Linux user and password copy between servers with cron script

Question

I have two Red Hat 7 Linux servers that I want to keep user accounts synced. I have a bash script that copies these files between servers:

/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/subuid /etc/subgid

The script is run from a cron job every 5 minutes on each server, the problem is, how do I make sure only one server runs the script? I was thinking of adding a test into the script running stat on /etc/shadow and if the file modify time is not within the last 5 minutes exit the script. Since the modify time is copied over with the file the second server would also then run the copy script, which I don't want. Is there a better method of doing this?

Add a test on which compares `hostname` output with a constant (so we know which server we running on)? — Nikita Kipriyanov, Feb 06 '21 at 16:29

fuero · Answer 1 · 2021-02-06T17:02:32.677

1

Hi and welcome to ServerFault.

The "shot from the hip" solution I can come up with is: Manage those files remotely.

Whether you use sssd/NIS, a configuration management solution (puppet/ansible/salt/chef/whatever), it doesn't matter much.

The way it's done now is likely to introduce inconsistencies and cause annoying problems to debug, especially if you introduce more boxes into the mix.

Have an external (to the controlled boxes), single source of truth and let it control this information.

The problem is quite a common one, have a look at the other questions as well.

edited Feb 06 '21 at 17:02

answered Feb 06 '21 at 16:57

fuero

9,413
1
35
40

This is all being migrated from AIX to Linux and this is how it was being done on AIX, with a script copying /etc/passwd etc.. The difference now is HA has been introduced into the mix under Linux with pacemaker. The passwords are copied to about a dozen other servers with one of two servers being the control servers where password changes are made. They don't want to use LDAP they want local accounts on each sever. Only one server of the control HA pair should run the copy password script, but if one server is down then the other should run it. – 320f320 Feb 06 '21 at 17:24
LDAP usage doesn't prevent local accounts. And what you describe doesn't rule out a configuration management solution like puppet or ansible. – fuero Feb 06 '21 at 17:29

Linux user and password copy between servers with cron script

1 Answers1