Creating Windows Users from an NIS Database Using Microsoft Windows Services for UNIX v3.5
Abstract
This paper presents two sample Korn shell scripts, getusers.ksh and makeusers.ksh. The getusers.ksh script demonstrates the extraction of usernames from a Network Information Service (NIS) database, and makeusers.ksh demonstrates the creation of Windows user accounts from the output file of the first script.
Introduction
Extracting User Names
Create Windows Users
Conclusion
In order to successfully implement Microsoft® Windows® Services for UNIX 3.5 (SFU 3.5) in an environment with a large number of existing NIS users, you need to create the users in the Windows® environment as well. If the existing NIS servers are to continue to provide authentication for UNIX and Linux users, then the available NIS Migration Wizard is not an option to get the users into the Windows environment.
Two sample scripts have been created that demonstrate how an administrator can extract the current list of NIS users into a simple text file and then use that text file to create the users in the Windows environment. The script names are “getusers.ksh
” and “makeusers.ksh
” respectively.
The scripts are written to run in the Korn shell environment. They use features of the Korn shell that will require modification to run in another shell, such as the bash shell. They should, however, work correctly in the Korn shell provided with most versions of UNIX, in the pdksh shell that is available on a wide variety of Linux platforms, and in the ksh shell that is included with SFU 3.5.
Note: These scripts are not intended to be a substitute or replacement for the NIS Data Migration Wizard. The NIS Data Migration Wizard is intended to be used when migrating your NIS Master to Microsoft® Active Directory®. For more information about the NIS Data Migration Wizard, see the SFU 3.5 Help files under Server for NIS.
The getusers.ksh
script is used to extract a list of user names and the comment field associated with the user (which is generally the user’s full name) from the NIS database. The script defaults to extracting only those users whose user ID (UID) is 500 or greater and whose primary group ID (GID) is 100 or greater. Maximum UID and GID is 65532. Both the minimum and maximum values are configurable from the command line.
Place the script in the location of your choice. It should be on a machine that is an NIS client and can be run by any account with sufficient privileges to run ypcat passwd.
Working and output files are written into /tmp.
The default output file for the script is “/tmp/userlist.out”. This is a list of usernames and the comment field associated with them, sorted by UID. Note, however, that the UID is not included in the output file.
As a demonstration script, getusers.ksh
extracts only two fields, though it can be modified to extract additional fields if required.
The getusers.ksh
script has the following syntax:
getusers.ksh [-dh] [-f filespec] [–g n][–G n] [–u n] [–U n]
The options supported are:
-d |
Debug mode. Script is more verbose with this flag enabled. |
-h |
Help – print a short help message |
-f filespec |
specify an output file name and location (the default is /tmp/userlist.out) |
-g |
Minimum GID to extract |
-G |
Maximum GID to extract |
-u |
Minimum UID to extract |
-U |
Maximum UID to extract |
The getusers.ksh
script uses the Korn shell support for functions to divide the script into discrete and self-contained elements. Because a function must be created before it can be used, these functions are all at the beginning of the script.
The functions in the script are:
Usage() |
prints a simple help screen |
Exceptions() |
echoes any error messages and exits |
Parse_cmd() |
handles command line options |
Set_Inits () |
handles initialization of variables |
Set_MinUID () |
sets the Minimum UID |
Set_MinGID () |
sets the Minimum GID |
Set_MaxUID () |
sets the Maximum UID |
Set_MaxGID () |
sets the Maximum GID |
Set_OutFile () |
sets the output file name and location |
Create_tmpfile () |
creates a temporary working file |
Create_awkfile () |
creates the awk command file that actually does the work |
Get_Users () |
queries the NIS database and sorts the users by UID, outputting to the temporary working file |
Print_Vars () |
prints the current value of variables (for debugging) |
Cleanup () |
does cleanup of working files if not in DEBUG mode |
The actual program flow is:
Set initial DEBUG state, based on the shell environment. If the shell environment has the variable DEBUG defined and > 0, then DEBUG will be true. |
Parse command line options.
