How to copy user policy from a server to another one?


 
# 8  
Old 09-24-2015
As far as "policy" goes, that would only be the so-called default: stanzas in several files in /etc/security.

There are other "policy" related files, also in /etc/security - most of these end in .cfg (e.g., login.cfg).

If you are trying to duplicate users on both servers my preference would be to use LDAP and/or Kerberos (on AIX). Also because I expect you will need to keep the user administration synchronized in both systems.

As to HOWTO copy the configuration/policy files I recommend you read up on AIX Runtime Expert at: https://www-01.ibm.com/support/knowl...artex_main.htm

You should have something like this (for AIX 6.1 at least) installed by default.

Code:
michael@x071:[/home/michael]lslpp -L | grep artex  
  artex.base.rte            6.1.9.45    C     F    AIX Runtime Expert
  artex.base.samples        6.1.9.30    C     F    AIX Runtime Expert sample

Hope this helps.
# 9  
Old 09-26-2015
Thanks guys for your help

It seems that copying all these files doesn't make everything work. Some things work, but some don't, such as the login timeout as bakunin said: I have to set the TMOUT variable in /etc/profile (AIX 5.3) manually, or the ssh authentication, which also has to be reconfigured again ...

I can only fix what I see. I'm not the person who configured the old servers, so I don't know exactly whether everything is OK or not. Maybe next time I'll use "clone rootvg"; it would cost a lot of time (because of the number of servers), but it could ensure that everything's OK.
# 10  
Old 09-26-2015
Quote:
Originally Posted by bobochacha29
I can only fix what I see. I'm not the person who configured the old servers, so I don't know exactly whether everything is OK or not.
Exactly this is the main problem: you never can be sure if you have found the last problem.

Quote:
Originally Posted by bobochacha29
Maybe next time I'll use "clone rootvg"; it would cost a lot of time (because of the number of servers), but it could ensure that everything's OK.
This - take an mksysb and restore it - will make sure absolutely everything: users, print queues, groups, cron entries and whatever you can think of is copied. If you have several of these servers you should take an mksysb for system backups regularly anyway. You can boot new hardware from this image and (re-)install the completely configured system from that, which will perhaps take less time than to install an unconfigured system and then put some (probably incomplete) configuration onto that.

I hope this helps.

bakunin
# 11  
Old 09-26-2015
Personally, I have not worked enough with AIX Runtime Expert to give a quick example - but this is one of the things it was intended for - even if it is only to see what the differences are.

Further, you talk about "old" and "new", in particular not knowing what the old policies were, or why. I would be nervous about copying old, unknown policies because I have no way of knowing whether they are sufficient to meet the demands of today's (security) requirements. Also, as you are probably moving to new hardware - are the performance settings correct for the new environment?

While I can understand that you want to transfer users - and if it concerns many users - taking some time to learn about the tools available on AIX at no additional charge (a few that come to mind are: aixpert (i.e. AIX Security Expert) for hardening, AIX Runtime Expert for applying system profiles, RBAC, Trusted Execution, etc.).

imho - you are doing yourself and/or your business/employer a disservice by not looking into what AIX offers.

I wish you many happy days as a (new) AIX admin!
# 12  
Old 09-28-2015
Quote:
Originally Posted by MichaelFelt
Personally, I have not worked enough with AIX Runtime Expert to give a quick example
Maybe I can help :)

The directory /etc/security/artex/samples holds a set of xml files with possible system settings which can be managed by artex.
Code:
.svn                       chssysProfile.xml          envProfile.xml             mkuser.defaultProfile.xml  secattrProfile.xml
acctctlProfile.xml         chsubserverProfile.xml     errdemonProfile.xml        namerslvProfile.xml        shconfProfile.xml
aixpertProfile.xml         chuserDBKLDAPProfile.xml   ewlmProfile.xml            nfsProfile.xml             smtctlProfile.xml
all.xml                    chuserDBKfilesProfile.xml  ffdcProfile.xml            nfsoProfile.xml            syscorepathProfile.xml
alogProfile.xml            chuserProfile.xml          filterProfile.xml          nisProfile.xml             sysdumpdevProfile.xml
authProfile.xml            classProfile.xml           gencopyProfile.xml         noProfile.xml              trcctlProfile.xml
authentProfile.xml         coreDBKfilesProfile.xml    iooProfile.xml             probevueProfile.xml        trustchkProfile.xml
chconsProfile.xml          coreProfile.xml            krecoveryProfile.xml       rasoProfile.xml            tsdProfile.xml
chdevProfile.xml           default.xml                login.cfgProfile.xml       roleProfile.xml            viosdevattrProfile.xml
chlicenseProfile.xml       devProfile.xml             lvmoProfile.xml            ruserProfile.xml           vmoProfile.xml
chservicesProfile.xml      dumpctrlProfile.xml        mktcpipProfile.xml         schedoProfile.xml

The following command/example saves the settings of login.cfg on the current server.
Code:
artexget -q -r -f xml /etc/security/artex/samples/login.cfgProfile.xml >/tmp/current.login.cfgProfile.xml

To restore these settings (copy the newly created file to another server and) run the following command:
Code:
artexset -l all /tmp/current.login.cfgProfile.xml

There is also an all.xml profile which contains all artex managed settings. This profile can be used to copy over the whole system settings inclusive of all known users and groups.

Regards
# 13  
Old 09-28-2015
This AIX runtime expert seems to be well worth a close inspection. Good job, -=XrAy=-!

bakunin
# 14  
Old 09-28-2015
Thank you very much bakunin,

We use Artex to compare the current system settings against initial saved settings.
This helps if something no longer works as expected and allegedly no one has touched your system. :)

Code:
artexdiff -r -q -c -f txt  /tmp/nfsoProfile.xml

/tmp/nfsoProfile.xml | System Values
nfsoParam:nfs_use_reserved_ports 0 | 1

In this case '0' is the old and '1' the new value for nfs_use_reserved_ports.

Regards
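
An added example (not part of the original posts and not IBM's code): a shell filter that turns the `artexdiff -f txt` output quoted in the post above into one record per changed parameter and a non-zero status on drift, so the comparison can run unattended. It assumes the two-column layout shown in that post; the function names and the third sample line are constructed for illustration.

```shell
#!/bin/sh
# Assumed input layout (from the artexdiff -f txt output quoted in the thread):
#   <profile file> | System Values
#   <catalog>:<parameter> <saved value> | <current value>

# Print one tab-separated record per changed parameter: name, saved, current.
parse_artexdiff() {
    awk '{
        sub(/^[ \t]+/, "")
        sep = index($0, " | ")
        if (sep == 0) next                      # blank or unrelated line
        left  = substr($0, 1, sep - 1)
        right = substr($0, sep + 3)
        sub(/[ \t]+$/, "", right)
        sp    = index(left, " ")
        name  = (sp ? substr(left, 1, sp - 1) : left)
        saved = (sp ? substr(left, sp + 1) : "")
        if (name !~ /^[A-Za-z0-9_.]+:/) next    # header line: a file path, not catalog:param
        printf "%s\t%s\t%s\n", name, saved, right
    }'
}

# Report drift read from stdin; return 1 if any parameter differs, else 0.
check_drift() {
    records=$(parse_artexdiff)
    if [ -z "$records" ]; then
        return 0
    fi
    printf '%s\n' "$records" |
        awk -F '\t' '{ printf "DRIFT %s: saved=%s current=%s\n", $1, $2, $3 }'
    return 1
}

# Constructed sample: first two lines as in the thread, third line invented.
sample_output() {
    cat <<'EOF'
/tmp/nfsoProfile.xml | System Values
nfsoParam:nfs_use_reserved_ports 0 | 1
nfsoParam:portcheck 1 | 0
EOF
}

# On an AIX host (flags as used in the thread):
#   artexdiff -r -q -c -f txt /tmp/nfsoProfile.xml | check_drift
sample_output | check_drift || echo "drift detected: review before trusting this host"
```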