Adding a user to lots of systems.

Posted by Steve on Thu 6 Apr 2006 at 09:14

In many small and medium sized companies there are a number of servers which have organically grown, with no directory management. I'm curious to know how people would handle adding users in this scenario.

Imagine a situation where you have 50 machines which are running Debian Sarge, and you wish to do two things to each system:

  • Add a new user account.
  • Set up that user such that sudo is available for them.

Doing this on one or two machines is trivial; just ask somebody with an account to ssh into each server and run useradd to add the user, then edit the /etc/sudoers file.

But what if you want to do the same thing for a lot of machines?

Assuming you have no SSH keys which will allow remote root logins from a trusted internal host how would you handle this situation?

I can think of several different approaches:

Use NIS

NIS is insecure across the internet. Internally on a trusted LAN it is simple, secure enough and well understood.

It would be possible to designate a single host as a master, then login to each host and set it up to fetch non-system accounts + passwords from the master.

This doesn't help much right now since you still have to login to each host, but it will make things easier in the future if the situation repeats itself.

It also doesn't help modify the sudoer setup.

Setup CFEngine

We've covered using cfengine previously, and like NIS this has pros and cons.

On the downside installing and configuring each host to be a CFEngine "slave" or "node" would require logging into each host. But on the plus side it would allow the subsequent addition of users and configuring sudo to be a trivial operation.

Use rsync

Rsyncing a password + shadow file, and sudoers file too, could be done. But this seems to be fraught with danger if hosts have different system-users available. (e.g. some packages create a local user; and if those packages are installed on only some hosts then issues will arise).

Use a Debian Package

As a long shot .. if each host is setup to automatically download new packages from a central location it would be trivial to add a new-employee.deb package to that repository and ensure it was downloaded by modifying a standard package to depend upon it.

(This is similar to the custom packages I use to configure shell setup, etc on my local machines.)

The postinst section of the package could add a user and setup sudo - although this is not a Debian policy-compliant action.

Each of these approaches has pros and cons, and there are likely to be approaches I've missed.

So my question is : How would you handle this situation?

Personally I would be happy to login to each host once to do some minimal configuration but only if that were never required again. Automation is a wonderful thing and jobs like this do have a habit of recurring more often than you'd like ..

Re: Adding a user to lots of systems.
Posted by Anonymous (194.47.xx.xx) on Thu 6 Apr 2006 at 09:56
Use NIS and set up IPsec between all machines. This way you can use NFS and still sleep at night, too.

Re: Adding a user to lots of systems.
Posted by Steve (212.20.xx.xx) on Thu 6 Apr 2006 at 09:57
I'm happy enough using NIS on a trusted LAN even without the use of IPSec.

Although this still doesn't solve the problem of adding the user to the sudoers file ...

Steve

Re: Adding a user to lots of systems.
Posted by Anonymous (134.226.xx.xx) on Thu 6 Apr 2006 at 14:25

Re: Adding a user to lots of systems.
Posted by Anonymous (195.85.xx.xx) on Thu 6 Apr 2006 at 10:24
I use LDAP with PAM for several years now -- works like a charm

Re: Adding a user to lots of systems.
Posted by Anonymous (212.51.xx.xx) on Thu 6 Apr 2006 at 10:30
The answer is definitely LDAP.
It's able to operate over SSL, or if you don't like LDAP-SSL, you can set up a VPN for LDAP (openvpn for example). You can distribute a lot of parameters, like host entries, groups, firewall rules with LDAP; you aren't restricted to distributing users only.

Combined with pam_mkhomedir and extended with cfengine, it would give you infinite power of administration.

Customizing with debian packages is a good idea, for example, I'd do the security related configuration with the help of an own package.

asdmin at gmail dot com

Re: Adding a user to lots of systems.
Posted by alfadir (141.58.xx.xx) on Thu 6 Apr 2006 at 10:35
What about LDAP and PAM ? over secure communications. One LDAP server and a LDAP backup server (replica). Creating classes of computers etc. We have something like that but I am not sure how it is setup. I was involved a bit but at the end a someone else set it up.

Had big problems setting up the LDAP/PAM client on my side under Debian, while the SuSE guys almost just checked LDAP in Yast and it was running. No documentation about Debian online for mixed server clients, but at the end I got it working. RedHat server, Debian client.

I have installed LDAP at home to start to do something similar on my small 4 computer network just for kicks but I have not gotten further then apt-get install ldap :)

If anyone has any hints please place a comment :)

I am not sure if LDAP/PAM can be used by sudoers though, but I guess so.

Re: Adding a user to lots of systems.
Posted by Anonymous (212.114.xx.xx) on Thu 6 Apr 2006 at 10:56
Ok, LDAP would be the most elegant solution. A faster (and more dirty) solution would be a parallel ssh tool, like http://www.theether.org/pssh/. You type the commands to add the user on one machine and they get executed on all servers.

Re: Adding a user to lots of systems.
Posted by hardik (61.95.xx.xx) on Thu 6 Apr 2006 at 11:33

According to me LDAP is the solution. If you have more than one server, use slurpd (replication daemon).
If you want to use your server for centralized authentication (more than 10000 users, around the world), you can use LDAP with SASL + Referral + slurpd + Pam + nss ldap + nscd + . You can also get the sudo support for LDAP [1].

This is my admin LDIF, with qmail, samba and sudo support.
dn: uid=admin,ou=People,dc=foo,dc=com
objectClass: top
objectClass: inetOrgPerson
objectClass: posixAccount
objectClass: qmailUser
objectClass: sambaSamAccount
objectClass: sudoRole
cn: admin
uid: admin
uidNumber: 1000
gidNumber: 1000
userPassword: {SSHA}XXXXXXXXXXXXXXXXXXXXXXXXXXX
sudoUser: admin
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh
homeDirectory: /home/admin
loginShell: /bin/bash
mail: admin@foo.com
mailMessageStore: /home/admin/Maildir/
qmailUID: 1000
qmailGID: 1000
deliveryMode: noforward
accountStatus: active
mailQuotaSize: 0
mailSizeMax: 0
sambaLMPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaNTPassword: XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
sambaAcctFlags: [U          ]
sambaPwdLastSet: 11XXXXXX734
sambaPwdCanChange: 11XXXXXX34
sambaPwdMustChange: 2147483647
sambaSID: S-1-5-21-62781671-XXXXXXXXX-XXXXXXX-3000
sambaPrimaryGroupSID: S-1-5-21-XXXXXXXXX-XXXXXX-3380384210-3001
displayName: foo Server Administrator
gecos: foo Server Administrator
description: foo Server Administrator
sn: admin


[1] http://www.courtesan.com/sudo/readme_ldap.html

Hardik Dalwadi
DeepRoot Linux

Re: Adding a user to lots of systems.
Posted by Steve (212.20.xx.xx) on Thu 6 Apr 2006 at 11:36
Thanks for that. I'd been deliberately ignoring LDAP as a "heavyweight" solution (although I should have included it in the list).

But now you've shown that LDAP can be used for managing Sudo it is looking more attractive.

Steve

Re: Adding a user to lots of systems.
Posted by hardik (61.95.xx.xx) on Thu 6 Apr 2006 at 11:46
If you can find your solution with LDAP+Debian, please write a small article on that.

-=Hardik=-

Re: Adding a user to lots of systems.
Posted by asdmin (194.237.xx.xx) on Thu 6 Apr 2006 at 13:49
I've done it already, but I had never wanted to spend 7 days with writing a howto after a 2 days long work ;)
--
Dániel Vásárhelyi

Re: Adding a user to lots of systems.
Posted by kgfullerton (62.252.xx.xx) on Thu 6 Apr 2006 at 15:27
I've got a new box that's going to run Xen for my home network - I've already done most of the setup but I'm quite alright to wipe the main drive and setup everything using pam_ldap and write a how-to for the site if anyone's interested?

Re: Adding a user to lots of systems.
Posted by Steve (82.41.xx.xx) on Tue 18 Apr 2006 at 23:30
An article would certainly be appreciated.

(That goes for pretty much any relevant topic to be honest!)

Steve

Re: Adding a user to lots of systems.
Posted by oxtan (80.126.xx.xx) on Thu 6 Apr 2006 at 18:59
This site has quite a lot of info concerning debian + ldap: link

Re: Adding a user to lots of systems.
Posted by oxtan (80.126.xx.xx) on Thu 6 Apr 2006 at 19:02
o, crap, link not working. There, no html tags:

http://www.tom.sfc.keio.ac.jp/~torry/ldap/ldap_en.html

ok, you actually need no tags, the system is smart :)

Re: Adding a user to lots of systems.
Posted by simonw (84.45.xx.xx) on Thu 6 Apr 2006 at 17:53
Ah - but I want to know how these guys manage their LDAP databases.

All the examples use ldap-utils and the like.

Are they all using custom scripts, or is there some supercool LDAP admin tool that stops it looking like complete voodoo?

All I've ever used OpenLDAP for was a shared address book, and I had to debug the Perl CGI script for updating that.

Re: Adding a user to lots of systems.
Posted by oxtan (80.126.xx.xx) on Thu 6 Apr 2006 at 18:27
well, a few years back, yes, you would have been right. Today:

* smbldap-tools
* jxplore
* phpldapadmin
* cpu
* or just make your own with perl+ldap, once you understand how a directory works, it really is not very hard (I should know, I am no programmer).

Re: Adding a user to lots of systems.
Posted by sphaero (83.160.xx.xx) on Fri 7 Apr 2006 at 07:10
ldap account manager

http://lam.sf.net

or just apt-get install ldap-account-manager

Re: Adding a user to lots of systems.
Posted by asdmin (195.228.xx.xx) on Fri 7 Apr 2006 at 10:54
You shouldn't forget about ldapvi
(http://www.lichteblau.com/ldapvi.html)!
It's the best for quick modifications (correcting typos etc).
It executes a query, the result is opened in your text editor, you make the changes, after exiting from the editor it produces an ldif from the changes and offers several choices what to do with this ldif (execute on the db, view, save, discard).

Good for experts (quick and straightforward), good for beginners (easy to understand how to produce an ldif) and very useful for most cases. Of course apt-get install ldapvi is available.

--
Dániel Vásárhelyi

Re: Adding a user to lots of systems.
Posted by dkg (216.254.xx.xx) on Mon 10 Apr 2006 at 23:03
there's also luma, a python/QT-based GUI tool with a plugin architecture.

Re: Adding a user to lots of systems.
Posted by Serge (212.221.xx.xx) on Thu 6 Apr 2006 at 11:47
I can't find which program does this trick, but there is one that allows you to log in simultaneously on different hosts and execute the same command.
Or you could script an ssh adduser command.


--

Serge van Ginderachter

Re: Adding a user to lots of systems.
Posted by Steve (212.20.xx.xx) on Thu 6 Apr 2006 at 11:49
dsh does this, or pssh mentioned in the comment above.

Steve

Re: Adding a user to lots of systems.
Posted by Anonymous (213.217.xx.xx) on Thu 6 Apr 2006 at 16:24
Or cssh aka clusterssh
but I also use LDAP. What I am looking for is:
sudo+ldap where user foo can log in to machine
bar1 and bar2 but only on machine bar1 can he/she run sudo commands.
I already have hostgroups so I only add the user to another host and then he can also log in on the second host.

Daniel

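Hardik's LDIF above carries the sudoRole attributes (sudoUser, sudoHost, sudoCommand), and Daniel asks for a user who can log in on bar1 and bar2 but only run sudo on bar1. The script below is an added example, not code from the thread or from sudo-ldap itself: it parses sudoRole entries from a constructed LDIF, answers the who/where/what question for a given user, host and command, and flags roles whose sudoCommand ALL makes any '!' exclusion cosmetic. The hostnames bar1/bar2 come from Daniel's post; the DNs, the user foo and the commands are made up.

```python
import fnmatch

# Constructed sample directory content (not real data). 'admin' mirrors the
# sudoRole attributes in Hardik's LDIF; 'foo' gets sudo on bar1 only, which
# is what Daniel asked for. Everything besides bar1/bar2 is made up.
SAMPLE_LDIF = """\
dn: cn=admin,ou=SUDOers,dc=foo,dc=com
objectClass: sudoRole
cn: admin
sudoUser: admin
sudoHost: ALL
sudoCommand: ALL
sudoCommand: !/bin/sh

dn: cn=foo-bar1,ou=SUDOers,dc=foo,dc=com
objectClass: sudoRole
cn: foo-bar1
sudoUser: foo
sudoHost: bar1
sudoCommand: /usr/bin/apt-get
"""

def parse_ldif(text):
    """Minimal LDIF parser: list of {attribute: [values]} dicts, keeping
    multi-valued attributes and joining folded (leading-space) lines."""
    entries, entry, last = [], {}, None
    for line in text.splitlines():
        if line == "":                       # blank line ends an entry
            if entry:
                entries.append(entry)
            entry, last = {}, None
        elif line.startswith(" ") and last:  # folded continuation line
            entry[last][-1] += line[1:]
        else:
            attr, _, value = line.partition(":")
            entry.setdefault(attr, []).append(value.strip())
            last = attr
    return entries + [entry] if entry else entries

def sudo_roles(entries):
    return [e for e in entries if "sudoRole" in e.get("objectClass", [])]

def _matches(patterns, name):
    """ALL matches anything; otherwise a sudo-style glob match."""
    return any(p == "ALL" or fnmatch.fnmatchcase(name, p) for p in patterns)

def sudo_allowed(entries, user, host, command):
    """Decide whether user@host may run command under the sudoRole entries.
    Simplified model: a role applies when sudoUser and sudoHost match, and
    within a role the last matching sudoCommand wins, '!' meaning deny.
    %group, +netgroup and sudoOrder are deliberately not modelled."""
    verdict = False
    for role in sudo_roles(entries):
        if not _matches(role.get("sudoUser", []), user):
            continue
        if not _matches(role.get("sudoHost", []), host):
            continue
        for cmd in role.get("sudoCommand", []):
            if _matches([cmd.lstrip("!")], command):
                verdict = not cmd.startswith("!")
    return verdict

def effectively_unrestricted(entries):
    """cn of every role granting sudoCommand ALL. Subtracting commands from
    ALL with '!' (ALL plus !/bin/sh above) is not a real restriction:
    sudoers(5) documents that such exclusions are easily bypassed, so
    review these roles as full root grants."""
    return [cn for role in sudo_roles(entries)
            if "ALL" in role.get("sudoCommand", []) for cn in role.get("cn", ["?"])]
```

Feed it the output of an ldapsearch over your ou=SUDOers subtree instead of SAMPLE_LDIF to audit a live directory.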
Re: Adding a user to lots of systems.
Posted by gryman (64.147.xx.xx) on Fri 7 Apr 2006 at 02:41
We use LDAP to authenticate 500 servers. This makes administering passwords and users very simple.

Re: Adding a user to lots of systems.
Posted by Anonymous (72.224.xx.xx) on Fri 7 Apr 2006 at 03:55
Like practically everyone else here, I would agree that OpenLDAP is the best possible solution. Since you already seem to have several local authenticating hosts, as long as you ensured that the UIDs were unique, you can just add the account to LDAP and leave the local entry. This works great when you have an application that is running as a certain user (say oracle:dba), if the app account and group are local AND in LDAP then your crons won't fail if the host can't talk to your LDAP server for whatever reason.

Re: Adding a user to lots of systems.
Posted by samb (213.106.xx.xx) on Fri 7 Apr 2006 at 08:36

Whilst people are quite correct in suggesting LDAP as a centralised authentication source, there are plenty of scenarios where it's not really suitable, for example when you need people to be able to log into the machine locally in a situation where the network is inaccessible.

My solution to adding one user to many machines is to use ClusterSSH. If you've got keys set up on all the machines you're connecting to (and why wouldn't you?) it makes things pretty simple.

Sam Bashton
Bashton Ltd - Linux Consultancy

Re: Adding a user to lots of systems.
Posted by alfadir (129.69.xx.xx) on Fri 7 Apr 2006 at 10:21
This tool can also be used :
http://www.csm.ornl.gov/torc/C3/

It is very useful when dealing with many machines.
Has push and exec functionality. One can specify ranges of machines.
Unfortunately I do not think there is a Debian package.

Re: Adding a user to lots of systems.
Posted by Anonymous (85.1.xx.xx) on Sat 8 Apr 2006 at 13:30

Re: Adding a user to lots of systems.
Posted by irishgeek (72.224.xx.xx) on Sat 8 Apr 2006 at 19:11
If you are using LDAP for a centralized authentication source, and you want to still have certain users log in locally when the network is inaccessible (or the host is simply stand alone from the rest of the LDAP managed hosts), just create a marker account in LDAP, add the account locally to the passwd file on your standalone host and you are covered.

And for LDAP management, it looks simple at first, but the best GUI tool I've come across so far is LDAP Browser/Editor (LBE) - http://www-unix.mcs.anl.gov/~gawor/ldap/installation.html

Re: Adding a user to lots of systems.
Posted by asdmin (194.237.xx.xx) on Mon 10 Apr 2006 at 16:23
If local authentication is a must in any case, a local LDAP replica would be a good option. It'll carry all usernames and passwords for all systems - but it isn't any worse than using ClusterSSH and spreading the same passwords out in another way.

Daniel

--
Dániel Vásárhelyi

Re: Adding a user to lots of systems.
Posted by Anonymous (24.61.xx.xx) on Sat 8 Apr 2006 at 21:22
We just set up Csync2 on a few boxes we didn't want to manage with our Cfengine setup, and I must say so far I like it a lot better than running rsync scripts everywhere. This also requires going box to box to set up however.... But once it's done it's done.

Re: Adding a user to lots of systems.
Posted by paulproteus (128.220.xx.xx) on Mon 10 Apr 2006 at 16:24
At JHU ACM, we use LDAP for our user and authentication database. For the sudo question, I would add the user to a UNIX group called sudoable or "admins" and put that group in the sudoers file.

-- Asheesh.

--
/usr/games/fortune|

A wrong way...
Posted by Anonymous (66.188.xx.xx) on Tue 11 Apr 2006 at 02:46
Back in 1995 I ran into this type of situation and wrote a small server program I installed on each machine that accepted a very limited set of commands from an admin machine.
The Admin machine was really an internal webserver, that served up user modification pages to the admin staff and stored all user info in a DB. A cron "client" would run every 15 minutes that would send all changes out to the servers.
In practice this completely hand written system worked well, however security wise, maybe not the best of plans. The communications were encrypted, and the server only responded to admin requests coming from a specific IP, but in retrospect I can think of many cracks that could have been used against this system.
After 2 years use, the company abandoned this system and went with Active Directory, replacing all their unix machines with windows...

Re: Adding a user to lots of systems.
Posted by Anonymous (195.190.xx.xx) on Tue 11 Apr 2006 at 20:25
Simply put, I would use LDAP! Especially if one is administering a school, university or other larger organisation with significant user turnover.

Lindsey Rockwell
lindseyrockwell@yahoo.se

Re: Adding a user to lots of systems.
Posted by Anonymous (66.179.xx.xx) on Wed 12 Apr 2006 at 22:46
How well does ldap scale? In a cluster I've got ~100 machines that all get simultaneous login requests when someone farms a job out to them... NIS just plain hung due to the instantaneous load. How does LDAP behave? My interim solution is libnss-db and a Makefile that explicitly pushes the databases out when they get changed - a kind of NIS-Lite.

On a related tack, why isn't there a web-based auth mechanism? HTTP is the transport of choice these days, why use a specialized protocol like LDAP instead of a simple protocol on top of HTTP?

Re: Adding a user to lots of systems.
Posted by dataw0lf (70.103.xx.xx) on Thu 13 Apr 2006 at 17:57
LDAP scales fine. The problems will usually come from nscd, not ldap itself. LDAP and HTTP are completely different. LDAP is a way to store and manage users and their information. You're not really using LDAP for authentication; you're using nscd that connects to a slapd server.
--
Lead System Administrator
Aero-Graphics, Inc
http://dataw0lf.org

Re: Adding a user to lots of systems.
Posted by Anonymous (192.135.xx.xx) on Wed 19 Apr 2006 at 19:11
NIS or LDAP is the proper way to do this on a LAN. The other methods you describe are hackish and messy. If you don't want to type passwords, you should use Kerberos.

Re: Adding a user to lots of systems.
Posted by sandholm (65.116.xx.xx) on Mon 24 Apr 2006 at 16:55
I'm surprised that nobody has mentioned "expect".

I wrote some code a long time ago to address the issue of running remote commands on a large collection of hosts, as any user.
The script calls "ssh", handles the password prompting, then performs
the specified "Cmd"; which could be anything... like useradd, or passwd,
whatever...
Here's a basic "expect function" (read TCL), that performs a "remote command"...
PS. please pardon the formatting, my cut-n-paste didn't preserve leading tabs...
=================================================================
# procedure to execute a command remotely
# SYNTAX: RemoteCommand "Command" HostName UserName UserPassword
# RETURN: error|ok
# ERRORS: failed login (bad password, bad username)
#         bad command.
proc RemoteCommand { Cmd Host User Psw } {
    global ERR_IGN
    global GLOBAL_TIMEOUT

    # set timeout value to GLOBAL_TIMEOUT
    set timeout $GLOBAL_TIMEOUT
    # turn off user display logging
    log_user 0
    #log_user 1
    # clear BAD password flag
    set BAD 0
    # start the ssh activity
    spawn -noecho ssh -l $User $Host $Cmd
    # expect...
    expect {
        # got a password prompt, send password &
        # clear BAD flag, then continue in expect loop.
        assword: {
            send "${Psw}\r"
            set BAD 0
            log_user 1
            exp_continue
        }
        # got a password-bad message, set BAD flag
        # and continue in expect loop (retries).
        denied {
            puts stderr "access denied"
            set BAD 1
            exp_continue
        }
        # remote side timed out on us.
        timeout {
            puts stderr "timeout"
        }
        # ssh "continue connecting (yes/no)?" host-key prompt; answering
        # yes here trusts whatever key is offered, so seed known_hosts
        # beforehand if the hosts' keys are known.
        continue {
            send "yes\r"
            exp_continue
        }
        # we probably sent a bad hostname
        "service not known" {
            puts stderr "bad host ($Host)"
            if { $ERR_IGN == 1 } {
                return -code ok
            } else {
                return -code error
            }
        }
        "Received disconnect" {
            puts stderr "command error ($Cmd)"
            if { $ERR_IGN == 1 } {
                return -code ok
            } else {
                return -code error
            }
        }
        # we probably sent a command that wasn't on
        # our PATH.
        "command not found" {
            puts stderr "bad command ($Cmd)"
            if { $ERR_IGN == 1 } {
                return -code ok
            } else {
                return -code error
            }
        }
        # we got a shell prompt, must be done...
        "$ " {
            log_user 0
            return -code ok
        }
        # we got an "eof" from the spawned process
        # so check our BAD flag to let the caller know
        # if we got logged in or not.
        eof {
            #puts stdout "connection closed"
            if { $BAD == 0 } {
                return -code ok
            } else {
                if { $ERR_IGN == 1 } {
                    return -code ok
                } else {
                    return -code error
                }
            }
        }
    }
    # do some general cleanup here, always a good SYNC
    # method to send a CR or 2.
    send "\r"
    expect "$ "
    return -code ok
}

===============================================
This should give you a "basic" idea of how it works.

Good Luck!
- Tom

Re: Adding a user to lots of systems.
Posted by wouter (87.244.xx.xx) on Thu 27 Apr 2006 at 02:55
Add my voice to the choir of those suggesting LDAP. Anything under 5-10 systems could be done by hand, too, like with a terminal that can send the same output to different terminal windows... But I would think about some directory service from there on. And that just begs for LDAP.

If it's a pretty uniform and relatively safe environment (let's say, a classroom with 'mature' users and identical clients), just running NIS/NFS might do the trick too... perhaps a bit less work initially.

Or have your passwd in CVS. :)

Re: Adding a user to lots of systems.
Posted by Anonymous (195.188.xx.xx) on Fri 10 Nov 2006 at 16:17
fanout
it's great for executing multiple commands on different systems at once

Re: Adding a user to lots of systems.
Posted by nobrowser (75.30.xx.xx) on Wed 17 Aug 2011 at 23:27
Aah, nothing like reviving an ancient thread :-)

LDAP seems to have emerged as the recommendation. I am in this
situation as well and LDAP does seem way overkill. My reading led me to
Hesiod which seems able to do the job as just a thin layer over DNS.

But I haven't done the switch, because what I'd really like is to
synchronize the system user IDs as well (and group IDs of course). I
just hate seeing random numeric IDs when I do ls -l on a net-mounted
directory. So the challenge is not really (or not as much) how to do
the distribution of IDs to multiple machines, but mostly how to stop the
debian package maintainer scripts from doing stupid things:

1. installing the same system user / group with different IDs, and
(especially!)

2. removing system users / groups once installed. Ever. AT ALL!!

My existing approach has been:

1. replace {user,group}add scripts with variants that warn me loudly
about what is happening.

2. keep /etc/{passwd,group} under version control, in a single
repository with a branch for each host, and when the warning in 1 above
is triggered, cherry-pick the diff to the other hosts.

3. replace {user,group}del scripts with variants that do NOTHING. :-)
(The original scripts are still available under a different name so
removing a user manually is not a problem.)

But it is still a chore. Suggestions?

All this because we still don't have a network file system that is
higher-level than NFS but not hopeless overkill like Gluster etc.

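Steve's rsync caveat (packages creating local users on only some hosts) and nobrowser's UID/GID drift are the same check seen from two directions. The script below is an added example, not code from the thread: given copies of /etc/passwd (or /etc/group) gathered from several hosts, it reports names that carry different numeric IDs, IDs reused for different names, and accounts present on only some hosts. The host files are constructed sample data, not real systems.

```python
from collections import defaultdict

# Constructed sample passwd files (not real hosts): postfix got a different
# UID on host2, UID 104 means different things on each host, and ntp/sshd
# each exist on only one host (the rsync hazard from the original post).
HOST_FILES = {
    "host1": """\
root:x:0:0:root:/root:/bin/bash
postfix:x:102:102::/var/spool/postfix:/bin/false
ntp:x:104:104::/home/ntp:/bin/false
alice:x:1000:1000:Alice:/home/alice:/bin/bash
""",
    "host2": """\
root:x:0:0:root:/root:/bin/bash
postfix:x:103:103::/var/spool/postfix:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
alice:x:1000:1000:Alice:/home/alice:/bin/bash
""",
}

def parse_ids(text):
    """Return {name: numeric id} from passwd- or group-format text; in
    both formats the name is field 0 and the numeric id is field 2."""
    ids = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 3 and fields[2].isdigit() and not line.startswith("#"):
            ids[fields[0]] = int(fields[2])
    return ids

def find_conflicts(host_files):
    """(name_conflicts, id_conflicts): {name: {host: id}} for names whose id
    differs between hosts, and {id: {host: name}} for ids reused for
    different names. Either kind breaks ownership on shared storage."""
    by_name, by_id = defaultdict(dict), defaultdict(dict)
    for host, text in host_files.items():
        for name, num in parse_ids(text).items():
            by_name[name][host] = num
            by_id[num][host] = name
    names = {n: h for n, h in by_name.items() if len(set(h.values())) > 1}
    ids = {i: h for i, h in by_id.items() if len(set(h.values())) > 1}
    return names, ids

def find_missing(host_files):
    """{name: [hosts lacking it]} for accounts present on some hosts only,
    i.e. what an rsync of passwd/shadow would silently add or clobber."""
    present = {h: set(parse_ids(t)) for h, t in host_files.items()}
    every = set().union(*present.values())
    return {n: sorted(h for h, s in present.items() if n not in s)
            for n in sorted(every) if any(n not in s for s in present.values())}

def report(host_files):
    """One human-readable line per finding, in a stable order."""
    names, ids = find_conflicts(host_files)
    out = [f"name {n}: ids {sorted(set(h.values()))} on {sorted(h)}"
           for n, h in sorted(names.items())]
    out += [f"id {i}: names {sorted(set(h.values()))} on {sorted(h)}"
            for i, h in sorted(ids.items())]
    out += [f"missing {n} on {hs}" for n, hs in find_missing(host_files).items()]
    return out

if __name__ == "__main__":
    print("\n".join(report(HOST_FILES)))
```

Run it against files fetched with scp from each host before pushing any shared passwd or group data around.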