Migrating AIX User Environments

Recently we had a requirement to build a new AIX environment in a remote office. Due to the unreliable network pipe between our main operations office and the remote site, building a new AIX host via NIM restore or transferring a mksysb image over the network weren't options. The only viable alternative was to build the AIX host from scratch.

To get started, we mailed the remote office the AIX base ISOs that we needed to load into the VIO server. Once the ISOs were received and loaded, I installed AIX. Now we were ready to tailor build the host. To get the relevant user and group environments created, we made a .tar file from the following files running on one of our current hosts:

1) Passwd and group files.
2) Relevant security files.
3) Audit configuration files (optional).

In addition, we "tarred up" the users' HOME directories for migration. The account and security files that went into the .tar file were:

	/etc/passwd
	/etc/group
	/etc/security/user
	/etc/security/group 
	/etc/security/passwd
	/etc/security/passwd.nm.idx
	/etc/security/passwd_is_idx
	/etc/security/limits
	/etc/security/environ

(Note: AIX creates the two idx files as indexes for searching. However, they're not critical, so don't worry if you don't have them. AIX will work fine without them.)

Finally, we tarred up the audit system. This is especially advantageous for enterprises that have substantially customized their audit configuration.

	/etc/security/audit

In our case, migrating these files and directories was sufficient. We were going from AIX version 5.3 to 6.1. Of course, if you're staying at the same AIX level, it's even easier. Then you can simply tar up these directories:

	/etc/passwd
	/etc/group
	/etc/security

I've taken this approach and it works for me. It's certainly quicker. Any tidying up can be done once the files are untarred on the remote side. This tar command could be used to back up the necessary user environments and accounts:

	tar -cvf users.tar /etc/passwd /etc/group /etc/security

Next, select the HOME directories you want to tar up for specific users. Remember: The system accounts will have already been created with the AIX base install. So select only support users and environment accounts used for applications. For example, to tar users dxtans and jpann to a file called home.tar, I could use:

	tar -cvf home.tar /home/dxtans /home/jpann

Don't be concerned if you tar up more user HOME directories than you require. Again, it can all be tidied up on the remote side.

On the Remote Side

Once the tar files are transferred onto the remote host, you're ready to create the users. First untar the users.tar file:

	tar -xvf users.tar

This will recreate the passwd/group and security files. Now remember this is being untarred onto a brand new AIX base build, so -- assuming you're going to the same AIX version -- overwriting existing users/groups won't matter since they'll already have default UID/GIDs.

Next, untar the HOME directories:

	tar -xvf home.tar

Tidying Up

Now let's tidy up. Confirm you can su to the root account and log in as root, using the root passwd from the host you tarred the files up from. Change it if required.

Edit /etc/security/user. This file contains user-defined roles where individual roles can override the defaults. Change the individual roles as required, either by using the chuser command or by manually editing the /etc/security/user file. Any users that aren't needed on the remote system can be removed.

If the remaining users were previously authenticated via network services, you may want to set them to local authentication initially. Use chuser SYSTEM=compat registry=files to change them to local, then reset their passwd with chpasswd, perhaps to change it to their login name initially. If the users were previously authenticated via Kerberos or LDAP, simply install the file sets and configure Kerberos/LDAP. Then use the chuser command to bring them into NAS.

Next, confirm that the group, passwd and user entries contained in the previously noted users tar file have been installed correctly, and that the file stanzas are consistent with the users created on the host. You'll likely find some user entries in the passwd file, but no relevant group entries in the group files, or vice versa. These are easily fixed. Just remove the user/group you don't want, or have this done automatically through AIX. Run:

	pwdck -n ALL

If any errors are reported, fix them manually or use the pwdck command:

	pwdck -y ALL

Similarly, for the group file, check for errors with the grpck command:

	grpck -n ALL

To fix errors, use:

	grpck -y ALL

Next, check user stanzas with:

	usrck -n ALL

To fix these errors, use:

	usrck -y ALL
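
Before letting the -y runs rewrite anything, a read-only report of what is inconsistent is useful. The following is an added example, not part of the original article: a portable sh/awk cross-check of the three migrated files. The function names, finding labels and sample accounts (appadm, olduser) are constructed for illustration, and it assumes the AIX convention that "!" in the /etc/passwd password field points to a stanza in /etc/security/passwd.

```sh
#!/bin/sh
# Added example: read-only cross-check of migrated account files.
# usage: check_accounts PASSWD GROUP SECPASSWD
check_accounts() {
    awk -F: -v pw="$1" -v gr="$2" -v sp="$3" '
    /^[ \t]*$/ || /^[*#]/ { next }            # blank and comment lines
    FILENAME == pw {                           # name:pwfield:uid:gid:...
        uid[$1] = $3; gid[$1] = $4; pwf[$1] = $2; next
    }
    FILENAME == gr {                           # name:pwfield:gid:members
        group_of[$3] = $1; members[$1] = $4; next
    }
    FILENAME == sp && /^[^ \t:]+:[ \t]*$/ {    # stanza header "name:"
        stanza[$1] = 1
    }
    END {
        for (u in uid) {
            # primary GID with no entry in the group file
            if (!(gid[u] in group_of)) print "NOGROUP " u " gid=" gid[u]
            # "!" means the hash lives in the security passwd file
            if (pwf[u] == "!" && !(u in stanza)) print "NOSTANZA " u
            # a second superuser is worth a look after overwriting files
            if (uid[u] ~ /^0+$/ && u != "root") print "UID0 " u
        }
        for (g in members) {
            n = split(members[g], m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in uid))
                    print "NOUSER " g " member=" m[i]
        }
    }' "$1" "$2" "$3" | LC_ALL=C sort
}

# Constructed sample data (not from a real host) for a dry run.
write_sample() {
    printf '%s\n' 'root:!:0:0::/:/usr/bin/ksh' \
        'dxtans:!:205:1::/home/dxtans:/usr/bin/ksh' \
        'jpann:!:206:300::/home/jpann:/usr/bin/ksh' \
        'appadm:*:0:1::/home/appadm:/usr/bin/ksh' > "$1/passwd"
    printf '%s\n' 'system:!:0:root' 'staff:!:1:dxtans,olduser' > "$1/group"
    printf '%s:\n\tpassword = CONSTRUCTED\n\n' root dxtans > "$1/secpasswd"
}

# "sh thisfile demo" runs the check against the constructed sample.
if [ "${1:-}" = demo ]; then
    d=${TMPDIR:-/tmp}/acctcheck.$$; mkdir "$d" && write_sample "$d"
    check_accounts "$d/passwd" "$d/group" "$d/secpasswd"; rm -rf "$d"
fi
```

On the migrated host, run check_accounts as root against /etc/passwd, /etc/group and /etc/security/passwd; no output means none of these four conditions was found.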

User crontab directories (/var/spool/cron/crontabs) can also be migrated, though it isn't mandatory. While I've done this for certain user application environments, I certainly don't bother transferring user email boxes, as these are usually just job outputs.

Transferring large files? Try this

A final tip: When you actually do have to scp a large file over a slow network, be sure to use a low-grade cipher, as this will save time when decrypting on the remote side. For me, arcfour has produced the fastest scp transfers. Also, specifying that the scp bandwidth is no larger than 1MB should allow you to avoid stalling. To scp a large file called myfile, I'd use:

	scp -c arcfour -l 8192 myfile user@

If you need to build a new AIX machine from scratch but are dealing with poor network performance, get as many of the configuration files across from a running AIX box as possible. It will save you time.
