I'm considering distributing /etc/passwd files, or parts thereof, from a central machine to multiple other machines.
The important part is that all machines identify the same user names with the same UIDs, which is important for security on NFS shared partitions.

However, it is not needed that all users have logins on all machines.

So, my question is how can I trick "ls" and the other utilities in translating user names to UIDs in a consistent way across multiple machines, without having to add users (with or without login) to each machine.

I have tried editing the plain-text /etc/passwd file in a text editor directly (rather than via useradd, which would probably update the /etc/shadow file used for login authentication).

Other, related questions are:
-when is /etc/shadow updated?
-do "ls" and the other utilities use the /etc/passwd file, or it's binary counterpart (/etc/shadow) for the username to UID translations?
-when updating a user's UID via "usermod", does it update the UID in the file ownership bits of the files owned by that user?

you'd use a central user base, on ldap or nis really... you shouldn't be looking to "trick" anything intoo doing anything.

- shadow is updated when you change data stored in it, like a password
- ls doesn't do that, that's the linux glibc subsystems telling the app that directly. the app is given a uid in the case of ls, and it just calls a c function to convert it to a username. how that result is achived is none of ls's business.
- shadow is *NOT* a binary counterpart in any way whatsoever. passwd contains user accounts, shadow contains the passwords for those accounts
- no, you'd do that seperately.

Thanks for the reply, acid kewpie. That's really good to know.

LDAP seems to have a few downsides:
-when the central LDAP machine is down, all logins on other machines are disabled as well.
-some systems have additional services and software installed, like MySql databases, that require a separate user, which does not necessarily have the same UID/username on all systems. Hence, some accounts are machine-specific, whereas others should be made the same on all machines (and can thus be stored centrally).

To overcome the first, I was considering an older approach of distributing (parts) of the /etc/passwd and related files.

Any idea how that c function works internally? Does it actually read and parse the /etc/passwd file?
I suppose the same glibc function is used throughout lots of apps, right?

Just to be sure: the changing of the file ownership (ie just after "usermod" call), can be done via a command like
and repeat that on all local (non-NFS) filesystems.
Does that seem OK to you?

you would not use ldap exclusively. you'd use ldap for the gloabl accounts, and still use passwd files for the local accounts. there no reason whatsoever to need to deviate from standard practises. don't hack anything, there is no need.

Any tips or tutorials on how to set this up?
Can I also use a local DB instead of LDAP?

I have no experience with LDAP, so please be patient with me.

i *really* don't understand this obsession with making things local fo no reason... you want the same credentials across multiple boxes, do it properly, and use ldap or nis+. i'd just say use ldap howto's if it is ldap you use... it's really quite simple, but if you know nothign about ldap then naturally there's a learning curve.