Operating System - HP-UX

Migrating Certain Users between 2 Trusted Systems

 
NateJones
Occasional Advisor

Migrating Certain Users between 2 Trusted Systems

Greetings,

We have about 35 HP/UX boxes (all trusted), and every so often we need to migrate a client to a new HP box, but we only want to move certain users as the box usually contains at least two clients.

Does anyone have a method or tool of moving users by, say, gid?

The only way I have done it in the past is:

- cut/paste the entries out of the passwd/group files
- go through /tcb/auth and copy the subdirectory for each user from the old box to the new one.

As you can imagine, this is incredibly time consuming and error prone. :(

Thanks in advance,
Nate
Steven E. Protter
Exalted Contributor
Solution

Re: Migrating Certain Users between 2 Trusted Systems

Shalom,

1) Do an Ignite backup of the vg00 on the system before you start.

2) cd /etc

Under here there is either auth/files or files/auth

Your users are arrayed in 26 different folders for the first letter of each user name.

cd a
scp -p * newsystemhostname:/$PWD
repeat for all letters EXCEPT r

Why not r, because ROOT is in there.

Copy those files one at a time, not including root.

Copy the optional user entries from /etc/passwd and /etc/group on the new system. Take care not to overwrite the system and daemon users.

Restart the target system.

Your users should be functional and transfer correctly.

SEP
Steven E Protter
Owner of ISN Corporation
http://isnamerica.com
http://hpuxconsulting.com
Sponsor: http://hpux.ws
Twitter: http://twitter.com/hpuxlinux
Founder http://newdatacloud.com
NateJones
Occasional Advisor

Re: Migrating Certain Users between 2 Trusted Systems

Thanks Steven.

I don't see files or auth under /etc. Did you mean /tcb?

The problem with manually copying the entire subdirectories (a, b, c, etc.) is that I will get users that I don't want.

I think the best way is going to be to write a script to grep through passwd for every userid matching whatever GID we want, then find each subdirectory in /tcb/files/auth and create a tar file that can be copied to /tcb on the new system.
A. Clay Stephenson
Acclaimed Contributor

Re: Migrating Certain Users between 2 Trusted Systems

You are on the right track with your scripting but grep is a terrible choice for matching GIDs or logins. For example, grep "20" /etc/passwd would match UID 20, GID 20, GID 200, GID 2000, GID 120, .... Instead use something like

typeset -i GID=20
awk -v gid=${GID} -F ':' '{if (($4 + 0) == (gid + 0)) print $0}' /etc/passwd

which will match only GID 20.

There are some other "gotchas" as well. You need to make sure that UID 200 on box A is not already in use; ditto for audit IDs and GIDs.

The best way to approach this problem is to implement a unified passwd/group management system such as LDAP so that you only do this in one place and the changes are visible everywhere.
If it ain't broke, I can fix that.
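
An added example, not part of the original thread: the exact-GID selection above combined with a pre-copy check for the login and UID collisions mentioned in this reply, printing the /tcb/files/auth/<first letter>/<login> file to copy for each account that is safe to move. The function names, the old.passwd/new.passwd file names and the sample accounts are constructed for illustration; audit IDs and GIDs on the target are not checked here.

```shell
#!/bin/sh
# Added example. Sample passwd data below is constructed.

# Print passwd lines whose primary GID (field 4) is exactly $1.
users_in_gid() {
    awk -F: -v gid="$1" 'NF >= 7 && ($4 + 0) == (gid + 0)' "$2"
}

# migration_plan GID SRC_PASSWD DST_PASSWD
# One line per selected account: OK (with the TCB file to copy),
# CONFLICT (login or UID already present on the target) or SKIP (UID 0).
migration_plan() {
    users_in_gid "$1" "$2" | awk -F: -v dst="$3" '
        BEGIN {   # index the target passwd by login and by UID
            while ((getline line < dst) > 0) {
                split(line, f, ":")
                name[f[1]] = 1
                uid[f[3] + 0] = f[1]
            }
        }
        ($3 + 0) == 0     { print "SKIP " $1 " uid-0"; next }
        ($1 in name)      { print "CONFLICT " $1 " login-exists"; next }
        (($3 + 0) in uid) { print "CONFLICT " $1 " uid-" $3 "-used-by-" uid[$3 + 0]; next }
        { print "OK " $1 " /tcb/files/auth/" substr($1, 1, 1) "/" $1 }'
}

# Constructed sample data: old.passwd (source box) and new.passwd (target box).
make_sample() {
    cat > "$1/old.passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
alice:*:201:20::/home/alice:/usr/bin/sh
bob:*:202:200::/home/bob:/usr/bin/sh
carol:*:203:20::/home/carol:/usr/bin/sh
dave:*:120:20::/home/dave:/usr/bin/sh
EOF
    cat > "$1/new.passwd" <<'EOF'
root:*:0:3::/:/sbin/sh
carol:*:310:20::/home/carol:/usr/bin/sh
erin:*:120:30::/home/erin:/usr/bin/sh
EOF
}

demo_dir="${TMPDIR:-/tmp}/gidmig.$$"
mkdir -p "$demo_dir" && make_sample "$demo_dir"
migration_plan 20 "$demo_dir/old.passwd" "$demo_dir/new.passwd"
rm -rf "$demo_dir"
```

Only the accounts reported as OK go into the tar file; each CONFLICT line needs a decision (rename, renumber or skip) before anything is written to the target's /etc/passwd or /tcb.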
NateJones
Occasional Advisor

Re: Migrating Certain Users between 2 Trusted Systems

Thanks. Yea, I was being somewhat generic with my language. Thanks for the advice though!

As for your gotchas, they have definitely been problems in the past, esp. the duplicate user name! We'll add some logic for that.

Lastly, my knowledge of LDAP is extremely limited, but my understanding is that it can't be used, or at least used effectively or easily, because each HP box is on a completely separate network. Each box can't even see another one.
NateJones
Occasional Advisor

Re: Migrating Certain Users between 2 Trusted Systems

To give a little something back, I've attached 2 perl scripts that one of my guys wrote for me today to transfer particular groups of users from one box to another.

(Remove the .txt extension before you run them on the HP machine.)

HP2PASSWD.pl - On an HP system, this script creates an /etc/passwd-like file, whose location is specified in the script, of a client that is also specified in the script, that contains the password hash. This file can be imported to an HP Server with the PASSWD2HP.pl script.

PASSWD2HP.pl - This script imports the /etc/passwd-like files created by the above scripts to an HP system by creating new users and injecting the password hash into their /tcb/files/auth files.

Hopefully these will be helpful to others in my situation.

Nate
NateJones
Occasional Advisor

Re: Migrating Certain Users between 2 Trusted Systems

Couple more things:

1. The first script is read-only, except for creating the output file wherever you choose. The second file, passwd2hp, writes to both /etc/passwd and creates the subdirectories in /tcb/files/auth. I STRONGLY recommend you back up the passwd file and tar up the /tcb/files/auth directory before you run it!

2. One good thing about this script is that the output of the HP2PASSWD script is a standard passwd file. This is good because another situation we are often in is having to transfer users from a non-trusted system to a trusted one. This means the PASSWD2HP script will take either the output from HP2PASSWD OR a non-trusted regular passwd file! This was also very helpful for me.

Nate