sync-accounts(5)
NAME
/etc/sync-accounts - configuration file for sync-accounts
DESCRIPTION
/etc/sync-accounts contains the default configuration of the sync- accounts(8) account synchronisation tool. The configuration file specifies how to access and update the local password and group databases, where sync-accounts should log. It also specifies the list of (remote) sources for account information, and which accounts and details should be copied from each source to the local system.
OVERALL SYNTAX AND SEMANTICS
The configuration file is parsed as a series of lines. First, leading and trailing whitespace on each line is removed, and then empty lines, or lines starting with #, are removed. Each line is parsed as a directive. The order of directives is significant; some directives set up information which later directives rely on. The configuration file must contain an end directive; anything after that point is ignored.
GLOBAL DIRECTIVES
These directives may appear only at the start of the file (before any
other directives), and each directive must appear only once; otherwise,
sync-accounts my behave oddly.
lockpasswd|lockgroup method [details ...]
Specifies how the passwd and group files should be read and/or
locked. See LOCKING METHOD DIRECTIVES below.
logfile filename
Append log messages to filename instead of stdout. Errors still
go to stderr.
localformat bsd|std
Specifies the local password file is in the relevant format: std
is the standard V7 password file (with a SysV-style /etc/shadow
if /etc/shadow exists). bsd is the BSD4.4 master.passwd format,
and should be used only with lockpasswd runvia vipw. The
default is std.
LOCKING METHOD DIRECTIVES
One lockgroup and one lockpasswd directive must be present, in the
global directives at the start of the config file.
The choice of the appropriate directives can be difficult without
special knowledge of the local system. In general, it is best to use
lockpasswd runvia vipw where this is available, as if this works avoids
having to know the names of the lockfiles.
GNU systems (including GNU/Linux and Debian GNU/BSD) typically lock the
group file separately and supply vigr, in which case you should use
lockgroup vigr.
Most systems other than GNU do not lock the group file at all (or
assume that all programs which modify the group file will lock the
passwd file), in which case lockgroup none is appropriate.
If vigr or vipw is not available or is known to be broken (eg, because
it does not lock properly), then use link.
lockpasswd|lockgroup runvia program
sync-accounts will reinvoke itself using program, which must
behave like vipw or vigr. sync-accounts will set the EDITOR
environment variable to the path it was invoked with (Perl's $0)
and put some information for its own use into SYNC_ACCOUNTS_*
environment variables (which will also allow sync-accounts to
tell that it has already been reinvoked via program and should
not do so again).
If both lockpasswd runvia vipw and lockgroup runvia vigr are
specified, then it must be possible and safe for the EDITOR run
by vipw to invoke vigr, as this is what sync-accounts will do.
lockpasswd|lockgroup link suffix|filename
sync-accounts will attempt to lock the passwd or group file by
making a hardlink from the real file to the specified filename.
If suffix|filename starts with a / it is interpreted as a
filename; otherwise it is interpreted as a suffix, to be
appended to the real database filename.
lockpasswd|lockgroup none
sync-accounts will not attempt to lock the passwd or group files
at all.
lockgroup none is appropriate on systems where there is no
separate locking for the group file (either because there is no
proper support for automatic editing of the group file, or
because you're expected to lock the password file), although in
the absence of vigr it's inevitable that simultaneous changes to
the group file made by both the human sysadmin and by sync-
accounts will cause problems.
lockpasswd none is very dangerous and should not normally be
used. It will cause data loss if any other tool for changing
password data is used - eg, passwd(1).
PER-SOURCE DIRECTIVES
Within each source's section, all of the per-source directives must
appear before any account-selection directives; otherwise sync-accounts
may behave oddly. If a per-source directive is repeated, the last
setting takes effect.
host source
Starts a source's section. Usually each source will correspond
exactly to one host which is acting as a source of account data.
The host directive resets the per-source parameters to the
defaults. source need not be the source host's official name in
any sense and is used only for identification. Any source must
be named in only one host directive, or sync-accounts may behave
oddly.
getpasswd|getgroup|getshadow command...
sync-accounts always fetches account data from sources by
running specified commands on the local host; it does not
contain any network protocols, itself.
command is fed to sh -c and might typically contain something
like
ssh syncacct@remote.host cat /etc/passwd
where the user syncacct on remote.host is in group shadow, or
cat /var/local/sync-accounts/remote.host/passwd where the
file named is copied across using cron.
getpasswd must be specified if user data is to be transferred;
getgroup must be specified if group data is to be transferred.
getshadow should be specified iff getpasswd is specified but the
data from getpasswd does not contain actual password
information, and should emit data in Sys-V shadow password
format.
remoteformat std|bsd
Specifies the format of the output of getpasswd. std is
standard V7 passwd file format (optionally augmented by the use
of a shadow file fetched with getshadow). bsd is the BSD4.4
master.passwd format (and getshadow should not normally be used
with remoteformat bsd). The default is std.
SYNCHRONISATION SETTINGS
The following directives affect the way that account data is copied.
They may be freely mixed with other directives, and repeated. The
setting in effect is the one set by the last relevant settings
directive before any particular account-selection directive.
uidmin|uidmax value
When an account is to be created locally, a uid/gid will be
chosen which is one higher than the highest currently in use,
except that ids below uidmin or above uidmax are ignored and
will never be used. There is no default.
homebase homebase
When an account is to be created locally, its home directory
will be homebase/username where username is the name of the
account. The default is /home.
[no]sameuid
Specifies whether uids are supposed to match. With sameuid, it
is an error for the uid or gid of a synchronised local account
not to match the corresponding remote account, and new local
accounts will get the remote accounts' ids. The default is
nosameuid.
usergroups | nousergroups | defaultgid gid
Specifies whether local accounts are supposed to have
corresponding groups, or all be part of a particular group. The
default is usergroups.
