Summary: Enhanced security files migration from one system to another

From: John Galt (jgalt163@comcast.net)
Date: Mon May 03 2004 - 11:00:50 EDT


Sorry for such a late summary. Unfortunately, I still don't have the
complete answer to my problem, but I do have some information and a
proposed method to accomplish what I want to do.

First, thanks to all who replied. Especially to David Williams who was
working on the same concept in parallel and found some relevant
information. And indirectly to Thomas Leitner who had previously posted a
script that was then modified and forwarded to me by David Williams.

Although some people thought that merely copying the auth.db files (and
other relevant files) from one system to another "should" work, it did not
work for me.
The official method is to use edauth to export and import between systems.

In its simplest form, the procedure is:

On the source system:
# edauth -g > edauth.out

Copy edauth.out to the target system (along with the password file, group
file, etc.), then on the target system:
# edauth -s < edauth.out

The above will get the user profiles for all users. Other edauth switches
are needed to get the device files, default file, etc. (see the scripts below).

I am still working on the details of my own scripts to accomplish this. My
task is part of an automated disaster recovery plan. I am also planning to
use ssh and scp to accomplish most of the automation.

I have included David's scripts for reference.

Thanks to all.
John

David's scripts:
(Please modify for your specific use before running.)
-------------------------------------------------------------------------
#!/bin/ksh
#
# This file: /scripts/dump_c2.ksh
# Host: u-whmsst1
# Author: David J Williams
# Date: 23/04/04
#
# Description:
#
# Written to dump the enhanced security databases. Note: edauth -gt
# is new to Tru64 V5.1B. -gt dumps the users profile along with
# the templates. Without the -t option only the users are dumped.
# On versions prior to V5.1B, you need to specify the template
# to dump it. Hence my routine to list all in-use templates.
# Unfortunately this method will not dump templates that exist in
# the p database but aren't being used by at least one user.
#
# History:
#
# Vers Date Who Description
# 1.00 23/04/04 DJWilliams Authored
#
#*************************************************************************
#

PATH=$PATH:/sbin:/usr/bin:/usr/local/bin:/scripts:.:/usr/tcb/bin
export PATH

# The dumps contain protected password entries (u_pwd hashes), so keep the
# working files and the archive readable by root only.
umask 077

cd /

SAVEDIR="/usr/local/dump_c2"
mkdir -p $SAVEDIR

now=$(date +\%y\%m\%d\%H\%M\%S)
hostname=$(hostname -s)
TGZ="$SAVEDIR/dump_c2.$hostname.$now.tgz"

# Paths are relative to / so that load_c2.ksh can extract them straight
# over the live files from / as well.
tarlist="\
etc/passwd \
etc/group \
tmp/d.auth \
tmp/f.auth \
tmp/p.auth \
tmp/t.auth \
tmp/v.auth \
"

# Device assignment (d) and file control (f) databases.
edauth -d d -g >tmp/d.auth
edauth -d f -g >tmp/f.auth

# Protected password database (p). On V5.1B and later, -gt dumps the users
# together with the templates. Earlier releases reject -t, so dump the
# users, collect every template name they reference, and dump those by
# name ahead of the users that point at them.
edauth -d p -gt >tmp/p.auth 2>/dev/null;exit_status=$?
if [[ $exit_status -ne 0 ]]; then
  edauth -d p -g >tmp/p.auth1
  for i in $(grep u_template tmp/p.auth1 | awk -F"u_template=" '{print $2}' | awk -F: '{print $1}' | sort -u)
  do
    edauth -d p -g $i >>tmp/p.auth
  done
  cat tmp/p.auth1 >>tmp/p.auth
  rm tmp/p.auth1
fi

# Terminal control (t) and system default (v) databases.
edauth -d t -g >tmp/t.auth
edauth -d v -g >tmp/v.auth

# Write the tar stream to a file first: the status of a pipe is that of its
# last command, so "tar | gzip" would hide a tar failure behind gzip's exit
# status. The intermediate file is private thanks to the umask above.
tar cf - $tarlist >$TGZ.tar && gzip -9c $TGZ.tar >$TGZ;exit_status=$?
rm -f $TGZ.tar

rm tmp/[dfptv].auth

echo Done

exit $exit_status
----------------------------------------------------------------------------

#!/bin/ksh
#
# This file: /scripts/load_c2.ksh
# Host: u-whmsst1
# Author: David J Williams
# Date: 23/04/04
#
# Description:
#
# Written to load the enhanced security databases from a .tgz created
# by dump_c2.ksh. See dump_c2.ksh for more information
#
# History:
#
# Vers Date Who Description
# 1.00 23/04/04 DJWilliams Authored
#
#*************************************************************************
#

PATH=$PATH:/sbin:/usr/bin:/usr/local/bin:/scripts:.:/usr/tcb/bin
export PATH

# The extracted dumps contain password hashes; keep them root-only.
umask 077

TGZ=$1

# Make the archive path absolute before changing to /, otherwise a relative
# path given on the command line can no longer be found.
case "$TGZ" in
  /*) ;;
  *)  TGZ="$PWD/$TGZ" ;;
esac

cd /

# Refuse to run without a readable .tgz, and exit non-zero so that a calling
# DR script notices (a bare "exit" reports success).
if [[ ! -f "$TGZ" ]]; then
  echo "Can't find specified file"
  echo aborting
  exit 1
fi
case "$TGZ" in
  *.tgz) ;;
  *)  echo "File specified is not type .tgz"
      echo aborting
      exit 1 ;;
esac

# Extracts etc/passwd, etc/group and the tmp/*.auth dumps relative to /,
# i.e. straight over the live passwd and group files. Stop if that fails
# rather than loading half a set of databases.
gunzip -c $TGZ|tar xpvf - ;exit_status=$?
if [[ $exit_status -ne 0 ]]; then
  echo "extract failed, aborting"
  exit $exit_status
fi

# Load each database; -s reads entries on stdin in the format -g wrote.
edauth -d d -s <tmp/d.auth
edauth -d f -s <tmp/f.auth
edauth -d p -s <tmp/p.auth
edauth -d t -s <tmp/t.auth
edauth -d v -s <tmp/v.auth

# Drop the hashed passwd database so it is rebuilt from the new etc/passwd
# (e.g. by vipw), and remove the dumps, which hold password hashes.
rm -f etc/passwd.dir etc/passwd.pag tmp/[dfptv].auth

echo Done

exit $exit_status
----------------------------------------------------------------------------

Original Post:
-------------------------------------------------------------------------
Hello All,

I am having trouble migrating the TCB databases from one T64 V5.1A system
to another system with the same version. The main difference between the
systems is that the system I am copying the files from is at patch kit 2
and the target system is at patch kit 5.

I have copied over the following files:
/tcb/files/auth.db
/var/tcb/files/auth.db
/etc/auth/system/default
/etc/passwd
/etc/group

I have removed the /etc/passwd.pag and /etc/passwd.dir files and used vipw
after copying the passwd file to recreate the hashed database.

I've verified that the ownership and permissions of all the copied files
match the originals (as well as matching the permissions on the source
system).

At this point, I can log in as root so I assume that the /tcb/files/auth.db
is functioning properly.

However, when I log in through telnet as a regular user, I get a message like:
"Can't rewrite protected password entry for user jsmith"

If I try to change a user's password, I get a similar message:
"Password not changed: failed to write protected password entry"

I've done this before by simply copying the auth.db files, default, passwd,
and group files and it all worked properly.

What am I missing?

Thanks in advance.
John
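Added example (not part of John's post or of David Williams' dump_c2/load_c2 scripts): a POSIX-sh checker for the protected password dump produced by "edauth -d p -g", to run before "edauth -d p -s" on the target. It covers two things the scripts above leave to chance: it lists the template names the users reference (the same list the pre-V5.1B fallback builds with grep/awk, but tolerant of backslash-continued lines), and it flags templates that are referenced but were never dumped, plus records that are not terminated by "chkent:". The entry layout it assumes (NAME:field:...:chkent: with "\" continuation lines, u_template=NAME on user entries, templates as entries of their own) is my assumption from the prpasswd-style format, the sample dump and its hashes are constructed for the example, and mktemp is assumed to be available.

```shell
#!/bin/sh
# Added example, not code from the original post or David Williams' scripts.
# Sanity-check an "edauth -d p -g" dump before loading it with "edauth -d p -s".
#
# Assumptions (constructed for this example, not taken from the page):
#  - entries are prpasswd-style: NAME:field:field:...:chkent: with
#    backslash-continued lines;
#  - a user entry names its template with u_template=NAME;
#  - a template is an entry of its own whose NAME matches;
#  - mktemp exists (it may not on older Tru64 releases).
# The dump holds u_pwd hashes, so keep everything created here private.
umask 077

# Join backslash-continued lines so that each entry is one physical line.
unfold_entries() {
    awk '
        /\\$/ { sub(/\\$/, ""); buf = buf $0; next }
        { print buf $0; buf = "" }
        END { if (buf != "") print buf }
    ' "$1"
}

# Names of every entry in the dump (users and templates alike).
entry_names() {
    unfold_entries "$1" | awk -F: '$1 != "" { print $1 }' | sort -u
}

# Template names referenced by user entries. On releases without
# "edauth -gt" this is the list to dump by name ahead of the users.
referenced_templates() {
    unfold_entries "$1" | awk -F: '
        { for (i = 2; i <= NF; i++)
              if ($i ~ /^u_template=/) { sub(/^u_template=/, "", $i); print $i } }
    ' | sort -u
}

# Referenced templates that have no entry of their own in the dump.
missing_templates() {
    names=$(entry_names "$1")
    referenced_templates "$1" | while read -r t; do
        echo "$names" | grep -qx -- "$t" || echo "$t"
    done
}

# Number of entries not terminated by "chkent:" (cut-off or garbled records).
unterminated_entries() {
    unfold_entries "$1" | awk '$0 !~ /chkent:[[:space:]]*$/ && NF { n++ } END { print n + 0 }'
}

# Report every problem found; exit status 0 only when the dump looks loadable.
check_dump() {
    rc=0
    bad=$(unterminated_entries "$1")
    if [ "$bad" -ne 0 ]; then
        echo "$bad entries are not terminated by chkent:"; rc=1
    fi
    for t in $(missing_templates "$1"); do
        echo "template '$t' is referenced by a user but is not in the dump"; rc=1
    done
    return $rc
}

# Constructed sample dump: two templates, three users (one pointing at a
# template that was never dumped) and one truncated record. Hashes are fake.
SAMPLE=$(mktemp)
cat > "$SAMPLE" <<'EOF'
default:u_name=default:u_minlen#8:u_maxlen#16:\
	:u_exp#7776000:chkent:
ops:u_name=ops:u_minlen#10:chkent:
jsmith:u_name=jsmith:u_id#1001:u_template=default:\
	:u_pwd=abcd1234EFGH5678:u_succhg#1083000000:chkent:
bjones:u_name=bjones:u_id#1002:u_template=ops:\
	:u_pwd=ijkl9012MNOP3456:chkent:
mlee:u_name=mlee:u_id#1003:u_template=dev:\
	:u_pwd=qrst7890UVWX1234:chkent:
truncated:u_name=truncated:u_id#1004:u_template=default:
EOF

check_dump "$SAMPLE" || echo "fix the dump before running edauth -d p -s"
```

Run it against the tmp/p.auth file that dump_c2.ksh produces (or the edauth.out from the one-line procedure) before load_c2.ksh is allowed to proceed; a non-zero status from check_dump is the point at which an automated DR run should stop rather than load users whose templates do not exist on the target.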



This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:49:58 EDT