* [Cluster-devel] PAM and NSS for clusters
@ 2008-11-17 14:33 Kadlecsik Jozsef
2008-11-17 14:43 ` Fabio M. Di Nitto
2008-11-17 22:58 ` Mark Hlawatschek
0 siblings, 2 replies; 6+ messages in thread
From: Kadlecsik Jozsef @ 2008-11-17 14:33 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hello,
In order to store users in alternate passwd, shadow and group files I have
written some patches over Linux PAM 1.0.2 and an NSS module.
With these packages one can store the passwd, shadow and group files for
the cluster users over GFS. We have been using such a setup for more than
half a year in production. If somebody is interested, the patches,
sources and the installation, configuration descriptions are available at
http://www.kfki.hu/~kadlec/sw/cluster/
Best regards,
Jozsef
--
E-mail : kadlec at mail.kfki.hu, kadlec at blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* [Cluster-devel] PAM and NSS for clusters
2008-11-17 14:33 [Cluster-devel] PAM and NSS for clusters Kadlecsik Jozsef
@ 2008-11-17 14:43 ` Fabio M. Di Nitto
2008-11-17 14:53 ` [Linux-cluster] " Kadlecsik Jozsef
2008-11-17 18:05 ` Lon Hohberger
2008-11-17 22:58 ` Mark Hlawatschek
1 sibling, 2 replies; 6+ messages in thread
From: Fabio M. Di Nitto @ 2008-11-17 14:43 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hi,
On Mon, 17 Nov 2008, Kadlecsik Jozsef wrote:
> Hello,
>
> In order to store users in alternate passwd, shadow and group files I have
> written some patches over Linux PAM 1.0.2 and an NSS module.
>
> With these packages one can store the passwd, shadow and group files for
> the cluster users over GFS. We have been using such a setup for more than
> half a year in production. If somebody is interested, the patches,
> sources and the installation, configuration descriptions are available at
>
> http://www.kfki.hu/~kadlec/sw/cluster/
This looks very interesting. Did you consider submitting those patches
upstream?
I am pretty sure some of them (like Patch 1) should be accepted right
away given they fix what could be a bug and reduce your delta in time.
Fabio
--
I'm going to make him an offer he can't refuse.
* [Linux-cluster] Re: [Cluster-devel] PAM and NSS for clusters
2008-11-17 14:43 ` Fabio M. Di Nitto
@ 2008-11-17 14:53 ` Kadlecsik Jozsef
2008-11-17 18:05 ` Lon Hohberger
1 sibling, 0 replies; 6+ messages in thread
From: Kadlecsik Jozsef @ 2008-11-17 14:53 UTC (permalink / raw)
To: cluster-devel.redhat.com
On Mon, 17 Nov 2008, Fabio M. Di Nitto wrote:
> > http://www.kfki.hu/~kadlec/sw/cluster/
>
> This looks very interesting. Did you consider submitting those patches
> upstream?
>
> I am pretty sure some of them (like Patch 1) should be accepted right away
> given they fix what could be a bug and reduce your delta in time.
I have sent the same "announcement" to pam-list at redhat.com too :-).
(Actually, I had sent patch 1 in September to the PAM mailing list and
there was no response whatsoever :-(.)
Best regards,
Jozsef
--
E-mail : kadlec at mail.kfki.hu, kadlec at blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* [Linux-cluster] Re: [Cluster-devel] PAM and NSS for clusters
2008-11-17 14:43 ` Fabio M. Di Nitto
2008-11-17 14:53 ` [Linux-cluster] " Kadlecsik Jozsef
@ 2008-11-17 18:05 ` Lon Hohberger
2008-11-17 19:26 ` Kadlecsik Jozsef
1 sibling, 1 reply; 6+ messages in thread
From: Lon Hohberger @ 2008-11-17 18:05 UTC (permalink / raw)
To: cluster-devel.redhat.com
On Mon, 2008-11-17 at 15:43 +0100, Fabio M. Di Nitto wrote:
> Hi,
>
> On Mon, 17 Nov 2008, Kadlecsik Jozsef wrote:
> > http://www.kfki.hu/~kadlec/sw/cluster/
>
> This looks very interesting. Did you consider submitting those patches
> upstream?
I agree - it's very cool. It can't be used for bringing up GFS
(chicken/egg), but for permissions on the file system and such, it looks
pretty good.
What's neat is that you don't need centralized management server(s) :)
> I am pretty sure some of them (like Patch 1) should be accepted right
> away given they fix what could be a bug and reduce your delta in time.
0005 looks like it statically defines /etc/cluster_rootdir, but I am
probably reading the patch incorrectly. I don't know PAM well enough to
answer this question, so I need to ask it anyway:
* Is there a way to make the root directory configurable, or are admins
expected to link /etc/cluster_rootdir to /gfs/system (or whatever they
choose)?
Side note:
I wonder if it would get accepted in a distribution ... that would be
neat. Since it doesn't actually require cluster software itself (just a
shared file system), then it shouldn't be that hard... in theory :/
-- Lon
* [Linux-cluster] Re: [Cluster-devel] PAM and NSS for clusters
2008-11-17 18:05 ` Lon Hohberger
@ 2008-11-17 19:26 ` Kadlecsik Jozsef
0 siblings, 0 replies; 6+ messages in thread
From: Kadlecsik Jozsef @ 2008-11-17 19:26 UTC (permalink / raw)
To: cluster-devel.redhat.com
On Mon, 17 Nov 2008, Lon Hohberger wrote:
> On Mon, 2008-11-17 at 15:43 +0100, Fabio M. Di Nitto wrote:
> >
> > On Mon, 17 Nov 2008, Kadlecsik Jozsef wrote:
>
> > > http://www.kfki.hu/~kadlec/sw/cluster/
>
> > This looks very interesting. Did you consider submitting those patches
> > upstream?
>
> I agree - it's very cool. It can't be used for bringing up GFS
> (chicken/egg), but for permissions on the file system and such, it looks
> pretty good.
>
> What's neat is that you don't need centralized management server(s) :)
Yes, that's the main point: no need for an additional management system at
all, the (cluster) filesystem provides it for free.
We fought a lot with pam-mysql and libnss-mysql and it was a disaster. In
Debian/Ubuntu there's a libnss-mysql package which is simply broken.
libnss-mysql-bg is an alternative, but it had problems with zsh and we
were fed up with the debugging after libnss-mysql. And the whole concept
is "suboptimal" at the minimum, as a mysql process is forked at every
NSS/PAM usage. Of course one could install nscd, but it's just a
workaround. So we came up with using the filesystem itself.
> > I am pretty sure some of them (like Patch 1) should be accepted right
> > away given they fix what could be a bug and reduce your delta in time.
>
> 0005 looks like it statically defines /etc/cluster_rootdir, but I am
> probably reading the patch incorrectly. I don't know PAM well enough to
> answer this question, so I need to ask it anyway:
>
> * Is there a way to make the root directory configurable, or are admins
> expected to link /etc/cluster_rootdir to /gfs/system (or whatever they
> choose)?
That's not a PAM restriction at all but NSS: there is no way to make a
name service switch module configurable, i.e. to use the same module
multiple times, with different parameters: one cannot pass parameters to
an NSS module. In PAM, it's easy, in NSS it's impossible.
Hm. OK, it's not nicer, but it wouldn't be hard to change the logic: let
/etc/cluster_rootdir be a directory and any symlink in that dir could
point to the root directories of the alternate password files. Thus NSS
could find them all, without using any parameters.
> I wonder if it would get accepted in a distribution ... that would be
> neat. Since it doesn't actually require cluster software itself (just a
> shared file system), then it shouldn't be that hard... in theory :/
Best regards,
Jozsef
--
E-mail : kadlec at mail.kfki.hu, kadlec at blackhole.kfki.hu
PGP key: http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address: KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
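
The symlink-directory layout proposed in the message above, as an added example (not part of the thread and not code from the patches it discusses): every symlink in a directory such as /etc/cluster_rootdir is followed to an alternate root, and that root's passwd file is searched. The `<root>/etc/passwd` layout, the function names and the ownership and mode checks are assumptions of this sketch; in production `owner` would be 0.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE            /* fgetpwent(), lstat() */
#endif
#include <dirent.h>
#include <limits.h>
#include <pwd.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Trust a directory or file only if `owner` owns it and neither group nor
 * others may write to it; otherwise a local user could plant a UID 0 entry. */
static int safe_mode(const struct stat *st, uid_t owner) {
    return st->st_uid == owner && !(st->st_mode & (S_IWGRP | S_IWOTH));
}

/* Search <linkdir>/<symlink>/etc/passwd (assumed layout) for `name`.
 * Returns 1 and sets *uid on a hit, 0 if absent, -1 if linkdir is unreadable. */
int cluster_getpwnam(const char *linkdir, uid_t owner, const char *name, uid_t *uid) {
    DIR *d = opendir(linkdir);
    struct dirent *e;
    int found = 0;
    if (!d) return -1;
    while (!found && (e = readdir(d)) != NULL) {
        char root[PATH_MAX], file[PATH_MAX + 16];
        struct stat st;
        struct passwd *pw;
        FILE *f;
        if (e->d_name[0] == '.') continue;
        if (snprintf(root, sizeof root, "%s/%s", linkdir, e->d_name) >= (int)sizeof root) continue;
        if (lstat(root, &st) != 0 || !S_ISLNK(st.st_mode)) continue;   /* symlinks only */
        if (stat(root, &st) != 0 || !S_ISDIR(st.st_mode) || !safe_mode(&st, owner)) continue;
        snprintf(file, sizeof file, "%s/etc/passwd", root);
        if ((f = fopen(file, "r")) == NULL) continue;
        if (fstat(fileno(f), &st) == 0 && S_ISREG(st.st_mode) && safe_mode(&st, owner))
            while (!found && (pw = fgetpwent(f)) != NULL)
                if (strcmp(pw->pw_name, name) == 0) { *uid = pw->pw_uid; found = 1; }
        fclose(f);
    }
    closedir(d);
    return found;
}
```

A real NSS module would use the reentrant `fgetpwent_r` and would apply the same ownership check to the link directory itself.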
* [Cluster-devel] PAM and NSS for clusters
2008-11-17 14:33 [Cluster-devel] PAM and NSS for clusters Kadlecsik Jozsef
2008-11-17 14:43 ` Fabio M. Di Nitto
@ 2008-11-17 22:58 ` Mark Hlawatschek
1 sibling, 0 replies; 6+ messages in thread
From: Mark Hlawatschek @ 2008-11-17 22:58 UTC (permalink / raw)
To: cluster-devel.redhat.com
Hi,
This looks very interesting. I think that a shared /etc/passwd saves a lot of
trouble with user management in a cluster.
Another way to get a shared /etc/passwd and /etc/nsswitch.conf is to use a
shared root cluster. In this case, all configuration files can easily be
shared in a cluster. You might be interested in having a look at
http://www.open-sharedroot.org
Best Regards,
Mark
On Monday 17 November 2008 15:33:45 Kadlecsik Jozsef wrote:
> Hello,
>
> In order to store users in alternate passwd, shadow and group files I have
> written some patches over Linux PAM 1.0.2 and an NSS module.
>
> With these packages one can store the passwd, shadow and group files for
> the cluster users over GFS. We have been using such a setup for more than
> half a year in production. If somebody is interested, the patches,
> sources and the installation, configuration descriptions are available at
>
> http://www.kfki.hu/~kadlec/sw/cluster/
>
--
Gruss / Regards,
Dipl.-Ing. Mark Hlawatschek
http://www.atix.de/
http://www.open-sharedroot.org/