Migrating AIX User Environments
Migrating AIX User Environments
Recently we had a requirement to build a new AIX environment in a remote office. Due to the unreliable network pipe between our main operations office and the remote site, building a new AIX host via NIM restore or transferring a mksysb image over the network weren't options. The only viable alternative was to build the AIX host from scratch.
To get started, we mailed the remote office the AIX base ISOs that we needed to load into the VIO server. Once the ISOs were received and loaded, I installed AIX. Now we were ready to tailor build the host. To get the relevant user and group environments created, we made a .tar file from the following files running on one of our current hosts:
1) Passwd and group files.
2) Relevant security files.
3) Audit configuration files (optional).
In addition, we "tarred up" the users' HOME directories for migration:
/etc/passwd /etc/group /etc/security/user /etc/security/group /etc/security/passwd /etc/security/passwd.nm.idx /etc/security/passwd_is_idx /etc/security/limits /etc/security/nvironment
(Note: AIX uses the two idx files for searching by creating index files. However, they're not critical, so don't worry if you don't have them. AIX will work fine without them.)
Finally, we tarred up the audit system. This is especially advantageous for enterprises that have substantially customized their audit configuration.
In our case, migrating these files and directories was sufficient. We were going from AIX version 5.3 to 6.1. Of course, if you're staying at the same AIX level, it's even easier. Then you can simply tar up these directories:
/etc/passwd /etc/group /etc/security
I've taken this approach and it works for me. It's certainly quicker. Any tidying up can be done once the files are untarred on the remote side. This tar command could be used to backup the necessary users environments and accounts:
tar –cvf users.tar /etc/passwd /etc/group /etc/security
Next, select the HOME directories you want to tar up for specific users. Remember: The system accounts will have already been created with the AIX base install. So select only support users and environment accounts used for applications. For example, to tar users dxtans and jpann to a file called home.tar, I could use:
tar -cvf home.tar /home/dxtans /home/jpann
Don't be concerned if you tar up more user HOME directories than you require. Again, it can all be tidied up on the remote side.
On the Remote Side
Once the tar files are transferred onto the remote host, you're ready to create the users. First untar the users.tar file:
tar –xvf users.tar
This will recreate the passwd/group and security files. Now remember this is being untarred onto a brand new AIX base build, so -- assuming you're going to the same AIX version -- overwriting existing users/groups won't matter since they'll already have default UID/GUIDs.
Next, untar the HOME directories:
tar –xvf home.tar
Now let's tidy up. Confirm you can su to the root account and login as root, using the root passwd from the host you tarred the files up from. Change it if required. Edit /etc/security/user. This file contains user defined roles where individual roles can override the defaults. Change the individual roles as required by using either the chuser command or manually editing the /etc/security/user file. Any users that aren't needed on the remote system can be removed. If the remaining users were previously authenticated via network services, one may want to set them to local authentication initially. Use the chuser SYSTEM=compat registery=files to change them to local, then reset their passwd with chpasswd, perhaps to change it to their login name initially. If the users were previously authenticated via Kerberos or LDAP, simply install the file sets and configure Keberos/LDAP. Then use the chuser command to bring them into NAS.
Next, confirm that the group, passwd and users are present as contained in the previously noted user tar file noted previously. They have been installed are correct and the file content stanzas are consistent with the users created on the host. You'll likely find some user entries in the passwd file, but no relevant group entries in the group files, or visa versa. These are easily fixed. Just remove the user /group you don't want, or have this done automatically through AIX. Run:
pwdck –n ALL
If any errors are reported, fix them manually or use the pwdck command:
pwdck –y ALL
Similarly, for the group file, check for errors with the grpck command:
grpck –n ALL
To fix errors, use:
grpck –y ALL
Next, check user stanzas with:
usrck –n ALL
To fix these errors, use:
usrck –y ALL
User crontabs directories ( /var/spool/cron/crontabs) can also be migrated, though it isn't mandatory. While I've done this for certain user application environments, I certainly bother transferring user email boxes, as these are usually just job outputs.
Transferring large files? Try this
A final tip: When you actually do have to scp a large file over a slow network, be sure to use a low grade cipher as this will save time when decrypting on the remote side. For me, arcfour has produced the fastest scp transfers. Also, specifying that the scp bandwidth is no larger than 1MB should allow you to avoid stalling. To scp a large file called myfile, I'd use:
scp –c arcfour –L 8192 myfile user@
If you need to build a new AIX machine from scratch but are dealing with poor network performance, get as many of the configuration files across from a running AIX box as possible. It will save you time.