ap provides a simple method of propagating user account
profiles between UnixWare® 7 or 2.1 systems.
The version of ap(ADM) in SCO OpenServer can also
dump account profiles. ap in UnixWare can read such profiles
and recreate the associated user accounts on a UnixWare system.
An account profile entry consists of a user's entry from the password file
followed by all relevant parts of their I&A (UnixWare) or
Protected Password (SCO OpenServer) database entry.
The following database fields are irrelevant and are not copied:
    time of last unsuccessful password change
    time of last successful and last unsuccessful login
    terminal of last successful and last unsuccessful login
    number of consecutive unsuccessful logins
ap understands the following options:
-d
Write an account profile entry to the standard output for each
username specified. If no usernames are specified, account profiles are
written for all users listed in the password file.
-f file
Specify a file containing user profile information created by
ap on another system.
-g
Include group membership in the account
profile information that is written out by the -d option.
-o
Overwrite an existing account profile
which has the same user name and user ID
as one being restored. If the -o option
is not specified, ap prints a warning message
and the existing entries are not overwritten.
NOTE:
If the user ID of an account to be restored is currently being
aged, ap prints a warning and does not create the account.
The -o option cannot be used to override the warning.
-p
Specify a new
login password for users whose passwords are longer than
8 characters. The password argument is specified
in clear text (unencrypted). Because of differences in the
way that SCO OpenServer and UnixWare systems handle long passwords,
ap otherwise truncates passwords longer than 8 characters
so that they are exactly 8 characters long (13 characters when encrypted).
These users must supply only the first 8 characters of their passwords
to log in.
NOTE:
All migrated users with long passwords will be required to change their
password when they first log in, whether or not the -p option
was specified.
-r
Create accounts from profile information in the file specified by the
-f option.
If a list of user names (usernames) is not specified,
all the account profiles contained in the file are restored;
otherwise, only the account profiles for the specified users are restored.
-u
Update the system with account profile information copied from
SCO OpenServer systems. The directory specified is expected to contain the
/etc/passwd and /tcb/files/auth/?/
file hierarchies copied or NFS-mounted from an SCO OpenServer system.
To preserve group membership, the /etc/group
file may (optionally) also be included under the directory.
If no user names are specified, all the account
profiles contained in the files under the specified directory are restored;
otherwise, only the account profiles for the specified users are restored.
-v
Print a message to the standard error
for each account profile dumped or restored.
Files
Common files:
    /etc/group                  group file
    /etc/passwd                 password file
    /etc/shadow                 shadow password file
SCO OpenServer only:
    /etc/default/accounts       user and group defaults' file
    /tcb/files/auth/?/          Protected Password database
    /etc/auth/subsystems/       Subsystem Authorizations database
UnixWare only:
    /etc/default/useradd        user defaults' file
    /etc/security/ia/ageduid    aged user ID file
    /etc/security/ia/audit      master audit file (if auditing is installed)
    /etc/security/ia/index      I&A master index file
    /etc/security/ia/master     I&A master database
    /etc/security/tcb/privs     system command privilege database
    /etc/security/tfm/users/    user authorizations
    /etc/security/tfm/roles/    administrative role authorizations
Authorization
ap requires the invoking user to be root
or to have dacread and dacwrite privileges.
Exit values
If ap detects a fatal error,
it displays an appropriate error message and
exits with status greater than zero.
If no errors are encountered, ap exits
with status zero.
Account profiles dumped on one UnixWare system can only be
restored on another UnixWare system. They cannot be restored
to an SCO OpenServer system because UnixWare encrypted passwords are not
transferable to SCO OpenServer.
You cannot use the UDK to run the UnixWare 7
version of ap on UnixWare 2.1 because
long passwords are only supported in UnixWare 7.
As UnixWare systems may have different system default values, the same
profile transferred to another UnixWare system may give the user different
capabilities simply because different default values are picked up for
fields that are not present in the profile entry for a user.
As the file containing the dumped account profile information is used to
update the password and Identification and Authentication (I&A)
database, it must be protected from unauthorized access in the same way
that entries in the I&A database themselves are protected.
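
One way to enforce this around the dump and restore steps, as an added example that is not part of the original manual page. The helper names check_profile_dump, dump_profiles and restore_profiles are hypothetical, and the sketch assumes a POSIX shell with ls -n, awk and id -u available:

```shell
# Added example; check_profile_dump, dump_profiles and restore_profiles are
# hypothetical helper names, not part of ap.

# Succeed only if the dump is a regular file owned by the invoking user
# with no group/other permission bits and no ACL.
check_profile_dump() {
    dumpfile=$1
    # -d: report on the file itself (a symlink shows type 'l'); -n: numeric IDs
    info=$(ls -ldn -- "$dumpfile" 2>/dev/null) || {
        echo "check_profile_dump: cannot stat $dumpfile" >&2; return 1; }
    mode=$(printf '%s\n' "$info" | awk '{print $1}')
    owner=$(printf '%s\n' "$info" | awk '{print $3}')
    case $mode in
        *+)          echo "$dumpfile: has an ACL ($mode)" >&2; return 1 ;;
        -???------*) ;;   # regular file, owner-only access
        -*)          echo "$dumpfile: group/other access ($mode)" >&2; return 1 ;;
        *)           echo "$dumpfile: not a regular file ($mode)" >&2; return 1 ;;
    esac
    [ "$owner" = "$(id -u)" ] || {
        echo "$dumpfile: owned by uid $owner" >&2; return 1; }
}

# Dump profiles into a new file that is created owner-only.
dump_profiles() {        # usage: dump_profiles outfile [usernames]
    out=$1; shift
    [ ! -e "$out" ] || { echo "$out exists; refusing to reuse it" >&2; return 1; }
    ( umask 077 && ap -dv "$@" > "$out" )
}

# Restore only from a dump that passes the check.
restore_profiles() {     # usage: restore_profiles file [usernames]
    src=$1; shift
    check_profile_dump "$src" && ap -r -f "$src" "$@"
}
```

The same check applies to any copy of the dump made while transferring it between systems.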
Privileges are not mapped between SCO OpenServer and UnixWare systems;
however, some audit events are. Default audit values for
AUDIT_MASK in /etc/default/useradd
are included in addition to any mapped events when a user profile is
restored. The table below shows how events are mapped between SCO OpenServer
and UnixWare systems.
SCO OpenServer event  UnixWare event                 Description
--------------------  -----------------------------  -------------------------------------------------------
boot/down             init (fixed)                   startup or shutdown
login                 login, logoff                  successful or unsuccessful login attempts
process               exec, exit, fork, kill         creation or termination of processes
ob_available          sem, msg, file_access, mount   file, message, semaphore opens and filesystem mounts
ob_map                exec                           program execution
ob_modify             open_wr                        file writes
ob_unavailable        sem, msg, file_access, umount  file, message, semaphore closes and filesystem unmounts
ob_create             sem, msg, file_access          file, message and semaphore creation
ob_delete             sem, msg, file_access          file, message and semaphore terminations
dac_chg               dac                            file, message, semaphore ownership or permission changes
access_denial         priv                           denied permissions
sysadm                tfadmin                        administrative tasks
insuff_priv           priv                           failed tasks due to insufficient privileges
rsc_denial            res_limit                      resource limits
ipc                   kill                           sending signals and messages to processes
proc_mod              process                        effective identity or working directory changes
audit                 audit (fixed)                  enable or disable auditing
database              -                              no mapping available
subsystem             -                              no mapping available
privilege             tfadmin                        administrative commands
Standards compliance
ap is not part of any currently supported standard;
it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.
Examples
To dump the account profiles for users fred
and guest on an SCO OpenServer system to a file called
profiles, and display a message after each account profile is dumped:
ap -dv fred guest > profiles.acct
This file can then be transferred to a UnixWare machine.
To restore the account profile for user fred on a
UnixWare system, overwriting any existing profile, and substituting
the password ``clydenw'' if the existing password is longer than 8
characters: