Migrating AIX User Environments

Migrating AIX User Environments

 

 

 

Recently we had a requirement to build a new AIX environment in a remote office. Due to the unreliable network pipe between our main operations office and the remote site, building a new AIX host via NIM restore or transferring a mksysb image over the network weren't options. The only viable alternative was to build the AIX host from scratch.

To get started, we mailed the remote office the AIX base ISOs that we needed to load into the VIO server. Once the ISOs were received and loaded, I installed AIX. Now we were ready to tailor build the host. To get the relevant user and group environments created, we made a .tar file from the following files running on one of our current hosts:

1) Passwd and group files.
2) Relevant security files.
3) Audit configuration files (optional).

In addition, we "tarred up" the users' HOME directories for migration:

	/etc/passwd
	/etc/group
	/etc/security/user
	/etc/security/group 
	/etc/security/passwd
	/etc/security/passwd.nm.idx
	/etc/security/passwd_is_idx
	/etc/security/limits
	/etc/security/nvironment

(Note: AIX uses the two idx files for searching by creating index files. However, they're not critical, so don't worry if you don't have them. AIX will work fine without them.)

Finally, we tarred up the audit system. This is especially advantageous for enterprises that have substantially customized their audit configuration.

	/etc/security/audit

In our case, migrating these files and directories was sufficient. We were going from AIX version 5.3 to 6.1. Of course, if you're staying at the same AIX level, it's even easier. Then you can simply tar up these directories:

	/etc/passwd
	/etc/group
	/etc/security

I've taken this approach and it works for me. It's certainly quicker. Any tidying up can be done once the files are untarred on the remote side. This tar command could be used to backup the necessary users environments and accounts:

	tar –cvf users.tar /etc/passwd /etc/group /etc/security

Next, select the HOME directories you want to tar up for specific users. Remember: The system accounts will have already been created with the AIX base install. So select only support users and environment accounts used for applications. For example, to tar users dxtans and jpann to a file called home.tar, I could use:

	tar -cvf home.tar /home/dxtans /home/jpann

Don't be concerned if you tar up more user HOME directories than you require. Again, it can all be tidied up on the remote side.

On the Remote Side

Once the tar files are transferred onto the remote host, you're ready to create the users. First untar the users.tar file:

	tar –xvf users.tar

This will recreate the passwd/group and security files. Now remember this is being untarred onto a brand new AIX base build, so -- assuming you're going to the same AIX version -- overwriting existing users/groups won't matter since they'll already have default UID/GUIDs.

Next, untar the HOME directories:

tar –xvf home.tar

Tidying Up

Now let's tidy up. Confirm you can su to the root account and login as root, using the root passwd from the host you tarred the files up from. Change it if required. Edit /etc/security/user. This file contains user defined roles where individual roles can override the defaults. Change the individual roles as required by using either the chuser command or manually editing the /etc/security/user file. Any users that aren't needed on the remote system can be removed. If the remaining users were previously authenticated via network services, one may want to set them to local authentication initially. Use the chuser SYSTEM=compat registery=files to change them to local, then reset their passwd with chpasswd, perhaps to change it to their login name initially. If the users were previously authenticated via Kerberos or LDAP, simply install the file sets and configure Keberos/LDAP. Then use the chuser command to bring them into NAS.

Next, confirm that the group, passwd and users are present as contained in the previously noted user tar file noted previously. They have been installed are correct and the file content stanzas are consistent with the users created on the host. You'll likely find some user entries in the passwd file, but no relevant group entries in the group files, or visa versa. These are easily fixed. Just remove the user /group you don't want, or have this done automatically through AIX. Run:

	pwdck –n ALL

If any errors are reported, fix them manually or use the pwdck command:

	pwdck –y ALL

Similarly, for the group file, check for errors with the grpck command:

	grpck –n ALL

To fix errors, use:

	grpck –y ALL

Next, check user stanzas with:

	usrck –n ALL

To fix these errors, use:

	usrck –y ALL

User crontabs directories ( /var/spool/cron/crontabs) can also be migrated, though it isn't mandatory. While I've done this for certain user application environments, I certainly bother transferring user email boxes, as these are usually just job outputs.

Transferring large files? Try this

A final tip: When you actually do have to scp a large file over a slow network, be sure to use a low grade cipher as this will save time when decrypting on the remote side. For me, arcfour has produced the fastest scp transfers. Also, specifying that the scp bandwidth is no larger than 1MB should allow you to avoid stalling. To scp a large file called myfile, I'd use:

	scp –c arcfour –L 8192 myfile user@ 

If you need to build a new AIX machine from scratch but are dealing with poor network performance, get as many of the configuration files across from a running AIX box as possible. It will save you time.

0 (0)
Article Rating (No Votes)
Rate this article
Attachments
There are no attachments for this article.
Comments
There are no comments for this article. Be the first to post a comment.
Full Name
Email Address
Security Code Security Code
Related Articles RSS Feed
Installing a Interim Fix (APAR IV16587)
Viewed 2922 times since Tue, Jul 17, 2018
AIX, Security, System Admin↑ Generating random passwords
Viewed 2975 times since Fri, Apr 19, 2019
Calculate hdisk READ / WRITE throughput (sequential IO) from AIX systems
Viewed 2623 times since Thu, Feb 21, 2019
AIX perf how to
Viewed 18737 times since Tue, Aug 14, 2018
How to enable Large Pages for a specific user on AIX?
Viewed 2446 times since Thu, Nov 29, 2018
SSH Essentials: Working with SSH Servers, Clients, and Keys
Viewed 4315 times since Wed, Jun 27, 2018
Firmware Assisted Dump sysdump
Viewed 1975 times since Mon, Jul 16, 2018
Topics: AIX, Networking, System Admin
Viewed 11490 times since Fri, Apr 19, 2019
Create jfs2 logical volume on AIX
Viewed 4774 times since Thu, Feb 21, 2019
How to check VLAN ID number on AIX?
Viewed 13352 times since Mon, May 28, 2018