Hello all,

I am setting up a cluster, 1 head node and 8 child nodes, in brief I am using ssh keys, MPICH and mounting the master /home on all child nodes.

I have to create each user account on all master and child nodes. Is there a way to only create users "accounts" on the "Master" and all the other child nodes would be aware of the new user.

I had a crazy idea about mounting the "Master" /etc folder on all child nodes then on each child node I would create a "ln -s" link for each of "passwd", "group" and "shadow" to /etc folder.

Thanks

I see no particular reason why that shouldn't work. You'll probably have to hack up some sort of script to handle booting - in case you run into chicken and egg problems about being unable to mount without logging in and being unable to log in without mounting. Maybe you can just mount in an init script to avoid that though.

Usually, clusters and such grow too large to easily support authentication and authorization systems like this. It's simply too hard to manage, because you can't manage it centrally.

For this reason, authentication and authorization are often handled using systems like LDAP, which Microsoft refers to as "Active Directory." There are also more-aggressive systems like Kerberos.

The concept is that you have "directory servers," either masters or slaves, that are scattered around your network. Computers are set up to ask them for answers to questions like these: These systems provide a well-thought-out mechanism by which a computer can securely solicit such a question, and get a trustworthy answer, even when operating on a network that is deemed to be insecure and therefore untrustworthy. Quite an amazing trick.

Your goal, however, is simply to arrange for your computer to take advantage of those "alternate" authentication and authorization mechanisms ... without imposing headaches either upon yourself or upon your applications. Fortunately, Linux provides an elegant solution to that (separate) problem.

Linux systems have a built-in mechanism called PAM ("P"luggable "A"uthentication "M"odules) which is specifically designed to provide the flexibility that's needed here.

1. Applications, like login, "ask PAM" for an answer.
2. PAM is actually a set of rules-files, residing on the local computer, which your computer now applies.
3. In "standard Linux," these rules would cause the computer to consult (say...) the "shadow password-file" to get the answer.
4. On your computers, however, you've installed a different set of PAM-rules... rules that cause your computer to instead consult LDAP, or Kerberos or whatever, to get the answer to the question.
5. The bottom-line is, "login gets his answer," thumbs-up or thumbs-down, just like every single PAM-aware application in your computer is able to do and in exactly the same way. But you, the systems administrator, have complete flexibility to specify, behind the scenes, exactly how that "answer" will be determined. Your actions will apply uniformly to every PAM-aware program, and "they don't have to know and they don't have to care."