From: Garrett Cooper
Date: Thu, 08 Mar 2007 21:07:59 -0800
To: freebsd-questions@freebsd.org
Subject: Re: syncing user passwd information between servers
Message-ID: <45F0EBAF.2070409@u.washington.edu>
In-Reply-To: <45F0E1CD.1060608@enabled.com>

Noah wrote:
> see more questions below?
>
> Daniel Marsh wrote:
>> On 3/9/07, Noah wrote:
>>>
>>> Hi,
>>>
>>> I am trying to figure out the best administrative way to do the
>>> following:
>>>
>>> We have two FreeBSD 6.2 servers and want to keep the passwd files in
>>> sync so all the same users can log into each machine, their UIDs match,
>>> and when they update the password on one machine the other machine gets
>>> the password. When we add the user to one machine then the other
>>> machine has an additional user too.
>>>
>>> What is the best scheme that we can devise to get this working
>>> technically well?
>>>
>>> Cheers,
>>>
>>
>> A couple of things can be done...
>> The first, and longest existing method would be to use NIS between the
>> two machines where one machine acts as a server, the other as a client
>> to that server; if the server goes down, no-one can login. (I haven't
>> investigated backup NIS servers as I don't like NIS)
>>
>
> yeah NIS does not feel like the right direction
>
>
>> The other option would be using LDAP (OpenLDAP), you'll install
>> OpenLDAP on both servers, one will act as a master, the other as a
>> slave, each machine will login against the ldap database running
>> locally. The master ldap will replicate to the slave to keep any user
>> changes intact and up to date.
>> You'll need to install the pam_ldap and nss_ldap ports and may want to
>> use LDAP Account Manager (runs via PHP on Apache) to manage the user
>> accounts.
>
>
> so the users would not be locked out of the second server if the master
> LDAP server goes down, right?
>
> cheers,
>
> Noah
>
>
>
>> Another option may be to use a versioning system, one machine has a
>> versioning repository, you import /etc/ into the versioning system
>> (CVS or Subversion), when you make a change on a server to passwd's
>> etc... you commit the change and check it out on the other machine,
>> maybe even making use of merging changes so if two people, one on each
>> machine, change their passwords and they both commit you don't lose one
>> of the password changes.

As was suggested to me about 4-5 months ago (may want to look in the
archives), the best means to ensure user account info is synced is to use
NIS (for credentials, like users, groups, NIS domain info, etc) and
LDAP/Kerberos (authentication, passwords, etc).

-Garrett
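Whichever scheme is chosen (NIS, replicated LDAP, or a version-controlled /etc), the thread's actual requirements are that every account exists on both hosts, UIDs agree, and a password change reaches the other side. The following shell script is an added example, not code from this thread or from FreeBSD: it compares two copies of master.passwd and reports drift in exactly those three respects. The sample files are constructed, and the assumption is that the two copies have already been fetched to the machine running the check.

```shell
#!/bin/sh
# Added example (not from the thread): audit two master.passwd(5) copies for
# drift before or after syncing them by NIS, LDAP or a version-controlled /etc.
# Run it against master.passwd, not passwd: only the former carries the hashes.
# The two sample files below are constructed; real copies would be fetched from
# each host into a root-only directory first (assumed, not shown).

# passwd_diff FILE_A FILE_B
# Prints one line per discrepancy, sorted:
#   only-in-a USER / only-in-b USER   account exists on one host only
#   uid-mismatch USER UID_A UID_B     same name, different UID (file ownership breaks)
#   hash-differs USER                 same UID, password changed on one side only
passwd_diff() {
    awk -F: '
        # first file: remember hash (field 2) and uid (field 3) per user name
        FILENAME == ARGV[1] { hash[$1] = $2; uid[$1] = $3; in_a[$1] = 1; next }
        # second file: compare each account against what the first file had
        {
            if (!($1 in in_a)) { print "only-in-b", $1; next }
            in_b[$1] = 1
            if (uid[$1] != $3)       print "uid-mismatch", $1, uid[$1], $3
            else if (hash[$1] != $2) print "hash-differs", $1
        }
        END { for (u in in_a) if (!(u in in_b)) print "only-in-a", u }
    ' "$1" "$2" | LC_ALL=C sort
}

# Constructed sample data standing in for the two servers' master.passwd files.
SAMPLE_A=$(mktemp) ; SAMPLE_B=$(mktemp)
cat > "$SAMPLE_A" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$hashA:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$hashB:1002:1002::0:0:Bob:/home/bob:/bin/sh
carol:$6$hashC:1003:1003::0:0:Carol:/home/carol:/bin/sh
erin:$6$hashE1:1005:1005::0:0:Erin:/home/erin:/bin/sh
EOF
cat > "$SAMPLE_B" <<'EOF'
root:*:0:0::0:0:Charlie &:/root:/bin/csh
alice:$6$hashA:1001:1001::0:0:Alice:/home/alice:/bin/sh
bob:$6$hashB:1003:1003::0:0:Bob:/home/bob:/bin/sh
dave:$6$hashD:1004:1004::0:0:Dave:/home/dave:/bin/sh
erin:$6$hashE2:1005:1005::0:0:Erin:/home/erin:/bin/sh
EOF

passwd_diff "$SAMPLE_A" "$SAMPLE_B"
```

An empty report means the two hosts agree; a uid-mismatch line is the one to fix before any sync, since pushing the file as-is would silently change file ownership on the receiving host.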