/etc/sync-accounts - configuration file for sync-accounts
/etc/sync-accounts contains the default configuration of the sync-
accounts(8) account synchronisation tool.
The configuration file specifies how to access and update the local
password and group databases, where sync-accounts should log.
It also specifies the list of (remote) sources for account information,
and which accounts and details should be copied from each source to the
OVERALL SYNTAX AND SEMANTICS
The configuration file is parsed as a series of lines. First, leading
and trailing whitespace on each line is removed, and then empty lines,
or lines starting with #, are removed.
Each line is parsed as a directive. The order of directives is
significant; some directives set up information which later directives
The configuration file must contain an end directive; anything after
that point is ignored.
These directives may appear only at the start of the file (before any
other directives), and each directive must appear only once; otherwise,
sync-accounts my behave oddly.
lockpasswd|lockgroup method [details ...]
Specifies how the passwd and group files should be read and/or
locked. See LOCKING METHOD DIRECTIVES below.
Append log messages to filename instead of stdout. Errors still
go to stderr.
Specifies the local password file is in the relevant format: std
is the standard V7 password file (with a SysV-style /etc/shadow
if /etc/shadow exists). bsd is the BSD4.4 master.passwd format,
and should be used only with lockpasswd runvia vipw. The
default is std.
LOCKING METHOD DIRECTIVES
One lockgroup and one lockpasswd directive must be present, in the
global directives at the start of the config file.
The choice of the appropriate directives can be difficult without
special knowledge of the local system. In general, it is best to use
lockpasswd runvia vipw where this is available, as if this works avoids
having to know the names of the lockfiles.
GNU systems (including GNU/Linux and Debian GNU/BSD) typically lock the
group file separately and supply vigr, in which case you should use
Most systems other than GNU do not lock the group file at all (or
assume that all programs which modify the group file will lock the
passwd file), in which case lockgroup none is appropriate.
If vigr or vipw is not available or is known to be broken (eg, because
it does not lock properly), then use link.
lockpasswd|lockgroup runvia program
sync-accounts will reinvoke itself using program, which must
behave like vipw or vigr. sync-accounts will set the EDITOR
environment variable to the path it was invoked with (Perl’s $0)
and put some information for its own use into SYNC_ACCOUNTS_*
environment variables (which will also allow sync-accounts to
tell that it has already been reinvoked via program and should
not do so again).
If both lockpasswd runvia vipw and lockgroup runvia vigr are
specified, then it must be possible and safe for the EDITOR run
by vipw to invoke vigr, as this is what sync-accounts will do.
lockpasswd|lockgroup link suffix|filename
sync-accounts will attempt to lock the passwd or group file by
making a hardlink from the real file to the specified filename.
If suffix|filename starts with a / it is interpreted as a
filename; otherwise it is interpreted as a suffix, to be
appended to the real database filename.
sync-accounts will not attempt to lock the passwd or group files
lockgroup none is appropriate on systems where there is no
separate locking for the group file (either because there is no
proper support for automatic editing of the group file, or
because you’re expected to lock the password file), although in
the absence of vigr it’s inevitable that simultaneous changes to
the group file made by both the human sysadmin and by sync-
accounts will cause problems.
lockpasswd none is very dangerous and should not normally be
used. It will cause data loss if any other tool for changing
password data is used - eg, passwd(1).
Within each source’s section, all of the per-source directives must
appear before any account-selection directives; otherwise sync-accounts
may behave oddly. If a per-source directive is repeated, the last
setting takes effect.
Starts a source’s section. Usually each source will correspond
exactly to one host which is acting as a source of account data.
The host directive resets the per-source parameters to the
defaults. source need not be the source host’s official name in
any sense and is used only for identification. Any source must
be named in only one host directive, or sync-accounts may behave
sync-accounts always fetches account data from sources by
running specified commands on the local host; it does not
contain any network protocols, itself.
command is fed to sh -c and might typically contain something
ssh firstname.lastname@example.org cat /etc/passwd
where the user syncacct on remote.host is in group shadow, or
cat /var/local/sync-accounts/remote.host/passwd where the
file named is copied across using cron.
getpasswd must be specified if user data is to be transferred;
getgroup must be specified if group data is to be transferred.
getshadow should be specified iff getpasswd is specified but the
data from getpasswd does not contain actual password
information, and should emit data in Sys-V shadow password
Specifies the format of the output of getpasswd. std is
standard V7 passwd file format (optionally augmented by the use
of a shadow file fetched with getshadow). bsd is the BSD4.4
master.passwd format (and getshadow should not normally be used
with remoteformat bsd). The default is std.
