From: Matthew Seaman
Organization: Infracaninophile
Date: Sat, 07 Jul 2007 19:12:20 +0100
To: Lisa Casey
Cc: freebsd-questions@freebsd.org
Subject: Re: passwd file and user accounts

Lisa Casey wrote:
> Hi,
>
> This is probably a stupid question, but I'll ask it anyway...
>
> I have a Red Hat Linux system I need to get rid of. It is currently
> doing e-mail for approximately 700 users and is also doing radius
> authentication. I have set up a new FreeBSD computer to take its place.
> I have everything set up now on the FreeBSD computer except for the user
> accounts and mailboxes. The mailboxes aren't a problem, I've used tar to
> move mailboxes before.
>
> I suppose I cannot simply copy /etc/passwd, /etc/group and /home from
> the Redhat computer to the FreeBSD computer due to the password hash in
> /etc/passwd. Am I correct on this? Would it be possible to copy
> /etc/passwd then (before the new system goes "live") reset all the
> passwords with the passwd command? That might be easier than adding in
> close to 700 accounts using adduser. Does anyone have a better idea of
> how I might go about doing this?

Not a stupid question at all, and you are quite right: you can't just
copy /etc/passwd and /etc/group from the Redhat box. /home you can,
pretty much, but see below about the necessity to renumber some
accounts, and also be aware that if any of your users have locally
installed Linux executables or scripts that claim to be run by /bin/sh
when they really need /usr/local/bin/bash then they will have problems.

You're going to run into a number of problems shifting your user
accounts over:

i) System level accounts. On FreeBSD these are all the accounts with
UID or GID below 1000, plus the 'nobody' account.
See /usr/src/etc/master.passwd and /usr/src/etc/group for the list of
what is required by the base system, and see /usr/ports/{UIDs,GIDs} for
the numbers reserved by the ports system. On Redhat, the boundary
between system and user accounts is UID 500. Thus to port your passwd
and group database from Redhat to FreeBSD you will need to discard the
UIDs and GIDs below 500, substituting the equivalent stuff from the
default master.passwd and group files. Also you will almost certainly
have to renumber accounts where the UID/GID is between 500 and 1000.
That means running chown(1) on the files owned by those accounts. A
find command like the following is often useful:

    find /home -user ${olduid} -print0 | xargs -0 chown -h ${newuid}

ii) Password hashes. On Redhat there are two parallel files /etc/passwd
and /etc/shadow. It's /etc/shadow which contains the password hashes.
On FreeBSD the /etc/passwd file is generated from /etc/master.passwd by
stripping out certain of the columns and replacing the password hashes
from column 2 with asterisks. The master.passwd(5) man page has all the
details. You can just cut and paste the password hashes from column 2
of /etc/shadow into column 2 of /etc/master.passwd. See crypt(3) for
more information.

If your Redhat system is fairly old and still uses the traditional
style DES password hashes you can copy them just the same and they will
still work in FreeBSD, but you should force your users to update their
passwords when they next log in. DES password hashes are almost
trivially crackable nowadays. You can force a password update for an
account by setting the 7th column of /etc/master.passwd to the current
Unix time (ie. the output of 'date +%s').

The other columns of /etc/shadow are all about when passwords were last
changed and when they will expire. Those columns have equivalents in
FreeBSD's master.passwd but the data formats are different and you
can't just copy from one to the other.
However, unless you specifically use password ageing you can probably
just ignore those fields.

Note that a password hash of '!!' is special on Redhat. It means
'account is locked and cannot be logged into' (including by means that
do not involve passwords at all, like SSH key based authentication.)
The equivalent under FreeBSD is *LOCKED*. It's also quite common for
Linux to use /bin/false to mean 'no interactive shell' -- which also
works under FreeBSD, but there it is more usual to use
/usr/sbin/nologin.

iii) Shells -- these are almost always found in /bin under Redhat,
whereas under FreeBSD some (sh, csh, tcsh) are in /bin but bash, zsh
etc. or any other shell installed from ports, will be found in
/usr/local/bin.

Remember that on FreeBSD you never edit /etc/passwd directly. Instead,
edit /etc/master.passwd and then run pwd_mkdb to generate /etc/passwd
from /etc/master.passwd and rebuild the pwd.db hashed lookup files.
Using vipw(8) will automate that for you, and lock the password file
correctly against several people all trying to update it at once, which
would usually result in a corrupted password file. You can also use
'mergemaster -p' to ensure you have all the necessary system level
accounts in place: something that is rather important as the system
won't boot up entirely successfully without. See also pw(8) and
adduser(8) for a couple of programmatic interfaces for dealing with
user accounts and groups.

	Cheers,

	Matthew

-- 
Dr Matthew J Seaman MA, D.Phil.                   7 Priory Courtyard
                                                  Flat 3
PGP: http://www.infracaninophile.co.uk/pgpkey     Ramsgate
                                                  Kent, CT11 9PW
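Added example (editor's code, not part of the list post above): a small
converter that turns a Red Hat /etc/passwd + /etc/shadow pair into
master.passwd(5) lines following the rules in the reply: drop accounts
below UID 500, renumber 500-999 to a free id at or above 1001 and emit
the find|xargs chown command for each renumbered home, copy the hash
from column 2 of /etc/shadow, force a change for traditional DES
hashes by writing the current Unix time into the `change` field (the
sixth field in master.passwd(5)), turn '!!' into *LOCKED* and move
/bin/bash, /bin/false and friends to their FreeBSD paths. Assumptions
not taken from the post: an empty shadow hash (password-less login) is
locked rather than copied, a '!'-prefixed hash (passwd -l style) keeps
the hash behind the *LOCKED* marker the way pw(8) lock does, and the
sample passwd/shadow lines are constructed, not real accounts.

```python
"""Red Hat passwd+shadow -> FreeBSD master.passwd(5) lines (added example)."""
import time

REDHAT_USER_MIN = 500       # Red Hat: first ordinary user uid/gid
FREEBSD_SYSTEM_MAX = 999    # FreeBSD: ids below 1000 belong to base system and ports
FIRST_FREE_ID = 1001        # renumbered accounts start here

# Shell paths that move between the two systems; anything else is copied unchanged.
SHELL_MAP = {
    "/bin/bash": "/usr/local/bin/bash",
    "/bin/zsh": "/usr/local/bin/zsh",
    "/bin/false": "/usr/sbin/nologin",
    "/sbin/nologin": "/usr/sbin/nologin",
}

def parse_passwd(text):
    """name -> dict(uid, gid, gecos, home, shell) from a Red Hat /etc/passwd."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _x, uid, gid, gecos, home, shell = line.split(":")
            users[name] = dict(uid=int(uid), gid=int(gid), gecos=gecos, home=home, shell=shell)
    return users

def parse_shadow(text):
    """name -> hash (column 2) from /etc/shadow; the ageing columns are ignored."""
    return {f[0]: f[1] for f in (l.split(":") for l in text.splitlines() if l)}

def build_id_map(ids):
    """Map ids in 500..999 to free ids >= 1001 that no kept account already uses."""
    taken = {i for i in ids if i > FREEBSD_SYSTEM_MAX}
    mapping, nxt = {}, FIRST_FREE_ID
    for old in sorted(ids):
        if REDHAT_USER_MIN <= old <= FREEBSD_SYSTEM_MAX:
            while nxt in taken:
                nxt += 1
            mapping[old] = nxt
            taken.add(nxt)
            nxt += 1
    return mapping

def translate_hash(h, now):
    """Return (master.passwd password field, change field) for one shadow hash."""
    if h in ("", "!!", "*"):            # never set / Red Hat locked / no-login: lock it (assumption)
        return "*LOCKED*", "0"
    if h.startswith("!"):               # 'passwd -l' style: keep the hash behind the marker
        return "*LOCKED*" + h[1:], "0"  # so 'pw unlock' can restore it (assumption)
    if not h.startswith("$"):           # 13-char traditional DES crypt(3): works, but weak,
        return h, str(now)              # so force a change at next login
    return h, "0"                       # $1$ MD5 etc.: copy verbatim

def convert(passwd_text, shadow_text, now=None):
    """Return (master.passwd lines, chown commands for renumbered homes, notes)."""
    now = int(time.time()) if now is None else now
    users = {n: u for n, u in parse_passwd(passwd_text).items() if u["uid"] >= REDHAT_USER_MIN}
    hashes = parse_shadow(shadow_text)
    uid_map = build_id_map({u["uid"] for u in users.values()})
    gid_map = build_id_map({u["gid"] for u in users.values()})
    entries, chowns, notes = [], [], []
    for name, u in sorted(users.items(), key=lambda kv: kv[1]["uid"]):
        pw, change = translate_hash(hashes.get(name, ""), now)   # missing shadow entry -> locked
        if change != "0":
            notes.append("%s: DES hash copied, password change forced" % name)
        uid, gid = uid_map.get(u["uid"], u["uid"]), gid_map.get(u["gid"], u["gid"])
        if uid != u["uid"]:
            # numeric ids, so find(1) matches the old owner even after the account is renumbered
            chowns.append("find %s -user %d -print0 | xargs -0 chown -h %d" % (u["home"], u["uid"], uid))
        # name:password:uid:gid:class:change:expire:gecos:home_dir:shell
        entries.append(":".join([name, pw, str(uid), str(gid), "", change, "0",
                                 u["gecos"], u["home"], SHELL_MAP.get(u["shell"], u["shell"])]))
    return entries, chowns, notes

# Constructed sample input, not real accounts.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
alice:x:500:500:Alice:/home/alice:/bin/bash
bob:x:501:501:Bob:/home/bob:/bin/false
olduser:x:1001:1001:Old User:/home/olduser:/bin/sh
dan:x:1002:1002:Dan:/home/dan:/bin/tcsh
"""
SAMPLE_SHADOW = """\
root:$1$rootsalt$00000000000000000000000:13700:0:99999:7:::
mail:*:13700:0:99999:7:::
alice:$1$saltsalt$AbCdEfGhIjKlMnOpQrStU.:13700:0:99999:7:::
bob:!!:13700:0:99999:7:::
olduser:ab1234567890Z:13700:0:99999:7:::
dan:!$1$dansalt$yyyyyyyyyyyyyyyyyyyyyy:13700:0:99999:7:::
"""

if __name__ == "__main__":
    lines, cmds, msgs = convert(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(lines + cmds + msgs))
```

The emitted lines are meant to be appended to /etc/master.passwd with
vipw(8) (or merged in and followed by `pwd_mkdb -p /etc/master.passwd`),
after which the printed find|xargs commands fix ownership of the
renumbered home directories. The same gid map has to be applied to the
/etc/group entries you carry over, and any hash in a format the target's
crypt(3) does not support (the example only distinguishes DES from the
'$'-prefixed modular formats) needs resetting rather than copying.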