Question: Migrating existing users from one host to another?
Posted by gg234 on Wed 12 Oct 2005 at 11:53
Presently we are migrating from a Redhat Linux webserver to a Debian GNU/Linux 3.1 webserver. We need to transfer all the users and passwords across to the new host, so that users can log in using their current details.
How do we do this?
One option is to copy the shadow and password files and their home directories to the new Debian host. How should we do that?
[ Parent | Reply to this comment ]
About copying only the user part of shadow/passwd/group... I usually do it manually, as sometimes the uid/gid already exists on the destination server. In that case, it's necessary to change some users' uid/gid.
I do it using find / -user username -exec chown -h newid {} \; (notice the "-h").
Regards,
Alex
[ Parent | Reply to this comment ]
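The UID clash described in the comment above can be listed before anything is merged. The following is an added example, not code from the thread: `remap_plan` is a hypothetical helper and both passwd files are constructed sample data.

```bash
#!/bin/sh
# Added example (not from the thread). All account data below is constructed.

# remap_plan OLD_PASSWD NEW_PASSWD [MIN_UID]
# For every OLD entry whose UID already belongs to a different login on
# the NEW host, print "login old_uid new_uid". The proposed new_uid is
# unused on both hosts, so it cannot collide with another migrated user.
remap_plan() {
    awk -F: -v min="${3:-1000}" '
        FILENAME == ARGV[1] { owner[$3] = $1; used[$3] = 1; next }  # NEW host
        { name[++n] = $1; uid[n] = $3; used[$3] = 1 }               # OLD host
        END {
            free = min
            for (i = 1; i <= n; i++) {
                if (!(uid[i] in owner) || owner[uid[i]] == name[i])
                    continue                    # UID free, or same account
                while (free in used) free++
                used[free] = 1
                print name[i], uid[i], free
            }
        }
    ' "$2" "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed passwd of the new host.
cat > "$demo_dir/new.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
deploy:x:1000:1000:Deploy user:/home/deploy:/bin/bash
monitor:x:1001:1001::/home/monitor:/bin/sh
EOF

# Constructed user-only passwd copied from the old host.
cat > "$demo_dir/old.passwd" <<'EOF'
alice:x:1000:1000:Alice Example:/home/alice:/bin/bash
bob:x:1001:1001:Bob Example:/home/bob:/bin/bash
carol:x:1002:1002:Carol Example:/home/carol:/bin/bash
EOF

remap_plan "$demo_dir/old.passwd" "$demo_dir/new.passwd"
```

The same function works on two group files, because the GID is also the third colon-separated field in /etc/group.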
- passwd
- shadow
- group
- gshadow
I did this on a "potato-to-sarge" reinstall.
[ Parent | Reply to this comment ]
Let's say you have 2 servers.
server01 is the master (meaning the shadow... will be copied from it)
server02 is the slave
Using grep (or anything), you can copy, let's say all UID >= 1000 and append them to the shadow file on the slave server. This is ok.
But now, when the next "replication" comes, how do you append only _new_ users to the slave?
[ Parent | Reply to this comment ]
I can not see any problems in a one time sort-and-copy of the mentioned files.
If I'm right, there was no question about syncing the userbase all the time, so what kind of "next replication" are you talking about?
For replication there is no way out of having a fully identical passwd, etc., or you just use a central LDAP or SQL userbase (pam.ldap - pam.mysql for example).
Cheers
[ Parent | Reply to this comment ]
2. Instead of appending to passwd overwrite /etc/passwd.dynamic
3. cat /etc/passwd.static /etc/passwd.dynamic > /etc/passwd; pwconv
Or write a simple Perl script. But keeping users in some central directory (like LDAP or NIS) is IMO a better idea.
[ Parent | Reply to this comment ]
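The static/dynamic split in the steps above answers the "only new users" question by regenerating the file on every run instead of appending to it. The following is an added example, not code from the thread: the function names, the UID threshold of 1000, the exclusion of `nobody` and the rule that a master entry may not reuse a local login or UID are assumptions, and all account data is constructed.

```bash
#!/bin/sh
# Added example (not from the thread). All account data below is constructed.

# dynamic_entries MASTER_PASSWD STATIC_PASSWD [MIN_UID]
# Print the master entries that may go into passwd.dynamic: well-formed,
# UID >= MIN_UID, not "nobody" (65534), and not reusing a login name or
# UID of a local account listed in passwd.static.
dynamic_entries() {
    awk -F: -v min="${3:-1000}" '
        FILENAME == ARGV[1] { lname[$1] = 1; luid[$3] = 1; next }  # static file
        NF != 7 || $3 !~ /^[0-9]+$/        { next }   # malformed line
        $3 + 0 < min || $3 + 0 == 65534    { next }   # system range, nobody
        ($1 in lname) || ($3 in luid)      { next }   # would shadow a local account
        seen[$1]++                         { next }   # duplicate on the master
        { print }
    ' "$2" "$1"
}

# rebuild_passwd STATIC_PASSWD MASTER_PASSWD
# Full regenerated file: static part first, then the filtered master part.
rebuild_passwd() {
    cat "$1"
    dynamic_entries "$2" "$1"
}

demo_dir=$(mktemp -d)
trap 'rm -rf "$demo_dir"' EXIT

# Constructed passwd.static: accounts that exist only on the slave.
cat > "$demo_dir/passwd.static" <<'EOF'
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/bin/sh
localadm:x:1000:1000:Local admin:/home/localadm:/bin/bash
EOF

# Constructed copy of the master's passwd.
cat > "$demo_dir/master.passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
localadm:x:1005:1005:Other admin:/home/other:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
EOF

rebuild_passwd "$demo_dir/passwd.static" "$demo_dir/master.passwd"
```

Running it again after the master gains a user yields that user exactly once, and a master entry with UID 0 or a local login name never reaches the slave.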
[ Parent | Reply to this comment ]
But LDAP is a little bit more complicated. But that's also more secure...
If you are a newbie, just wanting to have the same users on 2-3 servers, use NIS. Else, if you have more advanced needs, use LDAP.
Another thing: you say you use these users for squid, not for user auth via SSH.
I don't know Squid well, but I think you can use PAM to auth users in Squid, so it will be possible to use LDAP directly with Squid. You don't need to have users defined at system level (/etc/passwd).
[ Parent | Reply to this comment ]
A better solution is to extract username and gecos info from the older passwd. Once you have gathered that info, you can use it to create users through the adduser command.
All of that can be automated through a simple bash script:
#!/bin/bash
#
# usage: migrate-passwd <password-file>
#
# remarks: the password file must be a copy of passwd that contains
#          only the entries to be migrated.
#
[ -f "$1" ] || exit 1
# Read the file line by line: GECOS fields usually contain spaces, so the
# entries must not be word-split by a "for" loop.
while IFS=: read -r username _ _ _ gecos _ ; do
    [ -n "$username" ] || continue
    # stdin is redirected so adduser cannot consume the loop's input
    adduser --disabled-password --gecos "$gecos" "$username" > /dev/null < /dev/null
done < "$1"
Since the previous script creates accounts with disabled passwords, you must also migrate the shadow file. This can be accomplished with another script:
#!/bin/bash
#
# usage: migrate-shadow <shadow-like-file>
#
# remarks: the shadow password file must be a copy of shadow that contains
#          only the entries to be migrated.
#
[ -f "$1" ] || exit 1
elsebranch=
# Emit an awk program that replaces field 2 (the password hash) of every
# migrated user and prints all other shadow lines unchanged.
echo -e "BEGIN { FS=\":\" }\n{"
while IFS=: read -r username encpassword _ ; do
    [ -n "$username" ] || continue
    # Exact comparison on field 1, so "." in a login name is not a wildcard
    echo "${elsebranch}if ( \$1 == \"$username\" ) \
printf \"%s:%s:%s:%s:%s:%s:%s:%s:%s\n\",\$1, \
\"$encpassword\", \$3,\$4,\$5,\$6,\$7,\$8,\$9;"
    elsebranch="else "
done < "$1"
# With an empty input list this degrades to a plain "print $0;"
echo "${elsebranch}print \$0;"
echo -e "}\nEND {}"
The shadow migration script generates an awk script and prints it to standard output. You can use it to generate a new shadow file on the target Debian server:
# migrate-shadow my-redhat-shadow-useronly-list > shadow-filter.awk
# awk -f shadow-filter.awk /etc/shadow > my-new-shadow-file-with-updated-pass
Maybe you also want to migrate some group related info and some other databases. You can modify these simple scripts to accomplish any system database migration task.
[ Parent | Reply to this comment ]
I recently performed such a migration. Here are the steps I took.
I grabbed the /etc/passwd /etc/group and /etc/shadow and /etc/skel/* from the old system. Edited the passwd file to remove the system users.
Wrote some Perl that did the following. Read the passwd file and built a hash with the login as the key. Ran split() on every line and filled the hash with $info{$name}{'homedir'} = $line[3]; (for example). Read group and added group info in an array (different entry than the default group). Read the shadow file and added the password hash to %info.
Then it's system() time. Scripted up useradd and usermod + system() on a foreach loop of the %info hash. Opened /etc/shadow and for each user changed the hash. Voila. Users migrated.
[ Parent | Reply to this comment ]