
Easy way to add a users to multiple nodes???

 
Leon Ross
Occasional Contributor

Easy way to add a users to multiple nodes???

Hello,
I am trying to figure out if there is an easy way to add a user to multiple nodes networked together using DECnet. I don't want to have to copy the sysuaf.dat every time a new user needs to be added. I have about 10 machines and don't really want to manually add the user. Is there any way to broadcast the command to all nodes at the same time or something along those lines?

I am very new to system administration and OpenVMS. We don't have a system admin here so I took the role :)

Any help would be great.

Leon
8 REPLIES
Robert Gezelter
Honored Contributor

Re: Easy way to add a users to multiple nodes???

Leon,

First, please allow me to welcome you to the ITRC OpenVMS Forum.

While it will need a little bit of scaffolding, one can certainly use the SYSMAN DO command to issue commands on remote systems (in this case to AUTHORIZE, DISKQUOTA, and other programs in turn). This can be automated in a variety of ways, but caution is required to avoid creating a security hazard.

You will also need to keep track of UIC and Identifier allocation in some central place. There is no inherent mechanism for coordinating the UIC and Identifier allocation policies among different machines (other than those in an OpenVMS cluster sharing a single authorization file).

Depending on one's situation, one might also be able to achieve a degree of common authentication among the different systems.

What can be done depends on how sophisticated one needs to be, and what version(s) of OpenVMS one is working with.

My apologies for being somewhat terse, I am writing this in a rush before going into a client meeting.

- Bob Gezelter, http://www.rlgsc.com
Hein van den Heuvel
Honored Contributor

Re: Easy way to add a users to multiple nodes???


Did you manage to keep UICs in sync?
Are the (logical) device names available on all target systems?
How will you create the user directories?

This may be naive, but I think you can just use RMS remote file access to do the deed.
Then again, maybe password seeds and such will get in the way.
What I would try is something along the lines of (UNTESTED!)


$ nodes = "a,b,c" ! Put real node names here
$ access = ""
$ if .not. proxies ! conceptual, not actual code
$ then
$   read /prompt="Password: " sys$input password
$   ! Builds the access control string "user password"; the password is held in a symbol in clear text
$   access = """" + f$getjpi("","USERNAME") + " " + password + """"
$ endif
$ read /prompt="Username to copy: " sys$input username
$ open/read/share=write uaf sysuaf ! Assumes logical name
$ read/key=&username/error=ooops uaf record ! Fetch the local UAF record
$ i = 0
$loop:
$ node = f$element(i,",",nodes)
$ if node .eqs. "," then goto done ! End of the node list
$ i = i + 1
$ close/nolog uaf
$ open/read/write/share=write uaf 'node''access'::sysuaf ! Logical?!
$ write/symbol/error=ooops uaf record ! Write the record to the remote UAF
$ goto loop
$ooops:
$ ! do something with $status
$done:
$ close/nolog uaf
$ exit

Good luck!
Hein.
Hoff
Honored Contributor

Re: Easy way to add a users to multiple nodes???

SYSUAF and RIGHTSLIST and several other pieces are generally paired together; you have to copy all of the files. If you copy just SYSUAF, you can end up with a skewed RIGHTSLIST; you have to be careful with UIC collisions and identifiers. (If you're replicating, you will want to keep entries in synch.) When you add a new user, you also typically add one or sometimes two matching identifiers into RIGHTSLIST automatically.

The usual approach for this sort of application is external authentication via Kerberos or such, where the passwords are maintained in a shared realm. (There are some other protocols supported, but Kerberos is probably the most common.)

Even with Kerberos, there would (still) have to be entries added to each node, using something akin to the ADDUSER tool, either directly or via DECnet task-to-task or other such. (Though remote access via DECnet does have its security exposures.)

http://h71000.www7.hp.com/wizard/wiz_0159.html

Far and away the best solution here often being clustering; all nodes in a cluster are part of the same security domain, and one login typically works anywhere in the cluster. This works across hundreds of kilometers. Ten nodes is easily feasible as a cluster, given sufficient network bandwidth and latency; given 10 Mb Ethernet or better.

Here's some semi-related reading material:
http://64.223.189.234/node/856
http://64.223.189.234/node/169
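
The UIC collisions this reply warns about can be checked before any account is replicated. The following is an added example, not code from the thread: it compares per-node account listings and reports usernames whose UIC differs between nodes and UICs assigned to different usernames. The listing format, node names and accounts are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed per-node listings, one "USERNAME [group,member]" per line.
# This simplified format is an assumption, not AUTHORIZE's own output layout.
LISTINGS = {
    "ALPHA1": "SYSTEM [1,4]\nJOE [200,10]\nANNA [200,11]\n",
    "ALPHA2": "SYSTEM [001,004]\nJOE [200,12]\nPETE [200,11]\n",
}

UIC_LINE = re.compile(r"^\s*(\S+)\s+\[\s*([0-7]+)\s*,\s*([0-7]+)\s*\]\s*$")


def parse_listing(text):
    """Return {username: (group, member)}. UIC numbers are octal, so
    [001,004] and [1,4] normalise to the same value."""
    accounts = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        m = UIC_LINE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        accounts[m.group(1).upper()] = (int(m.group(2), 8), int(m.group(3), 8))
    return accounts


def find_conflicts(listings):
    """Return (usernames with more than one UIC, UICs with more than one username)."""
    uics_of_user = defaultdict(set)
    users_of_uic = defaultdict(set)
    for text in listings.values():
        for user, uic in parse_listing(text).items():
            uics_of_user[user].add(uic)
            users_of_uic[uic].add(user)
    skewed = {u: sorted(s) for u, s in uics_of_user.items() if len(s) > 1}
    shared = {c: sorted(s) for c, s in users_of_uic.items() if len(s) > 1}
    return skewed, shared


def fmt(uic):
    """Render a (group, member) pair back in octal [g,m] form."""
    return "[%o,%o]" % uic


if __name__ == "__main__":
    skewed, shared = find_conflicts(LISTINGS)
    for user, uics in skewed.items():
        print(f"{user}: differing UICs {', '.join(map(fmt, uics))}")
    for uic, users in shared.items():
        print(f"{fmt(uic)}: assigned to {', '.join(users)}")
```

Because file ownership and protection follow the UIC, the [200,11] entry in the sample means files owned by ANNA on one node would belong to PETE on the other.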

labadie_1
Honored Contributor

Re: Easy way to add a users to multiple nodes???

Similar to Hein's idea, I have already used

$ def sysuaf alpha1::sysuaf
$ ! or, if you do not have Decnet proxies
$ def sysuaf alpha1"user pass"::sys$common:[sysexe]sysuaf.dat
$ mc authorize add joe/pass=joepass

or have a loop, if you have a high number of nodes

$ list = "alpha1/alpha2/alpha3"
$ cp = 0
$ loop:
$ node = f$elem(cp,"/",list)
$ if node.eqs."/" then exit
$ def sysuaf 'node'::sysuaf
$ mc authorize ...
$ cp = cp + 1
$ goto loop

Of course, this supposes you have already checked the UIC on the remote node.

You can also define a Sysman logical name for a group of nodes, and then do
$ mc sysman set env/node=(list1)
do mc authorize...
marsh_1
Honored Contributor

Re: Easy way to add a users to multiple nodes???

leon,

if you are a relative newcomer to vms i would suggest using the openvms management station. you can download it from the hp site.

http://h71000.www7.hp.com/openvms/products/argus/download.html

it involves installing a client on your pc and a server on each of your vms nodes, once installed you can add a new cluster or domain and add your vms nodes to it in the windows gui , connection is by decnet or tcpip. one server will need to be designated the primary server and connection to that must be by tcpip.

you can display individual nodes or all in the domain, then use filtering to tailor your display. if you then highlight the accounts required and make any changes you have the option to apply them individually or to all selected.

do read the installation guide before commencing.
Hoff
Honored Contributor

Re: Easy way to add a users to multiple nodes???

If "define sysuaf 'node'::sysuaf" works here -- and I've been there, and I've used that approach -- it's easier and equally as secure to just lock all your passwords to blank, disable password expiration, and (better) set up a single group-wide privileges login.

The configuration has zero security. Yes, I've used it. Might as well be both honest and most efficient about its use, then.

There's no point in using a complex and management-intensive approach in such an environment, after all. Well, unless you're looking to present security theater, and there are easier ways to achieve that.
Willem Grooters
Honored Contributor

Re: Easy way to add a users to multiple nodes???

Just a question:

Are these machines stand-alone, or clustered? In the latter case: do they have a common system disk? Where do the authorization files reside in that case?

In a VMS cluster you could work - without a problem - with one set of files (SYSUAF, RIGHTSLIST and NETPROXY/NET$PROXY (depending on your DECnet version)) if you have all these files on a disk that is accessible to all cluster members. Directly, or by MSCP (the disk-access protocol used in a cluster).

WG
Willem Grooters
OpenVMS Developer & System Manager
Wim Van den Wyngaert
Honored Contributor

Re: Easy way to add a users to multiple nodes???

We still do it for about 50 stations.

After each modification we copy the files to all nodes that are up.
At boot time, each node will copy the files to be in sync.

The copy = copy to temp file + rename to the real name. If not, the sysuaf becomes unusable when the node is interrupted during the copy.

Wim