With usergroups, when a new account is created, the
corresponding per-user group will be created as well, and per-
user groups are created for existing accounts if necessary (if
account creation is enabled). If the gid or group name for a
per-user group is already taken for a different group name or
gid this will be logged, and processing of that account will be
inhibited, but it is not a fatal error.
With defaultgid, newly-created accounts will be made a part of
that group, and the groups of existing accounts will be left
alone.
With nousergroups, no new accounts can be created, and existing
accounts' groups will be left alone.
createuser [command] | nocreateuser
Specifies whether accounts found on the remote host should be
created if necessary, and what command to run to do the the rest
of the account setup (eg, creation of home directory, etc.).
The default is nocreateuser.
If createuser is specified without a command then sync-accounts-
createuser is used; the supplied sync-accounts-createuser
program is a reasonable minimal implementation.
With createuser, either sameuid, or both uidmin and uidmax, must
be specified, if accounts are actually to be created.
The command is passed to sh -c. See sync-accounts-createuser(8)
for details of command's environment and functionality.
group|nogroup glob-pattern
group specifies that the membership of the local groups
specified should be adjusted adjusted whenever account data for
any user is copied, so that the account will be a member of the
affected group locally iff the source account it is a member of
the same group on the source host.
The most recently-encountered glob-pattern for a particular
group takes effect. The default is nogroups *.
The glob patterns may contain only alphanumerics, the two glob
metacharacters * ? and four punctuation characters - + . _;
\-quoting and character sets and ranges are not supported.
defaultshell pathname
Local accounts' shells will, when an account is synchronised, be
set to the remote account's shell if the same file exists
locally and is executable. Otherwise, this value will be used.
The default is /bin/sh.
ACCOUNT SELECTION
These directives specify that the selected accounts are to be
synchronised: that is, the local account data will be unconditionally
overwritten (according to the synchronisation settings) with data from
the current source (according to the most recent host directive).
Any particular local username will only be synchronised once; the
source and settings for first account selection directive which selects
that local username will be used.
When an account is synchronised, the account password, comment field,
and shell will be copied unconditionally. If sameuid is in effect
specified the uid will be checked (or copied, for new accounts).
user username [remote=remoteusername]
Specifies that account data should be copied for local user
username from the remote account remoteusername (or username if
remoteusername is not specified).
users ruidmin-ruidmax
Specifies that all remote users whose remote uid is in the given
range are to be synchronised to corresponding user accounts.
(Note that the remote uid will only be copied if sameuid is in
effect.)
nouser username
Specifies that data for username is not to be copied, even if
subsequent user or users directives suggest that it should be.
addhere
This directive has no effect on sync-accounts. However, it is
used as a placeholder by grab-account: new accounts for creation
are inserted just before addhere. See grab-account(8).
FINAL DIRECTIVE
end must appear in the configuration file, usually at the end of the
file. Nothing after it will be read.
BUGS
The advice about the correct lockpasswd and lockgroup directives is probably out of date or flatly wrong.
AUTHOR
sync-accounts and this manpage are part of the sync-accounts package which was written by Ian Jackson <ian@chiark.greenend.org.uk>. They are Copyright 1999-2000,2002 Ian Jackson <ian@davenant.greenend.org.uk>, and Copyright 2000-2001 nCipher Corporation Ltd. The sync-accounts package is free software; you can redistribute it and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; either version 3, or (at your option) any later version. This is distributed in the hope that it will be useful, but WITHOUT ANY WARRANTY; without even the implied warranty of MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License for more details. You should have received a copy of the GNU General Public License along with this program; if not, consult the Free Software Foundation's website at www.fsf.org, or the GNU Project website at www.gnu.org.
SEE ALSO
sync-accounts(8), grab-account(8), sync-accounts-createuser(8), passwd(5), group(5), shadow(5), master.passwd(5), vipw(8), vigr(8)
Opportunity
Personal Opportunity - Free software gives you access to billions of dollars of software at no cost. Use this software for your business, personal use or to develop a profitable skill. Access to source code provides access to a level of capabilities/information that companies protect though copyrights. Open source is a core component of the Internet and it is available to you. Leverage the billions of dollars in resources and capabilities to build a career, establish a business or change the world. The potential is endless for those who understand the opportunity.
Business Opportunity - Goldman Sachs, IBM and countless large corporations are leveraging open source to reduce costs, develop products and increase their bottom lines. Learn what these companies know about open source and how open source can give you the advantage.
Free Software
Free Software provides computer programs and capabilities at no cost but more importantly, it provides the freedom to run, edit, contribute to, and share the software. The importance of free software is a matter of access, not price. Software at no cost is a benefit but ownership rights to the software and source code is far more significant.
Free Office Software - The Libre Office suite provides top desktop productivity tools for free. This includes, a word processor, spreadsheet, presentation engine, drawing and flowcharting, database and math applications. Libre Office is available for Linux or Windows.
Free Books
The Free Books Library is a collection of thousands of the most popular public domain books in an online readable format. The collection includes great classical literature and more recent works where the U.S. copyright has expired. These books are yours to read and use without restrictions.
Source Code - Want to change a program or know how it works? Open Source provides the source code for its programs so that anyone can use, modify or learn how to write those programs themselves. Visit the GNU source code repositories to download the source.
Education
Study at Harvard, Stanford or MIT - Open edX provides free online courses from Harvard, MIT, Columbia, UC Berkeley and other top Universities. Hundreds of courses for almost all major subjects and course levels. Open edx also offers some paid courses and selected certifications.
Linux Manual Pages - A man or manual page is a form of software documentation found on Linux/Unix operating systems. Topics covered include computer programs (including library and system calls), formal standards and conventions, and even abstract concepts.
