How can I keep user acccounts consistent across multiple machines?

Question

I now have a Raspberry Pi which runs Debian Wheezy. I have a couple machines (4 physical, 2 virtual) sitting here and I would like to unify the user accounts on those machines.

The machines I run have the following Debian derivatives installed on them:

Debian Wheezy (armhf)
Debian Stable (amd64)
Debian Unstable (amd64)
Ubuntu 14.04 (amd64)

How could I get the user accounts set up on all machines equally? I want that the name, the long name, password and the UID are consistent.

In the future, I would like to unify other parts of the configuration, maybe

HTCondor
Mountpoints (Samba)
/etc/apt/sources.list
Unattended Updates

Since I use different Ubuntu and Debian variants, the sources.list will differ a bit, but it will be the same on each distribution.

What would be a good approach to this?

@Ramesh Would that mean that the users can only log in when there is a network connection? — Martin Ueding, Jul 06 '14 at 19:49
Yeah. You might need the network connection for ldap to work. But it saves you the pain of setting up users in all the machines. — Ramesh, Jul 06 '14 at 20:00
Is there one machine that is always on and accessible through the network? Is there one machine that is always on and accessible when you want to change your password? — Gilles 'SO- stop being evil', Jul 06 '14 at 22:59
@Patrick, thanks. That's new to me. @queueoverflow, As Patrick suggests, you can have offline ldap as well. — Ramesh, Jul 07 '14 at 00:37

phemmer · Accepted Answer · 2021-01-24T03:51:32.667

You basically have 2 options.

Use the local authentication system of each machine, and push out credential changes to all of them.
Use a centralized authentication server.

1. Synchronized local authentication

There are multiple products which accomplish this easily. Puppet, Chef, Ansible, and Salt are a few of the more common ones. All these tools fall under what is known as "Configuration Management".

Basically you would have a repository in which you define your authentication credentials as code. The "code" would be as simple as a directive which specifies the username, and hashed password. You'd then sync this code out to all your machines, and run whatever CM tool you chose. The CM tool would then update the local authentication credentials of each user (also creating the user if necessary).

Since you said you want to do other types of configuration as well, this might be the more appropriate solution.

2. Centralized authentication

The most common form of centralized authentication is LDAP. Running an LDAP server might seem daunting, but there are some good packaged solutions such as FreeIPA which make it easily manageable.

Now one of your first thoughts might be: "I want authentication to work even if the central server is down". This is easily accomplished by using SSSD. When a user first logs into a server, SSSD consults LDAP (or kerberos if employed), and if the credentials are valid, it caches them on the local machine. If the LDAP server is not available, it falls back to using its cache. Thus as long as a user has logged in once, they will be able to continue to log in if LDAP is unavailable.

3. Combination of the two

You could also use a combination of the two solutions. This is very common in large scale enterprise environments, but can be employed small scale as well. Basically you'd have a centralized authentication server, and you would use a CM tool to configure the clients to use it.

Thank you very much, that should give me enough starting points! :-) — Martin Ueding, Jul 07 '14 at 16:14

How can I keep user acccounts consistent across multiple machines?

1 Answers1

1. Synchronized local authentication

2. Centralized authentication

3. Combination of the two