topic Re: Migrating Certain Users between 2 Trusted Systems in Operating System - HP-UX

Migrating Certain Users between 2 Trusted Systems

NateJones — Tue, 21 Aug 2007 12:52:35 GMT

Greetings,

We have about 35 HP/UX boxes (all trusted), and every so often we need to migrate a client to a new HP box, but we only want to move certain users as the box usually contains at least two clients.

Does anyone have a method or tool of moving users by, say, gid?

The only way I have done it in the past is:

- cut/paste the entries out of the the passwd/group files
- go through /tcb/auth and copy the subdirectory for each user from the old box to the new one.

As you can imagine, this is incredibly time consuming and error prone. :(

Thanks in advance,
Nate

Re: Migrating Certain Users between 2 Trusted Systems

Steven E. Protter — Tue, 21 Aug 2007 13:20:28 GMT

Shalom,

1) Do an Ignite backup of the vg00 on the system before you start.

2) cd /etc

Under here there is either auth/files or files/auth

Your users are arrayed in 26 different folders for the first letter of reach user name.

cd a
scp -p * newsystemhostname:/$PWD
repeat for all letters ACCEPT r

Why not r, because ROOT is in there.

Copy those files one at a time, not including root.

Copy the optional user entries from /etc/passwd and /etc/group on the new system. Take care not to overwrite the system and deamon users.

Restart the target system.

Your users should be functional and transfer correctly.

SEP

Re: Migrating Certain Users between 2 Trusted Systems

NateJones — Tue, 21 Aug 2007 13:55:16 GMT

Thanks Stephen.

I don't see files or auth under /etc. Did you mean /tcb?

The problem with manually copying the entire subdirectories (a, b, c, etc) is that I will get users that I dont want.

I think the best way is going to be to write a script to grep through passwd for every userid matching whatever GID we want, then find each subdirectory in /tcb/files/auth and create a tar file that can be copied to /tcb on the new system.

Re: Migrating Certain Users between 2 Trusted Systems

A. Clay Stephenson — Tue, 21 Aug 2007 14:12:50 GMT

You are on the right track with yout scripting but grep is a terrible choice for matching GID's or logins. For example, grep "20" /etc/passwd would match UID 20, GID 20, GID 200, GID 2000, GID 120, .... Instead use something like

typeset -i GID=20
awk -v gid=${GID} -F ':' '{if (($4 + 0) == (gid + 0)) print $0}' /etc/passwd

which will match only GID 20.

There are some other "gotcha's" as well. You need to make sure that UID 200 on box A is not already in use; ditto for audit id;s, and GID's.

The best way to approach this problem is to implement a unified passwd/group management system such as LDAP so that you only do this in one place and the changes are visible everywhere.

Re: Migrating Certain Users between 2 Trusted Systems

NateJones — Tue, 21 Aug 2007 14:33:35 GMT

Thanks. Yea, I was being somewhat generic with my language. Thanks for the advice though!

As for your gotchas, they have definitely been problems in the past, esp. the duplicate user name! We'll add some logic for that.

Lastly, my knowledge of LDAP is extremely limited, but my understanding is that it can't be used, or at least used effectively or easily, because each HP box is on a completely separate network. Each box can't even see another one.

Re: Migrating Certain Users between 2 Trusted Systems

NateJones — Tue, 21 Aug 2007 18:40:59 GMT

To give a little something back, I've attached 2 perl scripts that one of my guys wrote for me today to transfer particular groups of users from one box to another.

(Remove the .txt extension before you run them on the HP machine.)

HP2PASSWD.pl - On an HP system this script creates an /etc/passwd like file whose location is specified in the script of a client that is also specified in the script that contains the password hash. This file can be imported to an HP Server with the PASSWD2HP.pl script

PASSWD2HP.pl - This script imports the /etc/passwd like files created by the above scripts to an HP system by creating new users and injecting the password hash into their /tcb/files/auth files.

Hopefully these will be helpful to others in my situation.

Nate

Re: Migrating Certain Users between 2 Trusted Systems

NateJones — Tue, 21 Aug 2007 18:47:11 GMT

Couple more things:

1. The first script is read-only, except for creating the output file wherever you choose. The second file, passwd2hp, writes to both /etc/passwd and creates the subdirectories in /tcb/files/auth. I STRONGLY recommend you backup the passwd file and tar up the /tcb/files/auth directory before you run it!

2. One good thing about this script, is that the output of the HP2PASSWD script is a standard passwd file. This is good because another situation we are often in having to transfer users from a non-trusted system to a trusted one. This means the PASSWD2HP script will take either the output from HP2PASSWD OR a non-trusted regular passwd file! This once also very helpful for me.

Nate