Bug 68880

Summary: Wishlist: Loading accounts and passwords.
Product: [Retired] Red Hat Linux
Reporter: David Richards <drichard>
Component: passwd
Assignee: Tomas Mraz <tmraz>
Status: CLOSED DEFERRED
QA Contact: Mike McLean <mikem>
Severity: medium
Priority: medium
Version: 7.3
Keywords: FutureFeature
Hardware: i686
OS: Linux
Doc Type: Enhancement
Last Closed: 2005-09-08 16:53:38 UTC

Description David Richards 2002-07-15 17:04:13 UTC

Description of problem:
We have 900+ people on each of our servers, and when we build new machines and
upgrade, we need to be able to have a way to load them like the 'ap' command
found on some Unix flavors.  This dumps the accounts, groups and passwords to a
flat file, and then allows you to import them on a new machine.  This could be a
feature of passwd or a command in itself.



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Feature not available in current RH product.
2. Man page for 'ap' is below.

Additional info:

ap(ADM)
  *******

  ____________________________________________________________________________
  ap -- generate account profile for propagation to other machines

  Syntax
  ======

  ap -d [-g ] [ -v ] [ usernames ]

  ap -r -f file [ -o ] [ -v ] [ usernames ]

  ap -u directory [ -o ] [ -v ] [ usernames ]

  Description
  ===========

  ap provides a simple method of propagating user account profiles between
  machines.

  An account profile entry consists of the user's line from the password file
  followed by all relevant parts of their Protected Password database entry.
  The following Protected Password database fields are irrelevant and are not
  copied:

  Time of last unsuccessful password change.
  Time of last successful and last unsuccessful login.
  Terminal of last successful and last unsuccessful login.
  Number of consecutive unsuccessful logins.

  ap -d writes an account profile entry to the standard output for each
  username specified. If no usernames are specified, account profiles are
  written for all users listed in the password file.

  The -g (group) option causes ap to include group membership in the account
  profile information that is written out.

  ap -r restores account profile information from the file specified by the
  -f option, which is assumed to be the product of a previous ap -d. If no
  usernames are specified, all the account profiles contained in the file are
  restored; otherwise only the account profiles for the specified users are
  restored.

  ap -u updates the system with account profile information copied from other
  SCO OpenServer systems. The directory specified is expected to contain the
  /etc/passwd and /tcb/files/auth/?/* files copied from another system. To
  preserve group membership, the /etc/group file may (optionally) also be
  included under the directory. If no usernames are specified, all the
  account profiles contained in the files under the specified directory are
  restored; otherwise only the account profiles for the specified users are
  restored.

  The -v (verbose) option causes ap to output a message to the standard error
  for each account profile dumped or restored.

  The -o (overwrite) option causes ap to overwrite an existing account profile
  which has the same username and user ID as one being restored. If the -o
  option is not specified a message is output and existing entries are not
  overwritten.

  Exit values
  ===========

  If ap detects a fatal error, it displays an appropriate error message and
  exits with status greater than zero. If no errors are encountered,
  ap exits with status zero.

  Examples
  ========

  To dump the account profiles for users root and guest to a file called
  profiles and display a message after each account profile is dumped:

  ap -dv root guest > profiles

  This file can then be transferred to another machine. To restore the account
  profile for user root, overwriting any existing profile:

  ap -ro -f profiles root

  Limitations
  ===========

  As different machines may have different System Default values, the same
  profile transferred to another machine may give the user different
  capabilities simply because different default values are picked up for
  fields not present in the user's Protected Password database entry.

  As the file containing the dumped account profile information is used to
  update the password and Protected Password database, it must be protected
  from unauthorized access in the same way the Protected Password database
  entries themselves are protected.

  Authorization
  =============

  ap requires the invoking user to be the superuser or have the auth subsystem
  authorization, and have both the chown and execsuid kernel privileges.

  Files
  =====

  /etc/passwd
          Password file

  /etc/shadow
          Shadow Password file

  /etc/group
          Group file

  /tcb/files/auth/?/*
          Protected Password database

  /etc/auth/subsystems/*
          Subsystem Authorizations database
=========

Comment 1 Tomas Mraz 2005-09-08 16:53:38 UTC
This would be really nice to have, but it would mean implementing such a command
from scratch (I haven't found anything like it with GPL or BSD licenses on the web).

It can be worked around by using an LDAP server for storing user accounts or by
transferring the actual passwd, shadow.... files.
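
An added sketch (not part of the original report, the SCO tool, or any Red Hat package) of the `ap -d` / `ap -r [-o]` semantics from the man page, applied to passwd- and shadow-format text as in the file-transfer workaround above. The `P `/`S ` dump format, the function names, the sample data, and the rule that a username/UID mismatch is always skipped are assumptions.

```python
import os

# Constructed sample data; the hash fields are placeholders, not real hashes.
SRC_PASSWD = "alice:x:1001:1001::/home/alice:/bin/bash\nbob:x:1002:1002::/home/bob:/bin/bash\ncarol:x:1003:1003::/home/carol:/bin/bash\n"
SRC_SHADOW = "alice:HASH_ALICE_SRC:11883:0:99999:7:::\nbob:HASH_BOB_SRC:11883:0:99999:7:::\ncarol:HASH_CAROL_SRC:11883:0:99999:7:::\n"
DST_PASSWD = "root:x:0:0:root:/root:/bin/bash\nalice:x:1001:1001::/home/alice:/bin/sh\ndave:x:1002:1002::/home/dave:/bin/bash\n"
DST_SHADOW = "root:HASH_ROOT:11883:0:99999:7:::\nalice:HASH_ALICE_OLD:11883:0:99999:7:::\ndave:HASH_DAVE:11883:0:99999:7:::\n"

def parse(text):
    """Index colon-separated passwd/shadow lines by username (field 0)."""
    return {f[0]: f for f in (l.split(":") for l in text.splitlines() if l.strip())}

def dump(passwd, shadow, users=None):
    """Like `ap -d`: emit each user's passwd line, then their shadow line."""
    pw, sh = parse(passwd), parse(shadow)
    out = []
    for name in users or pw:
        if name in pw:
            out.append("P " + ":".join(pw[name]))
            if name in sh:
                out.append("S " + ":".join(sh[name]))
    return "\n".join(out) + "\n"

def restore(profile, passwd, shadow, overwrite=False):
    """Like `ap -r [-o]`: merge a dump into the target's passwd/shadow text."""
    pw, sh = parse(passwd), parse(shadow)
    uid_owner = {f[2]: name for name, f in pw.items()}
    skipped, name = [], None
    for line in profile.splitlines():
        kind, _, rec = line.partition(" ")
        f = rec.split(":")
        if kind == "P":
            name = f[0]
            same = name in pw and pw[name][2] == f[2]
            # Assumption: a name or UID that maps to a different account is never merged.
            clash = (name in pw and not same) or uid_owner.get(f[2], name) != name
            if clash or (same and not overwrite):
                skipped.append(name)
                name = None  # also drops the S line that follows
            else:
                pw[name], uid_owner[f[2]] = f, name
        elif kind == "S" and name == f[0]:
            sh[name] = f
    join = lambda d: "".join(":".join(f) + "\n" for f in d.values())
    return join(pw), join(sh), skipped

def write_private(path, data):  # create 0600; never reuse an existing file
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(data)
```

The dump carries password hashes, so `write_private` follows the man page's Limitations note that the file needs the same protection as the password database itself.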