
I'm implementing a web server with configuration and user files shared over NFS (Amazon EFS) as described here: https://serverfault.com/a/933566/81774

As part of my Apache configuration, I am running websites under different user names using mod_mpm_itk. How can I sync user names between servers without having to bake new user names into the web server AMI?

I'm assuming I can't just move /etc/passwd to NFS, as the server then won't boot without having NFS mounted?

Update based on comments:

There doesn't seem to be a way to load additional files with nsswitch.conf, only to query additional services according to this answer: https://unix.stackexchange.com/a/210587

The downside of an additional service is to introduce additional points of failure.

Is it a feasible option to copy /etc/passwd from NFS when the server starts up and re-read it with pwck as described here https://unix.stackexchange.com/a/102336 ?

jdog
    The typical solution to sharing user accounts between systems is to use a centralized directory rather than replicating or sharing (the contents of) `/etc/passwd` files between systems as that file will also need to be present in single user mode. Think AD, LDAP, NIS, sssd etc – HBruijn Apr 09 '19 at 22:52
  • A simple solution could be to add another file to `/etc/nsswitch.conf` and put that file on EFS. Your EFS is probably available early enough that absence of that file should not be a problem. Files may have to be NIS compatible, not sure how to structure these files, but NIS was the very early very way of doing these things, so that may give you additional pointers to get this working. – Berend de Boer Apr 10 '19 at 02:56
  • If files don't work, have a look at using a mysql db: https://gist.github.com/alpacaaa/3196852 – Berend de Boer Apr 10 '19 at 02:58
  • Have you considered using `pam_extrausers` and syncing its user list around regularly? It avoids your accidentally breaking `/etc/passwd` by supplementing it with a separate users file. – roaima Apr 17 '19 at 18:08
  • @roaima it looks like a better option than a play book. Pls provide an answer. From reading man page I cannot see how I add a user to extra users instead of etc/passwd – jdog Apr 18 '19 at 01:25
  • This is what LDAP is for – Timothy Pulliam Apr 18 '19 at 19:44
  • LDAP is something that can break – jdog Apr 18 '19 at 21:22

2 Answers


If you don't want to introduce extra points of failure, you have to create the users locally. This is actually a very decent idea.

While you could copy the passwd file, I would recommend a local ansible playbook or puppet standalone manifest which can create the users locally if they are missing. You can keep the playbook on NFS.

chutz
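As an added illustration of the "create the users locally if they are missing" approach (example code written for this page, not chutz's playbook and not from the original post): the desired accounts are kept in one list file on the NFS share, in a constructed `name:uid:gid:home` format that is an assumption of this example, and the script creates whatever is absent with a fixed UID and GID. Pinning UIDs matters on shared storage, because file ownership on EFS is stored by number, not by name. The script refuses to run when a listed UID already belongs to a different local account, since creating that user would merge two identities on the shared files. The function names and the list format are this example's own.

```shell
#!/bin/sh
# Added example, not from the answer: idempotent local user creation from a
# list file on NFS. Constructed list format (an assumption): name:uid:gid:home
# The passwd path is a parameter so the checks can be run against test files.
set -eu

# missing_users LISTFILE PASSWDFILE
# Print the list entries whose user name does not yet exist in PASSWDFILE.
missing_users() {
    awk -F: 'NR == FNR { have[$1] = 1; next }
             NF >= 4 && !($1 in have)' "$2" "$1"
}

# uid_conflicts LISTFILE PASSWDFILE
# Print list entries whose UID is already owned by a *different* local name.
uid_conflicts() {
    awk -F: 'NR == FNR { owner[$3] = $1; next }
             ($2 in owner) && owner[$2] != $1' "$2" "$1"
}

# ensure_users LISTFILE
# Create each missing account with its fixed UID/GID (needs root). Re-running
# it on a server that already has the users is a no-op.
ensure_users() {
    if [ -n "$(uid_conflicts "$1" /etc/passwd)" ]; then
        echo "refusing: listed UIDs already belong to other local accounts:" >&2
        uid_conflicts "$1" /etc/passwd >&2
        return 1
    fi
    missing_users "$1" /etc/passwd | while IFS=: read -r name uid gid home; do
        getent group "$gid" >/dev/null || groupadd -g "$gid" "$name"
        useradd -u "$uid" -g "$gid" -d "$home" -M -s /usr/sbin/nologin "$name"
    done
}

# Stand-alone use at boot (as root), e.g. from a systemd unit ordered after
# the EFS mount:  USER_LIST=/mnt/efs/site-users sh ensure-users.sh
if [ -n "${USER_LIST:-}" ]; then
    ensure_users "$USER_LIST"
fi
```

Because the list is only read, a stale or unreachable NFS mount leaves the already-created local accounts untouched, which is the point of chutz's suggestion: the web server keeps working without the share.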

You could try using pam_extrausers. It uses a separate /etc/passwd style list of user accounts, which supplements the standard authentication regimes. The equivalent files are /var/lib/extrausers/passwd, /var/lib/extrausers/shadow, and /var/lib/extrausers/group.

It would be safer to synchronise this whenever one of its user accounts was updated, leaving /etc/passwd and associated files managed per server.

On Debian-derived systems the package name is libnss-extrausers.

Although this is a PAM module, the configuration is applied in /etc/nsswitch.conf:

passwd:         compat extrausers
group:          compat extrausers
shadow:         compat extrausers

To create entries in these files it seems best to create them on your primary system as local users (none of the standard utilities can manage the entries). Then copy those entries from the existing passwd, shadow and group files to the equivalent ones in /var/lib/extrausers. Remember to fix the permissions on shadow to match the system one.

grep -E '^(user1|user2|user3):' /etc/passwd >/var/lib/extrausers/passwd
grep -E '^(user1|user2|user3):' /etc/shadow >/var/lib/extrausers/shadow
grep -Ew '(user1|user2|user3)'  /etc/group >/var/lib/extrausers/group

chmod u=rw,go=r   /var/lib/extrausers/passwd /var/lib/extrausers/group
chown root:shadow /var/lib/extrausers/shadow
chmod u=rw,g=r,o= /var/lib/extrausers/shadow

ls -l /var/lib/extrausers
total 12
-rw-r--r--  1 root root     21 Apr 18 15:36 group
-rw-r--r--  1 root root     49 Apr 18 15:37 passwd
-rw-r-----  1 root shadow  123 Apr 18 15:37 shadow

You can copy the files around using whatever technique you prefer. I like rsync with root equivalence:

for rhost in remote1 remote2 remote3 ...
do
    rsync -avR /var/lib/extrausers/* "$rhost":/
done
roaima
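The extraction and installation steps from roaima's answer, collected into one script as an added example (this is not roaima's code and not part of the original post). It does what the grep/chmod/chown lines above do, with two additions a practitioner would want before copying NSS data between hosts: a check that no name or UID in the extrausers file already exists in the target's local /etc/passwd (a synced entry that shadows a system account, or a UID that already belongs to another local user, is the kind of mistake that silently changes who owns files on the share), and an atomic rename into place so NSS lookups never read a half-written file. The function names, the `EXTRAUSERS_SRC` variable and the constructed test accounts are this example's own; the file locations and permissions are the ones the answer gives.

```shell
#!/bin/sh
# Added example, not from the answer: build the extrausers files for a list of
# accounts and refuse to install them when a name or UID collides with an
# account in the local /etc/passwd. Source paths are parameters so the
# functions can be exercised against constructed files without root.
set -eu

# build_extrausers OUTDIR SRCDIR USER...
# Extract the named users from SRCDIR/{passwd,shadow,group} into OUTDIR.
# Groups are matched with -w, as in the answer, so groups that merely list
# the user as a member are carried along too. A user with no entry in one
# of the source files makes grep fail and, under set -e, stops the script.
build_extrausers() {
    out=$1; src=$2; shift 2
    alt=$(printf '%s|' "$@"); alt=${alt%|}      # user1|user2|user3
    grep -E  "^($alt):" "$src/passwd" > "$out/passwd"
    grep -E  "^($alt):" "$src/shadow" > "$out/shadow"
    grep -Ew "($alt)"   "$src/group"  > "$out/group"
}

# check_no_collisions LOCAL_PASSWD EXTRA_PASSWD
# Succeed only if no user name or UID in EXTRA_PASSWD already exists in
# LOCAL_PASSWD; otherwise list the offenders on stderr and fail.
check_no_collisions() {
    awk -F: '
        NR == FNR  { name[$1] = 1; uid[$3] = 1; next }
        $1 in name { print "name collision: " $1 > "/dev/stderr"; bad = 1 }
        $3 in uid  { print "uid collision: " $1 " uid " $3 > "/dev/stderr"; bad = 1 }
        END { if (bad) exit 1 }
    ' "$1" "$2"
}

# install_extrausers SRCDIR [DESTDIR]
# Copy the three files into place with the permissions the answer shows
# (shadow readable only by root and group shadow). Needs root.
install_extrausers() {
    src=$1; dst=${2:-/var/lib/extrausers}
    check_no_collisions /etc/passwd "$src/passwd" || {
        echo "refusing to install: entries collide with local accounts" >&2
        return 1
    }
    for f in passwd group shadow; do
        tmp=$(mktemp "$dst/.$f.XXXXXX")
        cp "$src/$f" "$tmp"
        if [ "$f" = shadow ]; then
            chown root:shadow "$tmp"
            chmod u=rw,g=r,o= "$tmp"
        else
            chmod u=rw,go=r "$tmp"
        fi
        mv -f "$tmp" "$dst/$f"   # rename is atomic; NSS never sees a partial file
    done
}

# Stand-alone use on each web server (as root), reading the staged files
# from the share:  EXTRAUSERS_SRC=/mnt/efs/extrausers sh sync-extrausers.sh
if [ -n "${EXTRAUSERS_SRC:-}" ]; then
    install_extrausers "$EXTRAUSERS_SRC"
fi
```

Run build_extrausers once on the primary system (with `/etc` as SRCDIR) to stage the files on the share, then run the install step on each server in place of, or from within, the rsync loop above; the collision check is what turns an rsync of three files into something safe to repeat unattended.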