ap(1M)


ap -- dump and load user account profiles

Synopsis

ap -d [ -g ] [ -v ] [ usernames ]

ap -r -f file [ -p password ] [ -o ] [ -v ] [ usernames ]

ap -u directory [ -p password ] [ -o ] [ -v ] [ usernames ]

Description

ap provides a simple method of propagating user account profiles between UnixWare® 7 or 2.1 systems.

The version of ap(ADM) in SCO OpenServer(TM) can also dump account profiles. ap in UnixWare can read such profiles and recreate the associated user accounts on a UnixWare system.

An account profile entry consists of a user's entry from the password file followed by all relevant parts of their I&A (UnixWare) or Protected Password (SCO OpenServer) database entry. The following database fields are irrelevant and are not copied:

ap understands the following options:

-d
Write an account profile entry to the standard output for each username specified. If no usernames are specified, account profiles are written for all users listed in the password file.

-f file
Specify a file containing user profile information created by ap on another system.

-g
Include group membership in the account profile information that is written out by the -d option.

-o
Overwrite an existing account profile which has the same user name and user ID as one being restored. If the -o option is not specified, ap prints a warning message and the existing entries are not overwritten.


NOTE: If the user ID of an account to be restored is currently being aged, ap prints a warning and does not create the account. The -o option cannot be used to override the warning.


-p
Specify a new login password for users whose passwords are longer than 8 characters. The password argument is specified in clear text (unencrypted). Because of differences in the way that SCO OpenServer and UnixWare systems handle long passwords, ap otherwise truncates passwords longer than 8 characters so that they are exactly 8 characters long (13 characters when encrypted). These users must supply only the first 8 characters of their passwords to log in.


NOTE: All migrated users with long passwords will be required to change their password when they first log in, whether or not the -p option was specified.


-r
Create accounts from profile information in the file specified by the -f option. If a list of user names (usernames) is not specified, all the account profiles contained in the file are restored; otherwise, only the account profiles for the specified users are restored.

-u
Update the system with account profile information copied from SCO OpenServer systems. The directory specified is expected to contain the /etc/passwd and /tcb/files/auth/?/* file hierarchies copied or NFS-mounted from an SCO OpenServer system. To preserve group membership, the /etc/group file may (optionally) also be included under the directory. If no user names are specified, all the account profiles contained in the files under the specified directory are restored; otherwise, only the account profiles for the specified users are restored.

-v
Print a message to the standard error for each account profile dumped or restored.

Files

Common files:

/etc/group
group file

/etc/passwd
password file

/etc/shadow
shadow password file

SCO OpenServer only:

/etc/default/accounts
user and group defaults' file

/tcb/files/auth/?/*
Protected Password database

/etc/auth/subsystems/*
Subsystem Authorizations database

UnixWare only:

/etc/default/useradd
user defaults' file

/etc/security/ia/ageduid
aged user ID file

/etc/security/ia/audit
master audit file (if auditing is installed)

/etc/security/ia/index
I&A master index file

/etc/security/ia/master
I&A master database

/etc/security/tcb/privs
system command privilege database

/etc/security/tfm/users/*
user authorizations

/etc/security/tfm/roles/*
administrative role authorizations

Authorization

ap requires the invoking user to be root or to have dacread and dacwrite privileges.

Exit values

If ap detects a fatal error, it displays an appropriate error message and exits with status greater than zero. If no errors are encountered, ap exits with status zero.

References

filepriv(1M), group(4), groupadd(1M), groupdel(1M), groupmod(1M), logins(1M), passwd(4), shadow(4), useradd(1M), userdel(1M), usermod(1M)

Notices

Account profiles dumped on one UnixWare system can only be restored on another UnixWare system. They cannot be restored to an SCO OpenServer system because UnixWare encrypted passwords are not transferable to SCO OpenServer.

You cannot use the UDK to run the UnixWare 7 version of ap on UnixWare 2.1 because long passwords are only supported in UnixWare 7.

As UnixWare systems may have different system default values, the same profile transferred to another UnixWare system may give the user different capabilities simply because different default values are picked up for fields that are not present in the profile entry for a user.

