Date: Tue, 6 Mar 2001 00:17:55 -0800
From: "Robert L Sowders" <rsowders@usgs.gov>
To: "Ted Mittelstaedt" <tedm@toybox.placo.com>
Cc: freebsd-questions@freebsd.org
Subject: RE: SUN TO BSD
Message-ID: <OFBBCF4250.90B761E1-ON88256A07.00297ECB@wr.usgs.gov>

While I have not had the blessing of a Solaris passwd file that was "out of phase", I do see this as a problem. Pasting the mishmash together in a spreadsheet would lend itself to a quick visual confirmation of a complete "in phase" file. Out of phase is a good description of Solaris.

Now that we have a good file, you must run, pwd_mkdb -C your_file, to check the syntax. If no errors then change the name to master.passwd:

cat new_passwd >> /etc/master.passwd

and then run, pwd_mkdb -p /etc/master.passwd. This must be done to ensure that all the secure and insecure and other files are created correctly, vipw was designed for minor edits of the database, not an entirely new database.

But even after all this you still have to create the home dirs, groups, permissions and other user areas. And I don't really like windows all that much. Since this is most readily accomplished with shell scripts and the needed lines to do everything is just a bit extra, why not go the extra couple of inches? If the passwd file is out of phase then pwd_mkdb would signal a problem.

or you could

#Here is a short awk script to change Solaris passwd to freebsd (system 7) may need to be adjusted for your file YMMV.
cat Solaris_passwd | awk -F : '{printf("%s:%s:%s:%s::0:0:%s:%s:%s\n",$1,$2,$3,$4,$5,$6,$7); }' > new_passwd

#edit file new_passwd and remove all the system entries, then add it to your existing master.passwd.
cat new_passwd >> /etc/master.passwd

#now rebuild all the databases and files.
pwd_mkdb -p /etc/master.passwd

If the above steps complete without error, you should have a working password file. You can force a passwd change at next login by replacing the 6th field 0 with a 1, to get everyone into the MD5 camp.

Now you can do a simple cat /etc/master.passwd | cut -d: -f1 > list, and then create a simple "for user in list do" script to make all the user dirs, groups, perms, etc, etc.

The most important aspect of all this is to be sure to use pwd_mkdb -p /etc/master.passwd to rebuild all the files, and databases.

Once again, the above example is just that "AN EXAMPLE". Do not use it blindly. MAKE YOUR BACKUPS.

Have fun, I did.

"Ted Mittelstaedt" <tedm@toybox.placo.com>
Sent by: owner-freebsd-questions@FreeBSD.ORG
03/05/2001 10:39 PM
To: "T. William Wells" <bill@twwells.com>
cc: <freebsd-questions@freebsd.org>
Subject: RE: SUN TO BSD

Hi Bill,

I hope you don't mind me CCing the list on the response, I'm doing it in case someone else is scratching their head wondering why I advocated such an odd approach.

I've actually done a few of these Slowlaris migrations myself. The first one I did attempt it your way, by constructing this script thingie to do it without the necessity of a manual intervention with a spreadsheet. Well, I was very unhappy to discover this nice little present that Sun left the UNIX administrators that work on Slowlaris - their password tools do NOT check the password files' consistency! vipw is the biggest offender, but there's others.

The result of this was that I had a Solaris box where the first 300-500 lines between the regular and the shadow file were in phase, then there was a missing entry from the shadow and for a couple hundred more lines they were out of phase, then there were 2 missing entries from the regular and they were out of phase the other direction, etc. Don't ask me how this system worked at all, but it had been running apparently for years in this state! Authentication for all users worked, and the only thing that didn't work was finger - invariably fingering a user would return that the user didn't exist.

Of course I figured all this out later, after spending several hours discovering that this even could happen at all. You could imagine what a pissed-off state I was in by then.

Since then I don't trust raw Slowlaris password files any further than I can spit a rat, and I always do a visual inspection of all the entries. A spreadsheet is the quickest way to do a visual inspection and can be used to merge the two files. Even going through 10K entries in a spreadsheet shouldn't take more than 15 minutes or so, you don't after all have to read every single line.

You might think it's error-prone but you're going to have a lot of work to add all the consistency checking into a migration script, and by the time you finish debugging a script to do this my way is a lot quicker. Also, even if you do make up a script to do this, if the script blows the whistle on an inconsistent Slowlaris password file, you're still going to have to go digging around in it with vipw to fix the problem.

Still, I'd be interested in anything that you do have that's more intelligent than a "grab-n-mash with the assumption that the Slowlaris password files are consistent to start with"

Ted Mittelstaedt tedm@toybox.placo.com
Author of: The FreeBSD Corporate Networker's Guide
Book website: http://www.freebsd-corp-net-guide.com

>-----Original Message-----
>From: T. William Wells [mailto:bill@twwells.com]
>Sent: Monday, March 05, 2001 9:51 PM
>To: Ted Mittelstaedt
>Subject: Re: SUN TO BSD
>
>
>join, comm, sort, cut, and paste
>
>This combination of tools will do all the below, *without* the
>necessity of manual, and therefore error prone, checking of order
>and identity.
>
>Better yet, it can all be packaged in a script.....
>
>> In order to migrate the Solaris password file to the FreeBSD system,
>> ...
>

To Unsubscribe: send mail to majordomo@FreeBSD.org with "unsubscribe freebsd-questions" in the body of the message

Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?OFBBCF4250.90B761E1-ON88256A07.00297ECB>
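
The consistency check discussed in the thread, sketched with the comm, join, sort and cut tools named in the quoted reply, as an added example that is not part of the original messages: it reports login names present in only one of the Solaris passwd and shadow files, then merges matching entries into master.passwd format. The function names, file names and sample entries are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread): check Solaris passwd/shadow agreement,
# then build FreeBSD master.passwd lines. File names are assumptions.
LC_ALL=C; export LC_ALL      # one collation for sort, comm, uniq and join

names() { cut -d: -f1 "$1" | sort; }   # sorted login names of a file

# check_phase PASSWD SHADOW: list every inconsistency; return 1 if any.
check_phase() {
    t=$(mktemp -d) || return 2
    names "$1" > "$t/p"; names "$2" > "$t/s"
    {   comm -23 "$t/p" "$t/s" | sed 's/^/passwd-only: /'
        comm -13 "$t/p" "$t/s" | sed 's/^/shadow-only: /'
        uniq -d "$t/p" | sed 's/^/duplicate-in-passwd: /'
        uniq -d "$t/s" | sed 's/^/duplicate-in-shadow: /'
    } > "$t/report"
    cat "$t/report"
    if [ -s "$t/report" ]; then rc=1; else rc=0; fi
    rm -rf "$t"; return "$rc"
}

# merge_master PASSWD SHADOW: join on login name, take the hash from shadow
# field 2, emit name:hash:uid:gid:class:change:expire:gecos:home:shell with
# empty class and change/expire of 0, as the awk one-liner in the message does.
merge_master() {
    t=$(mktemp -d) || return 2
    sort -t: -k1,1 "$1" > "$t/p"; sort -t: -k1,1 "$2" > "$t/s"
    join -t: -o 1.1,2.2,1.3,1.4,1.5,1.6,1.7 "$t/p" "$t/s" |
        awk -F: '{printf("%s:%s:%s:%s::0:0:%s:%s:%s\n",$1,$2,$3,$4,$5,$6,$7)}'
    rm -rf "$t"
}

# make_sample DIR: constructed input; bob has no shadow entry and carol no
# passwd entry, the "out of phase" state described in the thread.
make_sample() {
    printf '%s\n' 'alice:x:1001:100:Alice:/home/alice:/bin/sh' \
        'bob:x:1002:100:Bob:/home/bob:/bin/sh' \
        'dave:x:1004:100:Dave:/home/dave:/bin/csh' > "$1/passwd"
    printf '%s\n' 'alice:HASH_A:11000::::::' 'carol:HASH_C:11000::::::' \
        'dave:HASH_D:11000::::::' > "$1/shadow"
}

d=$(mktemp -d) && make_sample "$d"
check_phase "$d/passwd" "$d/shadow" || echo "out of phase: fix before merging"
merge_master "$d/passwd" "$d/shadow"
rm -rf "$d"
```

Entries that appear in only one file are left out of the merged output, so the report from check_phase should be empty before the result is passed to pwd_mkdb -C.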