Separating System and People Accounts

It is common to centrally manage computer accounts for system/service functions and people. Organizations might use LDAP or AD. Systems administrators might use a configuration management tool.

A trick I have used more than once is to cache all account data everywhere. Copying user and group (but not password) data out of LDAP into local files means that a buggy directory does not impact operations. If necessary, it is easy to continue to push password authentication directly to the directory service and automate updating the copies.

This is done using Linux’s nsswitch framework and combining authentication sources. Nsswitch is very common, but the trick relies on less commonly known libraries: nssdb, libnss-extrausers, and nss-altfiles.

Why not just munge /etc/{passwd,group} with more lines? That works, but these files can differ slightly across systems with different roles, which makes the munging ugly.

The nsswitch services mentioned above let you keep your system/service accounts in the standard /etc/{passwd,group} and put the other accounts into a second location that can be controlled by a different process. People can be copied out of LDAP or AD and cached in files, or you might keep such data in a git repository and deploy it via Ansible or Puppet.

On Debian, using libnss-extrausers is easy:

apt install -y libnss-extrausers
echo "testuser:x:10000:10000::/home/testuser:/usr/bin/bash" > /var/lib/extrausers/passwd
echo "testuser:x:10000:" > /var/lib/extrausers/group
touch /var/lib/extrausers/shadow
chmod 000 /var/lib/extrausers/shadow

Ensure the passwd, shadow, and group lines in /etc/nsswitch.conf resemble:

passwd: files extrausers
group: files extrausers
shadow: files

Now see if your new user exists:

id testuser
getent passwd testuser
getent -s files passwd testuser
getent -s extrausers passwd testuser

Going this far is usually enough to let a user log in via SSH with a key, but you will want to review your PAM configuration for authenticating users.
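The step the post leaves to "a different process" is producing the extrausers files from a directory export. The script below is an added example, not code from the original post or from the libnss-extrausers project: it renders the passwd and group files from a constructed sample export, never carries a password hash over (the password field is always "x", matching the empty, mode-000 shadow file above), and rejects any record whose name or numeric id collides with a local system account or falls below an assumed people id range. The sample local /etc/passwd and /etc/group contents, the sample directory records, and the PEOPLE_UID_MIN/PEOPLE_GID_MIN thresholds are all assumptions for this example.

```python
"""Render /var/lib/extrausers/{passwd,group} from directory-cached people
records, refusing anything that would shadow a local system account.

Added example, not part of the original post. All inputs below are
constructed samples; the id thresholds are assumptions."""

from typing import Dict, List, Tuple

# Assumption: people accounts live at or above these ids; system/service
# accounts in /etc/{passwd,group} stay below them.
PEOPLE_UID_MIN = 10000
PEOPLE_GID_MIN = 10000

# Constructed sample of the local (system/service) files.
LOCAL_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
svc-backup:x:999:999::/var/lib/backup:/usr/sbin/nologin
"""
LOCAL_GROUP = """root:x:0:
daemon:x:1:
svc-backup:x:999:
"""

# Constructed sample of what an LDAP/AD export might yield. Two of the
# records are deliberately bad so the collision checks have something to do.
PEOPLE = [
    {"name": "testuser", "uid": 10000, "gid": 10000, "gecos": "",
     "home": "/home/testuser", "shell": "/usr/bin/bash"},
    {"name": "alice", "uid": 10001, "gid": 10001, "gecos": "Alice",
     "home": "/home/alice", "shell": "/bin/bash"},
    {"name": "svc-backup", "uid": 10002, "gid": 10002, "gecos": "",
     "home": "/home/svc-backup", "shell": "/bin/bash"},      # name collision
    {"name": "contractor", "uid": 500, "gid": 500, "gecos": "",
     "home": "/home/contractor", "shell": "/bin/bash"},       # below people range
]


def parse_colon_file(text: str) -> Dict[str, int]:
    """Map names to numeric ids from passwd/group-format text (fields 1 and 3)."""
    ids: Dict[str, int] = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        ids[fields[0]] = int(fields[2])
    return ids


def render_extrausers(people: List[dict], local_passwd: str,
                      local_group: str) -> Tuple[str, str, List[str]]:
    """Return (passwd_text, group_text, rejected) for the extrausers files.

    A record is rejected if any field would break the colon-separated format,
    if its name or id already exists in the local files, if its id is below
    the people range, or if it duplicates an earlier record in the export."""
    local_users = parse_colon_file(local_passwd)
    local_groups = parse_colon_file(local_group)
    local_uids = set(local_users.values())
    local_gids = set(local_groups.values())

    passwd_lines, group_lines, rejected = [], [], []
    seen_names, seen_uids, seen_gids = set(), set(), set()
    for p in people:
        name, uid, gid = p["name"], p["uid"], p["gid"]
        text_fields = (name, p["gecos"], p["home"], p["shell"])
        reason = None
        if not name or any(":" in f or "\n" in f for f in text_fields):
            reason = "malformed field"
        elif name in local_users or name in local_groups:
            reason = "name collides with a local system account"
        elif uid in local_uids or gid in local_gids:
            reason = "id collides with a local system account"
        elif uid < PEOPLE_UID_MIN or gid < PEOPLE_GID_MIN:
            reason = "id below the people range"
        elif name in seen_names or uid in seen_uids or gid in seen_gids:
            reason = "duplicate within the export"
        if reason:
            rejected.append(f"{name}: {reason}")
            continue
        seen_names.add(name)
        seen_uids.add(uid)
        seen_gids.add(gid)
        # Password field is always "x": no hash is ever cached locally, so
        # password checks keep going to the directory service.
        passwd_lines.append(f"{name}:x:{uid}:{gid}:{p['gecos']}:{p['home']}:{p['shell']}")
        group_lines.append(f"{name}:x:{gid}:")
    return "\n".join(passwd_lines) + "\n", "\n".join(group_lines) + "\n", rejected


if __name__ == "__main__":
    passwd_text, group_text, rejected = render_extrausers(PEOPLE, LOCAL_PASSWD, LOCAL_GROUP)
    # In deployment these strings would be written (atomically, then renamed)
    # to /var/lib/extrausers/passwd and /var/lib/extrausers/group.
    print(passwd_text, end="")
    print(group_text, end="")
    for r in rejected:
        print("rejected:", r)
```

The collision checks matter because nsswitch consults `files` before `extrausers`: a people entry that reuses a system account's name or uid would not take effect for lookups, but it would still be a configuration error worth failing loudly on rather than silently ignoring.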

Useful links: