Date:      Tue, 6 Mar 2001 00:17:55 -0800
From:      "Robert L Sowders" <rsowders@usgs.gov>
To:        "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc:        freebsd-questions@freebsd.org
Subject:   RE: SUN TO BSD
Message-ID:  <OFBBCF4250.90B761E1-ON88256A07.00297ECB@wr.usgs.gov>

While I have not had the blessing of a Solaris passwd file that was "out 
of phase", I do see this as a problem.  Pasting the mishmash together in a 
spreadsheet would lend itself to a quick visual confirmation of a complete 
"in phase" file.  Out of phase, is a good description of Solaris. 

Now that we have a good file, you must run, pwd_mkdb -C your_file, to 
check the syntax.  If no errors then change the name to master.passwd: cat 
new_passwd >> /etc/master.passwd and then run, pwd_mkdb -p 
/etc/master.passwd.

This must be done to ensure that all the secure and insecure and other 
files are created correctly, vipw was designed for minor edits of the 
database, not an entirely new database.

But even after all this you still have to create the home dirs, groups, 
permissions and other user areas.  And I don't really like windows all 
that much.  Since this is most readily accomplished with shell scripts and 
the needed lines to do everything is just a bit extra, why not go the 
extra couple of inches?  If the passwd file is out of phase then pwd_mkdb 
would signal a problem.

or you could

# Here is a short awk script to change Solaris passwd to FreeBSD (system 7);
# may need to be adjusted for your file, YMMV.
cat Solaris_passwd | awk -F : '{printf("%s:%s:%s:%s::0:0:%s:%s:%s\n",$1,$2,$3,$4,$5,$6,$7); }' > new_passwd
# Edit file new_passwd and remove all the system entries, then add it to
# your existing master.passwd.
cat new_passwd >> /etc/master.passwd
# Now rebuild all the databases and files.
pwd_mkdb -p /etc/master.passwd

If the above steps complete without error, you should have a working 
password file.  You can force a passwd change at next login by replacing 
the 6th field 0 with a 1, to get everyone into the MD5 camp.

Now you can do a simple cat /etc/master.passwd | cut -d: -f1 > list, and 
then create a simple "for user in list do" script to make all the user 
dirs, groups, perms, etc, etc.

The most important aspect of all this is to be sure to use pwd_mkdb -p 
/etc/master.passwd to rebuild all the files, and databases.

Once again, the above example is just that "AN EXAMPLE".  Do not use it 
blindly.  MAKE YOUR BACKUPS.
Have fun, I did.






"Ted Mittelstaedt" <tedm@toybox.placo.com>
Sent by: owner-freebsd-questions@FreeBSD.ORG
03/05/2001 10:39 PM

 
        To:     "T. William Wells" <bill@twwells.com>
        cc:     <freebsd-questions@freebsd.org>
        Subject:        RE: SUN TO BSD

Hi Bill,

  I hope you don't mind me CCing the list on the response,
I'm doing it in case someone else is scratching their head
wondering why I advocated such an odd approach.

  I've actually done a few of these Slowlaris migrations
myself.  The first one I did attempt it your way, by constructing
this script thingie to do it without the necessity of a manual
intervention with a spreadsheet.

  Well, I was very unhappy to discover this nice little
present that Sun left the UNIX administrators that work on
Slowlaris - their password tools do NOT check the password
files' consistency!  vipw is the biggest offender, but there's
others.

  The result of this was that I had a Solaris box where the
first 300-500 lines between the regular and the shadow file
were in phase, then there was a missing entry from the shadow
and for a couple hundred more lines they were out of phase,
then there were 2 missing entries from the regular and
they were out of phase the other direction, etc.

  Don't ask me how this system worked at all, but it had
been running apparently for years in this state!  Authentication
for all users worked, and the only thing that didn't
work was finger - invariably fingering a user would return that
the user didn't exist.  Of course I figured all this out later,
after spending several hours discovering that this even could
happen at all.  You could imagine what a pissed-off state I
was in by then.

  Since then I don't trust raw Slowlaris password files any further
than I can spit a rat, and I always do a visual inspection of
all the entries.  A spreadsheet is the quickest way to do a
visual inspection and can be used to merge the two files.  Even
going through 10K entries in a spreadsheet shouldn't take more than
15 minutes or so, you don't after all have to read every single line.

  You might think it's error-prone but you're going to have a
lot of work to add all the consistency checking into a migration
script, and by the time you finish debugging a script to do this
my way is a lot quicker.  Also, even if you do make up a script
to do this, if the script blows the whistle on an inconsistent
Slowlaris password file, you're still going to have to go digging
around in it with vipw to fix the problem.

  Still, I'd be interested in anything that you do have that's
more intelligent than a "grab-n-mash with the assumption that
the Slowlaris password files are consistent to start with"

Ted Mittelstaedt                      tedm@toybox.placo.com
Author of:          The FreeBSD Corporate Networker's Guide
Book website:         http://www.freebsd-corp-net-guide.com


>-----Original Message-----
>From: T. William Wells [mailto:bill@twwells.com]
>Sent: Monday, March 05, 2001 9:51 PM
>To: Ted Mittelstaedt
>Subject: Re: SUN TO BSD
>
>
>join, comm, sort, cut, and paste
>
>This combination of tools will do all the below, *without* the
>necessity of manual, and therefore error-prone, checking of order
>and identity.
>
>Better yet, it can all be packaged in a script.....
>
>> In order to migrate the Solaris password file to the FreeBSD system,
>> ...
>

To Unsubscribe: send mail to majordomo@FreeBSD.org
with "unsubscribe freebsd-questions" in the body of the message
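
The join/comm/sort/cut approach discussed in this thread, as an added example that is not from any of the posters: it compares login names in the two Solaris files, refuses to merge when they disagree, and otherwise joins on the login name into the same master.passwd layout as the awk one-liner above. The function names, file names and sample accounts are constructed for illustration.

```shell
#!/bin/sh
# Added example: merge Solaris passwd + shadow by login name, never by line number.
# All accounts, hashes and file names below are constructed for illustration.
LC_ALL=C; export LC_ALL          # sort, comm and join must agree on collation

# Logins present in file $1 but missing from file $2.
names_only_in() {
    t=$(mktemp -d) || return 1
    cut -d: -f1 "$1" | sort -u > "$t/a"
    cut -d: -f1 "$2" | sort -u > "$t/b"
    comm -23 "$t/a" "$t/b"
    rm -rf "$t"
}

# Logins that occur more than once in file $1.
duplicate_names() { cut -d: -f1 "$1" | sort | uniq -d; }

# Print master.passwd lines for passwd $1 + shadow $2; refuse if they disagree.
merge_to_master() {
    bad="$(names_only_in "$1" "$2")$(names_only_in "$2" "$1")"
    bad="$bad$(duplicate_names "$1")$(duplicate_names "$2")"
    if [ -n "$bad" ]; then
        echo "passwd and shadow are out of phase, not merging" >&2
        return 1
    fi
    t=$(mktemp -d) || return 1
    sort -t: -k1,1 "$1" > "$t/p"
    sort -t: -k1,1 "$2" > "$t/s"
    # Key on the login: hash from shadow field 2, everything else from passwd.
    join -t: -o 1.1,2.2,1.3,1.4,1.5,1.6,1.7 "$t/p" "$t/s" |
        awk -F: '{ printf("%s:%s:%s:%s::0:0:%s:%s:%s\n", $1,$2,$3,$4,$5,$6,$7) }'
    rm -rf "$t"
}

# Constructed sample: carol has a passwd entry but no shadow entry.
write_sample() {
    cat > "$1/passwd" <<'EOF'
alice:x:1001:100:Alice A:/home/alice:/bin/sh
carol:x:1003:100:Carol C:/home/carol:/bin/csh
bob:x:1002:100:Bob B:/home/bob:/bin/ksh
EOF
    cat > "$1/shadow" <<'EOF'
bob:HASHBOB:11000::::::
alice:HASHALICE:11000::::::
EOF
}
```

Because the merge keys on the login rather than on line position, a missing or reordered shadow entry is reported by name instead of silently shifting hashes onto the wrong accounts. The merged output should still go through pwd_mkdb -C before it is appended to /etc/master.passwd.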







