
Question: Migrating existing users from one host to another?

Posted by gg234 on Wed 12 Oct 2005 at 11:53

Presently we are migrating from a Redhat Linux webserver to a Debian GNU/Linux 3.1 webserver. We need to transfer all the users and passwords across to the new host, so that users can log in using their current details.

How do we do this?

One option is to copy the shadow and password files and their home directories to the new Debian host. How should we do that?

 

 


Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (207.74.xx.xx) on Wed 12 Oct 2005 at 12:30
I use rsync to copy the /etc/passwd, /etc/group and /etc/shadow files between three Debian systems to keep usernames/passwords in sync right now. With this I ONLY make changes to the user accounts on one system and they get duplicated. Users only need /home directories on the email server so it's never been a problem. The other servers do things like squid auth and rsync-ing the files works fine.

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by adumont (80.58.xx.xx) on Thu 13 Oct 2005 at 08:58
You may also have to copy crontab files from cron spool (/var/spool/cron/crontabs in Debian GNU/Linux) if your users use cron.

About copying only the user part of shadow/passwd/group... I usually do it manually, as sometimes a uid/gid already exists on the destination server. In that case, it's necessary to change some users' uid/gid.

I do it using find / -user username -exec chown -h newid {} \; (notice the "-h").

Regards,
Alex

[ Parent ]
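A pre-merge check for the uid clashes described in the post above, added here as an example and not part of the original thread. It assumes the Red Hat passwd file has been copied to the Debian host; the function names, file arguments and the source UID_MIN of 500 (the Red Hat default of that era, which falls inside Debian's 100-999 system range) are assumptions.

```bash
#!/bin/bash
# Added example: report name and UID clashes before merging accounts.
# Assumptions: file arguments are passwd-format copies; 500 is the lowest
# regular UID on the Red Hat source.

# Print "name:uid:gid" for every regular account in a passwd-format file.
# $1 = passwd file, $2 = lowest regular UID
regular_users() {
    awk -F: -v min="$2" \
        '$3 >= min && $1 != "nobody" && $1 != "nfsnobody" { print $1 ":" $3 ":" $4 }' "$1"
}

# Compare the source's regular users with the destination passwd file.
# $1 = source passwd, $2 = destination passwd, $3 = source UID_MIN
# Prints one line per user: STATUS name uid
#   OK          neither the name nor the UID exists on the destination
#   SAME        the name exists with the same UID
#   NAME-CLASH  the name exists with a different UID
#   UID-CLASH   the UID belongs to another destination account (shown in parentheses)
check_clashes() {
    regular_users "$1" "$3" | awk -F: '
        dest { uid_of[$1] = $3; name_of[$3] = $1; next }   # destination entries
        ($1 in uid_of) && uid_of[$1] == $2 { print "SAME", $1, $2; next }
        ($1 in uid_of)  { print "NAME-CLASH", $1, $2; next }
        ($2 in name_of) { print "UID-CLASH(" name_of[$2] ")", $1, $2; next }
        { print "OK", $1, $2 }
    ' dest=1 "$2" dest=0 -
}

# Typical call on the Debian host:
#   check_clashes passwd.redhat /etc/passwd 500
```

Any UID-CLASH line means copied files would end up owned by a different account on the destination until they are re-owned with the find/chown -h command from the post; the same comparison applies to gids in /etc/group.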

Re: Question: Migrating existing users from one host to another?
Posted by gna (212.40.xx.xx) on Wed 12 Oct 2005 at 14:15
Be careful to only copy the users part of the following files:
  • passwd
  • shadow
  • group
  • gshadow

I did this on a "potato-to-sarge" reinstall.

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (82.127.xx.xx) on Wed 12 Oct 2005 at 16:15
And how do you "only copy" the users part? This is something I would really like to do, but...
Let's say you have 2 servers.
server01 is the master (meaning the shadow... will be copied from it)
server02 is the slave
Using grep (or anything), you can copy, let's say all UID >= 1000 and append them to the shadow file on the slave server. This is ok.
But now, when the next "replication" comes, how do you append only _new_ users to the slave?

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by gna (212.40.xx.xx) on Wed 12 Oct 2005 at 16:40
The question is about migrating from RedHat to Debian.

I cannot see any problems in a one time sort-and-copy of the mentioned files.
If I'm right, there was no question about syncing the userbase all the time, so what kind of "next replication" do you talk about?

For replication there is no way out of having a full identical passwd, etc. or you just use a central LDAP or SQL userbase (pam.ldap - pam.mysql for example).

Cheers

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (212.122.xx.xx) on Wed 12 Oct 2005 at 19:20
1. Get system part of passwd (UID < 1000 and nobody) and save it in /etc/passwd.static
2. Instead of appending to passwd overwrite /etc/passwd.dynamic
3. cat /etc/passwd.static /etc/passwd.dynamic > /etc/passwd; pwconv

Or write a simple Perl script. But keeping users in some central directory (like LDAP or NIS) is IMO a better idea.

[ Parent ]
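The three steps above with validation before the live file is replaced, as an added example (not the poster's script). The function name, the temp-file handling and the UID_MIN argument are assumptions; it refuses a replicated part that contains a system UID such as 0, a duplicate name, or a malformed line.

```bash
#!/bin/bash
# Added example: rebuild a passwd file from a static (system) part and a
# dynamic (replicated) part, installing it only if it passes sanity checks.
# $1 = static part, $2 = dynamic part, $3 = file to replace,
# $4 = lowest UID allowed in the dynamic part (assumed 1000 on Debian)
rebuild_passwd() {
    local tmp

    # Validate both parts before touching the target.
    awk -F: -v min="$4" '
        NF != 7 || $3 !~ /^[0-9]+$/ { bad = 1; print "malformed: " $0 > "/dev/stderr"; next }
        seen[$1]++                  { bad = 1; print "duplicate name: " $1 > "/dev/stderr" }
        dyn && $3 < min             { bad = 1; print "system UID in dynamic part: " $1 > "/dev/stderr" }
        $1 == "root" && $3 == 0     { root = 1 }
        END { exit (bad || !root) }
    ' dyn=0 "$1" dyn=1 "$2" || return 1

    # Build the new file next to the target so that mv is an atomic rename.
    tmp=$(mktemp "$3.XXXXXX") || return 1
    if cat "$1" "$2" > "$tmp" && chmod 644 "$tmp" && mv -f "$tmp" "$3"; then
        return 0
    fi
    rm -f "$tmp"
    return 1
}

# Typical call as root, followed by pwconv as in step 3 of the post:
#   rebuild_passwd /etc/passwd.static /etc/passwd.dynamic /etc/passwd 1000 && pwconv
```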

Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (67.163.xx.xx) on Wed 12 Oct 2005 at 22:20
I second that, especially if you end up with multiple servers such as a master and a backup. LDAP is what you want, friend.

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (212.254.xx.xx) on Thu 13 Oct 2005 at 08:52
I agree. NIS is *really* easy to set up.
But LDAP is a little bit more complicated. But that's also more secure...
If you are a newbie, just wanting to have the same users on 2-3 servers, use NIS. Else, if you have more advanced needs, use LDAP.

Another thing: you say you use these users for squid, not for user auth via SSH.
I don't know Squid well, but I think you can use PAM to auth users in Squid, so it will be possible to use LDAP directly with Squid. You don't need to have users defined at system level (/etc/passwd).

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by perx76 (213.174.xx.xx) on Thu 13 Oct 2005 at 10:11
Making a plain copy of passwd & shadow user entries is a poor solution and may conflict with Debian policy rules about uids.

A better solution is to extract username and gecos info from the older passwd. Once you have gathered that info, you can use it to create users through the adduser command.
All of that can be automated through a simple bash script:

#!/bin/bash
#
# usage:   migrate-passwd <password-file>
#
# remarks: the password file must be a copy of passwd that contains
#          only the entries to be migrated.
#

[ -f "$1" ] || exit 1

# Read one passwd entry per line; splitting on ':' keeps gecos fields
# that contain spaces intact.
while IFS=: read -r username _ _ _ gecos _ ; do
        # stdin is redirected so adduser cannot consume the entry list
        adduser --disabled-password --gecos "$gecos" "$username" \
                > /dev/null < /dev/null
done < "$1"

Since the previous script creates accounts with a disabled password, you must also migrate the shadow file. This can be accomplished with another script:

#!/bin/bash
#
# usage: migrate-shadow <shadow-like-file>
#
# remarks: the shadow-like file must be a copy of shadow that contains
#          only the entries to be migrated.
#

[ -f "$1" ] || exit 1

elsebranch=

echo -e "BEGIN { FS=\":\" }\n{"

# Emit one awk branch per entry that swaps in the migrated password hash.
while IFS=: read -r username encpassword _ ; do
        echo "${elsebranch}if ( \$0 ~ /^$username:/ ) \
                printf \"%s:%s:%s:%s:%s:%s:%s:%s:%s\n\",\$1, \
                \"$encpassword\", \$3,\$4,\$5,\$6,\$7,\$8,\$9;"
        elsebranch="else "
done < "$1"

echo "else print \$0;"
echo -e "}\nEND {}"

The shadow migration script generates an awk script and prints it to standard output. You can use it to generate a new shadow file on the target Debian server:

# migrate-shadow my-redhat-shadow-useronly-list > shadow-filter.awk

# awk -f shadow-filter.awk /etc/shadow > my-new-shadow-file-with-updated-pass

Maybe you want also to migrate some group related info and some other databases. You can modify these simple scripts to accomplish any system database migration task.

[ Parent ]
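An alternative to generating an awk filter, added here as an example and not perx76's code: once the accounts exist, feed name:hash pairs to chpasswd -e so the hashes never land in an intermediate file. The function names, arguments and the source UID_MIN of 500 are assumptions; empty and locked password fields are reported on stderr and skipped rather than carried over.

```bash
#!/bin/bash
# Added example: carry password hashes over for regular users only.
# Assumptions: $1 and $2 are copies of the source host's passwd and shadow,
# $3 is the lowest regular UID on the source (500 on Red Hat of that era).

# Print "name:hash" lines in the format `chpasswd -e` expects.
hash_pairs() {
    awk -F: -v min="$3" '
        # First file (passwd): remember which names are regular accounts.
        pw && $3 >= min && $1 != "nobody" && $1 != "nfsnobody" { want[$1] = 1; next }
        pw { next }
        # Second file (shadow): emit hashes for those names only.
        !($1 in want) { next }                                   # system account
        $2 == ""      { print "skip-empty " $1 > "/dev/stderr"; next }   # no password set
        $2 ~ /^[!*]/  { print "skip-locked " $1 > "/dev/stderr"; next }  # locked account
        { print $1 ":" $2 }
    ' pw=1 "$1" pw=0 "$2"
}

# Run as root on the Debian host after the accounts have been created
# (for example with adduser --disabled-password). The pipe keeps the
# hashes out of temporary files.
apply_hashes() {
    hash_pairs "$@" | chpasswd -e
}

# Review first, then apply:
#   hash_pairs passwd.redhat shadow.redhat 500 | cut -d: -f1
#   apply_hashes passwd.redhat shadow.redhat 500
```

Accounts listed as skip-empty or skip-locked stay in the disabled-password state adduser gave them; keep the copied shadow file readable by root only and delete it after the migration.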

Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (213.164.xx.xx) on Thu 13 Oct 2005 at 10:17

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by stoffell (81.164.xx.xx) on Thu 13 Oct 2005 at 18:41
Great, I have seen this before a few years ago, nice to see it still exists! Haven't tried it yet..

---
stoffell

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by stoffell (81.164.xx.xx) on Thu 13 Oct 2005 at 18:44
I had the same issue a few days ago. Just started reinstalling a 'new' Debian box, copied over the data (mysql/html/..) and re-created the FTP users (the only users needed are ftp users) with myftpadmin. (used to be a project on freshmeat, doesn't seem to exist anymore) That way I can easily create users in mysql and I only have virtual users. (using proftpd-mysql)
---
stoffell

[ Parent ]

Re: Question: Migrating existing users from one host to another?
Posted by Anonymous (80.100.xx.xx) on Fri 14 Oct 2005 at 11:57
Use Perl :)

I recently performed such a migration. Here are the steps I took.

I grabbed the /etc/passwd, /etc/group, /etc/shadow and /etc/skel/* from the old system. Edited the passwd file to remove the system users.

Wrote some Perl that did the following. Read the passwd file and built a hash with the login as the key. Ran split() on every line and filled the hash with $info{$name}{'homedir'} = $line[5]; (for example). Read group and added group info in an array (different entry than the default group). Read the shadow file and added the password hash to %info.

Then it's system() time. Scripted up useradd and usermod + system() on a foreach loop of the %info hash. Opened /etc/shadow and for each user changed the hash. Voila. Users migrated.

[ Parent ]