Q. How do I Move or migrate user accounts to from old Linux server a new Cent OS Linux server including mails? This new system a fresh installation.
A. You can migrate users from old Linux server to new Linux sever with standard commands such as tar, awk, scp and others. This is also useful if you are using old Linux distribution such as Redhat 9 or Debian 2.x.
Following files/dirs are required for traditional Linux user management:
* /etc/passwd - contains various pieces of information for each user account
* /etc/shadow - contains the encrypted password information for user's accounts and optional the password aging information.
* /etc/group - defines the groups to which users belong
* /etc/gshadow - group shadow file (contains the encrypted password for group)
* /var/spool/mail - Generally user emails are stored here.
* /home - All Users data is stored here.
You need to backup all of the above files and directories from old server to new Linux server.
Commands to type on old Linux system
First create a tar ball of old uses (old Linux system). Create a directory:
# mkdir /root/move/
Setup UID filter limit:
# export UGIDLIMIT=500
Now copy /etc/passwd accounts to /root/move/passwd.mig using awk to filter out system account (i.e. only copy user accounts)
# awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/move/passwd.mig
Copy /etc/group file:
# awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/group > /root/move/group.mig
Copy /etc/shadow file:
# awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534) {print $1}' /etc/passwd | tee - |egrep -f - /etc/shadow > /root/move/shadow.mig
Copy /etc/gshadow (rarely used):
# cp /etc/gshadow /root/move/gshadow.mig
Make a backup of /home and /var/spool/mail dirs:
# tar -zcvpf /root/move/home.tar.gz /home
# tar -zcvpf /root/move/mail.tar.gz /var/spool/mail
Where,
- Users that are added to the Linux system always start with UID and GID values of as specified by Linux distribution or set by admin. Limits according to different Linux distro:
- RHEL/CentOS/Fedora Core : Default is 500 and upper limit is 65534 (/etc/libuser.conf).
- Debian and Ubuntu Linux : Default is 1000 and upper limit is 29999 (/etc/adduser.conf).
- You should never ever create any new system user accounts on the newly installed Cent OS Linux. So above awk command filter out UID according to Linux distro.
- export UGIDLIMIT=500 - setup UID start limit for normal user account. Set this value as per your Linux distro.
- awk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd > /root/move/passwd.mig - You need to pass UGIDLIMIT variable to awk using -v option (it assigns value of shell variable UGIDLIMIT to awk program variable LIMIT). Option -F: sets the field separator to : . Finally awk read each line from /etc/passwd, filter out system accounts and generates new file /root/move/passwd.mig. Same logic is applies to rest of awk command.
- tar -zcvpf /root/move/home.tar.gz /home - Make a backup of users /home dir
- tar -zcvpf /root/move/mail.tar.gz /var/spool/mail - Make a backup of users mail dir
Use scp or usb pen or tape to copy /root/move to a new Linux system.
# scp -r /root/move/* user@new.linuxserver.com:/path/to/location
Commands to type on new Linux system
First, make a backup of current users and passwords:
# mkdir /root/newsusers.bak
# cp /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak
Now restore passwd and other files in /etc/
# cd /path/to/location
# cat passwd.mig >> /etc/passwd
# cat group.mig >> /etc/group
# cat shadow.mig >> /etc/shadow
# /bin/cp gshadow.mig /etc/gshadow
Please note that you must use >> (append) and not > (create) shell redirection.
Now copy and extract home.tar.gz to new server /home
# cd /
# tar -zxvf /path/to/location/home.tar.gz
Now copy and extract mail.tar.gz (Mails) to new server /var/spool/mail
# cd /
# tar -zxvf /path/to/location/mail.tar.gz
Now reboot system; when the Linux comes back, your user accounts will work as they did before on old system:
# reboot
Please note that if you are new to Linux perform above commands in a sandbox environment. Above technique can be used to UNIX to UNIX OR UNIX to Linux account migration. You need to make couple of changes but overall the concept remains the same.
Further readings
- Read man pages of awk, passwd(5), shadow(5), group(5), tar command
Updated for accuracy.
