
Re: Automation

 
Spark_2
Frequent Advisor

Automation

Hi,

Direct root login is disabled on all my servers. How can things be automated in this kind of environment? I made a second user with uid 0 and tried to use that for small tasks like user addition or running a script from one box on multiple boxes, but it's being denied as the uid 0 is being captured as root's.

How can automation be done in such kind of an environment please. Would appreciate any help.
Michal Kapalka (mikap)
Honored Contributor

Re: Automation

hi,

I think it's better if you use SUDO.

If you would like to download it:

http://hpux.connect.org.uk/hppd/hpux/Sysadmin/sudo-1.7.2p1/

mikap
Jupinder Bedi
Respected Contributor

Re: Automation

Install sudo on your system and you can do all your system administrator tasks accordingly.
All things excellent are as difficult as they are rare
Spark_2
Frequent Advisor

Re: Automation

I already have sudo on my boxes. Please consider the scenario:

I want to create a user on multiple boxes sitting in one server. Now all the others have direct root login disabled. Now how to go about it please.

Similarly in case I want to have output like mirroring information and want to run some script from one server to all...
Horia Chirculescu
Honored Contributor

Re: Automation

Hello

I just wanted to underline the fact that

" its being denied as the uid 0 is being captured as root's"

is the normal behavior of any Unix-like OS, meaning that any program looks at the UID, not at the user name. This is done by invoking getuid(). Two users with the same UID are treated in the same way.

Horia.
Best regards from Romania,
Horia.
Spark_2
Frequent Advisor

Re: Automation

Thanks Horia, I understand that fact now.

Someone please help with the basic problem also
Horia Chirculescu
Honored Contributor

Re: Automation

Hello,

Michael already suggested a good approach to the problem.

Once sudo is installed, you should play with visudo in order to give the non-root user access to the desired programs (/usr/sbin/useradd, whatever your script/scripts are).

man sudo

man visudo.

Best regards
Horia.
Best regards from Romania,
Horia.
Spark_2
Frequent Advisor

Re: Automation

It's not just within this server that I want to do things... I want to configure a central from where scripting could be done to perform things on several other servers.

Passwordless ssh doesn't help as direct root login is disabled on all the boxes. What else can be done, please?
Horia Chirculescu
Honored Contributor

Re: Automation

>Its not just within this server that I want to do things....I want configure a central

You must create a common user on all your servers that you want to perform the tasks.

let's say you will create the user

maintenance.

On every managed server you must configure sudo for user maintenance to run useradd and

From your station, you can create a script that would perform the same tasks on all servers. This script would

ssh to your 1st server as maintenance,
sudo


ssh to your 2nd server as maintenance and so on...


Best regards,
Horia.
Best regards from Romania,
Horia.
Spark_2
Frequent Advisor

Re: Automation

I add a user 'maintenance' and make its entry passwordless in sudoers file.

Now to perform root tasks like useradd one must have appropriate permission. Until reaching the other box using ssh, things are fine, but as soon as 'sudo useradd..' comes, permission denied is being prompted.
Horia Chirculescu
Honored Contributor

Re: Automation

Pls read "to run useradd and "

as

"to run useradd and any other commands you need"
Best regards from Romania,
Horia.
Spark_2
Frequent Advisor

Re: Automation

Thank you for the continuous help. It seems you missed some part of my previous post. Please go through it again and suggest.
Horia Chirculescu
Honored Contributor

Re: Automation

> are fine but as soon as 'sudo useradd..' comes permission denied is being prompted.

Let's say:

which useradd
/usr/sbin/useradd

In this case you did something wrong when configuring sudo. Review your sudoers (edit the sudoers file only with the visudo command!)

Cmnd_Alias PRIV_CMDS = /usr/sbin/useradd, /path_to_yourscript/yourscript

maintenance ALL= NOPASSWD: PRIV_CMDS

Save the file using the :wq command.

You can also specify /usr/sbin/ and all your executables from /usr/sbin will be executed by the maintenance user.

This should do the job.

Best regards
Horia.
Best regards from Romania,
Horia.
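
The ssh-as-maintenance plus sudo approach described in the replies above, as an added example that is not part of the original thread. The host names, the function names and the login-name policy (lowercase, at most 8 characters) are assumptions made for illustration; the `maintenance` account and the `/usr/sbin/useradd` path come from the posts.

```sh
#!/bin/sh
# Added example: fan one privileged command out to several hosts as the
# unprivileged "maintenance" account, using key-based ssh plus sudo.
REMOTE_USER=maintenance
USERADD=/usr/sbin/useradd   # full path, must match the sudoers Cmnd_Alias
DRY_RUN=${DRY_RUN:-1}       # 1 = only print the command lines, do not connect

# Accept only conservative login names (assumed policy) so nothing in the
# argument can be interpreted by the remote shell.
valid_login() {
    case "$1" in
        ''|*[!a-z0-9_]*|[!a-z_]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Command line for one host. BatchMode makes ssh fail instead of asking for
# a password; sudo -n makes sudo fail instead of prompting.
remote_cmd() {
    printf 'ssh -o BatchMode=yes %s@%s sudo -n %s -m %s\n' \
        "$REMOTE_USER" "$1" "$USERADD" "$2"
}

add_user_everywhere() {
    login=$1; shift
    valid_login "$login" || { echo "rejected login name: $login" >&2; return 2; }
    failed=0
    for host in "$@"; do
        if [ "$DRY_RUN" = 1 ]; then
            remote_cmd "$host" "$login"
        elif ! ssh -o BatchMode=yes "$REMOTE_USER@$host" \
                "sudo -n $USERADD -m $login" </dev/null; then
            echo "FAILED on $host" >&2
            failed=$((failed + 1))
        fi
    done
    [ "$failed" -eq 0 ]
}

# Constructed host names; with DRY_RUN=1 this only prints the commands.
add_user_everywhere jdoe hpux01 hpux02
```

Because `sudo -n` exits with an error rather than prompting, a host whose sudoers entry is missing or does not match the full command path is reported as FAILED instead of hanging the loop.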
Robert Salter
Respected Contributor

Re: Automation

If you have your ssh public keys set up on all of your servers you can use 'ssh' to execute your remote commands without logging in directly. Then you can write your scripts to perform the work you want from one server, i.e. useradd, etc. Just make sure to use the full path to the commands in your scripts.

Beers,

robert
Time to smoke and joke
melvyn burnard
Honored Contributor

Re: Automation

Have you taken a look at DSAU (Distributed Systems Administration Utilities)?
It is designed to "fan out" commands to a number of servers.
http://docs.hp.com/en/T2786-90327/T2786-90327.pdf
My house is the bank's, my money the wife's, But my opinions belong to me, not HP!
Nido
Trusted Contributor

Re: Automation

Hi & How are you?

Playing with SSH and SUDO would require you to log into each system and have setup.

I will need to check "Distributed Systems Administration Utilities"

How about a dirty way of using expect?
Write some 10-15 liners by putting conditions in the expect program (you may switch to uid 0 later within the expect program, and that's what your system expects: to NOT login as uid 0).

Put expect on either HPUX box or find expect in any redhat.

http://hpux.connect.org.uk/hppd/hpux/Tcl/expect-5.43/

p.s. No points for a dirty way.

Chocolates?

Cheers!!
" Let Villagers Be Happy!! "
D. Jackson_1
Honored Contributor

Re: Automation

Can you please provide examples of what you are trying to get done?
SSH access with a sudo implementation will work. It just takes some scripting to do it.