Home / server / Questions / 962323
Accepted
jdog
Asked: 2019-04-10 13:58:33 +0800 CST

Sync users over NFS

  • 772

I'm implementing a web server with configuration and user files shared over NFS (Amazon EFS) as described here: https://serverfault.com/a/933566/81774

As part of my Apache configuration, I am running websites under different user names using mod_mpm_itk. How can I sync user names between servers without having to bake new user names into the web server AMI.

I'm assuming I can't just move /etc/passwd to NFS, as the server then won't boot without having NFS mounted?

Update based on comments:

There doesn't seem to be a way to load additional files with nsswitch.conf, only to query additional services according to this answer: https://unix.stackexchange.com/a/210587

The downside of an additional service is to introduce additional points of failure.

Is it a feasible option to copy /etc/passwd from NFS when the server starts up and re-read it with pwck as described here https://unix.stackexchange.com/a/102336 ?

nfs

2 Answers

  1. If you don't want to introduce extra points of failure, you have to create the users locally. This is actually a very decent idea.

    While you could copy the passwd file, I would recommend a local ansible playbook or puppet standalone manifest which can create the users locally if they are missing. You can keep the playbook on NFS.

    • 1
  2. Best Answer

    You could try using pam_extrausers. It uses a separate /etc/passwd style list of user accounts, which supplements the standard authentication regimes. The equivalent files are /var/lib/extrausers/passwd, /var/lib/extrausers/shadow, and /var/lib/extrausers/group.

    It would be safer to synchonise this whenever one of its user accounts was updated, leaving /etc/passwd and associated files managed per server.

    On Debian-derived systems the package name is libnss-extrausers.

    Although this is a PAM module, the configuration is applied in /etc/nsswitch.conf:

    passwd:         compat extrausers
group:          compat extrausers
shadow:         compat extrausers

    To create entries in these files it seems best to create them on your primary system as local users (none of the standard utilities can manage the entries). Then copy those entries from the existing passwd, shadow and group files to the equivalent ones in /var/lib/extrausers. Remember to fix the permissions on shadow to match the system one.

    grep -E '^(user1|user2|user3):' /etc/passwd >/var/lib/extrausers/passwd
grep -E '^(user1|user2|user3):' /etc/shadow >/var/lib/extrausers/shadow
grep -Ew '(user1|user2|user3)'  /etc/group >/var/lib/extrausers/group

chmod u=rw,go=r   /var/lib/extrausers/passwd /var/lib/extrausers/group
chown root:shadow /var/lib/extrausers/shadow
chmod u=rw,g=r,o= /var/lib/extrausers/shadow

ls -l /var/lib/extrausers
total 12
-rw-r--r--  1 root root     21 Apr 18 15:36 group
-rw-r--r--  1 root root     49 Apr 18 15:37 passwd
-rw-r-----  1 root shadow  123 Apr 18 15:37 shadow

    You can copy the files around using whatever technique you prefer. I like rsync with root equivalence:

    for rhost in remote1 remote2 remote3 ...
do
    rsync -avR /var/lib/extrausers/* "$rhost":/
done
    • 1