Michael Carmody
2006-Oct-10 03:18 UTC
Individual User Auth without SSH or stand alone passwd file...
Hey All,

We have our Linux server integrated with our Windows AD via nss_ldap and pam_ldap and everything is working fine. We are hoping to use rsync to back up user-specified directories to the network drives. Now rsync only seems to use auth when using SSH, or when using a static passwd file. Is there a patch or option to allow rsync to use system passwds? PAM? LDAP?

I posted earlier about a [homes] directive to create a module per user, but it seems I would have to create an entry in the rsyncd.conf file for all 200+ users. Is rsync just not up to handling this scale of project manageably?

Anyone have any other ideas?

-Michael Carmody
Department of Microbiology and Immunology
The University of Melbourne
Bill Uhl
2006-Oct-10 12:03 UTC
Individual User Auth without SSH or stand alone passwd file...
Michael,

What if you don't run rsync in daemon mode? From the rsync man page...

    USING RSYNC-DAEMON FEATURES VIA A REMOTE-SHELL CONNECTION

    It is sometimes useful to use various features of an rsync daemon (such as named modules) without actually allowing any new socket connections into a system (other than what is already required to allow remote-shell access). Rsync supports connecting to a host using a remote shell and then spawning a single-use "daemon" server that expects to read its config file in the home dir of the remote user.

--------

You could set up sshd on the server to accept password logins and accept logins from all of your users. sshd should be able to use PAM or whatever password backend your system has set up. Each user might have a ~/.ssh/ dir, if needed. Try to lock down access to the sshd to the local net if you are accepting passwords.

You could put a default ~/rsyncd.conf in the user's home and have them invoke rsync as a single-use "daemon". You could probably set up the rsyncd.conf in the skel dir for setting up new users.

In this mode, you don't need to have rsync do a separate auth. The sshd will restrict the user to whatever their rights are on the server, so they won't access others' files. Since the connection is in the user's context, the files will automatically be owned by the user and will not need to be chown'd. You shouldn't need to set up rsync in the inet daemon as sshd will spawn the rsync on the server on demand.

On the Windows side, you can create a batch file that will run the appropriate rsync command and back up the files in a user-maintained include/exclude file. You could set this up in the scheduler on the Windows system as well.

While I have not set this up as an end-to-end system, I have used all of this as different pieces at one time or another and they can all be made to work. It shouldn't be too hard to put the pieces together to provide a system that's relatively simple to maintain.

Just FYI...

I used to use an rsync patch to use an LDAP backend. Because of the nature of password authentication in rsync, it required a separate password from the system password because the rsync password needed to be in plain text. I have not found a copy of a current version of the patch since rsync 2.6.4, I think. I don't know if it is still being maintained.

Another alternative to consider... Train your users not to, or don't let them, keep important files on their workstations. All important files should be kept on the server, where they can be properly protected and backed up. Since Windows workstations have a nasty habit of becoming unstable, it is better to consider the workstation build disposable, in case stupid user tricks make a rebuild necessary. With a change in the registry, the user's default 'Documents and Settings' subtree can be directed to a network share on your server.

Just a thought...

Bill Uhl
GreenLight Networks, LLC
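A worked example of the single-use "daemon over ssh" setup described in the reply above. This is added illustration, not code from either poster or from the rsync project: it writes the per-user ~/rsyncd.conf that the ssh-spawned daemon reads, runs an admin-side sanity check on it, and shows the matching client command. The module name "backup", the data directory $HOME/backup, the host name "server", the user "alice" and the cwRsync-style /cygdrive paths on the Windows client are all assumptions. Because the generated path is absolute, the script loops over existing home directories rather than relying on /etc/skel.

```shell
#!/bin/sh
# Added example (not from the thread): per-user rsyncd.conf for rsync's
# single-use daemon mode over ssh, plus a sanity check for it.
# Assumptions: module "backup", data in $HOME/backup, host "server".

# Write a minimal single-use rsyncd.conf into a home directory.
#   $1 = home directory (e.g. /home/alice)
#   $2 = module name (defaults to the assumed name "backup")
write_user_rsyncd_conf() {
    home="$1"
    module="${2:-backup}"
    mkdir -p "$home/$module" || return 1
    cat > "$home/rsyncd.conf" <<EOF
# Read by the "rsync --server --daemon ." that sshd spawns for this user.
# The process runs as the ssh user, not root, so chroot (root-only) must be
# off; the user's own Unix permissions, as applied by sshd, are the confinement.
use chroot = no
# Non-root cannot write the default log under /var, so keep it in the home dir.
log file = $home/rsyncd.log

[$module]
    path = $home/$module
    comment = workstation backup
    read only = no
    # No "auth users" / "secrets file": sshd already authenticated the caller,
    # so no second (plaintext) rsync password has to be stored anywhere.
EOF
}

# Admin-side sanity check for a generated config: chroot must be off (a
# non-root daemon cannot chroot) and no module may point outside the owning
# home directory. Returns 0 if the file passes. Note this is a convenience
# check, not a security boundary: the user owns ~/rsyncd.conf and could edit
# it, which is fine precisely because the daemon runs with only their rights.
check_user_rsyncd_conf() {
    home="$1"
    conf="$home/rsyncd.conf"
    [ -f "$conf" ] || return 1
    grep -q '^use chroot = no' "$conf" || return 1
    grep -q '^\[.*\]' "$conf" || return 1
    # Each "path = ..." line must lie under the home directory.
    grep '^[[:space:]]*path = ' "$conf" | while read -r _key _eq p; do
        case "$p" in
            "$home"/*) ;;      # inside the home dir: fine
            *) exit 1 ;;       # anything else fails the subshell, and so the function
        esac
    done
}

# Seed every existing account once (assumed layout: homes under /home):
#   for h in /home/*; do
#       write_user_rsyncd_conf "$h" && check_user_rsyncd_conf "$h" || echo "bad: $h"
#   done
#
# On each Windows workstation (cwRsync assumed), a scheduled batch file pushes
# the user's files into the module. The "user@server::module" form together
# with -e ssh is what makes rsync spawn the single-use daemon over ssh instead
# of connecting to port 873, so no rsync port needs to be open on the server:
#   rsync -av -e ssh --exclude-from=/cygdrive/c/backup-excludes.txt \
#       "/cygdrive/c/Documents and Settings/alice/My Documents/" \
#       alice@server::backup/docs/
```

Everything the daemon does happens under the ssh user's uid, so files land owned by the user without any chown, and a module with `read only = no` still cannot write anywhere the user could not already write with scp. The `use chroot = no` line is the one setting people trip over when moving a root-run rsyncd.conf into a home directory.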