LinuxQuestions.org
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
#1  10-22-2011, 07:05 AM
Mareq (LQ Newbie; Registered: Oct 2011; Distribution: Debian; Posts: 1)
PAM/NSS: Local & Global users synchronization problem


Hi,
I am setting up a global database for PAM/NSS. Everything is pretty clear (at least I think), except one thing I do not seem to understand. Imagine a scenario with two machines using a shared database for PAM/NSS purposes and this course of action:
1. The administrator adds a new local user, named, say, 'problematic', using the adduser command on machine #1. This will create the appropriate records in the first machine's /etc/passwd and /etc/shadow files. So far so good: we have a new local user, who can log in only on machine #1.
2. The administrator adds a new global user with the very same name 'problematic' to the global database shared by both machines. Moreover, he does that from machine #2, so there is no way to check for the existence of the local user created in the first step (other than checking the /etc/passwd file on all machines, which can become a little tedious in a similar scenario with tens or even hundreds of machines, so this is not a viable solution).

After step 2, we end up with two conflicting users with completely different passwords: the first local on machine #1 and the second global for all other machines. Depending on /etc/nsswitch.conf, on machine #1 either the global user will be shadowed by the local one ('files, shared_database' setting) or vice versa, i.e. the local user will suddenly be replaced by the global one ('shared_database, files' setting).

The only solution I can think of is to add information about the existence of all local users from all machines to the shared database and to check this information prior to adding any global user, refusing to create a global user with the same name as an already existing local one. However, in order to update such information in the global database, the 'adduser' command (and all of its friends) needs to be hacked to do so.

This of course involves a relatively large amount of manual hacking, and since it seems to me that this is a rather common problem, I am posting it here in the hope of finding someone who has already solved it and who can point me to a probably existing, and possibly even well-known, solution.

Thanks for help!

.mq.



PS: Just to be complete, I intentionally did not specify 'shared_database', because I think that this problem is applicable to any NSS library one may use. But since the solution may differ depending on the library used, I am including this information here. In my particular case, I am planning to use libpam-pgsql/libnss-pgsql (or possibly, but less probably, libpam-ldap/libnss-ldap with a PostgreSQL backend, but I think that is unnecessarily more work), because I need this database to also provide user information to some other applications, which require it in a MySQL/PostgreSQL database.
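Editor's note: the following is an added, self-contained example illustrating the two points raised in the post (the nsswitch.conf ordering deciding which 'problematic' wins, and the "register local names in the shared database and refuse colliding global users" idea). It is not code from the poster, from libnss-pgsql or from adduser. It assumes a SQLite in-memory database standing in for the PostgreSQL backend, an invented schema (tables usernames and global_passwd), a hypothetical per-host job that publishes local names (which in practice would be an adduser.local hook or a cron job), UID_MIN = 1000 as adduser's first regular UID on Debian, and the nsswitch keyword 'pgsql' for libnss-pgsql. The sample /etc/passwd content is constructed.

```python
import sqlite3

# Constructed sample /etc/passwd from machine #1 (not taken from the post).
PASSWD_MACHINE1 = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
problematic:x:1001:1001:Problematic User,,,:/home/problematic:/bin/bash
alice:x:1002:1002:Alice,,,:/home/alice:/bin/bash
"""

UID_MIN = 1000  # assumption: adduser's first UID for regular users on Debian


def parse_passwd(text):
    """Parse passwd(5) lines into {name: {uid, gid, gecos, home, shell}}."""
    users = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) != 7:
            continue  # blank, comment or malformed line
        name, _pw, uid, gid, gecos, home, shell = fields
        users[name] = {"uid": int(uid), "gid": int(gid), "gecos": gecos,
                       "home": home, "shell": shell}
    return users


def nss_lookup(name, order, sources):
    """Emulate glibc's default passwd lookup: sources are tried in the order given
    in /etc/nsswitch.conf and the first one returning an entry wins (default
    actions [SUCCESS=return NOTFOUND=continue]). Returns (source, entry) or None."""
    for src in order:
        entry = sources[src].get(name)
        if entry is not None:
            return src, entry
    return None


def open_shared_db():
    """Invented schema for the shared database (SQLite in memory here, PostgreSQL in
    practice). usernames is the single namespace: a name reserved by any machine's
    local account and a global user cannot coexist, and the PRIMARY KEY makes the
    check atomic, so two admins cannot race past a separate look-then-insert."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE usernames (
            name TEXT PRIMARY KEY,
            kind TEXT NOT NULL CHECK (kind IN ('local', 'global')),
            host TEXT
        );
        CREATE TABLE global_passwd (
            name  TEXT PRIMARY KEY REFERENCES usernames(name),
            uid   INTEGER UNIQUE NOT NULL,
            gid   INTEGER NOT NULL,
            gecos TEXT, home TEXT, shell TEXT
        );
    """)
    return conn


def register_local_users(conn, host, passwd_text):
    """Hypothetical per-host job (cron or adduser.local hook): reserve the name of
    every regular local account. Returns names that collide with an existing
    *global* user so the administrator can resolve them."""
    conflicts = []
    for name, u in parse_passwd(passwd_text).items():
        if u["uid"] < UID_MIN:
            continue  # system accounts are expected to exist everywhere
        try:
            conn.execute("INSERT INTO usernames (name, kind, host) VALUES (?, 'local', ?)",
                         (name, host))
        except sqlite3.IntegrityError:
            (kind,) = conn.execute("SELECT kind FROM usernames WHERE name = ?",
                                   (name,)).fetchone()
            if kind == "global":
                conflicts.append(name)
            # an existing 'local' row (same name on another host, or a re-run) is fine
    conn.commit()
    return conflicts


def add_global_user(conn, name, uid, gid, gecos="", home=None, shell="/bin/bash"):
    """Create a global user, refusing if the name is taken by any local account."""
    with conn:  # commit on success, roll back on exception
        try:
            conn.execute("INSERT INTO usernames (name, kind, host) VALUES (?, 'global', NULL)",
                         (name,))
        except sqlite3.IntegrityError:
            kind, host = conn.execute("SELECT kind, host FROM usernames WHERE name = ?",
                                      (name,)).fetchone()
            where = f" on {host}" if host else ""
            raise ValueError(f"refusing to create global user {name!r}: "
                             f"already a {kind} user{where}")
        conn.execute("INSERT INTO global_passwd VALUES (?, ?, ?, ?, ?, ?)",
                     (name, uid, gid, gecos, home or f"/home/{name}", shell))
    return True


def global_passwd_source(conn):
    """What the NSS module would serve from the global table, as a lookup dict."""
    rows = conn.execute("SELECT name, uid, gid, gecos, home, shell FROM global_passwd")
    return {r[0]: {"uid": r[1], "gid": r[2], "gecos": r[3], "home": r[4], "shell": r[5]}
            for r in rows}


if __name__ == "__main__":
    conn = open_shared_db()
    register_local_users(conn, "machine1", PASSWD_MACHINE1)   # step 1 publishes names
    try:
        add_global_user(conn, "problematic", 5001, 5001)      # step 2 is now refused
    except ValueError as e:
        print(e)
    add_global_user(conn, "bob", 5002, 5002)
    # Without the check, both orders of nsswitch.conf give a different 'problematic':
    unchecked = dict(global_passwd_source(conn), problematic={"uid": 5001, "gid": 5001,
                     "gecos": "", "home": "/home/problematic", "shell": "/bin/bash"})
    sources = {"files": parse_passwd(PASSWD_MACHINE1), "pgsql": unchecked}
    print(nss_lookup("problematic", ["files", "pgsql"], sources))  # local wins, uid 1001
    print(nss_lookup("problematic", ["pgsql", "files"], sources))  # global wins, uid 5001
```

The design point worth keeping from this sketch is that the collision check is not a separate query followed by an insert: the reservation table's primary key is the check, so it holds even when two administrators act concurrently from different machines, and the same table catches the reverse order (a local account created after a global one) on the next registration run. In a real PostgreSQL deployment the NSS view consumed by libnss-pgsql would simply exclude rows of kind 'local'.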