NDS2PWD

Script to synchronize /etc/passwd and /etc/shadow with NDS enabled Unix accounts

Purpose:

Currently the ncpfs system do not have a final nss_switch module such as Ldap or NIS to extends the local user's database with "remote " NDS accounts. We have a beta version here.

This program is an Perl script retrieving all members of an NDS group (allowed to log from Linux using the PAM module) and making local /etc/passwd and /etc/shadow in sync with data retrieved from NDS. With default values, accounts with ids <100 or >=-65534 are considered as local and kept in /etc/passwd and /etc/shadow.

The script will also check that Unix ids from NDS are between lower and upper values with no duplicates

NDS passwords are not retrieved from NDS and will be checked at login time by the PAM authentification module.

This program could be run within a cron script, to synchronize local users database with NDS, thus removing the need to the pam_ncp module to autocreate or automodify local users. This will ensure that Unix users will have the same UID regardless of the workstation they are logging (required if Unix homes are on NFS servers).

Unix data are stored in the multistring NDS L attribute (also called Description as used by the PAM pam_auth_ncp module) with the following format:

unix ID	U:xxxx or u:xxxx	required
unix Home	H:/home/login or h:/home/login	required
unix Shell	S:/bin/bash or s:/bin/bash	not required
unix group	G:100 or g:100	not required
unix Gecos	NDS Full Name attribute	not required

They can be edited directly with NWAdmin or with the pam_ncp snapin for NWAdmin, or imported to NDS from a text file using uimport DOS utility

This also solve the problem of ssh remote access to a Linux box, using pam_ncp module when the user never logged in before on that station . Since account does not exist in the local database, ssh fails immediatly without even calling PAM.

Requirements:

ncpfs version 2.2 installed and operational (slist) on the Linux box.

Usage:

usage: ./nds2pwd.pl [options]

-h	Print this help text
-F	Create a script to fix home directories (for usage on NFS home servers)
-G group to scan	(default= LinuxOK.PC)
-T treename	(default= INSA_ROOT)
-d	verbose printing
-U user id	first userid to process (default 100)
-L user id	last userid to process (default 65534)
-n number	Limit ouput to n lines (for testing)

Edit the script to match your NDS:

$DEFTREE="INSA_ROOT";    <-- change this to your NDS tree
$DEFGRP="LinuxOK.PC";	<-- change this to match the user's group allowed to login from Linux

run the script and checks the files /etc/passwd.nds and /etc/shadow.nds

When Ok, uncomment these lines to force the script to overwrite /etc/passwd and /etc/shadow:

# when the script fits your needs, uncomment these 2 lines
#REQUIRED for the fix script to run !
#$OVW_PWD=$ETC_PWD;
#$OVW_SHADOW=$ETC_SHADOW;

add a link to this script in /etc/cron.daily on every Linux workstation having the pam_ncp module active.

When run on the NFS server(s) holding the user's Linux home with -F option , this script will produces a "fix script" to create missing users homes with some initial files from /etc/skel and correct permissions. Here is a sample output for 8 new users members of the group LinuxOK.PC. We created these users with NWdamin, members of LinuxOK and we have added 7 Unix properties using the PAM_NCP snapin; we did not create any home directories on the NFS server and we purposely forgot to set UnixId and Unix home for one user (schehbi)):

[root@pc107-18 nw_utils]# ./nds2pwd.pl -F
 synching local database with NDS members of  group LinuxOK.PC
 processing 1760 members of group LinuxOK.PC
Home directory /cipc/profs/aarara does not exists for aarara [1192]
Home directory /cipc/profs/hlegrine does not exists for hlegrine [1189]
Home directory /cipc/profs/imcgill does not exists for imcgill [1194]
Home directory /cipc/profs/jcarmona does not exists for jcarmona [1190]
Home directory /cipc/profs/lbaillet does not exists for lbaillet [1195]
Home directory /cipc/profs/lgaudiller does not exists for lgaudiller [1193]
Home directory /cipc/profs/sasare does not exists for sasare [1191]
BUG:user schehbi.PC has no or incomplete Unix infos in NDS ->
33 users kept and 1759 users added from 1760 members of LinuxOK.PC.
script to fix 7 homes /tmp/ndsfix.LinuxOK.PC.sh created.

/cipc/xxxx/yyyy is the home directory stored in NDS and used by autofs on every Linux workstation to access the appropriate NFS server and remote directory.

Currently the "fix script" will looks like:

echo "Home directory /cipc/profs/aarara for aarara [1192]"   	<-- Unix UID and home from NDS
mkdir /cipc/profs/aarara					<- make the home
cp -f /etc/skel/.bash* /cipc/profs/aarara			<- copy .bashrc .bash_profile and .bash_logout
chown -R 1192:users /cipc/profs/aarara				<- set permissions
setquota aarara 50000 55000 0 0 -a				<- quota is 50 Mb
quota -v aarara							<- print user's quota
echo aarara > /cipc/profs/aarara/username			<- create a root owned file with user's name
chmod 0711 /cipc/profs/aarara					<- nobody can read, just traverse to reach public_html
echo "Home directory /cipc/profs/hlegrine for hlegrine [1189]"
mkdir /cipc/profs/hlegrine
cp -f /etc/skel/.bash* /cipc/profs/hlegrine
chown -R 1189:users /cipc/profs/hlegrine
setquota hlegrine 50000 55000 0 0 -a
quota -v hlegrine
echo hlegrine > /cipc/profs/hlegrine/username
chmod 0711 /cipc/profs/hlegrine
....

Check it and run with sh /tmp/ndsfix.LinuxOK.PC.sh (replace LinuxOK.C) by the name of your "LinuxOK" group).

Download:

Download

History:

1.02 2002 Nov 16 Patrick Pollet -L (last) option added to keep users with id >=lst (ie nfsnobody !)

1.01 2002 Oct 16 Patrick Pollet -F (fix) option added to create a script in tmp to FIX missing homes

               WARNING: with the -F option, must be run on the NFS server for homes, not on any workstation
                       where local root user has normally no rights to NFS server for homes !!!
                       furthermore it may "saturate autofs" with too many mounted points when testing for existence of homes
               WARNING 2: for the quota settings currently generated in the fix script to work, local /etc/passwd and /etc/shadow
                       must be uptodate ( overwritten with the produced passwd.nds and shadow.nds)

1.00 2002 Sept 10 Patrick Pollet initial release

TODO:

Modify ncpreadprops attribute list to fetch "official NDS8" Unix informations
If the nss_ncp library ever got finalized, get rid of this script ;-)

Vous êtes notre eme visiteur