Solved

Add a user to linux systems via script

Posted on 2008-10-27
37
337 Views
Last Modified: 2013-12-16
I would like to log into one Linux server, and run a script that will create a new user on 20+ other linux servers, and only have to log in once.
Question by:loftyworm
37 Comments
 
LVL 48

Expert Comment

by:Tintin
ID: 22817934
Do you currently use LDAP for the users?
0
 
LVL 11

Author Comment

by:loftyworm
ID: 22818006
No, all users are created locally, although I have integrated the Linux VMware with our Active Directory for password authentication.
0
 
LVL 11

Expert Comment

by:jgiordano
ID: 22818020
add all the users to a text file; then -

for i in $(cat <text file>)
do
    useradd -g <group> -d /home/"$i" "$i"
done
0
 
LVL 11

Author Comment

by:loftyworm
ID: 22818028
@jgiordano
Ty for your reply, but I want to add 1 user to 20+ servers, not 20 users to 1 server, all with one script, so I do not have to log on to each and every server, escalate my privs, run the commands, and log out, 20+ times.
0
 

Expert Comment

by:jmatux
ID: 22818041
perhaps this would help,

create /etc/passwd and /etc/shadow strings for the user into temp files

vi /tmp/pass
vi /tmp/shad

transfer the temp files to remote host

cd /tmp
for remhost in $(< /path/to/hostlist)
do
    tar cvpf - pass shad | ssh "$remhost" "cd /tmp && tar xvpf -"
done

append the strings and create home directory as required.

for remhost in $(< /path/to/hostlist)
do
    ssh "$remhost" "hostname; cat /tmp/pass >> /etc/passwd; cat /tmp/shad >> /etc/shadow; cd /home; mkdir -m 755 bpadm; chown bpadm:bpadm bpadm; cd /tmp; rm pass shad"
done

I believe it would be something like that
0
 
LVL 29

Expert Comment

by:fosiul01
ID: 22818088
Maybe there would be some script for your solution

but I just want to say, why are you not copying all the user names and passwords and just pasting them to the different servers?

http://www.cyberciti.biz/faq/howto-move-migrate-user-accounts-old-to-new-server/

same concept you can apply.

just an idea...
0
 
LVL 40

Assisted Solution

by:omarfarid
omarfarid earned 150 total points
ID: 22818724
you need to useradd via ssh on the remote systems. For that you need to either have trust between your system and the other systems so that they don't prompt you for root password, or you need to use expect to put the password when prompted. Please see:


http://www.experts-exchange.com/Programming/Languages/Scripting/Shell/Q_23682114.html

Here are links on how to make the trust:

http://www.astro.caltech.edu/~mbonati/WIRC/manual/DATARED/setting_up_no-password_ssh.html
http://waelchatila.com/2005/06/06/1118124232757.html
http://www.cvrti.utah.edu/~dustman/no-more-pw-ssh/
0
 
LVL 11

Author Comment

by:loftyworm
ID: 22836881
Thanks Omar, I think this is it.  Although, your first link is broken
0
 
LVL 7

Expert Comment

by:macker-
ID: 22837114
Assuming that this is for the routine creation of new users, and you do not want to use LDAP or NIS

Rather than using expect, or a shosts type solution, you can use SSH DSA keys.  Copy your DSA key (`man ssh-keygen`) to each target system, appending to or creating ~/.ssh/authorized_keys2

Once that's in place, you can run ssh-agent to login to pre-authenticate for your DSA key, and will be able to login to all of the systems without being prompted for a password.  From there, you can run useradd as an argument to ssh, in a for loop as described by jmatux:

for remhost in $(< /path/to/hostlist)
do
    ssh "$remhost" "hostname; useradd -p HASH username"
done

"HASH" should be the encrypted password, as listed in the /etc/shadow file.

If you have an exact predefined range of UIDs you'll be using for this, you can specify the uid/gid as an argument to useradd; this will simplify any future work, e.g. using NFS mounts for home directories.

If the hosts adhere to a simple pattern, e.g. "server1" thru "server20", then you can further simplify by iterating thru the host numbers.

I would always recommend using 'useradd' rather than manually editing passwd and shadow; useradd will handle failures much more gracefully.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23131988
Macker-
WONDERFUL!  This is exactly what I am trying to do, my hands are tied in doing other things, and this is my best solution up to this point.  But I have one last issue.  Root is denied ssh logon (on purpose), and my account does not have privileges to create accounts.  I tried adding my user account to the adm group "usermod -G adm ME" but it is still not allowing me to create the accounts :(

How do I allow my account to be able to add/remove/modify user accounts?

0
 
LVL 40

Expert Comment

by:omarfarid
ID: 23132077
you may use sudo, please see:

http://www.gratisoft.us/sudo/man/sudoers.html
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23132487
If I use sudo, I will have to enter a password :(
My goal is to log into one system, and paste a command like this;

ssh user@server1 "useradd blah"
ssh user@server2 "useradd blah"
...
ssh user@server20 "useradd blah"
 
0
 
LVL 48

Expert Comment

by:Tintin
ID: 23132511
You can configure a sudo entry so you don't need a password, eg:

user  ALL= NOPASSWD: /usr/sbin/useradd

then you can use

ssh user@server1 "sudo /usr/sbin/useradd ....."
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23132566
Tintin, can you be more specific please;

edit the sudoers file with
ME  ALL= NOPASSWD: /usr/sbin/useradd

then my script would be like

ssh newguy@server1 "sudo /usr/sbin/useradd ....."

how would this change for removing and modifying users?
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23132574
what does the
ALL = NOPASSWD
refer to?
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 23132660
As Tintin said (and as you may see in the examples in the link) you may allow your user to use the commands without password and hence no need for passwords.
0
 
LVL 48

Expert Comment

by:Tintin
ID: 23133035
To edit the sudoers file, you need to be the root user.

Type in

visudo

and add the following entry

user  ALL= NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod

This will allow 'user' to add, delete and modify users.
0
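As an added example (not code from the thread or from any of the posters), here is a POSIX sh script that puts macker-'s key-authenticated ssh loop together with Tintin's sudoers NOPASSWD entry for /usr/sbin/useradd: it validates the login name, single-quotes the shadow hash so the remote shell leaves its $ separators alone, runs sudo with -n so a host where the rule does not apply fails instead of hanging on a prompt, and reports per-host success. The host list path and the login/uid/group/hash values are placeholders, and it assumes the NOPASSWD line is the last matching sudoers entry for the account, since sudo applies the last match.

```shell
#!/bin/sh
# Added example (not from the thread): create one account on every host in a
# list over ssh with key authentication, relying on a sudoers entry such as
#   ME ALL= NOPASSWD: /usr/sbin/useradd
# Hypothetical: the host list path and the login/uid/group/hash values.

HOSTLIST="${HOSTLIST:-/path/to/hostlist}"   # one host per line, '#' comments allowed
SSH="${SSH:-ssh}"                            # swap in a stub command for a dry run

# Accept only portable login names (lowercase, digits, '_' and '-', <= 32 chars)
# so a stray shell character never reaches the remote command line.
valid_login() {
    printf '%s' "$1" | grep -Eq '^[a-z_][a-z0-9_-]{0,31}$'
}

# Build the remote command. The hash is single-quoted so the remote shell does
# not expand the '$' separators of a $6$salt$hash string. sudo -n makes sudo
# fail instead of prompting if the NOPASSWD rule does not apply on that host.
# Note: the hash is visible in process listings on both ends while this runs.
build_cmd() {
    # $1 login, $2 uid, $3 group, $4 crypt(3) hash as stored in /etc/shadow
    printf "sudo -n /usr/sbin/useradd -u %s -g %s -m -p '%s' %s" "$2" "$3" "$4" "$1"
}

# Run the command on each host; keep going after a failure and return the
# number of hosts that failed so the caller can re-run just those.
add_user_everywhere() {
    login=$1; uid=$2; group=$3; hash=$4
    valid_login "$login" || { echo "rejected login name: $login" >&2; return 2; }
    failed=0
    while read -r host; do
        case $host in ''|\#*) continue ;; esac
        # -n: do not let ssh read the host list from stdin;
        # BatchMode: fail rather than prompt if the key is not accepted.
        if $SSH -n -o BatchMode=yes "$host" "$(build_cmd "$login" "$uid" "$group" "$hash")"; then
            echo "$host: ok"
        else
            echo "$host: FAILED (exit $?)" >&2
            failed=$((failed + 1))
        fi
    done < "$HOSTLIST"
    return "$failed"
}
```

Call it as `add_user_everywhere deleteme 55555 sxtech '$6$salt$hash'`; a non-zero exit is the count of hosts that need attention.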
 
LVL 11

Author Comment

by:loftyworm
ID: 23135278
Awesome, I will test this now.

But...

When I start the visudo, I see this;
%winsvr ALL=(ALL)   ALL

I made this entry back in the day and added our user accounts to this group, so my admins could use the sudo command.

Shouldn't this allow me to use the usermod command?  I am a member of the winsvr group


0
 
LVL 11

Author Comment

by:loftyworm
ID: 23135294
ok, I thought maybe I did have privs, and I was not using the full path, so I tried this
/usr/sbin/useradd -u 55555 -g sxtech -c 'Deleteme' -m deleteme
and got this
useradd: unable to lock password file

both when I did it via ssh and on the local system
0
 
LVL 48

Expert Comment

by:Tintin
ID: 23135317
The sudoers entry

%winsvr ALL=(ALL)   ALL

will allow all members of the winsvr group to use sudo for any command, *but* they will have to supply their password.

useradd, userdel and usermod need to be run with root privs, so you need to do

sudo /usr/sbin/useradd -u 55555 -g sxtech -c 'Deleteme' -m deleteme
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23135322
OK, I made the change to visudo for my specific user, and get the same

useradd: unable to lock password file

0
 
LVL 11

Author Comment

by:loftyworm
ID: 23135490
Ahh, let me try this....
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23162285
Ok, I have done this;

I used ssh-keygen to create a key on server 1
I copied the public key onto server2, and renamed it authorized_keys
On both servers I edit visudo to include
ME   ALL= NOPASSWD: /usr/sbin/useradd, /usr/sbin/userdel, /usr/sbin/usermod
%winsvr ALL=(ALL) ALL
ME is a member of winsvr
Logged on locally, I can run the command with no password;
 sudo /usr/sbin/useradd -u 55555 -g sxtech -c 'Deleteme' -m deleteme
I can also run this command with no password from server1
ssh ME@server2 "ls"
BUT
this command is still asking for a password
sudo /usr/sbin/useradd -u 55555 -g sxtech -c 'Deleteme' -m deleteme
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23162387
CORRECTION TO ABOVE:

BUT
this command is still asking for a password
ssh ME@server1 "sudo /usr/sbin/useradd -u 55555 -g sxtech -c 'Deleteme' -m deleteme"
0
 
LVL 48

Expert Comment

by:Tintin
ID: 23165643
Is the above a typo?

Did you specify server2 rather than server1?
0
 
LVL 40

Expert Comment

by:omarfarid
ID: 23166928
it seems that the password is for the ssh login.

can you try to ssh only and see if prompted for the password?
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23186261
@tintin
Yes a typo, from Server 1 to server2
ssh ME@server2 "sudo /usr/sbin/useradd -u 55555 -g sxtech -c 'Deleteme' -m deleteme"
@omarfarid
Yes, ssh with a simple directory listing works with no problem
ssh ME@server2 "ls"
0
 
LVL 48

Expert Comment

by:Tintin
ID: 23186376
What does

sudo ME@server2 "sudo -l"

return?
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23186548
User ME may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/useradd
    (root) NOPASSWD: /usr/sbin/userdel
    (root) NOPASSWD: /usr/sbin/usermod
    (ALL) ALL


0
 
LVL 48

Expert Comment

by:Tintin
ID: 23186585
Very strange.

What about when you do

sudo ME@server2 'sudo /usr/sbin/useradd -?'
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23187946
Ok, I miscommunicated, let me correct myself;

Command
sudo ME@server2 "sudo -l"
Returns
sudo: ME@Server2: command not found
Command
ssh sxars@vm1.sw.alaska.edu "sudo -l"
Returns
User ME may run the following commands on this host:
    (root) NOPASSWD: /usr/sbin/useradd
    (root) NOPASSWD: /usr/sbin/userdel
    (root) NOPASSWD: /usr/sbin/usermod
    (ALL) ALL
Command
sudo ME@server2 'sudo /usr/sbin/useradd -?'
Returns
sudo: ME@Server2: command not found
Command
ssh ME@server2 'sudo /usr/sbin/useradd -?'
Returns
A password request
and
Password:Supersecretiwillnevertell

/usr/sbin/useradd: invalid option -- ?
usage: useradd  [-u uid [-o]] [-g group] [-G group,...]
                [-d home] [-s shell] [-c comment] [-m [-k template]]
                [-f inactive] [-e expire ] [-p passwd] [-M] [-n] [-r] [-l] name
       useradd  -D [-g group] [-b base] [-s shell]
                [-f inactive] [-e expire ]
0
 
LVL 48

Accepted Solution

by:Tintin
Tintin earned 200 total points
ID: 23188319
Bah, sorry for misleading you.  I meant to write ssh instead of sudo.

So just to confirm that


ssh ME@server2 'sudo -l'

returns

User ME may run the following commands on this host:
   (root) NOPASSWD: /usr/sbin/useradd
   (root) NOPASSWD: /usr/sbin/userdel
   (root) NOPASSWD: /usr/sbin/usermod
   (ALL) ALL

and

ssh ME@server2 'sudo /usr/sbin/useradd -?'

prompts you for your sudo password?

0
 
LVL 7

Assisted Solution

by:macker-
macker- earned 150 total points
ID: 23188606
Based on the errors being returned, it sounds like the problem is that sudo itself is not being found.  Try:

ssh ME@server2 "/usr/bin/sudo -l"

Similarly, make sure that sudo does exist, and is in /usr/bin.
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23189158
@tintin
you are correct

@Macker-
the sudo command is working and returning information with
ssh ME@server2 "sudo -l"
and the command
ssh ME@server2 "/usr/bin/sudo -l"
returns the same stuff
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23189178
All,
Is it relevant that these servers are integrated with Active Directory?
They are ESX servers, and have integrated AD authentication.

please remember, I can run this command without being prompted for a password;

ssh ME@server2 "sudo -l"
0
 
LVL 11

Author Comment

by:loftyworm
ID: 23230570
All, I am still stuck here, can anyone help?

0
 
LVL 11

Author Closing Comment

by:loftyworm
ID: 31536968
I have found no solution to this.  I suspect that on a normal nix system this would be fine, but that the AD integration is causing the problem.  I have no solution, and did it all manually :(  Politics preclude more scripting, but there is a vm KB that has a long script that makes it all very easy with a lot of up front work.
http://kb.vmware.com/selfservice/microsites/search.do?cmd=displayKC&docType=kc&externalId=105-105441xml&sliceId=&docTypeID=DT_COMMUNITIES_1_1&dialogID=15740414&stateId=1%200%2015744159
0
