AIX

Hi

I would like to copy some user policy ( such as login time out , password expired time, number of failed login before user is locked, ... ) from one server to another server. I had copied necessary files ( in /etc and /etc/security ) to new server, but something didn't work.

I guess that I have to reboot server, but I don't want to do that. May I reboot some services in this case, so that all the policy would work ??. If yes, which services ???

Thank for read.

Q: Are the user present on both servers? With same passwd? ( and so hoem directories exist etc...)

I realy hope you have a made backup of these files.

Which files have you copied so far?

I would suggest to copy the /etc/security/login.cfg and
(only) the "default:" Stanza from /etc/security/user.


There is no need to reboot the server.

Regards

If you want to clone a bunch of users, it might be better to use the output from lsuser as root (you get more information) to build a deck of mkuser commands, ensuring that the groups names match in advance.

You would need to keep the UID & GID numbers the same, especially if there is NFS involved or you move data with tar or other methods that put back permissions.

As for copying the password details, this is fraught with danger. You would be best to ensure you get a quiet time and do a big edit to replace the specific passwords and other attributes in /etc/security/passwdone at a time having taken a backup copy first. There is a serious risk that you could leave yourself unable to login to your target server.

You will also need to consider if/how you use ssh keys, remote login and any ftp restrictions that might be in place. There may of course be other software installed or applications that have their own account management too.


Are you wanting to duplicate the whole server by any chance? If so, then mksysb is a better way, although you have to be careful you boot without the network plugged in first time else you will get IP conflicts with the current live server.



Robin

Files I copied to new server ( same OS version )

Code:

/etc/group  
/etc/passwd 
/etc/security/group  
/etc/security/limits  
/etc/security/passwd 
/etc/security/.ids  
/etc/security/environ  
/etc/security/.profile
/etc/security/login.cfg  /
/etc/security/user

OK but what about the users? Their home directories??? the one you see in /etc/passwd... Then you might have mismatches between the content found in the user's .ssh directory ( yes the public keys ... the local keys wont match with the server where you copied...) etc...

Unix does not deal with "policies", there are just (access) rights: read, write and execute. What you are after is spread out over several different portions of the OS software:

login time out if you mean a time of inactivity after which a user is logged out: this is a shell variable, called "TMOUT", which is usually set in /etc/enviroment as a read-only variable. Many security auditors insist on it, but it is idiotic (meaning: it doesn't serve the proposed purpose in any way), it can easily be circumvented and it might even be harmful without any practical gain. My suggestion is not to implement it at all.


password expired time is a property of the user account and you should use the chuser (mkuser for new users) command to set or change it.

number of failed login before user is locked same as above.

No, not at all. Booting loads a new kernel image into memory. Have you changed anything on the kernel? No! Therefore....

The users are created by copying /etc/passwd, but about the home-directories and their contents, ssh-keys and similar information you are absolutely right.

As rbatte1 has already said: ONLY USE THE OS COMMANDS to do things, do not dabble around in configuration files - at least not to achieve ordinary things like creating/changing users and definitely not as long as you are not 1000% sure what you do.

Rule of thumb: if you have to ask how you should not do it at all.

PS: the perhaps cleanest way to implement uniform user accounts across a scenery of systems is to use some system designed for that: Kerberos, LDAP, NIS, NISplus, DCE, X.500, ....

I hope this helps.

bakunin