LinuxQuestions.org
Old 05-27-2015, 11:20 AM   #1
bitwiseguy
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Rep: Reputation: Disabled
User migration issues


Hello, I'm sort of a novice Linux user and was running into an issue with user migration. I'm trying to migrate users and groups from a RHEL 5.11 install to a CentOS 6.6 install; both systems are 64-bit. Initially I tried to do an rsync of the passwd, shadow, group and gshadow files with no luck. When trying to log in with an existing account on the new server I get access denied. I tried to change the password on the new server, but even then it doesn't seem to change the password and I still get access denied. I then tried to tar up the four above files and then extracted them on the new server, but the same issue existed. I also created a new account on the old server, copied all the necessary files over to the new server and still have the same issues. Any ideas what I may be doing wrong or what I can try next? This is getting frustrating!

Thanks!
 
Old 05-27-2015, 01:53 PM   #2
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,493

Rep: Reputation: 635
There are a few pitfalls in copying the complete password and groups files. Not for the users, but mainly for system accounts. Since service UIDs might be different on the different machines it is likely that services will fail partially or completely because of permissions issues.

The same goes for ordinary users. Permissions were set on a numeric UID (like 1001), but the home directory was set on name (like /home/jlinkels). So if jlinkels has a UID of 1005 in the copied password file, he can't access his directory (which was 1001).

I know, because I did the same as you, and at the instant I pressed the <enter> button I realized my mistake.

More information here: http://www.cyberciti.biz/faq/howto-m...to-new-server/ This is a step-by-step instruction, but you might want to do more homework to understand what is behind.

jlinkels
 
Old 05-27-2015, 02:05 PM   #3
bitwiseguy
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
jlinkels,

Thanks for the response and the additional info. That link is the second way I tried to copy everything over, but maybe I did something wrong the first time so I can give it another shot and see if maybe the second time is the charm?

Thanks!
 
Old 05-27-2015, 02:20 PM   #4
bitwiseguy
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
So I wonder if before I go through this again if I should clear out or revert back to the original copies of the four files on the new server?

Thanks!
 
Old 05-27-2015, 02:24 PM   #5
bitwiseguy
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
One thing I forgot about when I used this process initially is that on the old system there isn't a /etc/shadow file, but a /etc/shadow- so I copied that over instead. Could that possibly be causing me some issues too?
 
Old 05-28-2015, 06:08 PM   #6
bitwiseguy
LQ Newbie
 
Registered: Oct 2014
Posts: 5

Original Poster
Rep: Reputation: Disabled
Well, still no luck even with this go around. The one user account still won't log in with its original password, or if I change its password on the new server. However, there is another account that I used as a test account and I was able to change the password on the new server and log in with that. So that's strange that the primary (critical) account is possibly the only one that can't log in on the new system. Any ideas on what I can try next?

Thanks!
 
Old 05-28-2015, 07:27 PM   #7
jlinkels
Senior Member
 
Registered: Oct 2003
Location: Bonaire
Distribution: Debian Wheezy/Jessie/Sid, Linux Mint DE
Posts: 4,493

Rep: Reputation: 635
Unfortunately I know how to f* things up, but not how to cure them. Well, not really but for this one I don't. I hope someone else comes along.

jlinkels
 
Old 05-28-2015, 09:47 PM   #8
btmiller
Senior Member
 
Registered: May 2004
Location: In the DC 'burbs
Distribution: Arch, Scientific Linux, Debian, Ubuntu
Posts: 4,275

Rep: Reputation: 370
Try manually copying the passwd, shadow, and group entries for just that one account (usually Red Hat will create a group for each user account by default). Once you've done so, please run:

Code:
id <username>
on each machine (replace <username> with the name of the user). Make sure they give identical results. Also, be sure that the shadow file is readable only by root (permissions 0400 or -r--------). Then try to log in as the new user *from the console*, and if that works then try remote login (e.g. via ssh). If the "id" command returns the same values but login fails, carefully check the password hash (second column in the shadow file). If they're the same, check /var/log/secure for errors during the login, and post them here if you need help interpreting them.

Good luck!
 
Old 05-30-2015, 07:50 AM   #9
jpollard
Senior Member
 
Registered: Dec 2012
Location: Washington DC area
Distribution: Fedora, CentOS, Slackware
Posts: 4,604

Rep: Reputation: 1241
One of the problems you may be seeing is caused by SELinux. The security labels on files are a binary number - and the two systems do have some differences, as the security labels get regenerated (new labels added, old ones modified...) and the numbers do not have to match.

In addition to the UID/GID usage changing (they change again with RHEL 7/CentOS 7).

One issue that can happen is that UID assignments to system services usually expand. Just replacing the /etc/passwd, /etc/shadow, and /etc/group files is not enough - the system UIDs/GIDs of the target must be preserved.

In RHEL 7, there are a fair number of new ones - things assigned for saslauth (UID 499, GID 76 in RHEL 6) become UID 499, GID 76. New services (such as gnome-initial-setup: uid 982, gid 973; sanlock: uid 179, gid 179; dockerroot: uid 979, gid 979) exist and have to be maintained or the system will not be able to update itself properly.

In the case of SELinux a "restorecon /etc/passwd /etc/group /etc/shadow" should do.

But to properly migrate users is a bit more work:

1. ensure the user's existing UID/GID and name do not conflict with the new system (user names tend not to conflict, but sometimes test accounts might). Also verify that the security flags used in the /etc/shadow file have not changed definitions...

2. extract the user account entries from the old passwd/shadow/group files, update any necessary UID/GID/security entries.

3. append the extracted entries to the new system /etc/passwd /etc/shadow /etc/group files.

Now to the issue of the users' files .... The security labels HAVE changed... And the UID/GID values sometimes need to be changed (RHEL 7 starts users' uid/gid values at 1000).

4. Users will not have access to their home directory until the UID/GID match the /etc/passwd files, and the SELinux security labels need to be updated too. Using find to replace UID/GID values over the entire home filesystem works... Doing a restorecon -R /home works for the security labels, even if it is a bit slow. And be careful if you have a lot of users. I have had to deal with things like the old UID being changed to a new UID, but the new UID happened to also be used by the old system for a different user. This isn't usually a problem if you are just adding 500 to the uid/gid though... but it depends on HOW you add that 500 and how many users you are dealing with.

Oh, and you DID make backups first, right?

PS, I did leave something out... Sometimes (not in your case though) the password encryption form changes... and you have to manually reset the passwords before a user can login.

Last edited by jpollard; 05-30-2015 at 07:55 AM. Reason: added PS
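
Added example (not part of any post in this thread): a pre-flight check for steps 1 and 2 above and for the shadow-hash comparison suggested in post #8. It reports name/UID collisions before any entry is appended and classifies the second shadow field by its prefix. The function names, the file paths, the MIN_UID of 500 and all sample entries are assumptions constructed for illustration.

```shell
# Added example, not from the thread. All sample data below is constructed.

# plan_users OLD_PASSWD NEW_PASSWD MIN_UID
# One line per old-system account with UID >= MIN_UID:
#   OK name uid | SAME name uid | NAME_CONFLICT name old_uid new_uid
#   UID_CONFLICT name uid owner_on_new_system
plan_users() {
    awk -F: -v min="$3" '
        NR == FNR { uid_of[$1] = $3; name_of[$3] = $1; next }  # target passwd
        $3 + 0 < min + 0 { next }                              # skip system accounts
        ($1 in uid_of) && uid_of[$1] == $3 { print "SAME", $1, $3; next }
        ($1 in uid_of)  { print "NAME_CONFLICT", $1, $3, uid_of[$1]; next }
        ($3 in name_of) { print "UID_CONFLICT", $1, $3, name_of[$3]; next }
        { print "OK", $1, $3 }
    ' "$2" "$1"
}

# hash_scheme SHADOW_FILE USER: classify the second shadow field by its prefix.
hash_scheme() {
    awk -F: -v u="$2" '
        $1 != u        { next }
                       { found = 1 }
        $2 == ""       { print "empty";  exit }
        $2 ~ /^[!*]/   { print "locked"; exit }   # no password login possible
        $2 ~ /^\$1\$/  { print "md5";    exit }
        $2 ~ /^\$5\$/  { print "sha256"; exit }
        $2 ~ /^\$6\$/  { print "sha512"; exit }
                       { print "other";  exit }
        END            { if (!found) print "missing" }
    ' "$1"
}

demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
cat > "$demo/old_passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:500:500::/home/alice:/bin/bash
bob:x:501:501::/home/bob:/bin/bash
carol:x:502:502::/home/carol:/bin/bash
EOF
cat > "$demo/new_passwd" <<'EOF'
testacct:x:500:500::/home/testacct:/bin/bash
bob:x:503:503::/home/bob:/bin/bash
EOF
cat > "$demo/old_shadow" <<'EOF'
alice:$1$constructed$CONSTRUCTEDHASH:16000:0:99999:7:::
bob:!!:16000:0:99999:7:::
EOF
plan_users "$demo/old_passwd" "$demo/new_passwd" 500
hash_scheme "$demo/old_shadow" alice
```

Run it against copies of the real files, never the live ones; only accounts reported as OK can be appended unchanged, and an account reported as locked or missing will be refused at login no matter which password is typed.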
 
Old 05-31-2015, 03:19 AM   #10
chrism01
LQ Guru
 
Registered: Aug 2004
Location: Sydney
Distribution: Centos 6.8, Centos 5.10
Posts: 17,241

Rep: Reputation: 2325
This
Quote:
there isn't a /etc/shadow file, but a /etc/shadow-
is worrying; the latter is the backup file made when the original is changed; you should definitely have the original file...
 