Operating System - HP-UX

UID and GID management across several servers

 
Daniel Gutierrez
New Member

UID and GID management across several servers

Is there a product or way that will allow management of UIDs and GIDs across several hundred servers? I have run into a case where the same person can have a user ID across many servers and not have the same UID number, and the user name is in different groups. If HPUX has a way, please pass that on. HPUX 10.20, 11.0 and 11i systems
A. Clay Stephenson
Acclaimed Contributor

Re: UID and GID management across several servers

The standard way to handle this in the UNIX world is NIS and this will work across all these OS releases as well as essentially all flavors of UNIX. The downside is that NIS does not meet today's security needs so a better option is LDAP.
If it ain't broke, I can fix that.
Sridhar Bhaskarla
Honored Contributor

Re: UID and GID management across several servers

Hi Daniel,

There are sure products that will do the user administration. NIS (insecure), NIS+ and LDAP are most commonly used. Control-SA by BMC is another product that costs $$.

http://www.bmc.com/products/proddocview/0,2832,19052_19429_22855_1587,00.html

However, you will first need to clean up the mess before you can start using any product. You will need to come up with a standard set of uids/gids, sync them up on all the boxes and then use the product to maintain them. It can be quite a bit of work if the UIDs are in use (like generic logins to run the application processes).

-Sri
You may be disappointed if you fail, but you are doomed if you don't try
Pete Randall
Outstanding Contributor

Re: UID and GID management across several servers

Daniel,

We tried NIS and didn't really care for it. We now simply use the same password file on all the different servers, copying it amongst them via NFS. There are probably security concerns with this simplistic approach, but it works for us and didn't cost a dime.


Pete

Dani Seely
Valued Contributor

Re: UID and GID management across several servers

Suggest using NIS+

However, if you are concerned about Security, there's a good read at:
http://www.eng.auburn.edu/users/doug/nis.html
Together We Stand!
A. Clay Stephenson
Acclaimed Contributor

Re: UID and GID management across several servers

NIS+ is not available for 10.20. It's more secure than NIS but it too is not long for this world. If you are serious about doing this, again the answer is LDAP, now what's your question?
If it ain't broke, I can fix that.
Scott J. Showalter
Frequent Advisor

Re: UID and GID management across several servers

I am part of a team that administers hundreds of servers. We also do NOT use NIS. It is too insecure. However, in our workstation environment they do use NIS. ALL users who get accounts on any of our systems get entered into NIS. Then when we create a user on one of our servers we have a home-grown app that pulls the UID from NIS and creates the account on the appropriate servers.

However, due to Sarbanes Oxley requirements, we will be migrating to LDAP soon.

Realize that you can't just change the UIDs to be the same on all of the systems and think that everything is going to work. To change the UID of a user on a system, you will need to search the filesystems to find files owned by that UID and change the ownership to the new UID. This IS going to be a lot of work. But, the sooner you do it, the better. The problem will only get worse over time.
In a world without fences, who needs Gates?
Dani Seely
Valued Contributor

Re: UID and GID management across several servers

True. I neglected to state that NIS+ won't be an answer for you on 10.20 systems, only on 11.00 for you.

Scott brings up a good point too, that when a UID changes, the files are left and are identified as owned by the previous UID #. When that UID # gets assigned, if those files aren't changed to the previous owner's new UID then you will have a HUGE mess!

Though Pete's suggestion of copying the same passwd file to all of your servers sounds simple, you'll run into this problem of file ownership.

I'll keep looking into this, this is a VERY interesting concept and concern. By the way, how many servers are you talking about? It would also help if you break it down to how many servers per platform. Thanks!
Together We Stand!
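
Added example (not part of any post in this thread): a Python sketch of the clean-up audit that Sri's and Scott's replies call for, which compares passwd files gathered from several hosts, reports users whose UID differs, and builds a per-host change list toward a chosen standard. The host names, accounts, UIDs and function names are constructed for illustration; the `blocker` column flags the case Dani describes, where the target UID is still held by a different user on that host.

```python
from collections import defaultdict

# Constructed sample: /etc/passwd contents collected from three hosts.
# Host names, user names and UIDs are invented for illustration.
SAMPLE = {
    "hosta": "root:*:0:3::/:/sbin/sh\njsmith:*:101:20::/home/jsmith:/usr/bin/sh\n"
             "appsvc:*:205:20::/home/appsvc:/usr/bin/sh\n",
    "hostb": "root:*:0:3::/:/sbin/sh\njsmith:*:205:20::/home/jsmith:/usr/bin/sh\n"
             "mlee:*:101:20::/home/mlee:/usr/bin/sh\n+::::::\n",
    "hostc": "root:*:0:3::/:/sbin/sh\njsmith:*:101:20::/home/jsmith:/usr/bin/sh\n"
             "appsvc:*:300:20::/home/appsvc:/usr/bin/sh\nmlee:*:102:20::/home/mlee:/usr/bin/sh\n",
}

def parse_passwd(text):
    """Return {username: uid}; skip comments, NIS '+'/'-' entries and malformed lines."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if line.startswith(("#", "+", "-")) or len(fields) < 7 or not fields[2].isdigit():
            continue
        users[fields[0]] = int(fields[2])
    return users

def audit(hosts):
    """Return {user: {uid: [hosts]}} for users whose UID differs between hosts."""
    seen = defaultdict(lambda: defaultdict(list))
    for host in sorted(hosts):
        for user, uid in parse_passwd(hosts[host]).items():
            seen[user][uid].append(host)
    return {u: dict(m) for u, m in seen.items() if len(m) > 1}

def remap_plan(hosts, standard):
    """List (host, user, old_uid, new_uid, blocker) for every change needed to reach
    the chosen standard {user: uid}. blocker is the other user who holds new_uid on
    that host today; that user and their files must move first, or file ownership
    for the two accounts would merge.
    """
    plan = []
    for host in sorted(hosts):
        users = parse_passwd(hosts[host])
        by_uid = {uid: user for user, uid in users.items()}
        for user, old in sorted(users.items()):
            new = standard.get(user, old)
            if new != old:
                plan.append((host, user, old, new, by_uid.get(new)))
    return plan

if __name__ == "__main__":
    for row in remap_plan(SAMPLE, {"jsmith": 101, "appsvc": 205, "mlee": 102}):
        print(row)
```

Each row of the plan still implies the per-filesystem search for files owned by the old UID and the ownership change that Scott's reply describes.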
Dani Seely
Valued Contributor

Re: UID and GID management across several servers

Hey Paul,
Thought I'd try to do a little explanation of file permissions. Each digit corresponds
to the permissions for user, group, and other ... respectively.

The umask is subtracted from 777 / 666 to give the permission set.

So, since you have a umask 022, 666-022 leaves 644 (rw-r--r--). As r=4, w=2, x=1,
644 is user rw- (4+2) group r-- (4) others r-- (4).

Hope this adds some clarity.
Together We Stand!
Dani Seely
Valued Contributor

Re: UID and GID management across several servers

SORRY!

While this is good information, I posted it to the wrong subject thread. Oh well, enjoy.
Together We Stand!
Daniel Gutierrez
New Member

Re: UID and GID management across several servers

Thank you everyone for the help; all of this has been so informative. I'm working with a 300+ server count and 15,000+ user accounts. Based on the feedback I would like to use the /etc/passwd along with LDAP-UX.

Next question: I don't know LDAP-UX or where to begin.
Dani Seely
Valued Contributor
Solution

Re: UID and GID management across several servers

Hey Daniel,
I have not experimented with LDAP-UX, however, there's a REALLY good article that explains LDAP-UX, including topographical layouts at:
http://docs.hp.com/cgi-bin/otsearch/getfile?id=/hpux/onlinedocs/internet/uxint.html&searchterms=LDAP&queryid=20011108-122355

Also, the following link tells you how to purchase support for LDAP-UX (J4269AA LDAP-UX Integration), and a phone number for the HP Advantage Center you can call in lieu of talking with an HP sales representative (800-637-7740).

Here you can obtain information about the product, including an overview, pricing, support level options, and other options.

http://www.software.hp.com/cgi-bin/swdepot_parser.cgi/cgi/displayProductInfo.pl?productNumber=J4269AA

Good luck!
Together We Stand!