When a server is to be replaced, it is often a requirement to migrate all user accounts to the new server as they are, which means the passwords on these accounts must not change either.
Before the account migration a brief freeze should be imposed on the server: no new accounts are to be created until the migration is completed and tested.
To do the migration I used the “pwunconv” utility to merge the passwd and shadow files on the source server, then copied the merged file across to the new server.
On the new server I also ran the “pwunconv” utility to merge the passwd and shadow files, and then appended the file copied from the old server to it.
On old server
sysadmin@old-server:$ sudo /usr/sbin/pwunconv
sysadmin@old-server:$ cp /etc/passwd newpasswd
sysadmin@old-server:$ scp newpasswd new-server:.
On new server
- Remove the system accounts of old-server from the copied file, as new-server already has its own system accounts.
ajitabhp@new-server:$ vi newpasswd ...... [remove the system accounts]
- Merge the passwd and shadow files, then append newpasswd to the /etc/passwd file.
ajitabhp@new-server:$ sudo /usr/sbin/pwunconv
ajitabhp@new-server:$ sudo cat newpasswd >>/etc/passwd
- Change the shell of all users who have /sbin/nologin to /bin/false. This step was required because Debian does not have the /sbin/nologin shell; it has /bin/false instead.
ajitabhp@new-server:$ sudo sed -i 's/\/sbin\/nologin/\/bin\/false/' /etc/passwd
- Finally, split the /etc/passwd file back into /etc/passwd and /etc/shadow, run a syntax check, and then sort the entries by UID.
ajitabhp@new-server:$ sudo /usr/sbin/pwconv
ajitabhp@new-server:$ sudo /usr/sbin/pwck
ajitabhp@new-server:$ sudo /usr/sbin/pwck -s
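The manual "vi newpasswd" step is where a login name or UID that already exists on new-server would slip into /etc/passwd unnoticed, leaving two entries for one identity. As an added example (not from the original post), this filter does the system-account removal, the /sbin/nologin rewrite and a duplicate check in one pass before the append; it assumes Debian's login.defs defaults of UID_MIN 1000 and UID_MAX 60000.

```shell
#!/bin/sh
# Added example, not part of the original post.
# Filter a pwunconv-merged passwd file from old-server before appending it
# to new-server's /etc/passwd:
#   - keep only regular accounts (UID_MIN 1000 .. UID_MAX 60000, assumed
#     login.defs defaults), since new-server has its own system accounts
#   - drop any entry whose login name or UID already exists on new-server
#   - rewrite /sbin/nologin to /bin/false, as the post does with sed
# Usage: filter_migrated_accounts newpasswd /etc/passwd > filtered
#        sudo sh -c 'cat filtered >> /etc/passwd'
filter_migrated_accounts() {
    src="$1"   # merged passwd+shadow file copied from old-server
    dst="$2"   # current passwd file on new-server, checked for collisions
    awk -F: -v OFS=: '
        # First file (dst): record names and UIDs already present
        NR == FNR { have_name[$1] = 1; have_uid[$3] = 1; next }
        # Second file (src): a passwd line must have exactly 7 fields
        NF != 7 { printf "skip malformed: %s\n", $0 > "/dev/stderr"; next }
        # Skip system and reserved accounts (nobody is 65534)
        $3 < 1000 || $3 > 60000 { next }
        # Refuse duplicates rather than silently appending a second entry
        ($1 in have_name) || ($3 in have_uid) {
            printf "skip collision: %s (uid %s)\n", $1, $3 > "/dev/stderr"
            next
        }
        # Debian lacks /sbin/nologin (per the post); use /bin/false
        $7 == "/sbin/nologin" { $7 = "/bin/false" }
        { print }
    ' "$dst" "$src"
}
```

Skipped entries are reported on stderr so they can be resolved by hand; only the accepted lines reach stdout.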
The syntax check told me that the home directories for all the accounts I migrated from old-server did not exist. So I ran this one-liner to create the home directories listed in /etc/passwd, if they don't already exist:
ajitabhp@new-server:~$ grep "/home" /etc/passwd | cut -d: -f1,6 | sed -e 's/:/ /' | while read user directory; do if [ ! -d "$directory" ]; then sudo mkdir "$directory"; sudo chown "$user":users "$directory"; sudo chmod 755 "$directory"; fi; done
Another quick run on /usr/sbin/pwck gave the following:
ajitabhp@new-server:~$ sudo /usr/sbin/pwck
user news: directory /var/spool/news does not exist
user uucp: directory /var/spool/uucp does not exist
user www-data: directory /var/www does not exist
user list: directory /var/list does not exist
user irc: directory /var/run/ircd does not exist
user gnats: directory /var/lib/gnats does not exist
user nobody: directory /nonexistent does not exist
pwck: no changes
This is fine as these are all system accounts.