Operating System - OpenVMS
1839249 Members
2088 Online
110137 Solutions
New Discussion

Re: Copying users over the nodes

 
SOLVED
Go to solution
Mainak
Advisor

Copying users over the nodes

Could I copy few users from one node to other as I can do it in the same node –
MC AUTHORIZE COPY USERA USERB/UIC=[X,Y]/PASS=***/OWNER=ZZZ

If it is possible could any one let me know the command?
14 REPLIES 14
Ian Miller.
Honored Contributor
Solution

Re: Copying users over the nodes

Assuming they are not in the same cluster (and share the uaf) then I usually reenter the details but I think you could do it from DCL

$ OPEN/READ LOCAL SYSUAF
$ OPEN/READ/WRITE/SHARE REMOTE node::SYSUAF
$ READ/KEY=username LOCAL RECORD
$ WRITE REMOTE RECORD
$ CLOSE LOCAL
$ CLOSE REMOTE
____________________
Purely Personal Opinion
Bart Zorn_1
Trusted Contributor

Re: Copying users over the nodes

I can confirm that the procedure from Ian Miller does work. However, it does not create the usual rights identifier, nor does it grant additional identifiers.

Regards,

Bart Zorn
Mainak
Advisor

Re: Copying users over the nodes

Hi ,

Thanks for the reply..

I need to replicate the rights identifier, and the additional identifiers also. Can I move the SYSUAF.DAT and RIGHTSLIST.DAT FROM OPEN VMS 7.1 on VAX to OPEN VMS 7.3-1 on ALPHA?

Mainak
Ian Miller.
Honored Contributor

Re: Copying users over the nodes

You can copy the files. This sometimes causes issues with accounts created by products. e.g DECnet account passwords have to match the passwords in the DECnet object database.
You can add the identifier for a users UIC value with
ADD/ID/USER=username
in authorize.

Other identifiers - I find it easier to add and grant them. The identifier values can be different on different nodes.
The file structure of RIGHTLIST.DAT is more complicated than SYSUAF so I don't know if doing a similar trick in DCL will work.
____________________
Purely Personal Opinion
Mike Reznak
Trusted Contributor

Re: Copying users over the nodes

Hi,

in older times, not knowing much about record management, I've created some procedures to read output file from $ MCR AUTHORIZE SHOW USER * /FULL and convert it to Authorize commands to create new accounts. Advantage of it is, that you have also Ident. information in this output. Just proxy is missing. You can do it separately.
But you have to have the same UIC for a user and identifiers on all nodes. It's a good practice indeed. Otherwise, SYSUAF.DAT gets a bit messy.
I assume, the same can be done by reading directly from SYSUAF.DAT, NET$PROXY.DAT and RIGHTSLIST.DAT , but didn't do it yet.

Mike
...and I think to myself, what a wonderful world ;o)
Jan van den Ende
Honored Contributor

Re: Copying users over the nodes

Mainak,

Re: Identifiers.

We have long ago learned to add identifiers NOT by just UAF>ADD/ID , but to explicitly give them their value as well.

OLD::UAF>SHO /ID xxx also gives the value, either in UIC format [x,y], or in INTEGER format %Xnnnnnnnn, with nnnnnnnn > %X80000000

New::UAF>ADD/ID xxx /VAL=UIC:[x,y]
where y may be * to specify a groupname ident, in which case the /ATTRIB=RESOURCE will be appropriate.

or

NEW::UAF> ADD/ID xxx /VAL=ID:%Xmmmmmmmm, with %Xmmmmmmmm = %Xnnnnnnnn - %X80000000

This gives two big advantages:
-- A file copy by BACKUP/OWN=ORIG maintains file ownership and access BY NUMERIC VALUE, and so, ONLY if the numeric values are identical, the ownerships and accessibilities are kept consistent
-- If ever in the future those systems are to be integrated, ownerships are protections are already synchronous.
And if you EVER have to merge some systems, you will know what a PITA it can be if they are not!

hth,

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
Galen Tackett
Valued Contributor

Re: Copying users over the nodes

Wouldn't it be nice if we had an application (from HP or the user community) that could assist with merging SYSUAF, RIGHTSLIST, proxies, etc.?

It might not be able to do the entire job for you, but it could perhaps do a good bit of the work and tell about, e.g., conflicts that it can't resolve.

