Bug 68880 - Wishlist: Loading accounts and passwords.
Summary: Wishlist: Loading accounts and passwords.
Alias: None
Product: Red Hat Linux
Classification: Retired
Component: passwd (Show other bugs)
(Show other bugs)
Version: 7.3
Hardware: i686 Linux
Target Milestone: ---
Assignee: Tomas Mraz
QA Contact: Mike McLean
Keywords: FutureFeature
Depends On:
TreeView+ depends on / blocked
Reported: 2002-07-15 17:04 UTC by David Richards
Modified: 2007-04-18 16:44 UTC (History)
0 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2005-09-08 16:53:38 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

Description David Richards 2002-07-15 17:04:13 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.1a+) Gecko/20020715

Description of problem:
We have 900+ people on each of our servers, and when we build new machines and
upgrade, we need to be able to have a way to load them like the 'ap' command
found on some Unix flavors.  This dumps the accounts, groups and passwords to a
flat file, and then allows you to import then on a new machine.  This could be a
feature of passwd or a command in itself.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Feature not available in current RH product.
2. Man page for 'ap' is below.

Additional info:


  ap -- generate account profile for propagation to other machines


  ap -d [-g ] [ -v ] [ usernames ]

  ap -r -f file [ -o ] [ -v ] [ usernames ]

  ap -u directory [ -o ] [ -v ] [ usernames ]


  ap provides a simple method of propagating user account profiles between

  An account profile entry consists of the user's line from the password file
  followed by all relevant parts of their Protected Password database entry.
  The following Protected Password database fields are irrelevant and are not

  Time of last unsuccessful password change.
  Time of last successful and last unsuccessful login.
  Terminal of last successful and last unsuccessful login.
  Number of consecutive unsuccessful logins.

  ap -d writes an account profile entry to the standard output for each
  username specified. If no usernames are specified, account profiles are
  written for all users listed in the password file.

  The -g (group) option causes ap to include group membership in the account
  profile information that is written out.

  ap -r restores account profile information from the file specified by the
  -f option, which is assumed to be the product of a previous ap -d. If no
  usernames are specified, all the account profiles contained in the file are
  restored; otherwise only the account profiles for the specified users are

  ap -u updates the system with account profile information copied from other
  SCO OpenServer systems. The directory specified is expected to contain the
  /etc/passwd and /tcb/files/auth/?/* files copied from another system. To
  preserve group membership, the /etc/group file may (optionally) also be
  included under the directory. If no usernames are specified, all the
  account profiles contained in the files under the specified directory are
  restored; otherwise only the account profiles for the specified users are

  The -v (verbose) option causes ap to output a message to the standard error
  for each account profile dumped or restored.

  The -o (overwrite) option causes ap to overwrite an existing account profile
  which has the same username and user ID as one being restored. If the -o
  option is not specified a message is output and existing entries are not

  Exit values

  If ap detects a fatal error, it displays an appropriate error message and
  exits with status greater than zero. If no errors are encountered,
  ap exits with status zero.


  To dump the account profiles for users root and guest to a file called
  profiles and display a message after each account profile is dumped:

  ap -dv root guest > profiles

  This file can then be transferred to another machine. To restore the account
  profile for user root, overwriting any existing profile:

  ap -ro -f profiles root

  ==  As different machines may have different System Default values, the same
  profile transferred to another machine may give the user different
  capabilities simply because different default values are picked up for
  fields not present in the user's Protected Password database entry.

  As the file containing the dumped account profile information is used to
  update the password and Protected Password database, it must be protected
  from unauthorized access in the same way the Protected Password database
  entries themselves are protected.


  ap requires the invoking user to be the superuser or have the auth subsystem
  authorization, and have both the chown and execsuid kernel privileges.


          Password file

          Shadow Password file

          Group file

          Protected Password database

          Subsystem Authorizations database

Comment 1 Tomas Mraz 2005-09-08 16:53:38 UTC
This would be really nice to have but it would mean to implement such command
from scratch (I haven't found anything like it with GPL or BSD licenses on web).

It can be workarounded by using LDAP server for storing user accounts or by
tranfering the actual passwd, shadow.... files.

Note You need to log in before you can comment on or make changes to this bug.