Featured Articles:
- 20 Linux System Monitoring Tools Every SysAdmin Should Know
- 20 Linux Server Hardening Security Tips
- My 10 UNIX Command Line Mistakes
- Linux: 20 Iptables Examples For New SysAdmins
- 25 PHP Security Best Practices For Sys Admins
- The Novice Guide To Buying A Linux Laptop
- 10 Greatest Open Source Software Of 2009
- Top 5 Email Client For Linux, Mac OS X, and Windows Users
- Top 20 OpenSSH Server Best Security Practices
- Top 10 Open Source Web-Based Project Management Software
- Top 5 Linux Video Editor Software
Facebook it - Tweet it - Print it -
{ 63 comments… read them below or add one }
Hi
I followed your instuction on CentOS 4.4. When I reboot I lost my root user and gdm din’t start.
I could login from all user but not root.
Can you help to give me some advices please?
Pordee
You made mistake somewhere. But don’t worry you can login into single user mode (rescue mode) and reset root account password.
http://www.cyberciti.biz/faq/linux-reset-forgotten-root-password/
Great! The following line is probably a typo as I’m assuming you mean to back this up with a copy, otherwise you nuke the password files (probably what happened to nixcraft)
# mv /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak
# cp /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak
ssdon,
Typo has been fixed.
Appreciate your feedback.
There is an error in the article. In the step where you back up the passwd, group, shadow, and gshadow files from the new system to the newuser.bak directory, use the cp command, not mv.
In other words, the article should read:
“Commands to type on new Linux system
First, make a backup of current users and passwords:
# mkdir /root/newsusers.bak
# cp /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak”
Your instructions worked perfectly when migrating accounts from Redhat 4ES to another Redhat 4ES. I added a couple of steps to move all the aliases and aliase folders to the new server. Thanks
Thanks,
I am looking for a payrise after rescuing a dying server. It has worked for me perfectly.
It may sound complicated, however, I am much more happy to do this with Linux than with Mickey$oft O/S’s, in fact, I am much more happy to do ANYTHING with Linux over Windoze!
If you had used LDAP for user accounts, then you wouldn’t have needed to migrate user accounts ….
Also, you could skip the whole tar aspect by just using rsync, e.g. rsync -e ssh -avtP /home/ newserver:/home
Thanks for the howto. This is really close to what I have been looking for. In my particular situation LDAP and NIS do not fit as well as your howto does. Also thanks for the comments of everyone, as they are helpful.
you might wanne consider runing sshfs on your new server, then u can login to the old (if sshd is running) and simply copy the requierd data true fx. mc, and get all the file rights w you…
its fast is simpel, and you only need to have secure shell intstalled on the old box`s to make it work… (and most boxses have… ;)
just a littet advice for the data moving part.
I have a problem, for starters, it look lie I was kind of doing the right thing myself but this blog really helps, thanks. Anyway everything works fine untill I get to the bit where I am extraction all the users data from the home.tar.gz. (kind of important bit) and it fails with text flying up the screen saying “Cannot change ownership to uid 511, gid 511″ and “Cannot mkdir: Permission denied” and ” Cannot open: Permission denied”
obviously I do not have permissions :o(
I am loged in as root and the home directory of the new server has these permissions:
drwxrwxrwx 12 root root 0 Feb 8 19:28 home
I’m not sure how it is possible to obtaim more permissions than that. I have tried with other privilages on the home directory and it still does it.
PLease can someone help me
Many thanks
Phil
Don’t forget about migrating cron jobs.
/var/spool/cron
Anything else we haven’t thought of?
Hi!
I tried your howto, and everything went along great until i rebooted and tried to log on with the users i just copied over. root works fine. The passwords are not accepted, and i cannot change them with passwd. “passwd: Authentication token manipulation error”. Im using fedora core 6.
Please help
Aleks
Nevermind, figured it out :)
Were missing a statement in the shadow file copy thingamabob
hi i am new user in linux i am getting every answer from ur site.you are providing great solution on every problem its being great to refer your site thanks for every thing
Hi,
I have a small query my new system already has couple of user accounts now I want to transfer the user accounts from the old system I have checked both the systems there is no conflicts in UID,GID so shall I go ahead with it.
Subhanjan
Hi,
The things worked beautifully for me.
Thanks to the author.One more thing cant I script the steps that are done by the command awk?
Subhanjan
I was able to migrate the home folders and accounts from RedHad Linx to Fedora but it seems that I cannot log in with the migrated accounts although I am able to see them under USERS. Am I missing anything? Please help.
I am very much thankful that I got migration solution of user. How to transfer printer settings of each user from one m/c to another? we have localy connected the printers to thin clients.
