passwd_import(8sec) — Maintenance
NAME
passwd_import - Creates registry database entries from group and password files
SYNOPSIS
passwd_import [-c] -d path [-h] [-i] [-o org] [-p password] [-u username] [-v]
OPTIONS
-cRuns in check mode: processes the command, showing all conflicts, but makes no requests for resolution.
-d pathSpecifies the path of the directory containing the foreign password and group files to be imported.
-hDisplays help information.
-iIgnores name conflicts. Names in the registry and the group and password files represent the same identity.
-o orgSpecifies the name of an organization to be assigned to all imported entries. The default organization is none.
-p passwordSpecifies the password for the account with whose privileges passwd_import runs.
-u usernameSpecifies the principal name of the account with whose privileges passwd_import will run. This account must have the privileges to access the registry and add principals, groups, accounts, and organizations, and to add members to groups and organizations. The principal name and password are used to obtain network authentication. If you do not supply them, passwd_import prompts for them, even if you have already performed a network login.
-vRuns in verbose mode, generating a verbose transcript of passwd_import activity.
DESCRIPTION
The passwd_import command is a mechanism for creating registry database entries that are consistent with foreign password and group file entries. Use passwd_import to ensure consistency between DCE and foreign protection mechanisms when you do any of the following:
•Attach DCE node(s) to an existing UNIX network
•Attach UNIX node(s) to a DCE network
•Connect DCE and UNIX networks
If the password and group file entries do not exist in the DCE registry, passwd_import creates them. If there are duplicate entries, passwd_import follows your directions on how to handle them.
The Process
The DCE registry database must exist and be running before you can use passwd_import. If you are simply adding a few DCE nodes to a foreign network, you can create a new, but empty, registry to meet this requirement.
As passwd_import processes, it performs the following steps:
1.It opens the group and password files and establishes a connection to the registry.
2.It compares the group file entries to groups in the registry. If there are no conflicts, it creates groups in the registry corresponding to the groups in the group file.
3.It compares the entries in the password file to principals in the registry. Again, if there are no conflicts, it does the following:
1.Creates principals in the registry corresponding to the entries in the password file.
2.Adds the newly created principals to the appropriate groups.
3.Creates accounts for the newly created principals.
4.It reexamines the group file and adds the principals as members of any addtional groups it finds there.
The changes to the registry are made individually as each step is processed. If you do not specify the organization, the principals are added to the organization none.
Conflicts
During this process, passwd_import can find conflicts in name strings (for example, in the password file: joe 102; in the registry database:joe 555) and in UNIX IDs (for example, in the password file: joe 102; in DCE: carmelita 102). When passwd_import finds a conflict, it prompts for changes to make to the /etc/passwd and /etc/group entries. No changes are made to the registry entries. In other words, all conflicts are resolved in favor of the registry entry.
The -i option specifies that duplicate names are not in conflict but, in fact, represent the same identity. Therefore, when duplicate names arise, no action is necessary. If you do not use the -i option, passwd_import prompts for how to handle the name conflicts.
Resolving Conflicts
The passwd_import command prompts for instructions to resolve the conflicts it finds. You have the following choices:
•You can create an alias to resolve a UNIX ID conflict. This action creates an alias for the registry object in conflict. The passwd_import command assigns this alias the same name as the conflicting entry in the /etc/group or /etc/passwd file. For example, if the entry joe 555 exists in the registry and the entry tim 555 exists in the /etc/passwd file, choosing this option creates the alias tim for joe 555.
•You can generate a new UNIX ID automatically or enter a new one explicitly to resolve a UNIX ID conflict. For example, if there is a conflict between the entry joe 555 in the registry and tim 555 in the /etc/passwd file, you can generate a new UNIX ID for tim.
•You can enter a new name to resolve a name conflict. For example if there is a conflict between the entry joe 555 in the registry and joe 383 in the /etc/passwd file, you can generate a new name for joe 383. This new name will then be added to the registry.
In addition, you are given the option of ignoring the conflict and skipping the entry.
Generally, you should run passwd_import with the -c option. Using the results of this run, you can determine how to handle the conflicts. If there are many conflicts, it may be more efficient to manually edit either the registry or the group and password files to resolve some of them before you run import_passwd.
Registry Database Entries
New registry entries created by passwd_import are assigned the following values:
For Principal and Group Entries:
alias/primaryIf the /etc/passwd file contains two entries with the same UNIX number, passwd_import creates a primary name entry for the first occurrence of the UNIX number and alias entries for each subsequent occurrence.
fullnameA blank string; no full name is added for the entry.
membership list
For new groups only; all principals listed in the group file, and all principals with accounts in the password file with that group.
projlist_okYes (for groups only).
For Account Entries:
Account expiration date
None.
Account_validFalse.
Client flagTrue.
Duplicate certificate flag
False.
Forwardable certificate flag
True.
GecosSame as password file.
Good since date
Time of account creation.
HomedirSame as password file.
Maximum certificate lifetime
Default to registry authentication policy.
Maximum certificate renewable
Default to registry authentication policy.
PasswdRandomly generated. Note that you must modify or reset randomly generated passwords before user authentication is possible.
Passwd_dtmDate and time passwd_import was run.
Passwd_validFalse.
Postdated certificate flag
False.
Proxiable certificate flag
False.
Renewable certificate flag
True.
Server flagTrue.
ShellSame as password file.
TGT authentication flag
True.
RELATED INFORMATION
Commands: rgy_edit(8sec), sec_admin(8sec), secd(8sec).