How can I keep user accounts consistent across multiple machines?

I now have a Raspberry Pi which runs Debian Wheezy. I have a couple of machines (4 physical, 2 virtual) sitting here and I would like to unify the user accounts on those machines.

The machines I run have the following Debian derivatives installed on them:

  • Debian Wheezy (armhf)
  • Debian Stable (amd64)
  • Debian Unstable (amd64)
  • Ubuntu 14.04 (amd64)

How could I get the user accounts set up on all machines equally? I want the name, the long name, the password and the UID to be consistent.

In the future, I would like to unify other parts of the configuration, maybe

  • HTCondor
  • Mountpoints (Samba)
  • /etc/apt/sources.list
  • Unattended Updates

Since I use different Ubuntu and Debian variants, the sources.list will differ a bit, but it will be the same on each distribution.

What would be a good approach to this?

Asked By: Martin Ueding


You basically have 2 options.

  1. Use the local authentication system of each machine, and push out credential changes to all of them.
  2. Use a centralized authentication server.

1. Synchronized local authentication

There are multiple products which accomplish this easily. Puppet, Chef, Ansible, and Salt are a few of the more common ones. All these tools fall under what is known as "Configuration Management".

Basically you would have a repository in which you define your authentication credentials as code. The "code" would be as simple as a directive which specifies the username, and hashed password. You’d then sync this code out to all your machines, and run whatever CM tool you chose. The CM tool would then update the local authentication credentials of each user (also creating the user if necessary).

Since you said you want to do other types of configuration as well, this might be the more appropriate solution.

2. Centralized authentication

The most common form of centralized authentication is LDAP. Running an LDAP server might seem daunting, but there are some good packaged solutions such as FreeIPA which make it easily manageable.

Now one of your first thoughts might be: "I want authentication to work even if the central server is down". This is easily accomplished by using SSSD. When a user first logs into a server, SSSD consults LDAP (or Kerberos if employed), and if the credentials are valid, it caches them on the local machine. If the LDAP server is not available, it falls back to using its cache. Thus, as long as a user has logged in once, they will be able to continue to log in if LDAP is unavailable.

3. Combination of the two

You could also use a combination of the two solutions. This is very common in large-scale enterprise environments, but can be employed on a small scale as well. Basically you’d have a centralized authentication server, and you would use a CM tool to configure the clients to use it.

Answered By: phemmer
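Option 1 as an added example (not from the answer above): an Ansible playbook that declares the accounts once, with fixed UIDs, GECOS "long names" and SHA-512 crypt hashes, and applies them identically on every host. The inventory group `lab`, the user names, the UIDs and the hash values are assumptions; the hash is a placeholder to be replaced with real `mkpasswd` output.

```yaml
# users.yml: one declarative source of truth for local accounts, applied with
#   ansible-playbook -i inventory users.yml
# Assumes an inventory group "lab" containing the Pi and the other machines.
- hosts: lab
  become: true
  vars:
    # Fixed UIDs keep file ownership identical across hosts (matters for the
    # Samba mounts). Passwords are stored only as SHA-512 crypt hashes,
    # generated with:  mkpasswd --method=sha-512   (package "whois" on Debian).
    # Encrypt this file with ansible-vault if the repository is shared.
    lab_users:
      - name: martin
        uid: 1001
        comment: "Martin Ueding"                   # the "long name" (GECOS)
        password: "$6$EXAMPLESALT$EXAMPLEHASH..."  # placeholder, not a real hash
      - name: condor
        uid: 1002
        comment: "HTCondor service account"
        password: "!"                              # locked: no password login
  tasks:
    - name: Ensure each account exists with the same name, UID, GECOS and hash
      ansible.builtin.user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        comment: "{{ item.comment }}"
        password: "{{ item.password }}"
        shell: /bin/bash
        state: present
        update_password: always   # re-apply the hash when it changes in the repo
      loop: "{{ lab_users }}"
      loop_control:
        label: "{{ item.name }}"  # keep the hashes out of the task output

    - name: Verify the UID really matches on this host (fails the run if not)
      ansible.builtin.command: id -u {{ item.name }}
      register: uid_check
      changed_when: false
      failed_when: uid_check.stdout != (item.uid | string)
      loop: "{{ lab_users }}"
      loop_control:
        label: "{{ item.name }}"
```

The same `lab_users` list can later drive the other items from the question (sources.list, mountpoints, unattended upgrades) from the same repository.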