Thank you so much. This is beautiful. I’m trying to upgrade to a new physical box, different distro, switch to ldap, and from Samba 2 to Samba 3. All this without messing up the working server. I’ve messed up the new box several times, and your migration page is very helpful in avoiding mistakes during this stage. BTW, I used rsync instead of tar for the home directories.
now i am using centos 3 in a dell server now in that server i am running sendmail squid and iptables ftp now i want to migrate the server in to new dell server running in centos 5
please any one help me on this issue
hi
everyone i have question im a newbie admin can anyone give me advise or help me if how can i backup my old linux email server III to new one or migrate to cent mail..tnx what are the important files to back up for linux suse email server III?
hii,
i followed the procedure above, after all steps. USers password is not getting accepted, what could have went wrong ?
Eliena Andrews
I cut and pasted the commands into an SSH terminal & checked the passwd.mig and shodow.mig to find they were empty!
I double checked the lines and they were correct (values ect.)
Plus I end up with a file called “-” which I’m guessing comes from the “/etc/shadow” line “tee -” (typo maybe?)
Id really like to get this working as it would be quite helpful with my project. My Level is slightly above newbie Admin.
Kev
First of all i just wanna say thank you guys! This is my first time to get into the linux world! ….
I follow the instruction regarding how to’s .. then after rebooting my new centos5 box error message appears:
“The user database cannot be read. The problem is most likely caused by a mismatch between /etc/passwd and /etc/shadow or /etc/group and /etc/shadow. The program will exit now.”
I follow the instructions twice and i got same message error. I dont know how to fix this one. Please help me…
Thanks.
this how to works great :) But now Im stuck i need to migrate from Redhat to Debian the UGIDLIMIT are different on this distros? any advice ?
thanks
Great instructions easy to follow!!! Worked like a charm!! Thanks for making this available – I
have it bookmarked for when I do this again!
RE: Augusto need to migrate from Redhat to Debian the UGIDLIMIT are different on this distros
this advice would be useful for me too. Is it possible to adjust the /etc/passwd and /etc/group files?
Thanks, This was very useful.
I needed to move a couple of system accounts
so did this:
awk -F: '($1 ~ /(tomcat|apache)/)' /etc/passwd > /root/move/passwd.migawk -v LIMIT=$UGIDLIMIT -F: '($3>=LIMIT) && ($3!=65534)' /etc/passwd >> /root/move/passwd.mig
and then couldn’t figure out what the tee gave me and I was moving a set of users not based on UID so did this:
awk -F: '{print $1}' /root/move/passwd.mig |egrep -f - /etc/shadow > /root/move/shadow.migHTH
Fabulous! Routine worked great! Thanks for posting it, saved me a ton of time.
Also – a couple of commands to check out if you are having problems with “User database cannot be read” error: pwconv, grpconv and pwck. Works like a charm – now… :)
OK, I followed instructions… got stuck with users not being able to log in. If instructions were not correct, how do I fix it now?
Excellent! I followed the instructions and did a fresh install of openSuse 11.0 on to 10.3. I have my old /home on a separate partition and didn’t mount it during install because Suse wants an initial user which would have overwritten my original first user (UsId=1000). I installed, logged in as root, deleted the initial user, changed the mount of /home to point to my old /home partition, did the transfer of backed up passwd files etcetera, rebooted and bingo!
My only worry was, when it came to generating the initial user during install, I had a choice of encryption algorithms for the password. Obviously if I’d chosen the wrong one I’d be stuck (though I could probably log in as root and reset the users’ passwords).
So my question is: is it possible to tell what encryption algorithm was used for password storage before starting?
Thanks again for the info.
Alan.
I am wanting to mirror users/groups to from one Ubuntu server to another. I see that Ubuntu starts off with a user with UID 1000 (created with the name you give it in setup), I guess I should not try to migrate this user since it already exists on the destination machine i.e. I should set UGIDLIMIT=1001?
What if one re-runs this action later to update the mirror? Do users gets duplicated cos surely one gets multiple entries for same user in /etc/passwd?
Great Doc. I was able to migrate a CentOS system to a VM.
My $0.02: For those who are concerned about UID’s and GID’s…
…you can change UID’s and GID’s on the old system before migration using:
groupmod -g (newgid) groupname
usermod -g (newgid) username OR usermod -G (newgid) username
(‘g’ changes the initial group or ‘G’ to add an additional group membership)
Make a backup of the old files first and then change the group GID then change any appropriate users attached to those groups if necessary. Test to make sure all is well. You can do this preemptively if you are going to from a system that starts custom groups at 500 to one that starts custom groups at 1000 or if you don’t want any UID/GID conflicts with your target system. Be the superuser and it would also be prudent to make the changes while none of the users are attached.
