C    Interoperating with and Migrating from ULTRIX Systems

This appendix describes some of the issues you may encounter when moving applications and accounts from an ULTRIX system to a Digital UNIX system.

C.1    Migration Issues

The following sections describe migration issues you may encounter when moving from ULTRIX to Digital UNIX.

C.1.1    Difference in the audgen System Call

Applications built under ULTRIX, that make use of the audgen() system call, do not work on Digital UNIX because the Digital UNIX version of audgen() takes five parameters instead of three as on ULTRIX. To port these applications, you can take either of the following steps:

• Convert ULTRIX-style usage of audgen() to the OSF-style usage. For example:

  /* ULTRIX */
  audgen(event, tokenmask, param_vector);
  

  becomes:

  /*Digital UNIX*/
  audgen(event, tokenmask, param_vector, NULL,NULL);
  

• Link such applications with the following module:

  #include <sys/syscall.h>
  #include <stdio.h>
  audgen(event, tokenp, argp)
  int event;
  char *tokenp;
  char *argp[];
  {
     return(syscall(SYS_audgen, event, tokenp, argp, \
                                                NULL, NULL));
  }
  

C.1.2    Differences in the audcntl Routine

The Digital UNIX audcntl() routine takes six parameters instead of five as on ULTRIX. You need to put a zero (0) in the unused parameter.

C.1.3    Changes to the authaudit Routines

If you are moving from ULTRIX MLS+ or a system based on OSF code, several of the audit routines in the code base have been superceded in the Digital UNIX operating system by the audgen() and audgenl() routines. The routines are provided only for backward compatibility and will be removed in a future release. The routines are:

audit_security_failure()
audit_no_resource()
audit_auth_entry()
audit_subsystem()
audit_login()
audit_rcmd()
audit_passwd()
audit_lock()
sa_audit_lock()
sa_audit_audit()

The functions of the audit_adjust_mask() routine have been superceded by audcntl().

See Chapter 19 for examples of how to use the audcntl() and audgenl() routines. More information on audgen(), audgenl(), and audcntl() is available in the associated reference pages and the auduit.h file.

C.1.4    Difference in the Authentication Interfaces

The Digital UNIX SIA authentication interfaces are different from the ULTRIX interfaces.

C.1.5    Differences in Password Encryption

The Digital UNIX system uses a form of password encryption that is different from that used on ULTRIX. An ULTRIX system has three security levels: BSD, UPGRADE, and ENHANCED. A Digital UNIX has only two security levels: BASE (equivalent to BSD) and ENHANCED. There is not a direct equivalent to the ULTRIX UPGRADE security level. There are only direct equivalents to BSD and ENHANCED modes. This is because the default Digital UNIX ENHANCED password encryption algorithm is compatible with the traditional password encryption, which is not the case for ULTRIX ENHANCED security.

Running the Digital UNIX secsetup script leaves the system equivalent to the ULTRIX UPGRADE level; the old password can be used once. The secauthmigrate script uses the ULTRIX ENHANCED password encryption algorithm, which is not compatible with the traditional style password encryption algorithm. If secauthmigrate is going to be used, run the secsetup script before running secauthmigrate.

C.1.6    Trusted Path Unavailable on Digital UNIX

The ULTRIX trusted path feature is not available on Digital UNIX systems.

C.1.7    Secure Attention Key (SAK) Unavailable on Digital UNIX

The ULTRIX secure attention key (SAK) feature is not available on Digital UNIX systems.

C.2    Moving ULTRIX Authentication Files to Digital UNIX

Users whose records are being transferred must have valid BSD style login records (with the exception of valid password fields) on the ULTRIX system. This can be through NIS as well as a local record in /etc/passwd. (This is checked with the ls -o.) You might want to do an account review, so that only those users who should still have active accounts are moved.

See the secauthmigrate(8) reference page for more information.

C.2.1    Converting Shared Authentication Files

Use the following procedure to convert ULTRIX shared authentication files (BIND/Hesiod) to DEC OSF/1 authentication files:

1. On the ULTRIX system, make a copy of the distributed authentication data as follows:

   #  cp -p /var/dss/namedb/src/auth /tmp/auth.hesiod
   

2. Copy the /tmp/auth.hesiod file to the Digital UNIX system.

3. If the BSD style profile information for the ULTRIX systems is shared by NIS, it is necessary to copy the /var/dss/namedb/src/passwd file to the Digital UNIX system. Add this file to the NIS password maps or append it to the /etc/passwd file.

4. Run the /usr/sbin/secauthmigrate script as follows:

   #  /usr/sbin/secauthmigrate auth.hesiod
   

   You should test the script by setting the ROOTDIR environment variable to a temporary location as follows:

   #  /usr/bin/env ROOTDIR=/tmp /usr/sbin/secauthmigrate auth.hesiod
   

5. Continue the migration by going to Section C.2.3.

C.2.2    Converting Local Authentication Files

Use the following procedure to convert the ULTRIX files:

1. Because the /etc/auth file is not normally up-to-date, use getauth to obtain the current values from /etc/auth.{pag,dir} as follows:

   #  umask 077
   #  getauth > /tmp/auth.local
   

2. Copy the /tmp/auth.local file to the Digital UNIX system.

3. Run the /usr/sbin/secauthmigrate script as follows:

   #  /usr/sbin/secauthmigrate auth.local
   

   You should test the script using the ROOTDIR environment variable first.

4. Continue the migration by going to Section C.2.3.

C.2.3    After Converting the Authentication Files

If any accounts are left in /tcb/files/auth/?/user:ULT, it is because there was already a protected profile for the user. Use the following procedure to complete the migration:

1. Merge the values as appropriate. Edit the file using a duplicate, copy the new file to /tcb/files/auth/?/user:t,

2. Check to be sure that the base file (/tcb/files/auth/?/user) has not been changed. If it has, merge the change into the /tcb/files/auth/?/user:t file.

3. Rename the /tcb/files/auth/?/user:t file to /tcb/files/auth/?/user.

If a UID is not known, the secauthmigrate script reports that it cannot translate a UID to a name using the following code:

#  ls -o /tmp/ file

This test is performed on a file owned by the UID in question. It may be necessary to check the contents of /etc/passwd or the NIS setup. If this discrepancy persists, it indicates that there was an orphaned authentication record in the original ULTRIX data.

Once all the records have been converted, review their contents with the dxaccounts program.

C.3    Audit Data Compatibility

The following are compatibility issues between the auditing subsystems on ULTRIX and Digital UNIX systems:

• Audit data on a Digital UNIX system is not compatible with audit data on an ULTRIX system.

• Audit data generated on an ULTRIX system is read using the audit_tool.ultrix program. See the audit_tool(8) reference page for more information.

• The Digital UNIX auditd and the ULTRIX auditd do not communicate with each other.

• The auditd command line is different between ULTRIX and Digital UNIX systems. See the auditd(8) reference page for details.

• The auditd access control list, which was found in /etc/auditd_clients on ULTRIX, is found in /etc/sec/auditd_clients on Digital UNIX systems.