C    Interoperating with and Migrating from ULTRIX Systems

This appendix describes some of the issues you may encounter when moving applications and accounts from an ULTRIX system to a Tru64 UNIX system.

C.1    Migration Issues

The following sections describe migration issues you may encounter when moving from ULTRIX to Tru64 UNIX.

C.1.1    Difference in the audgen System Call

Applications built under ULTRIX that use the audgen() system call do not work on Tru64 UNIX because the Tru64 UNIX version of audgen() takes five parameters instead of the three it takes on ULTRIX. To port these applications, you can take either of the following steps:

C.1.2    Differences in the audcntl Routine

The Tru64 UNIX audcntl() routine takes six parameters instead of five as on ULTRIX. You need to put a zero (0) in the unused parameter.

C.1.3    Changes to the authaudit Routines

If you are moving from ULTRIX MLS+ or a system based on OSF code, several of the audit routines in the code base have been superseded in the Tru64 UNIX operating system by the audgen() and audgenl() routines. The superseded routines are provided only for backward compatibility and will be removed in a future release. The routines are:

audit_security_failure()
audit_no_resource()
audit_auth_entry()
audit_subsystem()
audit_login()
audit_rcmd()
audit_passwd()
audit_lock()
sa_audit_lock()
sa_audit_audit()

The functions of the audit_adjust_mask() routine have been superseded by audcntl().

See Chapter 19 for examples of how to use the audcntl() and audgenl() routines. More information on audgen(), audgenl(), and audcntl() is available in the associated reference pages and the audit.h file.

C.1.4    Difference in the Authentication Interfaces

The Tru64 UNIX SIA authentication interfaces are different from the ULTRIX interfaces.

C.1.5    Differences in Password Encryption

The Tru64 UNIX system uses a form of password encryption that is different from that used on ULTRIX. An ULTRIX system has three security levels: BSD, UPGRADE, and ENHANCED. A Tru64 UNIX system has only two security levels: BASE (equivalent to BSD) and ENHANCED. There is no direct equivalent to the ULTRIX UPGRADE security level; only the BSD and ENHANCED modes have direct equivalents. This is because the default Tru64 UNIX ENHANCED password encryption algorithm is compatible with the traditional password encryption, which is not the case for ULTRIX ENHANCED security.

Running the Tru64 UNIX secconfig script leaves the system equivalent to the ULTRIX UPGRADE level; the old password can be used once. The secauthmigrate script uses the ULTRIX ENHANCED password encryption algorithm, which is not compatible with the traditional-style password encryption algorithm. If you plan to use secauthmigrate, run the secconfig script before running secauthmigrate.

C.1.6    Trusted Path Unavailable on Tru64 UNIX

The ULTRIX trusted path feature is not available on Tru64 UNIX systems.

C.1.7    Secure Attention Key (SAK) Unavailable on Tru64 UNIX

The ULTRIX secure attention key (SAK) feature is not available on Tru64 UNIX systems.

C.2    Moving ULTRIX Authentication Files to Tru64 UNIX

Users whose records are being transferred must have valid BSD-style login records (with the exception of valid password fields) on the ULTRIX system. The record can come from NIS as well as from a local entry in /etc/passwd. (This is checked with the ls -o command.) You might want to do an account review, so that only those users who should still have active accounts are moved.

See the secauthmigrate(8) reference page for more information.

C.2.1    Converting Shared Authentication Files

Use the following procedure to convert ULTRIX shared authentication files (BIND/Hesiod) to Tru64 UNIX authentication files:

  1. On the ULTRIX system, make a copy of the distributed authentication data as follows:

    # cp -p /var/dss/namedb/src/auth /tmp/auth.hesiod
    

  2. Copy the /tmp/auth.hesiod file to the Tru64 UNIX system.

  3. If the BSD style profile information for the ULTRIX systems is shared by NIS, it is necessary to copy the /var/dss/namedb/src/passwd file to the Tru64 UNIX system. Add this file to the NIS password maps or append it to the /etc/passwd file.

  4. Run the /usr/sbin/secauthmigrate script as follows:

    # /usr/sbin/secauthmigrate auth.hesiod
    

    You should test the script by setting the ROOTDIR environment variable to a temporary location as follows:

    # /usr/bin/env ROOTDIR=/tmp \
           /usr/sbin/secauthmigrate auth.hesiod
    

  5. Continue the migration by going to Section C.2.3.

C.2.2    Converting Local Authentication Files

Use the following procedure to convert the ULTRIX files:

  1. Because the /etc/auth file is not normally up-to-date, use getauth to obtain the current values from /etc/auth.{pag,dir} as follows:

    
    # umask 077
    # getauth > /tmp/auth.local
    

  2. Copy the /tmp/auth.local file to the Tru64 UNIX system.

  3. Run the /usr/sbin/secauthmigrate script as follows:

    # /usr/sbin/secauthmigrate auth.local
    

    You should test the script using the ROOTDIR environment variable first.

  4. Continue the migration by going to Section C.2.3.

C.2.3    After Converting the Authentication Files

If any accounts are left in /tcb/files/auth/<a-z>/<username>:ULT, it is because there was already a protected profile for the user. Use the following procedure to complete the migration:

  1. Merge the values as appropriate. Edit a duplicate of the file, then copy the new file to /tcb/files/auth/<a-z>/<username>:t.

  2. Check to be sure that the base file (/tcb/files/auth/<a-z>/<username>) has not been changed. If it has, merge the change into the /tcb/files/auth/<a-z>/<username>:t file.

  3. Rename the /tcb/files/auth/<a-z>/<username>:t file to /tcb/files/auth/<a-z>/<username>.
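
The merge in steps 1 through 3, as an added shell example that is not part of the original manual and not a Tru64 UNIX tool. The function names and the private work-directory argument are hypothetical, and the example assumes that ROOTDIR prefixes the /tcb/files/auth path as in the secauthmigrate test runs above.

```shell
#!/bin/sh
# Added example; every function name here is hypothetical.
# Assumption: ROOTDIR, when set, prefixes /tcb/files/auth.

auth_root() { printf '%s/tcb/files/auth\n' "${ROOTDIR:-}"; }

# Base profile path: /tcb/files/auth/<first letter>/<username>
profile_path() {
    printf '%s/%s/%s\n' "$(auth_root)" "$(printf '%s' "$1" | cut -c1)" "$1"
}

# User names whose converted record was left as <username>:ULT.
list_ult_leftovers() {
    find "$(auth_root)" -type f -name '*:ULT' |
        sed -e 's|.*/||' -e 's|:ULT$||' | sort
}

# Before editing: record a checksum of the base profile.
# $2 is a work directory that only root can read (assumption).
begin_merge() {
    cksum < "$(profile_path "$1")" > "$2/$1.sum"
}

# Steps 2 and 3: rename <username>:t over the base profile, but only
# if the base profile has not changed since begin_merge was run.
finish_merge() {
    base=$(profile_path "$1")
    [ -f "$base:t" ] || { echo "$1: no $base:t to install" >&2; return 2; }
    if [ "$(cksum < "$base")" != "$(cat "$2/$1.sum")" ]; then
        echo "$1: base profile changed; merge the change into $base:t" >&2
        return 1
    fi
    mv "$base:t" "$base"
}

# Constructed sample tree for trying the functions under a scratch
# ROOTDIR: alice has a leftover :ULT record, bob does not.
make_sample_tree() {
    mkdir -p "$1/tcb/files/auth/a" "$1/tcb/files/auth/b"
    echo 'constructed base profile'   > "$1/tcb/files/auth/a/alice"
    echo 'constructed ULTRIX profile' > "$1/tcb/files/auth/a/alice:ULT"
    echo 'constructed base profile'   > "$1/tcb/files/auth/b/bob"
}
```

Run begin_merge before editing the duplicate and finish_merge after copying the merged file to <username>:t. A return status of 1 means the base file changed in the meantime and step 2 still has to be done by hand.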

If a UID is not known, the secauthmigrate script reports that it cannot translate the UID to a name. The script attempts the translation using the following command:

# ls -o /tmp/file

This test is performed on a file owned by the UID in question. It may be necessary to check the contents of /etc/passwd or the NIS setup. If this discrepancy persists, it indicates that there was an orphaned authentication record in the original ULTRIX data.

Once all the records have been converted, review their contents with the dxaccounts program.

C.3    Audit Data Compatibility

The following are compatibility issues between the auditing subsystems on ULTRIX and Tru64 UNIX systems: