This appendix describes some of the issues you may encounter when moving applications and accounts from an ULTRIX system to a Digital UNIX system.
The following sections describe migration issues you may encounter when moving from ULTRIX to Digital UNIX.
Applications built under ULTRIX that make use of the audgen() system call do not work on Digital UNIX because the Digital UNIX version of audgen() takes five parameters instead of three as on ULTRIX. To port these applications, you can take either of the following steps:
Change calls to audgen() to the OSF-style usage. For example:
/* ULTRIX */ audgen(event, tokenmask, param_vector);
becomes:
/* Digital UNIX */ audgen(event, tokenmask, param_vector, NULL, NULL);
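#include <sys/syscall.h>
#include <stdio.h>

/* Accepts the three-argument ULTRIX call and passes NULL for the two
   additional Digital UNIX parameters. */
int
audgen(event, tokenp, argp)
int event;
char *tokenp;
char *argp[];
{
    return(syscall(SYS_audgen, event, tokenp, argp, NULL, NULL));
}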
The Digital UNIX audcntl() routine takes six parameters instead of five as on ULTRIX. You need to put a zero (0) in the unused parameter.
If you are moving from ULTRIX MLS+ or a system based on OSF code, several of the audit routines in the code base have been superseded in the Digital UNIX operating system by the audgen() and audgenl() routines. The routines are provided only for backward compatibility and will be removed in a future release. The routines are:
audit_security_failure()
audit_no_resource()
audit_auth_entry()
audit_subsystem()
audit_login()
audit_rcmd()
audit_passwd()
audit_lock()
sa_audit_lock()
sa_audit_audit()
The functions of the audit_adjust_mask() routine have been superseded by audcntl(). See Chapter 19 for examples of how to use the audcntl() and audgenl() routines. More information on audgen(), audgenl(), and audcntl() is available in the associated reference pages and the audit.h file.
The Digital UNIX SIA authentication interfaces are different from the ULTRIX interfaces.
The Digital UNIX system uses a form of password encryption that is different from that used on ULTRIX. An ULTRIX system has three security levels: BSD, UPGRADE, and ENHANCED. A Digital UNIX system has only two security levels: BASE (equivalent to BSD) and ENHANCED. There is not a direct equivalent to the ULTRIX UPGRADE security level. There are only direct equivalents to BSD and ENHANCED modes. This is because the default Digital UNIX ENHANCED password encryption algorithm is compatible with the traditional password encryption, which is not the case for ULTRIX ENHANCED security.
Running the Digital UNIX secsetup script leaves the system equivalent to the ULTRIX UPGRADE level; the old password can be used once. The secauthmigrate script uses the ULTRIX ENHANCED password encryption algorithm, which is not compatible with the traditional style password encryption algorithm. If secauthmigrate is going to be used, run the secsetup script before running secauthmigrate.
The ULTRIX trusted path feature is not available on Digital UNIX systems.
The ULTRIX secure attention key (SAK) feature is not available on Digital UNIX systems.
Users whose records are being transferred must have valid BSD style login records (with the exception of valid password fields) on the ULTRIX system. This can be through NIS as well as a local record in /etc/passwd. (This is checked with ls -o.) You might want to do an account review, so that only those users who should still have active accounts are moved. See the secauthmigrate(8) reference page for more information.
Use the following procedure to convert ULTRIX shared authentication files (BIND/Hesiod) to DEC OSF/1 authentication files:
# cp -p /var/dss/namedb/src/auth /tmp/auth.hesiod
Copy the /tmp/auth.hesiod file to the Digital UNIX system.
Copy the /var/dss/namedb/src/passwd file to the Digital UNIX system. Add this file to the NIS password maps or append it to the /etc/passwd file.
Run the /usr/sbin/secauthmigrate script as follows:
# /usr/sbin/secauthmigrate auth.hesiod
You should test the script by setting the ROOTDIR environment variable to a temporary location as follows:
# /usr/bin/env ROOTDIR=/tmp /usr/sbin/secauthmigrate auth.hesiod
Use the following procedure to convert the ULTRIX files:
Because the /etc/auth file is not normally up-to-date, use getauth to obtain the current values from /etc/auth.{pag,dir} as follows:
# umask 077
# getauth > /tmp/auth.local
Copy the /tmp/auth.local file to the Digital UNIX system.
Run the /usr/sbin/secauthmigrate script as follows:
# /usr/sbin/secauthmigrate auth.local
You should test the script using the ROOTDIR environment variable first.
If any accounts are left in /tcb/files/auth/?/user:ULT, it is because there was already a protected profile for the user.
Use the following procedure to complete the migration:
/tcb/files/auth/?/user:t, /tcb/files/auth/?/user) has not been changed. If it has, merge the change into the /tcb/files/auth/?/user:t file.
/tcb/files/auth/?/user:t file to /tcb/files/auth/?/user.
If a UID is not known, the secauthmigrate script reports that it cannot translate a UID to a name using the following code:
# ls -o /tmp/file
This test is performed on a file owned by the UID in question. It may be necessary to check the contents of /etc/passwd or the NIS setup. If this discrepancy persists, it indicates that there was an orphaned authentication record in the original ULTRIX data.
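A pre-flight check for the orphaned-record case described above, as an added example that is not part of the original manual: it lists dump UIDs that have no passwd entry and confirms the dump is not accessible to group or other. It assumes each dump record is colon-delimited with the numeric UID first and that the passwd listing already has any NIS entries merged in; the function names and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the manual): pre-flight checks on an ULTRIX auth
# dump before it is handed to secauthmigrate.
# ASSUMPTIONS: every dump record is colon-delimited with the numeric UID as
# field 1; the passwd listing is in passwd format (UID in field 3) and
# already includes any NIS entries.

# Print each UID in the dump that has no passwd entry (an orphaned record).
orphan_uids() {    # usage: orphan_uids AUTH_DUMP PASSWD_LISTING
    awk -F: '
        pass == 1 { if ($3 != "") known[$3] = 1; next }
        $1 ~ /^-?[0-9]+$/ && !($1 in known) && !seen[$1]++ { print $1 }
    ' pass=1 "$2" pass=2 "$1"
}

# Succeed only if the dump grants nothing to group or other. It holds
# password hashes, which is why the procedure sets umask 077 before getauth.
dump_is_private() {    # usage: dump_is_private AUTH_DUMP
    [ "$(ls -ld "$1" | cut -c5-10)" = "------" ]
}

# Run both checks; return 0 only when neither reports a problem.
preflight() {    # usage: preflight AUTH_DUMP PASSWD_LISTING
    rc=0
    if ! dump_is_private "$1"; then
        echo "WARN: $1 is accessible to group or other" >&2
        rc=1
    fi
    for uid in $(orphan_uids "$1" "$2"); do
        echo "ORPHAN: UID $uid has an auth record but no passwd entry" >&2
        rc=1
    done
    return $rc
}

# Constructed sample data; everything after the UID is a placeholder.
make_sample() {    # usage: make_sample DIR
    ( umask 077
      printf '%s\n' '268:PLACEHOLDER:rest-of-record' \
                    '301:PLACEHOLDER:rest-of-record' \
                    '417:PLACEHOLDER:rest-of-record' > "$1/auth.local" )
    printf '%s\n' 'alice:*:268:15:Alice:/usr/users/alice:/bin/csh' \
                  'bob:*:417:15:Bob:/usr/users/bob:/bin/sh' > "$1/passwd"
}

# When invoked with two arguments, check the named files.
if [ $# -eq 2 ]; then preflight "$1" "$2"; fi
```

With the constructed sample, UID 301 is reported because it appears in the dump but not in the passwd listing.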
Once all the records have been converted, review their contents with the dxaccounts program.
The following are compatibility issues between the auditing subsystems on ULTRIX and Digital UNIX systems:
audit_tool.ultrix program. See the audit_tool(8) reference page for more information.
The Digital UNIX auditd and the ULTRIX auditd do not communicate with each other.
The auditd command line is different between ULTRIX and Digital UNIX systems. See the auditd(8) reference page for details.
The auditd access control list, which was found in /etc/auditd_clients on ULTRIX, is found in /etc/sec/auditd_clients on Digital UNIX systems.