HPE Community
Operating System - HP-UX
1752282 Members
4626 Online
108786 Solutions
New Discussion

Sync /etc/passwd between 2 SG servers without using LDAP or NIS

 
SOLVED
Go to solution
Rich Fink
Occasional Advisor

‎02-14-2011 02:00 PM

‎02-14-2011 02:00 PM

Sync /etc/passwd between 2 SG servers without using LDAP or NIS

Hi all,

I need to keep the /etc/passwd files in sync between 2 nodes in a Serviceguard cluster, but can’t use NIS or LDAP.

We have ~600 users who currently access our application via SSH login. We’re in the process of migrating to a 2-node Serviceguard cluster, and the users will continue to connect via SSH, only now to the IP address assigned to our SG package instead of a specific server. The problem is that almost all of the users are not employees of our company, they work for the State or County government. So as I understand it, NIS or LDAP aren’t really viable options. We do have a handful of internal users with home directories that are local to each node, whereas all the other users have home dirs that are on the SG package shared Volume Group.

So the big question is, how do we keep the passwd files in sync between the 2 nodes? I’m thinking along the lines of a script that looks to see if the package is on that node, and if so it copies /etc/passwd and /etc/group over to the other system. But the worry there is simultaneous changes and changes getting lost between copies. Also, how will password aging and consecutive incorrect passwords be affected?

I’ve searched the forums and have found several queries that are close to mine, but most answers suggest LDAP/NIS. Thanks in advance for any suggestions/pointers!

-Rich
"UNIX is a user-friendly Operating System .. it's just picky about choosing its friends."
0 Kudos
Reply
3 REPLIES 3
Tim Nelson
Honored Contributor

‎02-14-2011 02:35 PM

‎02-14-2011 02:35 PM

Solution

Re: Sync /etc/passwd between 2 SG servers without using LDAP or NIS

This may not be the "proper" way but..

simply replicate /etc/passwd back and forth between the servers.

warning:
(if something breaks you will not be able to log in)

if you are using "trusted" mode then also tar up and copy /tcb directory.

do some testing with just one non-root entry to get things right.

perhaps only sync userid's over 100 leaving the system ids and root alone.



Reply
Rich Fink
Occasional Advisor

‎02-15-2011 12:42 PM

‎02-15-2011 12:42 PM

Re: Sync /etc/passwd between 2 SG servers without using LDAP or NIS

Thanks Tim.

The systems are not trusted, so no /tcb files to worry about. We do have different root passwords, as well as a few others, so the concept of not copying UID's under 100 is probably how we'll have to go. I just want to make sure we don't miss any password changes or useradds..

Any thoughts on if password aging or consecutive incorrect passwords will be affected?

-Rich
"UNIX is a user-friendly Operating System .. it's just picky about choosing its friends."
0 Kudos
Reply
Bill Hassell
Honored Contributor

‎02-15-2011 04:38 PM

‎02-15-2011 04:38 PM

Re: Sync /etc/passwd between 2 SG servers without using LDAP or NIS

A simple copy will work fine. Since you're not using /tcb (Trusted system), then consecutive bad passwords have no effect -- unless you are using enhanced security or shadow passwords. Then you'll need to copy additional files.


Bill Hassell, sysadmin
0 Kudos
Reply
The opinions expressed above are the personal opinions of the authors, not of Hewlett Packard Enterprise. By using this site, you accept the Terms of Use and Rules of Participation.