Simple one-way synchronisation of user password list between servers

linux user-management synchronization

Using a RedHat-derivative distro (CentOS), I'd like to keep the list of regular users (UID over 500), and group (and shadow files) pushed to a backup server.
The sync is only one-way, from the main server to the backup server.

I don't really want to have to deal with LDAP or NIS.
All I need is a simple script that can be run nightly to keep the backup server updated.
The main server can SSH into the backup system.

Any suggestion?

Edit:
Thanks for the suggestions so far but I think I didn't make myself clear enough.
I'm only looking at synchronising normal users whose UID is on or above 500.
System/service users (with UID below 500) may be different on both system.
So you can't just sync the whole files I'm afraid.


You can use awk to extract users/groups with IDs of 500 or greater. I have also taken the liberty of excluding user id 65534, which is often reserved for the "nobody" user (depending on distro; no clue if CentOS does so):

awk -F: '($3>=500) && ($3!=65534)' /etc/passwd > passwd.new
awk -F: '($3>=500) && ($3!=65534)' /etc/group > group.new
awk -F: '($3>=500) && ($3!=65534) {print $1}' /etc/passwd | grep -f - /etc/shadow > shadow.new

Then use rsync, scp, or your file transmission method of choice to copy the files to your backup system. These files can then be appended to the end of a 'clean' passwd, group or shadow file when you need to restore them (ie: default system users/groups only, to prevent unintentional duplications of ID/username).

cat passwd.new >> /etc/passwd
cat group.new >> /etc/group
cat shadow.new >> /etc/shadow

NIS/NIS+ were invented for this exact reason.

But they're kind of ugly and centralized (LDAP/Kerberos/SMB/etc.) authentication is a much much better idea if you can do it. To setup NIS/NIS+ you will need:

Packages:

yp-tools ypbind ypserv portmap

and an /etc/yp.conf with something like:

domain example.org server nis.example.org
ypserver nis.example.org

and then in /etc/sysconfig/network:

NISDOMAIN=example.org

And I got lazy, here's a good howto: http://www.wains.be/index.php/2007/02/28/setting-up-nis-under-centos-4/ that will walk you through it.

Personally for backup I'd just backup the entire /etc/ directory and be done with it. It's only a few megs at most.


use cppw and cpgr:

CPPW(8)                                                                                                                                                      

NAME
       cppw, cpgr - copy with locking the given file to the 
       password or group file

SYNOPSIS<br>
       cppw [-h] [-s] password_file
       cpgr [-h] [-s] group_file

DESCRIPTION
       cppw  and  cpgr will copy, with locking, the given file to
       /etc/passwd and /etc/group, respectively.  With the -s flag, 
       they will copy the shadow versions of those files, 
       /etc/shadow and /etc/gshadow, respectively.

       With the -h flag, the commands display a short help message
       and exit silently.

SEE ALSO
       vipw(8), vigr(8), group(5), passwd(5), shadow(5), gshadow(5)

AUTHOR
       cppw and cpgr were written by Stephen Frost, based on vipw 
       and vigr written by Guy Maor.

Related

403 Forbidden error on Mac OSX - Apache and nginx
Transparent firewall with nftables and VLANs
Secure remote RDP worker prevent file transfer
Getting Xvfb to start upon booting system in Ubuntu Maverick
Good resources to learn about the Windows registry
Managing zone files
How to mount external vfat drive as user?
Keeping user's filesystem persistent across AWS EC2 spot instances
Emails going to Junk for Hotmail recipients [duplicate]
/etc/pam.d/login vs. /etc/pam.d/system-auth
How to reverse proxy with or without trailing slash
Why is my server getting connections from its own IP?