Migrating Users in Linux

When a server is to be replaced, it is often a requirement to migrate all user accounts to the new server exactly as they are, which means that the passwords on those accounts must not change either.

Before the account migration a brief freeze should be imposed on the old server: no accounts are created or removed and no passwords are changed until the migration is completed and tested, otherwise the copied hashes go stale.

To do the migration I used the “pwunconv” utility to merge the passwd and shadow files on the source server, then copied the merged file across to the new server. Note that pwunconv writes the password hashes back into /etc/passwd, which is world-readable, so run pwconv again on the old server as soon as the copy has been taken, and keep the copy readable only by root (chmod 600) in transit and on the new server until it has been merged and deleted.

On the new server I also ran the “pwunconv” utility to merge its passwd and shadow files, and then appended the file copied from the old server to it.

On old server

sysadmin@old-server:$ sudo /usr/sbin/pwunconv
sysadmin@old-server:$ cp /etc/passwd newpasswd
sysadmin@old-server:$ scp newpasswd new-server:.

On new server

  • Remove the old-server system accounts from newpasswd, as the new-server already has its own system accounts (on Debian these are the entries with UIDs below 1000).
    ajitabhp@new-server:$ vi newpasswd
    ......
    [remove the system accounts]
    
  • Merge the passwd and shadow files on the new server, then append newpasswd to /etc/passwd. Before appending, check that no user name or UID in newpasswd is already present on the new server: pwck will flag a duplicate user name, but not a duplicate UID, and two entries sharing a UID share a single identity. The redirection has to run as root too; written as “sudo cat newpasswd >> /etc/passwd” the append is done by the unprivileged shell and fails with permission denied.
    ajitabhp@new-server:$ sudo /usr/sbin/pwunconv
    ajitabhp@new-server:$ sudo sh -c 'cat newpasswd >> /etc/passwd'
    
  • Change the shell of all users who have /sbin/nologin to /bin/false. This step was required because Debian does not ship a /sbin/nologin shell (its nologin lives at /usr/sbin/nologin); /bin/false serves the same purpose of refusing interactive logins. Using a different sed delimiter avoids escaping every slash in the paths.
    ajitabhp@new-server:$ sudo sed -i 's#/sbin/nologin#/bin/false#' /etc/passwd
    
  • Finally, split /etc/passwd back into /etc/passwd and /etc/shadow, run a syntax check, and then sort the entries by UID (pwck -s). pwconv does not touch /etc/group and /etc/gshadow; if group memberships must be carried over as well, the same sequence applies to them with grpunconv, grpconv and grpck.
    ajitabhp@new-server:$ sudo /usr/sbin/pwconv
    ajitabhp@new-server:$ sudo /usr/sbin/pwck
    ajitabhp@new-server:$ sudo /usr/sbin/pwck -s
    

The syntax check reported that the home directories of all the accounts migrated from old-server do not exist. So I ran this one-liner to create the home directories listed in /etc/passwd, if they do not already exist, owned by each account's own user and primary group as recorded in the passwd entry:

ajitabhp@new-server:~$ grep ":/home/" /etc/passwd | cut -d: -f1,4,6 | while IFS=: read -r user gid directory; do if [ ! -d "$directory" ]; then sudo mkdir "$directory"; sudo chown "$user:$gid" "$directory"; sudo chmod 755 "$directory"; fi; done

This only creates empty directories with the right ownership; the contents of the old home directories still have to be copied across separately, for example with rsync -a --numeric-ids once the UIDs and GIDs on both sides match.
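The merge step and the home-directory step above, as one added example that is not code from the original post: a POSIX shell script that performs the append against copies of the two pwunconv'd passwd files rather than against /etc directly, drops the old server's system accounts, refuses entries whose user name or UID already exists on the new server (the UID case is the one pwck does not catch), rewrites /sbin/nologin to /bin/false, and creates the missing /home directories owned by each entry's own uid:gid. The sample passwd lines are constructed, the 999 system-UID cutoff is an assumption matching Debian's default, and the function names are the example's own.

```shell
#!/bin/sh
# Added example, not code from the original post. Merges an old server's
# pwunconv'd passwd (hash in field 2) into the new server's pwunconv'd
# passwd, the way the post does by hand, with the checks done up front.
# Work on copies; install the result and run pwconv/pwck as in the post.
set -eu

# Assumption: UIDs up to 999 are system accounts (Debian's default
# SYS_UID_MAX); the old server's copies of them are dropped.
SYS_UID_MAX=${SYS_UID_MAX:-999}

# has_field FILE N VALUE: true if some entry in FILE has VALUE in field N.
has_field() {
    awk -F: -v n="$2" -v v="$3" '$n == v { found = 1 } END { exit !found }' "$1"
}

# merge_passwd OLD NEW OUT
# OUT = NEW followed by every accepted entry of OLD. Prints one
# "skip:"/"conflict:"/"bad:" line per rejected entry and returns 1 if
# anything conflicted, so the caller can refuse to install OUT.
merge_passwd() {
    old=$1 new=$2 out=$3
    rc=0
    cp "$new" "$out"
    while IFS=: read -r name pw uid gid gecos home shell; do
        [ -n "$name" ] || continue
        case $uid in
            ''|*[!0-9]*) echo "bad: $name has non-numeric uid '$uid'"; rc=1; continue ;;
        esac
        if [ "$uid" -le "$SYS_UID_MAX" ]; then
            echo "skip: $name (uid $uid is a system account)"
            continue
        fi
        # Compare against OUT, not NEW, so duplicates within OLD are caught too.
        if has_field "$out" 1 "$name"; then
            echo "conflict: user $name already exists on the new server"
            rc=1; continue
        fi
        if has_field "$out" 3 "$uid"; then
            echo "conflict: uid $uid ($name) is already taken on the new server"
            rc=1; continue
        fi
        case $shell in
            /sbin/nologin) shell=/bin/false ;;   # Debian has no /sbin/nologin
        esac
        printf '%s:%s:%s:%s:%s:%s:%s\n' \
            "$name" "$pw" "$uid" "$gid" "$gecos" "$home" "$shell" >> "$out"
    done < "$old"
    return "$rc"
}

# make_homes ROOT PASSWD: create the missing /home/* directories listed in
# PASSWD under ROOT (ROOT="" for the real filesystem), owned by the entry's
# own uid:gid rather than a guessed group. Contents still need copying.
make_homes() {
    root=$1 pwfile=$2
    while IFS=: read -r name pw uid gid gecos home shell; do
        case $home in /home/*) ;; *) continue ;; esac
        d="$root$home"
        [ -d "$d" ] && continue
        mkdir -p "$d"
        chmod 755 "$d"
        # chown needs root; the unprivileged demo below skips it.
        if [ "$(id -u)" -eq 0 ]; then chown "$uid:$gid" "$d"; fi
    done < "$pwfile"
}

# Constructed sample data standing in for the two pwunconv'd files.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/old-passwd" <<'EOF'
root:$6$oldsalt$oldhash:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/sbin/nologin
alice:$6$s1$hashA:1001:1001:Alice:/home/alice:/bin/bash
bob:$6$s2$hashB:1002:1002:Bob:/home/bob:/sbin/nologin
carol:$6$s3$hashC:1003:1003:Carol:/home/carol:/bin/bash
dave:$6$s4$hashD:1004:1004:Dave:/home/dave:/bin/bash
EOF
    cat > "$tmp/new-passwd" <<'EOF'
root:$6$newsalt$newhash:0:0:root:/root:/bin/bash
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
carol:$6$s5$hashX:1500:1500:Carol (local):/home/carol:/bin/bash
erin:$6$s6$hashE:1004:1004:Erin:/home/erin:/bin/bash
EOF
    if merge_passwd "$tmp/old-passwd" "$tmp/new-passwd" "$tmp/merged"; then
        echo "merge clean"
    else
        echo "conflicts found; resolve them before running pwconv"
    fi
    make_homes "$tmp/fakeroot" "$tmp/merged"
    cat "$tmp/merged"
    ls "$tmp/fakeroot/home"
    rm -rf "$tmp"
}

demo
```

In the demo, alice is appended, bob is appended with /bin/false, carol is refused because the new server already has a user of that name, and dave is refused because UID 1004 belongs to erin there; the name clash is the kind pwck would report, the UID clash is the kind it would not. For a real migration, copy /etc/passwd from both servers into a working directory, run merge_passwd on the copies, install the merged file only when it returns success, and then carry on with pwconv and pwck as in the steps above.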

Another run of /usr/sbin/pwck then gave the following:

ajitabhp@new-server:~$ sudo /usr/sbin/pwck
user news: directory /var/spool/news does not exist
user uucp: directory /var/spool/uucp does not exist
user www-data: directory /var/www does not exist
user list: directory /var/list does not exist
user irc: directory /var/run/ircd does not exist
user gnats: directory /var/lib/gnats does not exist
user nobody: directory /nonexistent does not exist
pwck: no changes

This is fine, as these are all the new server's own system accounts, none of which migrated from old-server.

Posted in FLOSS.