49.10. Synchronizing Users and Groups
Synchronization is possibly the module's most powerful feature, but also one of the trickiest to use. It can be used to create users or groups that exist on only one system on all of the other systems in your cluster. This is handy if certain users were created outside of this module on only one host and you want to now make them available on all hosts. It is also useful if a new host is added to the cluster and you want to give it all of the users and groups that the other systems have.
Synchronization, however, can have unexpected and possibly harmful effects if you use it incorrectly. For example, simply synchronizing all users on all hosts would be a bad idea, as it could trigger the creation of system users like uucp and squid on hosts that do not have them. For this reason, you should make use of the Only show what would be done? field to see what the module will do with your synchronization selections before applying them for real.
The synchronization feature will only create new users and groups, not update the details of those that already exist. Neither will it delete users or groups. Instead, it assumes that a mismatch between the users that exist on one system and those that exist on another indicates that users need to be created. The module's other features for editing and deleting users, however, can be used to update users on some systems to match another or delete users that only exist on some systems.
To create users that only exist on some of your systems, follow these steps:
1. | Click on the Synchronize button in the lower-right corner of the module's main page. This will take you to the form shown in Figure 49.4. Figure 49.4. The synchronization form.
|
2. | The Servers to synchronize field determines which systems are checked as part of the process. You can either choose All servers to synchronize every managed system, or choose Selected and select some of the systems in the list. In the latter case, specified users that exist on any system may be added to those chosen. |
3. | The Users to create section lets you specify which users to synchronize. The available options are: All missing users This mode should never be used unless all your systems are running the exact same operating system as it will synchronize all users, including system users like squid and uucp. No users This option tells the module not to synchronize any users and thus does nothing. Only users When this option is chosen, only the users whose names are entered in the adjacent text field will be considered for synchronization. If you know exactly which users need creation, this is the option to use. All except users This option should be used with care (like All missing users), because it synchronizes all users except those listed in the adjacent text field. Users with UID in range This option tells the module to only synchronize users whose UIDs are within the range entered in the adjacent text fields. Users with primary group When this option is chosen, the module will only consider users for synchronization whose primary group matches the group name entered in the field next to it. |
4. | Leave Groups to create set to No groups. |
5. | Change the Only show what would be done? field to Yes, so that you can do a test run first. |
6. | If your systems share home directories with NFS, the Create home directories? and Copy files to home directories? fields can be set to No because the users' directories should already exist. If each system has its own filesystems, however, you should choose Yes instead to force the creation of a new empty directory for each added user. |
7. | To have the new users added to the Samba password file, Squid user list, and so on for each system on which they are created, change the Create user in other modules? field to Yes. Unfortunately, because users' unencrypted passwords are not available when synchronizing, Samba users will not be created properly. |
8. | Hit the Create Users and Groups button. A page listing all of the selected systems and the actions that need to be performed on each (if any) will be displayed. Check to make sure that only what you expect will be done. If a host already has all of the specified users, the message Users and groups are in sync will be displayed. |
9. | Use your browser's back button to return to the synchronization form and change the Only show what would be done? field to No. |
10. | Click on Create Users and Groups again to create the users for real. A page listing the selected systems and the actions that are actually being performed will be displayed, along with any errors that occur. As usual, a failure on one host will not affect the rest. |
Missing groups can be created in almost exactly the same way. The only difference is that you should leave the Users to create field set to No users, but specify the groups to synchronize in the Groups to create section.