The following directives affect the way that account data is copied.
They may be freely mixed with other directives, and repeated. The
setting in effect is the one set by the last relevant settings
directive before any particular account-selection directive.
When an account is to be created locally, a uid/gid will be
chosen which is one higher than the highest currently in use,
except that ids below uidmin or above uidmax are ignored and
will never be used. There is no default.
When an account is to be created locally, its home directory
will be homebase/username where username is the name of the
account. The default is /home.
Specifies whether uids are supposed to match. With sameuid, it
is an error for the uid or gid of a synchronised local account
not to match the corresponding remote account, and new local
accounts will get the remote accounts’ ids. The default is
usergroups | nousergroups | defaultgid gid
Specifies whether local accounts are supposed to have
corresponding groups, or all be part of a particular group. The
default is usergroups.
With usergroups, when a new account is created, the
corresponding per-user group will be created as well, and per-
user groups are created for existing accounts if necessary (if
account creation is enabled). If the gid or group name for a
per-user group is already taken for a different group name or
gid this will be logged, and processing of that account will be
inhibited, but it is not a fatal error.
With defaultgid, newly-created accounts will be made a part of
that group, and the groups of existing accounts will be left
With nousergroups, no new accounts can be created, and existing
accounts’ groups will be left alone.
createuser [command] | nocreateuser
Specifies whether accounts found on the remote host should be
created if necessary, and what command to run to do the the rest
of the account setup (eg, creation of home directory, etc.).
The default is nocreateuser.
If createuser is specified without a command then sync-accounts-
createuser is used; the supplied sync-accounts-createuser
program is a reasonable minimal implementation.
With createuser, either sameuid, or both uidmin and uidmax, must
be specified, if accounts are actually to be created.
The command is passed to sh -c. See sync-accounts-createuser(8)
for details of command’s environment and functionality.
group specifies that the membership of the local groups
specified should be adjusted adjusted whenever account data for
any user is copied, so that the account will be a member of the
affected group locally iff the source account it is a member of
the same group on the source host.
The most recently-encountered glob-pattern for a particular
group takes effect. The default is nogroups *.
The glob patterns may contain only alphanumerics, the two glob
metacharacters * ? and four punctuation characters - + . _;
\-quoting and character sets and ranges are not supported.
Local accounts’ shells will, when an account is synchronised, be
set to the remote account’s shell if the same file exists
locally and is executable. Otherwise, this value will be used.
The default is /bin/sh.
These directives specify that the selected accounts are to be
synchronised: that is, the local account data will be unconditionally
overwritten (according to the synchronisation settings) with data from
the current source (according to the most recent host directive).
Any particular local username will only be synchronised once; the
source and settings for first account selection directive which selects
that local username will be used.
When an account is synchronised, the account password, comment field,
and shell will be copied unconditionally. If sameuid is in effect
specified the uid will be checked (or copied, for new accounts).
user username [remote=remoteusername]
Specifies that account data should be copied for local user
username from the remote account remoteusername (or username if
remoteusername is not specified).
Specifies that all remote users whose remote uid is in the given
range are to be synchronised to corresponding user accounts.
(Note that the remote uid will only be copied if sameuid is in
Specifies that data for username is not to be copied, even if
subsequent user or users directives suggest that it should be.
This directive has no effect on sync-accounts. However, it is
used as a placeholder by grab-account: new accounts for creation
are inserted just before addhere. See grab-account(8).
end must appear in the configuration file, usually at the end of the
file. Nothing after it will be read.
The advice about the correct lockpasswd and lockgroup directives is
probably out of date or flatly wrong.
sync-accounts and this manpage are part of the sync-accounts package
which was written by Ian Jackson <email@example.com>. They
are Copyright 1999-2000,2002 Ian Jackson
<firstname.lastname@example.org>, and Copyright 2000-2001 nCipher
The sync-accounts package is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public License as
published by the Free Software Foundation; either version 3, or (at
your option) any later version.
This is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTABILITY or
FITNESS FOR A PARTICULAR PURPOSE. See the GNU General Public License
for more details.
You should have received a copy of the GNU General Public License along
with this program; if not, consult the Free Software Foundation’s
website at www.fsf.org, or the GNU Project website at www.gnu.org.
sync-accounts(8), grab-account(8), sync-accounts-createuser(8),
passwd(5), group(5), shadow(5), master.passwd(5), vipw(8), vigr(8)