4

I'm administrating two Ubuntu desktops and one Debian server. There are about 20 active users on the desktops. A few (5-10) user accounts are added each year and about the same amount become inactive.

I would like to share the user accounts and their respective homes between the two PCs. So far, my plan was to set up some kind of NFS + Kerberos (+ LDAP/NIS?), but I think Kerberos is overly complicated for this simple purpose. In addition to that, the admin changes every ~2-3 years and I fear that complicated solutions will become unmaintainable for my successors (we are no professionals...).

Is there a way to split up /etc/passwd etc. into different files, so I could store these on the server and copy them to the desktops? Or is there some PAM module that provides a similar type of "modular" authentication (well, except pam_krb5)?

What would be the simplest way to achieve that?

dassmann

1 Answer

3

You can use a configuration management system to do this. Personally, I use Puppet for this. I have a single /etc/passwd and /etc/shadow file and I have Puppet sync it across all my systems. There is an interesting learning curve with them, but there are definitely tutorials for doing exactly what you want on their website.

I would, however, definitely recommend using LDAP and Kerberos. I know the learning curve is steep, but the security is really good. I know kerbs can be a burden sometimes, but LDAP would probably be acceptable. I have been meaning to set one up.

Michael Mrozek
sparticvs
  • [Here](http://itand.me/using-puppet-to-manage-users-passwords-and-ss) is how a large organization takes that approach with Puppet and SSH keys. The puppetmaster distributes the local user accounts, ssh settings directory for each user, and sets a password for each user. This can be replicated in just about any config management system, not just Puppet. – Jodie C Nov 11 '12 at 23:41
  • @JodieC that's why I added the URL to the list of config management systems. The Puppet part was about a personal experience. – sparticvs Nov 12 '12 at 00:57
  • The example was meant to complement your answer, I just added the last line to reiterate for the asker's benefit that such an implementation could be done in any config management system. – Jodie C Nov 12 '12 at 04:16
  • Thanks! This is exactly the kind of solution I was looking for! – dassmann Nov 13 '12 at 22:33
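One way to push a central account list to each desktop without overwriting that host's own system accounts, whose UIDs can differ between the Ubuntu and Debian machines. This is an added example, not code from the answer or from Puppet; it assumes the Debian/Ubuntu default human UID range of 1000-60000, and the function names and sample entries are constructed.

```python
# Added example: merge centrally managed human accounts into a host's passwd file.
UID_MIN = 1000   # assumption: Debian/Ubuntu default UID_MIN from /etc/login.defs
UID_MAX = 60000  # assumption: Debian/Ubuntu default UID_MAX

def parse_passwd(text):
    """Parse passwd(5) text into 7-field records, rejecting malformed lines."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7 or not fields[0] or not fields[2].isdecimal():
            raise ValueError(f"line {lineno}: malformed passwd entry")
        entries.append(fields)
    return entries

def merge_passwd(local_text, shared_text):
    """Keep the host's own system accounts; take human accounts from the shared file."""
    # Local entries inside the human range are dropped: the shared file is authoritative.
    local_system = [e for e in parse_passwd(local_text)
                    if not UID_MIN <= int(e[2]) <= UID_MAX]
    names = {e[0] for e in local_system}
    uids = {int(e[2]) for e in local_system}
    merged = list(local_system)
    for e in parse_passwd(shared_text):
        name, uid = e[0], int(e[2])
        # A shared entry must never be able to define root or a service account.
        if not UID_MIN <= uid <= UID_MAX:
            raise ValueError(f"{name}: UID {uid} outside the human range")
        if name in names or uid in uids:
            raise ValueError(f"{name}: duplicate name or UID {uid}")
        names.add(name)
        uids.add(uid)
        merged.append(e)
    return "\n".join(":".join(e) for e in merged) + "\n"

# Constructed sample data, not taken from any real system.
LOCAL = """root:x:0:0:root:/root:/bin/bash
lightdm:x:112:118:Light Display Manager:/var/lib/lightdm:/bin/false
olduser:x:1001:1001:Left last year:/home/olduser:/bin/bash
"""
SHARED = """alice:x:2001:2001:Alice:/home/alice:/bin/bash
bob:x:2002:2002:Bob:/home/bob:/bin/bash
"""

if __name__ == "__main__":
    print(merge_passwd(LOCAL, SHARED), end="")
```

/etc/shadow and /etc/group need the same treatment, keyed on the account or group name.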