PAM and NSS for clusters

Here you can find my cluster-related packages, with which one can (more) easily build up a cluster of machines with users.

The main problem with users in a cluster is how to maintain the Unix user identifiers, i.e. username, password, uid, gid, etc. The standard answer is: use your favourite PAM and NSS modules and store your cluster-wide users in the database belonging to the selected module type. The easily available storage methods are Kerberos, LDAP or some kind of SQL. A flat file format is not among them.

The packages and patches here make it possible to use flat files in which you can store the data for the cluster users. The assumption is that the files are available on all machines via the cluster filesystem.

The file formats are the standard Unix passwd, shadow and group file ones. Any PAM- and NSS-aware application can use these files via the modules you can find here.

The sources

PAM

The functionality is implemented in a patched Linux PAM 1.0.2 source. You can find both the patches and a complete patched Linux PAM 1.0.2 source here:

NSS

The NSS module is an almost verbatim copy of the files part of the NSS modules from glibc: nss_cluster_files.tar.bz2.

Installation

Either download the PAM patches and apply them manually on top of the source of Linux PAM 1.0.2, or download the patched version. Download the NSS module source too.

Install the full PAM system and the nss_cluster_files package from the sources. The PAM system is backward compatible with the original one, so you can just drop it in. The nss_cluster_files module does not clash with other NSS modules.

Configuration

Create a directory on your cluster filesystem to store the cluster-wide passwd, group and shadow files. Let's say you use the '/gfs/system/' directory as the root of the alternate tree.

  1. Create the required directory '/gfs/system/etc/'.
  2. Create the '/gfs/system/etc/security' directory too for the 'opasswd' file.
  3. Create the symbolic link '/etc/cluster_rootdir' pointing to '/gfs/system'. Both the patched pam_unix and the nss_cluster_files modules work only if '/etc/cluster_rootdir' exists as a symbolic link and points to a directory under which 'etc/passwd', etc. exist.
  4. Fill up '/gfs/system/etc/passwd', '/gfs/system/etc/shadow' and '/gfs/system/etc/group' with the initial user data.
  5. Enable the cluster files in PAM by adding the 'cluster' keyword to the "pam_unix" and "pam_cracklib" modules, or by adding alternate "pam_unix" and "pam_cracklib" lines. Examples:
  6. Enable the cluster files in NSS, in '/etc/nsswitch.conf':
    passwd:         compat cluster_files
    group:          compat cluster_files
    shadow:         compat cluster_files
    

From now on your cluster users are stored in the alternate passwd, shadow and group files under '/gfs/system/etc/'. In order to use adduser/useradd etc., you can remount the '/lib' and '/usr' directories at '/gfs/system/lib' and '/gfs/system/usr', and use a simple wrapper that calls 'chroot /gfs/system /usr/sbin/adduser <args>' to create, modify or delete cluster users.
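
The layout from steps 1 to 4 can be checked on each node with a small script. This is an added example, not part of the packages offered here; the function name check_cluster_root, the permission checks and the uid 0 warning are assumptions added for illustration.

```shell
#!/bin/sh
# Added example: audit the alternate tree behind /etc/cluster_rootdir.
# Usage: check_cluster_root [LINK]   (LINK defaults to /etc/cluster_rootdir)
# Prints one line per finding; returns 0 when nothing failed, 1 otherwise.
check_cluster_root() {
    link=${1:-/etc/cluster_rootdir}
    rc=0

    # Step 3: the modules only work when this is a symlink to a directory.
    [ -L "$link" ] || { echo "FAIL: $link is not a symbolic link"; return 1; }
    [ -d "$link/" ] || { echo "FAIL: $link does not point to a directory"; return 1; }

    # Steps 1, 2 and 4: the directories and the three account files.
    [ -d "$link/etc/security" ] || { echo "FAIL: missing etc/security"; rc=1; }
    for f in passwd shadow group; do
        [ -f "$link/etc/$f" ] || { echo "FAIL: missing etc/$f"; rc=1; }
    done

    # Added checks (assumptions, not from the page): files holding password
    # hashes must not be world-readable, no account file world-writable.
    for f in shadow security/opasswd; do
        [ -f "$link/etc/$f" ] || continue
        [ -z "$(find "$link/etc/$f" -perm -004)" ] ||
            { echo "FAIL: etc/$f is world-readable"; rc=1; }
    done
    for f in passwd shadow group; do
        [ -f "$link/etc/$f" ] || continue
        [ -z "$(find "$link/etc/$f" -perm -002)" ] ||
            { echo "FAIL: etc/$f is world-writable"; rc=1; }
    done

    # Added check: passwd lines need 7 fields; a cluster-wide uid 0 account
    # is reported as a warning only, since it may be intentional.
    if [ -f "$link/etc/passwd" ]; then
        awk -F: -v rc=0 '
            NF == 0 { next }
            NF != 7 { print "FAIL: passwd line " NR " has " NF " fields"; rc = 1 }
            NF == 7 && $3 == 0 { print "WARN: uid 0 account " $1 " in cluster passwd" }
            END { exit rc }' "$link/etc/passwd" || rc=1
    fi
    return $rc
}
```

Source the file and call check_cluster_root without arguments on each node once the cluster filesystem is mounted.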

That's it!