topic Re: UID and GID management across several servers in Operating System - HP-UX

UID and GID management across several servers

Daniel Gutierrez — Tue, 18 May 2004 11:59:58 GMT

Is there a product or way that will allow management of UID's and GID's across several hundred servers? I have run into a case were the same person can have a user ID across many servers and not have the same UID Number, and the User name is in different Groups. If HPUX has a way please pass that on. HPUX 10.20, 11.0 and 11i systems

Re: UID and GID management across several servers

A. Clay Stephenson — Tue, 18 May 2004 12:04:02 GMT

The standard way to handle this in the UNIX world is NIS and this will work across all these OS releases as well as essentially all flavors of UNIX. The downside is that NIS does not meet today's security needs so a better option is LDAP.

Re: UID and GID management across several servers

Sridhar Bhaskarla — Tue, 18 May 2004 12:11:44 GMT

Hi Daniel,

There are sure products that will do the user administration. NIS(insecure), NIS+ and LDAP are most commonly used. Control-SA by BMC is another product that costs $$.

http://www.bmc.com/products/proddocview/0,2832,19052_19429_22855_1587,00.html

However, you will first need to clean up the mess before you can start using any product. You will need to come up with a standard set of uids/gids, sync them up on all the boxes and then use the product to maintain them. It can be quite a bit of work if the UIDs are in use (like generic logins to run the application processes).

-Sri

Re: UID and GID management across several servers

Pete Randall — Tue, 18 May 2004 12:16:12 GMT

Daniel,

We tried NIS and didn't really care for it. We now simply use the same password file on all the different servers, copying it amongst them via NFS. There are probably security concerns with this simplistic approach, but it works for us and didn't cost a dime.

Pete

Re: UID and GID management across several servers

Dani Seely — Tue, 18 May 2004 13:43:28 GMT

Suggest using NIS+

However, if you are concerned about Security, there's a good read at:
http://www.eng.auburn.edu/users/doug/nis.html

Re: UID and GID management across several servers

A. Clay Stephenson — Tue, 18 May 2004 14:15:24 GMT

NIS+ is not available for 10.20. It's more secure than NIS but it too is not long for this world. If you are serious about doing this, again the answer is LDAP, now what's your question?

Re: UID and GID management across several servers

Scott J. Showalter — Tue, 18 May 2004 16:21:35 GMT

I am part of a team that administers hundreds of servers. We also do NOT use NIS. It is too insecure. However, in our workstation environment they do use NIS. ALL users who get accounts on any of our systems, gets enetered into NIS. Then when we create a user on one of our servers we have a home grown app that pulls the UID from NIS and creates the account on the appropriate servers.

However, due to Sarbanes Oxley requirements, we will be migrating to LDAP soon.

Realize that you can't just chnage the UID's to be the same on all of the systems and think that everything is going to work. To change the UID of a user on a system, you will need to search the filesystems to find files owned by that UID and change the ownership to the new UID. This IS going to be a lot of work. But, the sooner you do it, the better. The problem will only get worse over time.

Re: UID and GID management across several servers

Dani Seely — Tue, 18 May 2004 16:36:22 GMT

True. I neglected to state that NIS+ won't be an answer for you on 10.20 systems, only on 11.00 for you.

Scott brings up a good point too, that when a UID changes, the files are left and are identified as owned by the previous UID #. When that UID # gets assigned, if those files aren't changed to the previous owners new UID then you will have a HUGH mess!

Though Pete's suggestion of copying the same passwd file to all of your servers sounds simple, you'll run into this problem of file ownership.

I'll keep looking into this, this is a VERY interesting concepct and concern. By the way, how many servers are you talking about? It would also help if you break it down to how many servers per platform. Thanks!

Re: UID and GID management across several servers

Dani Seely — Tue, 18 May 2004 18:43:19 GMT

Hey Paul,
Thought I'd try to do a little explanation of file permissions. Each digit corresponds
to the permissions for user, group, and other ... respectively.

The umask is subtracted from 777 / 666 to give the permission set.

So, since you have a umask 022, 666-022 leaves 644 (rw-r--r--). As r=4, w=2, x=1,
644 is user rw- (4+2) group r-- (4) others r-- (4).

Hope this adds some clarity.

Re: UID and GID management across several servers

Dani Seely — Tue, 18 May 2004 18:46:37 GMT

SORRY!

While this is good information, I posted it to the wrong subject thread. Oh well, enjoy.

Re: UID and GID management across several servers

Daniel Gutierrez — Wed, 19 May 2004 12:26:44 GMT

Thank you everyone for the help all of this has been so informative. I'm working with a 300+ Server count and 15,000+ user accounts. Based on the feedback I would like to use the /etc/passwd along with LDAP-UX.

Next question I don't know LDAP-UX or where to begin.

Re: UID and GID management across several servers

Dani Seely — Wed, 19 May 2004 13:09:27 GMT

Hey Daniel,
I have not experimented with LDAP-UX, however, there's a REALLY good article that explains LDAP-UX, including topographical layouts at:
http://docs.hp.com/cgi-bin/otsearch/getfile?id=/hpux/onlinedocs/internet/uxint.html&searchterms=LDAP&queryid=20011108-122355

Also, the following link tells you how to purchase support for LDAP-UX (J4269AA LDAP-UX Integration), and a phone number for the HP Advantage Center you can call in lieu of talking with an HP sales representative (800-637-7740).

Here you can obtain information about the product, including an overview, pricing, support level options, and other options.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J4269AA

Good luck!