I don't want to inadvertently introduce a security hole to my
> > system.  I have considered writing a PAM module, but I don't think
> > this would cover the chsh case.  I also don't want to hack the kernel
> > or the file system to manage user accounts.  Any suggestions?
> > 
> > Victor
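
The hourly gather, merge and re-push script described in the quoted reply above, sketched as an added example; it is not part of the original thread and is not anyone's actual script. It assumes shadow(5)-style lines, the names `parse_shadow` and `reconcile` are hypothetical, and all account data is constructed.

```python
# Added example (not from the thread): merge step of a gather/merge/push job.
# Assumes shadow(5)-style lines; field 3 (last change) has one-day resolution.

def parse_shadow(text):
    """Parse shadow(5) lines into {user: (hash, lastchg_days)}."""
    out = {}
    for line in text.splitlines():
        f = line.strip().split(":")
        if len(f) >= 3 and f[0] and not f[0].startswith("#"):
            out[f[0]] = (f[1], int(f[2]) if f[2].isdigit() else 0)
    return out

def reconcile(master, nodes):
    """Return (new_master, stale, conflicts, unknown) after merging node changes."""
    new_master, stale, conflicts, unknown = dict(master), [], [], []
    for node, entries in sorted(nodes.items()):
        # Accounts that exist only on a node are reported, never imported.
        unknown += [(node, u) for u in entries if u not in master]
    for user, (m_hash, m_day) in master.items():
        candidates = set()
        for node, entries in sorted(nodes.items()):
            n_hash, n_day = entries.get(user, (m_hash, m_day))
            if n_hash == m_hash:
                continue
            if n_day < m_day:
                stale.append((node, user))  # node missed an earlier push
            else:
                candidates.add((n_day, n_hash))
        if not candidates:
            continue
        newest = max(day for day, _ in candidates)
        winners = {h for day, h in candidates if day == newest}
        if len(winners) == 1:
            new_master[user] = (winners.pop(), newest)
        else:
            conflicts.append(user)  # different changes on the same day: keep master
    return new_master, stale, conflicts, unknown

# Constructed sample data; the hash strings are placeholders, not real hashes.
MASTER = parse_shadow("alice:HASH-a0:11100:\nbob:HASH-b0:11100:\ncarol:HASH-c1:11110:\n")
NODES = {
    "node01": parse_shadow("alice:HASH-a1:11115:\nbob:HASH-b1:11115:\ncarol:HASH-c0:11090:\n"),
    "node02": parse_shadow("alice:HASH-a0:11100:\nbob:HASH-b2:11115:\nmallory:HASH-m:11115:\n"),
}

if __name__ == "__main__":
    new_master, stale, conflicts, unknown = reconcile(MASTER, NODES)
    print(new_master, stale, conflicts, unknown, sep="\n")
```

Stale nodes simply receive the current master on the next push; conflicts and node-only accounts are left for an administrator to review rather than merged automatically.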




