Centralized User Account Management for Hundreds of RHEL Servers: AD-like Solutions and Automation Techniques


2 views

Managing user accounts across hundreds of RHEL servers presents unique challenges. While local root accounts are necessary for system administration, maintaining consistency becomes impractical at scale. Network user accounts compound this complexity, especially when dealing with employee turnover or permission changes.

Several centralized authentication solutions exist for Linux environments:

  • FreeIPA: Red Hat's identity management solution
  • SSSD with LDAP: Lightweight Directory Access Protocol integration
  • Samba + Winbind: AD integration for Linux systems
  • Puppet/Ansible: Configuration management with user modules

Here's how to set up FreeIPA client on RHEL:

# Install required packages
sudo yum install ipa-client oddjob-mkhomedir

# Join the FreeIPA domain
sudo ipa-client-install --domain=example.com \
--server=ipa.example.com \
--principal=admin@EXAMPLE.COM \
--realm=EXAMPLE.COM \
--enable-dns-updates \
--mkhomedir \
--no-ntp

For local root accounts that can't be centralized, consider this Ansible playbook snippet:

- name: Manage root passwords across servers
  hosts: all
  become: yes
  vars:
    root_password_hash: "$6$rounds=656000$saltvalue$hashedpassword"
  
  tasks:
    - name: Set root password
      user:
        name: root
        password: "{{ root_password_hash }}"

For network users, SSSD configuration provides flexible authentication:

# /etc/sssd/sssd.conf
[sssd]
services = nss, pam
config_file_version = 2
domains = example.com

[domain/example.com]
id_provider = ldap
auth_provider = ldap
ldap_uri = ldap://ldap.example.com
ldap_search_base = dc=example,dc=com
ldap_user_search_base = ou=users,dc=example,dc=com
cache_credentials = True

When implementing centralized authentication:

  • Always use TLS/SSL for directory server connections
  • Implement proper certificate management
  • Set up failover mechanisms for high availability
  • Regularly audit user permissions

Common issues and solutions:

# Check authentication flow:
getent passwd username

# Verify SSSD operation:
systemctl status sssd

# Test LDAP connectivity:
ldapsearch -x -H ldap://server -b "dc=example,dc=com"

Managing user accounts across hundreds of RHEL servers presents unique challenges:

  • Password synchronization nightmares for local root accounts
  • Inconsistent UID/GID assignments across servers
  • Manual provisioning/deprovisioning delays
  • Auditing complexity for compliance requirements

Here are the most robust approaches used in large-scale Linux environments:

1. FreeIPA (Identity Policy Audit)

# On RHEL8/CentOS8:
sudo dnf install -y freeipa-server
sudo ipa-server-install \
  --domain=example.com \
  --realm=EXAMPLE.COM \
  --ds-password=StrongDSPassword \
  --admin-password=StrongAdminPass \
  --hostname=ipa.example.com \
  --setup-dns \
  --auto-forwarders

2. SSSD + Active Directory Integration

For environments with existing Windows AD infrastructure:

# /etc/sssd/sssd.conf snippet:
[sssd]
services = nss, pam, ssh
domains = example.com

[domain/example.com]
id_provider = ad
access_provider = ad
auth_provider = ad
chpass_provider = ad
cache_credentials = True
ldap_id_mapping = True

For local root accounts, consider these approaches:

Centralized sudoers Management

# In /etc/sudoers.d/central_policy
%admin ALL=(ALL) NOPASSWD: ALL
Defaults:root !requiretty
Defaults:%admin !requiretty

SSH Certificate Authority

Replace password-based root access with certificates:

# On CA server:
ssh-keygen -t rsa -b 4096 -f root_ca
# On each host:
echo "TrustedUserCAKeys /etc/ssh/root_ca.pub" >> /etc/ssh/sshd_config

Example Ansible playbook for user management:

---
- name: Manage users across RHEL cluster
  hosts: all
  become: yes
  vars:
    admin_users:
      - name: jsmith
        uid: 5001
        groups: wheel
      - name: mjones
        uid: 5002
        groups: admins

  tasks:
    - name: Ensure admin groups exist
      group:
        name: "{{ item }}"
        state: present
      loop:
        - wheel
        - admins

    - name: Create admin users
      user:
        name: "{{ item.name }}"
        uid: "{{ item.uid }}"
        groups: "{{ item.groups }}"
        append: yes
        shell: /bin/bash
      loop: "{{ admin_users }}"

Essential commands for tracking account activity:

# Last logins across all servers (run from central management node)
for host in $(cat server_list); do
  echo "=== $host ==="
  ssh $host "lastlog"
done

# Check sudo history
ausearch -ts today -m USER_CMD -i | grep sudo