Summary: Best practices - user accounts setup and administering on 800 systems

From: Jane Rams <>
Date: Wed Aug 18 2004 - 23:04:53 EDT
Sorry for the late response. Thanks for all the insightful comments.

The unanimous consensus for handling this many systems is to use LDAP. There are
some useful references; most responses are included beneath.

***********from Damir Delija**********
Hard problem!

Try to avoid NIS and NIS+; NIS+ is an administrative nightmare and
implementations among vendors are different and buggy.

LDAP is a good choice but can be tricky, since among all these OSes and
machines you can have some really old OSes where LDAP / PAM cannot work.
The same goes for NIS/NIS+: once I had a freaky NIS+ on an AIX 4.3.3 SP machine
and it was a horror story, and we were incapable of integrating it with
other Unixes.

You'll actually have to solve more than one problem:
1) choose a new tool/method (define what the important features are
for your various boxes)

2) find out how to spread it out over 800+ various machines (do a
bootstrap of the new configuration)

3) how to keep it under control (packaging and versioning)

CFengine is a great tool
which can help you to automate tasks, because one of its initial
targets was keeping such a huge workstation environment in order.

expect tools can also help as "automation tools" for the initial dispersion,
and webmin can be very useful too.

I expect that you'll have to separate machines into various
domains based on their capabilities (on this class ssh cannot work,
this one is LDAP capable, this class cannot work with PAM,
etc.) and then do the job. I suppose somewhere down the road
security will arise as a problem, so take it into account from the start,
along with system monitoring.

> What are the best practices - is it good to set up an admin server and set up
> passwordless root access? Or LDAP setup preferred?

Passwordless root is not a good idea; it can be "emulated"
with ssh key-based authentication. There is a nice description
with ideas in the snail book:
Daniel J. Barrett and Richard E. Silverman,
The Secure Shell: The Definitive Guide,
ISBN: 0-596-00011-1

> It has become a nightmare to add/delete lots of admin accounts as the
> number keeps changing.

There were some papers on Linux grids/clusters,
but mostly on NIS/NIS+. There were some
articles in Sysadmin magazine.

> Any thoughts??

I hope this helps

It looks like you'll get a long hot summer!

PS: there are some good Redbooks on LDAP / NIS / NIS+ migration and cooperation.
Also you can look into Æleen Frisch's "Essential System Administration"
and "Perl for System Administration" by David N. Blank-Edelman, ISBN
for some ideas and recipes.

***********from Damir Delija**********

Alan Pae wrote:
LDAP is the future, if all of your systems will support it; otherwise
standardize on NIS or NIS+ for the time being.

****Garly Law****
In the long run, LDAP is the way to go.

In the short run, about the only thing supported out-of-the-box on all Unices
is NIS.

Sun's JES (formerly SunONE) LDAP server can serve up POSIX login information
for recent releases of Solaris and Linux. Alternatively, you can use the
OpenLDAP / Linux approach and reconfigure Solaris to match (for

Sun have an LDAP-to-NIS gateway to support those clients that can't do LDAP
natively (e.g. older Solaris etc.). They also have an Active Directory syncing

WinBind from Samba is a way to replace both LDAP and NIS for user accounts and
groups with Active Directory. For those older OSes that WinBind can't support,
use the Microsoft Services for Unix NIS server.

There are some fairly good commercial solutions -- although it is surprising
how many of them don't do two-way password sync from the UNIX command line.
One forms part of the Tivoli suite from IBM - I forget the name.

You could, of course, roll your own solution with (a) a master password file,
(b) shadow, (c) groups, (d) hosts; a system for ensuring the right entries go
on the right machines (shell / grep / sed / awk / cron); and a system for
pushing them out (rsync, rdist, scp). These files could be maintained as flat
files on a master server, or out of a database or an LDAP directory.

My recommendation would be (a) go down the Sun LDAP route and try to shoehorn
the other OSes in - those that fail use the NIS gateway - or (b) roll your
own solution with rsync and ssh. I've worked in shops that do both, and they
can both be made to work.
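The "roll your own" route above, sketched as an added example (this script is not from the thread or from any of the posters). It assumes a constructed master account list in which each record carries the host classes it belongs on, and a one-class-per-host assignment; the remote path, hostnames and the use of a purpose-restricted ssh key for the push are likewise assumptions. Shadow and group files follow the same pattern and are left out for brevity.

```shell
#!/bin/sh
# Added example: distribute accounts from one master list to machines grouped
# by host class, using awk to pick the right entries and rsync over ssh to push.
#
# Master list format (constructed for this example, fields separated by ':'):
#   login:uid:gid:gecos:home:shell:classes
# "classes" is a comma-separated list of host classes; "all" means every host.
MASTER=$(cat <<'EOF'
# login:uid:gid:gecos:home:shell:classes
jane:1001:100:Jane Rams:/home/jane:/bin/ksh:all
backupop:1002:200:Backup operator:/home/backupop:/bin/sh:solaris,aix
dbadm:1003:300:DB admin:/home/dbadm:/bin/bash:linux
EOF
)

# gen_passwd CLASS  (master list on stdin)
# Print passwd(5) lines for accounts that belong on hosts of CLASS.
# Hashes live in shadow, so the password field is always 'x'.
gen_passwd() {
    awk -F: -v class="$1" '
        /^#/ || NF < 7 { next }
        {
            n = split($7, want, ",")
            for (i = 1; i <= n; i++)
                if (want[i] == "all" || want[i] == class) {
                    printf "%s:x:%s:%s:%s:%s:%s\n", $1, $2, $3, $4, $5, $6
                    break
                }
        }'
}

# check_master  (master list on stdin)
# Exit non-zero if two records share a login or a uid: a duplicate uid
# silently hands one person ownership of another person's files.
check_master() {
    awk -F: '
        BEGIN { bad = 0 }
        /^#/ || NF < 7 { next }
        seen_login[$1]++ { print "duplicate login: " $1; bad = 1 }
        seen_uid[$2]++   { print "duplicate uid: " $2;   bad = 1 }
        END { exit bad }'
}

# push_passwd CLASS HOST  (master list on stdin)
# Build the file for CLASS, copy it to HOST over ssh, sanity-check it with
# pwck(8) on the target and only then move it into place.  The ssh key used
# here should be restricted to this task on the target (authorized_keys
# command= / from= options) instead of granting general passwordless root.
push_passwd() {
    class=$1 host=$2
    tmp=$(mktemp) || return 1
    gen_passwd "$class" > "$tmp"
    rsync -e ssh "$tmp" "root@$host:/etc/passwd.new" &&
        ssh "root@$host" 'pwck /etc/passwd.new && mv /etc/passwd.new /etc/passwd'
    rc=$?
    rm -f "$tmp"
    return $rc
}

# Stand-alone demo: validate the master list, then show the Solaris view of it.
printf '%s\n' "$MASTER" | check_master &&
    printf '%s\n' "$MASTER" | gen_passwd solaris
```

A cron job on the master server would run `check_master` once and then `push_passwd` per host from a host-to-class table; keeping the check before any push is what stops a typo in the master file from reaching 800 machines at once.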

***********Christophe Dupre ********

Here's my experience administrating ~100 machines, a mix of Solaris [8|9],
and various flavors of Linux.

1/ For user authentication, use LDAP. That way you can centralize the user
information and creating a new user means updating one central server.
Older servers may not support LDAP out of the box, so special
circumstances might apply. Here we have one older SGI that doesn't have
LDAP support, but is used by only two users, so they have local accounts.

2/ Each machine has a local root password, which is then stored in a safe
and never used again. We use sudo to give limited (or not so limited)
access to root. In the sudo config file, we defined levels of access and
assigned each level to a Unix group. Then make users part of the group for
the stuff they need.
The sudoers file can be centrally managed through NFS, rdist or any other
For example, we have a backup group that can run all the NetBackup command
line tools as root.
To revoke access, just remove the user from the group.
******Christophe Dupre <*******
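A sudoers file laid out the way Christophe describes, as an added example (not taken from the thread or from his site). The group names, the loghost facility and the paths other than the NetBackup directory are assumptions; `/usr/openv/netbackup/bin/` is the default NetBackup install location on Unix.

```sudoers
# Added example: sudo "levels" expressed as command aliases, each granted to
# one Unix group.  Membership in the group, not the sudoers file, decides who
# holds a level, so revoking access is a group edit on the directory server.

# One alias per level of access (a trailing slash means every file in the dir)
Cmnd_Alias NETBACKUP = /usr/openv/netbackup/bin/
Cmnd_Alias SERVICES  = /etc/init.d/
Cmnd_Alias SHELLS    = /bin/sh, /bin/bash, /bin/ksh, /bin/csh, /usr/bin/su

# Every invocation is logged locally and to syslog (forward local2 to a loghost)
Defaults    syslog=local2, logfile=/var/log/sudo.log
Defaults    requiretty, env_reset, !visiblepw

# Level 1: backup operators run the NetBackup tools as root, nothing else
%backup     ALL = (root) NETBACKUP

# Level 2: operators may start and stop services
%operators  ALL = (root) SERVICES

# Level 3: administrators.  The SHELLS exclusion only catches careless use;
# sudoers(5) warns that a user allowed ALL can still reach a shell through
# some other command, so treat this level as full root.
%wheel      ALL = (ALL) ALL, !SHELLS
```

Because sudo resolves `%group` through the system group database, an LDAP-served posixGroup works here exactly like a line in /etc/group, which is what makes a single sudoers file usable across all the hosts: the file describes the levels, the directory describes the people.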

Baldwin Sung wrote:

I totally prefer LDAP :) No way on passwordless root access.


**** Will Chow*****

Probably the best thing to do is set up LDAP as your
naming/authentication/user account
service and write a couple of custom perl/python scripts to administer
users. Since LDAP is an open standard it is easy to interface with using
common tools, and it is cross-platform. Setting up separate domains is easy
also, and replication is simple.
Since LDAP is easily integrated into existing language/toolsets you can
write simple custom GUIs for the helpdesk people that need to interface
with the system but lack the requisite skillset.
Since there are a variety of LDAP platforms to choose from you're also not
locked into one vendor or platform.
Since Sun has dropped NIS+ and NIS has major scalability and security
flaws, LDAP is the way to go.

Setting up LDAP obviously is non-trivial, but then administrating hundreds
of boxes with thousands of accounts with multitudes of NFS automount
maps is non-trivial.

*******Chris Ferry ********
I'd advise using LDAP w/TLS and PAM.

Make sure you have two ldap servers running replication through an
encrypted tunnel for redundancy.

OpenLDAP is a great open-source LDAP server; I'd advise using it.

*******Chris Ferry ********
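The setup Chris recommends (LDAP over TLS, PAM clients, two replicated servers with the replication traffic itself encrypted), written out as an added example; none of it is configuration from the thread or from the posters. Hostnames, DNs, paths and the replicator password are assumptions, and the replication directives use OpenLDAP syncrepl syntax (2.3 or later; the 2004-era alternative was slurpd). The point a practitioner should not miss is on the client side: `ssl start_tls` alone only hides the traffic, and `tls_checkpeer yes` is what makes a client refuse an impostor server.

```conf
# --- /etc/openldap/slapd.conf on the provider (ldap1.example.com) ---
include         /etc/openldap/schema/core.schema
include         /etc/openldap/schema/cosine.schema
include         /etc/openldap/schema/nis.schema       # posixAccount, posixGroup

TLSCACertificateFile    /etc/openldap/cacert.pem
TLSCertificateFile      /etc/openldap/ldap1.example.com.crt
TLSCertificateKeyFile   /etc/openldap/ldap1.example.com.key
# Refuse any bind or search not protected by at least 128-bit TLS, so a
# misconfigured client cannot fall back to sending a password in the clear.
security        ssf=128

database        bdb
suffix          "dc=example,dc=com"
rootdn          "cn=Manager,dc=example,dc=com"
directory       /var/lib/ldap
index           objectClass,uid,uidNumber,gidNumber,memberUid  eq
index           entryCSN,entryUUID                             eq   # needed by syncprov

# Only the replication account may read password hashes; everyone else may
# only authenticate against them (and change their own).
access to attrs=userPassword
        by dn.exact="cn=replicator,dc=example,dc=com" read
        by anonymous auth
        by self write
        by * none
access to *
        by * read

overlay         syncprov
syncprov-checkpoint 100 10

# --- /etc/openldap/slapd.conf on the consumer (ldap2.example.com) ---
# Same TLS, database and ACL directives as above; instead of the syncprov
# overlay, pull changes from ldap1 over a verified TLS session:
syncrepl        rid=001
                provider=ldap://ldap1.example.com
                type=refreshAndPersist
                retry="60 +"
                searchbase="dc=example,dc=com"
                bindmethod=simple
                binddn="cn=replicator,dc=example,dc=com"
                credentials=replicator-secret
                starttls=critical
                tls_cacert=/etc/openldap/cacert.pem
                tls_reqcert=demand
updateref       ldap://ldap1.example.com

# --- /etc/ldap.conf on every client (PADL nss_ldap / pam_ldap) ---
host            ldap1.example.com ldap2.example.com   # second host is the failover
base            dc=example,dc=com
ssl             start_tls
tls_checkpeer   yes                  # without this any certificate is accepted
tls_cacertfile  /etc/openldap/cacert.pem
pam_password    exop                 # server-side password change, server picks the hash
```

With `security ssf=128` on both servers, a client that lacks the CA certificate or has `ssl` turned off fails to bind rather than silently authenticating in cleartext, which is the failure mode you want when 800 machines are being converted in batches.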

----- Original Message -----
From: <>
To: <>
Sent: Monday, August 09, 2004 2:50 PM
Subject: Best practices - user accounts setup and administering on 800 systems

> Trying to figure out a standard way to set up and administer accounts on our
> huge env with 800+ unix boxes that include
> Solaris/HP-UX/AIX/Linux/Tru64/DG-UX/Irix located all over, with local admins
> controlling the bulk of operations. A group of them use NIS and some others use
> NIS+ and a large number use neither.
> What are the best practices - is it good to set up an admin server and set up
> passwordless root access? Or LDAP setup preferred?
> It has become a nightmare to add/delete lots of admin accounts as the number
> keeps changing.
> Any thoughts??
> Kind Regards
> Jane
sunmanagers mailing list
Received on Wed Aug 18 23:04:44 2004

This archive was generated by hypermail 2.1.8 : Thu Mar 03 2016 - 06:43:36 EST