Feel free to pick this post apart.
Very very helpful. I’m going to be needing to do this soon and didn’t really know how to proceed. Thanks!
KP
Your FAQ fails to copy over ‘/etc/passwd-’ as well
in the command:
cp /etc/passwd /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak
should be:
cp /etc/passwd /etc/passwd- /etc/shadow /etc/group /etc/gshadow /root/newsusers.bak
Fantastic instructions. A+++
Thanks.
copied the mbox’s from one unix box and the /etc/passwd and /etc/shadow and it worked perfectly. thanks
Thanks the howto is very useful.But how to migrate the virtual users and domains accounts to a new server
Great instructions, worked well for me
BTW, if I had 2 linux servers, do you think it would be possible to merge the accounts into one of the 2 ?
your cp & awk command is so good
thanks for this small & easy how-to
Worked like a charme
there is something similiar for Solaris ?
@Juan,
Solaris uses the same files /etc/passwd and friends. So it should work with a little modification.
Also check for aliases because a common multiple recipients solution uses that technique
If you use Samba shares; remember to grab /etc/samba/smb.conf, /etc/samba/smbusers, and /etc/samba/smbpasswd
I was getting a “-” file created in /root/move when trying to get the shadow.mig, but I’m not now, and I’m not sure what I did!
If anyone does get the “-” file, add some spaces around the “tee” command and try again… That’s what I did and it went away!
no, wait, I wasn’t looking in the current directory – I actually don’t get rid of the “-” file…
Thanks for this guide, managed to migrate a large webserver without any major problem thanks to you!
Thanks for a great guide.
I have small problem with it.
From some reason the tar commands don’t work under Red Hat Linux.
it did not manage to tar or untar the files.
Do you know how to skip existing files?
I tried -k flag but no success ;/
Everything worked great. All my users & machines show up in User Manager.
However I cannot logon as a user, only root. It says wrong password.
In Ubuntu, I had a problem following these instructions. When the screensaver was locked, you couldn’t unlock the screen without going to “Switch User” and then put in the password there. In addition, half of the time your gdm session would immediately crash and you’d have to log in from scratch again.
The problem was that the “shadow” user wasn’t able to read the /etc/shadow and /etc/gshadow files. The /etc/shadow and the /etc/gshadow files need to be chown’d to root:shadow, and chmod’d to 640 like this:
# chown root:shadow /etc/shadow
# chown root:shadow /etc/gshadow
# chmod 640 /etc/shadow /etc/gshadow
I tried to move account details from SUSE to Fedora/RH and password is not working :(
I
I created account successfully, can login but login take time and gives error:
/usr/bin/xauth: timeout in locking authority file /home/testuser/.Xauthority
Any help?
how to create the another root user and how to change the root ?
how to transfer the files from one root to another root user in same system using ubunto or fedora?
This worked perfect for me migrating users from an old FC3 box to a new Ubuntu 10.04 LTS one. I did run into a problem when I tried to do it a second time. The instructions as they are will result in duplicate entries in the /etc/passwd file. If you want to do this more than once, the *.mig files will need some manual massaging before catting into the destination passwd file. (This may go without saying for most of you, but for me it wasn’t something I thought of ahead of time). I was able to clean it up, but it was a pain.
For the /etc/shadow file, better use following to prevent ambiguous match, say a local account named db will also match system account dbus
# awk -v LIMIT=$UGIDLIMIT -F: ‘($3>=LIMIT) && ($3!=65534) {print $1}’ /etc/passwd | sed -r -e ‘s/(.*)/^\1:/’ | egrep -f – /etc/shadow > /root/move/shadow.mig
It worked perfect from FC 11 to FC 15. Btw, may I add the fact that the host keys must be imported/ecported also. Reason: it is possible to have some users which are using their accounts (SFTP) with the help of an automaitc SFTP client. IN order to keep everything transparent for them, the host keys of the machine must be imported/exported (etc/ssh).
Maybe is better to test it and include it in this tutorial. Btw, the a lot for doing this.
Have a nice weekend.
Paul
cool post;
it save a lot of time man.