As the file containing the dumped account profile information is used to update the password and Identification and Authentication (I&A) database, it must be protected from unauthorized access in the same way that entries in the I&A database themselves are protected.

Privileges are not mapped between SCO OpenServer and UnixWare systems; however, some audit events are. Default audit values for AUDIT_MASK in /etc/default/useradd are included in addition to any mapped events when a user profile is restored. The table below shows how events are mapped between SCO OpenServer and UnixWare systems.

 +---------------------+---------------------+-------------------------+
 |SCO OpenServer event | UnixWare event      | Description             |
 +---------------------+---------------------+-------------------------+
 |boot/down            |  init (fixed)       | startup or shutdown     |
 +---------------------+---------------------+-------------------------+
 |login                | login, logoff       | successful or           |
 |                     |                     | unsuccessful login      |
 |                     |                     | attempts                |
 +---------------------+---------------------+-------------------------+
 |process              | exec, exit, fork,   | creation or termination |
 |                     | kill                | of processes            |
 +---------------------+---------------------+-------------------------+
 |ob_available         | sem, msg,           | file, message,          |
 |                     | file_access, mount  | semaphore opens and     |
 |                     |                     | filesystem mounts       |
 +---------------------+---------------------+-------------------------+
 |ob_map               | exec                | program execution       |
 +---------------------+---------------------+-------------------------+
 |ob_modify            | open_wr             | file writes             |
 +---------------------+---------------------+-------------------------+
 |ob_unavailable       | sem, msg,           | file, message,          |
 |                     | file_access, umount | semaphore closes and    |
 |                     |                     | filesystem unmounts     |
 +---------------------+---------------------+-------------------------+
 |ob_create            | sem, msg,           | file, message and       |
 |                     | file_access         | semaphore creation      |
 +---------------------+---------------------+-------------------------+
 |ob_delete            | sem, msg,           | file, message and       |
 |                     | file_access         | semaphore terminations  |
 +---------------------+---------------------+-------------------------+
 |dac_chg              | dac                 | file, message,          |
 |                     |                     | semaphore ownership or  |
 |                     |                     | permission changes      |
 +---------------------+---------------------+-------------------------+
 |access_denial        | priv                | denied permissions      |
 +---------------------+---------------------+-------------------------+
 |sysadm               | tfadmin             | administrative tasks    |
 +---------------------+---------------------+-------------------------+
 |insuff_priv          | priv                | failed tasks due to     |
 |                     |                     | insufficient privileges |
 +---------------------+---------------------+-------------------------+
 |rsc_denial           | res_limit           | resource limits         |
 +---------------------+---------------------+-------------------------+
 |ipc                  | kill                | sending signals and     |
 |                     |                     | messages to processes   |
 +---------------------+---------------------+-------------------------+
 |proc_mod             | process             | effective identity or   |
 |                     |                     | working directory       |
 |                     |                     | changes                 |
 +---------------------+---------------------+-------------------------+
 |audit                | audit (fixed)       | enable or disable       |
 |                     |                     | auditing                |
 +---------------------+---------------------+-------------------------+
 |database             | -                   | no mapping available    |
 +---------------------+---------------------+-------------------------+
 |subsystem            | -                   | no mapping available    |
 +---------------------+---------------------+-------------------------+
 |privilege            | tfadmin             | administrative commands |
 +---------------------+---------------------+-------------------------+

Standards compliance

ap is not part of any currently supported standard; it is an extension of AT&T System V provided by The Santa Cruz Operation, Inc.

Examples

To dump the account profiles for users fred and guest on an SCO OpenServer system to a file called profiles.acct, and display a message after each account profile is dumped:

ap -dv fred guest > profiles.acct

This file can then be transferred to a UnixWare machine.

To restore the account profile for user fred on a UnixWare system, overwriting any existing profile, and substituting the password ``clydenw'' if the existing password is longer than 8 characters:

ap -ro -f profiles.acct -p clydenw fred


© 2004 The SCO Group, Inc. All rights reserved.
UnixWare 7 Release 7.1.4 - 25 April 2004