Just a suggestion if anyone's listening who'd like to write it. Given time, I would write it. But like most busy systems staff I seldom have time to work on significant code of my own any more. :-(
Kris Clippeleyr
Honored Contributor

Re: Copying users over the nodes


Re: Galen


Wouldn't it be nice if we had an application (from HP or the user community) that could assist with merging SYSUAF, RIGHTSLIST, proxies, etc.?


I have written such a beast. When I find the time I'll put it (VMSINSTAL kits) on my website ( www.quadratrix.be ).

Regards,
Kris (aka Qkcl)
I'm gonna hit the highway like a battering ram on a silver-black phantom bike...
Mainak
Advisor

Re: Copying users over the nodes

Hi,

I tried to do it from DCL as Ian recomended in the first reply, but getting the following error when trying to write to the remote file-

%DCL-W-TKNOVF, command element is too long - shorten

And actually no record found for the user name at the remote end.

Arch_Muthiah
Honored Contributor

Re: Copying users over the nodes

Mainak,

The format of the SYSUAF.DAT, RIGHTSLIST, and associated files are upward-compatible.

The same basic steps necessary for moving RIGHTSLIST and SYSUAF files to another node are rather similar to the steps involved
in merging these files in an OpenVMS Cluster.

Regarding the new NET$PROXY.DAT file, I hope we have to use syss$system: convert_proxy.exe to convert netproxy.dat to net$proxy.dat

The big task here is that as RIGHTSLIST identifier values and UIC values that end up scattered around the target system must be rationalized to node where you copy.

The lattermost case is resolving the identifier values is the often most difficult part. If you find
that an identifier value (or identifier name) from the source RIGHTSLIST collides with that of an identifier existing on the
target system, you must first determine if the two identifiers perform the same function. In most cases, they will not. If you encounter a collision, changing both of the identifier binary values (or names)involved in the collision to new and unique values can prevent security problems.

In the same way the problem exist with UIC values, as these too tend to be scattered all over the system environment. Like the
binary identifier values, you will find UIC values associated with disks, ACLs, queues, and various other structures.


Archunan
Regards
Archie
Jan van den Ende
Honored Contributor

Re: Copying users over the nodes

Mainak,


I tried to do it from DCL as Ian recomended in the first reply, but getting the following error when trying to write to the remote file-
%DCL-W-TKNOVF, command element is too long - shorten

and
(earlier)
FROM OPEN VMS 7.1 on VAX to OPEN VMS 7.3-1 on ALPHA?


Yeah, that fits.

On pre-V7.3-2 for a standard $ WRITE the max symbol length is 255.

You can overcome this by replacing
$ WRITE REMOTE RECORD
with
$ WRITE /SYMBOL REMOTE RECORD

Success!

Proost.

Have one on me.

jpe
Don't rust yours pelled jacker to fine doll missed aches.
John Gillings
Honored Contributor

Re: Copying users over the nodes

Be careful! There is a lot of scope here for errors and confusion. For example, usernames with duplicate UICs, invalid device, directory & file specifications.

As you've found, playing with UAFs from DCL can exceed DCL token limits. As Jan has pointed out WRITE/SYMBOL should get beyond most of those errors, but not necessarily all (V8.2 extended DCL should help even more).

>We have long ago learned to add
>identifiers NOT by just
>UAF>ADD/ID , but to
>explicitly give them their value as well.

Note that Ian said:

UAF> ADD/IDENT/NAME=name

This will find the UAF record "name", take the UIC value and create the correct identifier. Since it also accepts wild cards, this is a neat way to reconstruct a broken RIGHTSLIST, at least the username identifiers:

UAF> ADD/IDENT/NAME=*

HOWEVER, if the user has been granted any identifiers, ADD/IDENT won't reconstruct the user's rightslist.

> Wouldn't it be nice if we had an
>application (from HP or the user
>community) that could assist with
>merging SYSUAF, RIGHTSLIST, proxies, etc.?

CONVERT and/or MERGE already do a fairly good job of this, except they don't allow adding the new records to an open output file.

On the other hand, the most obvious place to put this capability (especially inter node copies) is in the OpenVMS Management Station.
A crucible of informative mistakes
Ian Miller.
Honored Contributor

Re: Copying users over the nodes

The OpenVMS Management Station
http://www.hp.com/go/openvms/argus

has its good points I suppose but I'm not convinced that managing a VMS system or systems from a windows PC is a good idea. Now if something similar was added to the VMS Cockpit Manager
http://www.emulatorsinternational.com/en/cockpit.htm
that would be differnt :-)
____________________
Purely Personal Opinion
Mainak
Advisor

Re: Copying users over the nodes

Thanks everyone for all the helps.