|
Set the values of various variables, either to the default value or one entered at the command line. |
Create the temporary working file used to hold a sorted list of usernames. |
Create an awk |
Extract the users from the NIS database. |
Process the list of users to get only those that meet the minimum and maximum UID and GID values, writing the results out to the output file. |
Clean up any working files, unless DEBUG is true. |
The getusers.ksh
script is a modular script that uses Korn shell functions. This allows it to be modified to meet the needs of your specific environment. One easy change would be to use the script to extract a list of users from /etc/passwd
instead of the NIS database. All that would be required would be to change the “ypcat passd
” command in the Get_Users() function with “cat /etc/passwd.
”
The makeusers.ksh
script is used to create new Windows users in the context of the current Active Directory domain. It must be run in the Interix Korn shell and must be run by a user with sufficient privileges to create users in the domain. By default, this means it must be run in the context of a user who is a member of the Domain Admins group. The script depends on the output file from the getusers.ksh
script (default file name is userlist.out
) or a similar text file created manually.
Place the script in the location of your choice, and place the output file from the getusers.ksh
script in the same location. It should be run on a machine with good connectivity to the Active Directory domain controller. The input file is a list of usernames and the comment field associated with them, sorted by UID, though the UID is not included in the file.
As a demonstration script, makeusers.ksh
takes advantage of only a relatively limited set of fields as it creates the new user. There are additional fields available with the NET USER command, and if additional flexibility is required, there are alternatives to NET USER that could be used. Given that each account gets exactly the same initial password (“InitialCreate”), the accounts are created with the /ACTIVE flag set to NO, preventing interactive logon unless the “-e” flag is specified.
Caution: Creating users with a known password and an enabled account could present a security risk.
The makeusers.ksh
script has the following syntax:
makeusers.ksh [-dhef <filename>]
The options supported are:
-d |
Enable DEBUG (Verbose) mode |
-e |
User accounts are created Active |
-f <infile> |
Input file name (default is: ./userlist.out) |
-h |
Print a short help screen |
The makeusers.ks
h
script uses the Korn shell support for functions to divide the script into discrete and self-contained elements. Because a function must be created before it can be used, these functions are at all at the beginning of the script. The functions in the script are:
Usage() |
prints a simple help screen. |
Exceptions() |
echoes any error messages and exits |
Parse_cmd() |
handles command line options. |
Set_Inits () |
handles initialization of variables. |
Init_Log() |
creates and initializes the log file. |
Set_Inits () |
handles initializing variables. |
Set_Options () |
initializes the options to NET USER that will be used. |
Set_InFile () |
sets the input file name and location. Default value is: “./userlist.txt.” |
Print_Vars () |
prints the current value of variables (for debugging). |
Create_User () |
does the actual work of creating the user. Errors are re-directed to the log file for later verification. |
The actual program flow is:
Set initial DEBUG state, based on the shell environment. If the shell environment has the variable DEBUG defined and > 0, then the script will be run in debug mode regardless of the command line switches used. |
Initialize the log file and close off the errors, redirecting them to the log file. |
Parse command line options.
|
Set the values of various variables, either to the default value or one entered at the command line. |
Create the users. |
Like all such scripts, you can modify makeusers.ksh
to meet the needs of your specific environment. An obvious change would be to set additional options for new users. Be careful, though, as getting the quoting right can be tricky—what works at the command line will not always work as you expect inside a script. Test your changes thoroughly before you actually try to implement them with real users.
The creation of Windows users to match your existing NIS infrastructure would be a tedious and painful process in any organization with more than a few dozen users. But scripting the process makes it simple, straightforward, and highly repeatable. Each new user is created with the same sets of defaults and will match up exactly with their existing NIS user. The getusers.ksh
and makeusers.ksh
scripts are simple sample scripts that create Windows User accounts with the same usernames as existing NIS accounts. They can be used as is or modified as appropriate and necessary for your environment.