
How to share userids, groups across multiple computers - home office


James Harris

Mar 10, 2021, 8:06:57 AM
Ostensibly simple query: What are the best ways to share userids and
groups across multiple Linux computers in a home or small office
environment?

The use case: I am looking to have files stored on two servers
replicating each other and any user who logs in to a client will get
access to those files with the assigned user and group rights (and same
UID and GID).

Just considering user credentials I've been looking at OpenLDAP but it
seems to get rather complex to get what I would think of as basic
facilities such as having two directory servers (in order to guard
against one failing).

Also, it would appear that a basic facility such as allowing users to
change their own passwords is far from straightforward.

So is LDAP the way to go or are there better approaches?


--
James Harris

Ralf Fassel

Mar 10, 2021, 8:45:24 AM
* James Harris <james.h...@gmail.com>
| Ostensibly simple query: What are the best ways to share userids and
| groups across multiple Linux computers in a home or small office
| environment?
--<snip-snip>--
| So is LDAP the way to go or are there better approaches?

If it's Linux-only, NIS would be another way.

https://en.wikipedia.org/wiki/Network_Information_Service

HTH
R'

Joe Beanfish

Mar 10, 2021, 10:05:33 AM
On Wed, 10 Mar 2021 14:45:19 +0100, Ralf Fassel wrote:

> * James Harris <james.h...@gmail.com>
> | Ostensibly simple query: What are the best ways to share userids and
> | groups across multiple Linux computers in a home or small office
> | environment?
> | The use case: I am looking to have files stored on two servers
> | replicating each other and any user who logs in to a client will get
> | access to those files with the assigned user and group rights (and same
> | UID and GID).
> --<snip-snip>--
> | So is LDAP the way to go or are there better approaches?
>
> If it's Linux-only, NIS would be another way.
>
> https://en.wikipedia.org/wiki/Network_Information_Service
>
> HTH
> R'

Another possibility, since you're cloning between machines anyhow, clone
the password files too. Doesn't involve any extra services or failovers
and may be plenty sufficient for your use case.

Rich

Mar 10, 2021, 11:15:53 AM
Was also going to suggest this. If you have a fairly static setup (a
handful of machines, a handful of users, not much churn) then just
manually cloning the UID/GID's to the small number of machines password
files is likely the simplest way to go.

Now, if James has a lot of churn (add/subtract users and/or machines on
a somewhat regular basis) then setting up something like NIS may be
warranted.

But, in typical Usenet fashion, James also left out any details along
those lines for us to have any real idea of what he is dealing with.

Jim Jackson

Mar 10, 2021, 12:17:45 PM
On 2021-03-10, Joe Beanfish <joebe...@nospam.duh> wrote:
> Another possibility, since you're cloning between machines anyhow, clone
> the password files too. Doesn't involve any extra services or failovers
> and may be plenty sufficient for your use case.

There is a potential problem there for "system" uids - those
traditionally less than 1000.

I have a list of users with userids, and make sure those are consistent
across boxes - these are all uids above 1000. But then again I set up
new users manually, not using helper scripts/programs.

I leave uids < 1000 as the system has them set. Not all my systems have
the same distro or version. I've had problems with some services not
liking their "system" uids changing under them - access to files and
directories etc.

Robert Heller

Mar 10, 2021, 12:51:53 PM
At Wed, 10 Mar 2021 14:45:19 +0100 Ralf Fassel <ral...@gmx.de> wrote:

>
> * James Harris <james.h...@gmail.com>
> | Ostensibly simple query: What are the best ways to share userids and
> | groups across multiple Linux computers in a home or small office
> | environment?
> --<snip-snip>--
> | So is LDAP the way to go or are there better approaches?
>
> If it's Linux-only, NIS would be another way.

NIS is relatively not secure... And yes, it is Linux only. If MS-Windows or
Macs are involved, LDAP might be the way to go.

>
> https://en.wikipedia.org/wiki/Network_Information_Service
>
> HTH
> R'
>
>

--
Robert Heller -- Cell: 413-658-7953 GV: 978-633-5364
Deepwoods Software -- Custom Software Services
http://www.deepsoft.com/ -- Linux Administration Services
hel...@deepsoft.com -- Webhosting Services

The Natural Philosopher

Mar 10, 2021, 1:13:47 PM
On 10/03/2021 17:51, Robert Heller wrote:
> At Wed, 10 Mar 2021 14:45:19 +0100 Ralf Fassel <ral...@gmx.de> wrote:
>
>>
>> * James Harris <james.h...@gmail.com>
>> | Ostensibly simple query: What are the best ways to share userids and
>> | groups across multiple Linux computers in a home or small office
>> | environment?
>> --<snip-snip>--
>> | So is LDAP the way to go or are there better approaches?
>>
>> If it's Linux-only, NIS would be another way.
>
> NIS is relatively not secure... And yes is Linux only. If MS-Windows or
> Macs are involved, LDAP might be the way to go.
>
If MS-Windows or Macs are involved, suicide might be the way to go.



--
“Progress is precisely that which rules and regulations did not foresee,”

– Ludwig von Mises

James Harris

Mar 11, 2021, 5:13:02 AM
On 10/03/2021 16:15, Rich wrote:
> Joe Beanfish <joebe...@nospam.duh> wrote:
>> On Wed, 10 Mar 2021 14:45:19 +0100, Ralf Fassel wrote:
>>
>>> * James Harris <james.h...@gmail.com>
>>> | Ostensibly simple query: What are the best ways to share userids and
>>> | groups across multiple Linux computers in a home or small office
>>> | environment?
>>> | The use case: I am looking to have files stored on two servers
>>> | replicating each other and any user who logs in to a client will get
>>> | access to those files with the assigned user and group rights (and same
>>> | UID and GID).
>>> --<snip-snip>--
>>> | So is LDAP the way to go or are there better approaches?
>>>
>>> If it's Linux-only, NIS would be another way.
>>>
>>> https://en.wikipedia.org/wiki/Network_Information_Service

That's interesting. I'd been put off NIS due to comments I'd seen about
NIS+ but as I have been looking into NIS itself it looks like a good
option for my situation, at least pro tem.

...

>> Another possibility, since you're cloning between machines anyhow, clone
>> the password files too. Doesn't involve any extra services or failovers
>> and may be plenty sufficient for your use case.

I thought about that but wasn't sure whether passwords would be
encrypted with the same algorithm on different machines.

If the salted encrypted passwords in the shadow file are transportable
between machines then it looks feasible.

>
> Was also going to suggest this. If you have a fairly static setup (a
> handful of machines, a handful of users, not much churn) then just
> manually cloning the UID/GID's to the small number of machines password
> files is likely the simplest way to go.

I wouldn't clone entire files but just selected ids. For example, I
might have

uids 0 to 999 for local system use
uids 1000 to 1999 for local users
uids 2000 to 2999 for global users, usable on any machine on the network

As for the updates I see getpwent and putpwent are designed to read and
write such credentials.

https://man7.org/linux/man-pages/man3/getpwent.3.html
https://man7.org/linux/man-pages/man3/putpwent.3.html

Unfortunately, the descriptions are vague and don't say they will work
with shadow files. Nor do they say what to use to read and write group
files. (It may be that they will work with all three of /etc/passwd,
/etc/shadow and /etc/group depending on what is passed as the FILE*
argument but they don't say that.)

>
> Now, if James has a lot of churn (add/subtract users and/or machines on
> a somewhat regular basis) then setting up something like NIS may be
> warranted.
>
> But, in typical Usenet fashion, James also left out any details along
> those lines for us to have any real idea of what he is dealing with.

In this case I didn't want a specific solution but some ideas I could
research further. Don't worry, though, questions which are more specific
may be forthcoming. :-)


--
James Harris

Richard Kettlewell

Mar 11, 2021, 5:45:39 AM
James Harris <james.h...@gmail.com> writes:
> On 10/03/2021 16:15, Rich wrote:
>> Joe Beanfish <joebe...@nospam.duh> wrote:
>>> On Wed, 10 Mar 2021 14:45:19 +0100, Ralf Fassel wrote:
>>>> * James Harris <james.h...@gmail.com>
>>>> | Ostensibly simple query: What are the best ways to share userids and
>>>> | groups across multiple Linux computers in a home or small office
>>>> | environment?
>>>> | The use case: I am looking to have files stored on two servers
>>>> | replicating each other and any user who logs in to a client will get
>>>> | access to those files with the assigned user and group rights (and same
>>>> | UID and GID).

In a home environment I keep users & groups in sync completely
manually. There’s only a handful of computers and a fixed small set of
people; NIS/LDAP or automated syncing isn’t worth the effort.

I might reach a different conclusion in a small office...

>>> Another possibility, since you're cloning between machines anyhow, clone
>>> the password files too. Doesn't involve any extra services or failovers
>>> and may be plenty sufficient for your use case.
>
> I thought about that but wasn't sure whether passwords would be
> encrypted with the same algorithm on different machines.
>
> If the salted encrypted passwords in the shadow file are transportable
> between machines then it looks feasible.

Depends on the endpoints. New algorithms are only rarely introduced and
there’s a certain amount of cross-platform commonality. Syncing between
(say) two modern Linux machines shouldn’t be a problem.

[...]
> As for the updates I see getpwent and putpwent are designed to read
> and write such credentials.
>
> https://man7.org/linux/man-pages/man3/getpwent.3.html
> https://man7.org/linux/man-pages/man3/putpwent.3.html
>
> Unfortunately, the descriptions are vague and don't say they will work
> with shadow files. Nor do they say what to use to read and write group
> files. (It may be that they will work with all three of /etc/passwd,
> /etc/shadow and /etc/group depending on what is passed as the FILE*
> argument but they don't say that.)

There are parallel getsp... and getgr... interfaces for shadow and group
files.

--
https://www.greenend.org.uk/rjk/

Rich

Mar 11, 2021, 6:36:57 AM
James Harris <james.h...@gmail.com> wrote:
> On 10/03/2021 16:15, Rich wrote:
>> Joe Beanfish <joebe...@nospam.duh> wrote:
>>> Another possibility, since you're cloning between machines anyhow,
>>> clone the password files too. Doesn't involve any extra services
>>> or failovers and may be plenty sufficient for your use case.
>
> I thought about that but wasn't sure whether passwords would be
> encrypted with the same algorithm on different machines.

Unless you are running an ancient distro (as in 1995 vintage) then no.
The encrypted data in the shadow file includes a prefix indicating
which hash was used, so they are 'transportable' to different machines.

> If the salted encrypted passwords in the shadow file are transportable
> between machines then it looks feasible.

They are, at least as long as you are not trying to transport to a
circa 1995 vintage install.

>> Was also going to suggest this. If you have a fairly static setup (a
>> handful of machines, a handful of users, not much churn) then just
>> manually cloning the UID/GID's to the small number of machines password
>> files is likely the simplest way to go.
>
> I wouldn't clone entire files but just selected ids. For example, I
> might have
>
> uids 0 to 999 for local system use
> uids 1000 to 1999 for local users
> uids 2000 to 2999 for global users, usable on any machine on the network
>
> As for the updates I see getpwent and putpwent are designed to read and
> write such credentials.
>
> https://man7.org/linux/man-pages/man3/getpwent.3.html
> https://man7.org/linux/man-pages/man3/putpwent.3.html
>
> Unfortunately, the descriptions are vague and don't say they will work
> with shadow files.

If you want to write C code to do this (as opposed to a quick script)
then you'll want to look at shadow(3) as well.

> Nor do they say what to use to read and write group files.

This is why learning the local man command, instead of browsing html
versions, is good. "man -a -w group" returns
"/usr/man/man5/group.5.gz". "man group" opens this man page, which at
the bottom cross-references to getgrent(3). "man getgrent" returns the
man page of the C library functions for handling group files.

>> Now, if James has a lot of churn (add/subtract users and/or machines on
>> a somewhat regular basis) then setting up something like NIS may be
>> warranted.
>>
>> But, in typical Usenet fashion, James also left out any details along
>> those lines for us to have any real idea of what he is dealing with.
>
> In this case I didn't want a specific solution but some ideas I could
> research further. Don't worry, though, questions which are more specific
> may be forthcoming. :-)

I didn't ask for a 'solution' -- I said you left out details of what
you wanted to do. I.e., how many machines total. How many different
users. How often do new users get added. How often do old users get
expired (removed). I.e., operational details.

You told us you had a NAS. You left out the other details above.
That's not enough info for us to reliably suggest reasonable routes of
attack.

Ralf Fassel

Mar 11, 2021, 9:55:01 AM
* James Harris <james.h...@gmail.com>
| >>> | So is LDAP the way to go or are there better approaches?
| >>>
| >>> If it's Linux-only, NIS would be another way.
| >>>
| >>> https://en.wikipedia.org/wiki/Network_Information_Service
>
| That's interesting. I'd been put off NIS due to comments I'd seen
| about NIS+ but as I have been looking in to NIS itself it looks like a
| good option for my situation, at least pro tem.

My understanding is that plain ol' NIS is ok in protected environments
where you can trust all clients. I remember administering it was a
no-brainer, since you just need to start the NIS server and set it in
the clients. No separate user management etc., just set the NIS domain
name and server, add a '+:' in /etc/passwd and related files, et voila.

If you work in an environment where you need the security offered by
NIS+ (which I honestly don't know anything about), I would rather spend
the time learning LDAP.

HTH
R'

Joe Beanfish

Mar 11, 2021, 10:09:21 AM
On Thu, 11 Mar 2021 11:36:53 +0000, Rich wrote:

> James Harris <james.h...@gmail.com> wrote:
>> On 10/03/2021 16:15, Rich wrote:
>>> Joe Beanfish <joebe...@nospam.duh> wrote:
>>>> Another possibility, since you're cloning between machines anyhow,
>>>> clone the password files too. Doesn't involve any extra services
>>>> or failovers and may be plenty sufficient for your use case.
>>
>> I thought about that but wasn't sure whether passwords would be
>> encrypted with the same algorithm on different machines.
>
> Unless you are running an anchient distro (as in 1995 vintage) then no.
> The encrypted data in the shadow file includes a prefix indicating
> which hash was used, so they are 'transportable' to different machines.

The encrypted passwords are forward compatible. Old passwords will work
on newer systems. Newer passwords may not work on older systems that
don't know a possibly newer encryption. So, for cloning users in a
non-homogeneous environment you should clone from oldest to newer ones.
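An added example (my own code, not posted by anyone in the thread) tying together James's "global users" uid range, Rich's pointer to shadow(3) alongside getpwent/putpwent, and Joe's point that a shadow hash is only portable to a host that understands its scheme: the FILE*-based fgetpwent/putpwent and fgetspent calls are used on constructed sample data so it runs offline, and `copy_uid_range` and `shadow_hash_id` are names I chose.

```c
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <pwd.h>
#include <shadow.h>

/* Constructed sample passwd/shadow contents; the hashes are fake placeholders. */
static const char SAMPLE_PASSWD[] =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice Local:/home/alice:/bin/bash\n"
    "bob:x:2000:2000:Bob Global:/home/bob:/bin/bash\n"
    "carol:x:2001:2001:Carol Global:/home/carol:/bin/zsh\n";
static const char SAMPLE_SHADOW[] =
    "bob:$6$saltsalt$FAKEHASHFAKEHASHFAKEHASH:18696:0:99999:7:::\n"
    "carol:$y$j9T$saltsalt$FAKEHASHFAKEHASH:18696:0:99999:7:::\n";

/* Copy passwd entries with uid in [lo, hi] from in to out, leaving system and
 * local accounts behind. Returns entries written, or -1 on a write error. */
int copy_uid_range(FILE *in, FILE *out, uid_t lo, uid_t hi)
{
    struct passwd *pw;
    int n = 0;
    while ((pw = fgetpwent(in)) != NULL) {
        if (pw->pw_uid < lo || pw->pw_uid > hi)
            continue;
        if (putpwent(pw, out) != 0)
            return -1;
        n++;
    }
    return n;
}

/* Find name via fgetspent(3) and copy its crypt(3) scheme id (the text between
 * the first two '$': "6" = sha512crypt, "y" = yescrypt) into buf. Returns NULL
 * if the user is absent or the field has no "$id$" prefix (legacy DES, or a
 * locked "!"/"*" entry); only a scheme the target host knows is safe to copy. */
const char *shadow_hash_id(FILE *sp_in, const char *name, char *buf, size_t len)
{
    struct spwd *sp;
    while ((sp = fgetspent(sp_in)) != NULL) {
        const char *p = sp->sp_pwdp, *end;
        if (strcmp(sp->sp_namp, name) != 0)
            continue;
        if (p[0] != '$' || (end = strchr(p + 1, '$')) == NULL)
            return NULL;
        if ((size_t)(end - p - 1) >= len)
            return NULL;
        memcpy(buf, p + 1, end - p - 1);
        buf[end - p - 1] = '\0';
        return buf;
    }
    return NULL;
}
```

Against real files you would open /etc/passwd and /etc/shadow (root only) in place of the fmemopen'd samples, and check each user's scheme id against what `crypt(3)` on the destination supports before copying the shadow line.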

Rich

Mar 11, 2021, 11:10:08 AM
Yes, that is a fair, generally applicable statement.

The OP, however, may be unlikely to be running anything old enough such
that the order of cloning will matter at all.

7EN

Mar 12, 2021, 12:42:52 AM
On Wed, 10 Mar 2021 18:13:43 +0000, The Natural Philosopher
<t...@invalid.invalid> wrote:

>On 10/03/2021 17:51, Robert Heller wrote:
>> At Wed, 10 Mar 2021 14:45:19 +0100 Ralf Fassel <ral...@gmx.de> wrote:
>>
>>>
>>> * James Harris <james.h...@gmail.com>
>>> | Ostensibly simple query: What are the best ways to share userids and
>>> | groups across multiple Linux computers in a home or small office
>>> | environment?
>>> --<snip-snip>--
>>> | So is LDAP the way to go or are there better approaches?
>>>
>>> If it's Linux-only, NIS would be another way.
>>
>> NIS is relatively not secure... And yes is Linux only. If MS-Windows or
>> Macs are involved, LDAP might be the way to go.
>>
>If MS-Windows or Macs are involved, suicide might be the way to go.

Agreed. They want to totally negate all reasonable security
measures here. If this was 1989 I'd say "so what ?", but
those days are long long gone.

Some work-arounds JUST AIN'T SAFE in the modern
predatory environment.

Now you CAN set up SAMBA so a named share on all
machines point to a folder on ONE of the boxes (or
a 3rd-party box). You can re-direct services too in
several ways - might have to tweak local firewalls
or the router to do it neatly. However the more
complicated, the more ways it can go wrong (and
the more ways you leave it exposed to the Bad Guys).

This week's Giant Hack of MS Exchange Server ought
to give pause if last month's similar hack of remote
server management software didn't. Making it too
easy for YOU also makes it too easy for THEM.

I have some people who desperately wanted to
migrate to Exchange Server - ah the fun, the perks,
the "normality" ... last week :-)
