
How to recover Trusted System accounts

 
Kevin (Gonzo) Bushman
Frequent Advisor

All,

This may be a SysAdmin101 question, but I've run into this problem at our DR site and have never really figured out a solution that I could rely on.

Situation:

We do regular DR exercises. The DR site has different, but comparably powered systems (we have a PA-RISC Dome here, and we recover on an rp8400). We are running 11.11 in Trusted Mode.

When we go to the DR site, the DR system is set up for me before I get there in UNTRUSTED mode. So one of the things I need to do is recover my accounts.

Problem:

Before I convert the system to Trusted Mode, I recover /etc/passwd, group, /tcb, etc. Then I convert it to Trusted Mode. The problem is that at that point, none of the passwords will work. The accounts are there, but no passwords will work. If I convert BACK to Untrusted Mode, all is fine and the passwords work.

Since we are running in Trusted Mode here (and I need to there for security reasons), how do I recover the TCB DB so the passwords will work as they should?

We have our next exercise in a couple of weeks so I'd like to figure this out before we go.

Also, I know that in untrusted mode it only uses the first 8 characters. But since I'm restoring the TCB DB and converting it to Trusted Mode, it SHOULD use the full length passwords, not just the first 8 characters.

What am I missing?

TIA to any that has a suggestion!

-G
If you do nothing else in with your life, make friends with a dog.
Patrick Wallek
Honored Contributor

Re: How to recover Trusted System accounts

Try converting to trusted mode FIRST and then restoring /etc/passwd, /etc/group, /tcb, etc.

That should work better.

All passwords will be intact and all password aging and lockout information will be as of the last backup.
James R. Ferguson
Acclaimed Contributor

Re: How to recover Trusted System accounts

Hi Kevin:

Why not periodically make an Ignite recovery tape and use that to clone your home image to your recovery site hardware? As long as similar hardware is used, this should provide you a complete look-alike restoration.

Regards!

...JRF...
Kevin (Gonzo) Bushman
Frequent Advisor

Re: How to recover Trusted System accounts

Patrick - That makes sense. And certainly worth a try. I think there was a reason I didn't do it in that order though. I don't remember exactly what that reason was, but I think there was a reason. Maybe I'm just over-analyzing my problem!

JRF - I've thought of that and the problem there is that it's not similar hardware. We are running a Dome here and at the DR site we have an rp8400. Last I checked, you can't use an Ignite tape across systems like that. We also have more memory here than at the DR site, not that it matters that much for recovery. But the point is, it is different H/W.

-G
If you do nothing else in with your life, make friends with a dog.
Jim Walls
Trusted Contributor

Re: How to recover Trusted System accounts

If you are able to establish a network connection between the Live and DR hosts, you could run a periodic job out of the DR crontab to synchronise the users.

We do this for two DR systems.

- extract the list of all relevant users on the Live server
- compare with those on the DR server
- reconcile differences (delete users that have disappeared and add any new users) since the last run.
- fix up any password changes by running /usr/sam/lbin/usermod.sam on the DR server using encrypted passwords from the Live server.

We avoid doing any editing of the user data and strictly use the proper interfaces (useradd, userdel, usermod commands) for all account management.

Our scripts are a bit complicated by the fact that one of the Live systems is not Trusted but its DR is! However, the outline process is much the same. In one scenario we establish/maintain an ssh tunnel to get the necessary network plumbed in.
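
The compare-and-reconcile step outlined in the reply above, sketched as a dry-run planner. This is an added example, not part of the thread or of the poster's scripts. The extract format (one `user:encrypted_password` line per account), the function name `plan_sync` and the action labels are assumptions, and the sample data is constructed.

```shell
#!/bin/sh
# Dry-run planner for the Live -> DR account sync outlined above.
# Assumed input (hypothetical extract format): one "user:encrypted_password"
# line per relevant account, produced separately on each host.

# plan_sync LIVE_EXTRACT DR_EXTRACT
# Prints one action per line: "ADD user", "DEL user" or "SETPW user".
plan_sync() {
    live=$1 dr=$2
    # An empty or missing Live extract usually means the transfer failed;
    # planning from it would mark every DR account for deletion.
    if [ ! -s "$live" ]; then
        echo "plan_sync: Live extract '$live' is empty or missing" >&2
        return 1
    fi
    [ -f "$dr" ] || { echo "plan_sync: DR extract '$dr' not found" >&2; return 1; }
    awk -F: '
        NR == FNR { live[$1] = $2; next }   # first file: Live accounts
        { dr[$1] = $2 }                     # second file: DR accounts
        END {
            for (u in live) {
                if (!(u in dr))            print "ADD " u
                else if (live[u] != dr[u]) print "SETPW " u
            }
            for (u in dr)                   # never plan to delete root
                if (!(u in live) && u != "root") print "DEL " u
        }' "$live" "$dr" | LC_ALL=C sort
}

# Constructed sample data; the hash strings are placeholders, not real hashes.
demo_dir=$(mktemp -d)
cat > "$demo_dir/live" <<'EOF'
alice:HASH_A1
bob:HASH_B2
carol:HASH_C1
EOF
cat > "$demo_dir/dr" <<'EOF'
alice:HASH_A1
bob:HASH_B1
dave:HASH_D1
EOF
plan_sync "$demo_dir/live" "$demo_dir/dr"
rm -rf "$demo_dir"
```

Each planned action maps onto the interfaces named in the reply: useradd for ADD, userdel for DEL, and /usr/sam/lbin/usermod.sam for SETPW.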