(posted to comp.unix.solaris a couple weeks ago. My apologies to anyone
who's seen this before.)

I'm currently dealing with a collection of Solaris 8 servers that have
a very high number of user accounts on them. (over 3,000). In an effort
to streamline some of the account management duties, I'm trying to wrap
common solaris tools such as useradd and usermod in shell scripts.

The problem I'm having arises specifically when trying to add users to
secondary groups. We know that the /etc/group file entries can not be
longer than 512 characters, so in many cases a group spans multiple
entries with the same GID, like this:

sample:*:5000:user1,user2,user2,user3,user4,user5, user6,user7,user8,user9,user10
sample2:*:5000:user10,user11,user12,user13,user14, user15,user16,user17,user18,user19,user20

This is the only way that I know of to deal with the address the 512
character /etc/group limitation.

Problem is that tools like usermod and useradd don't seem to be
compatible with this workaround If I now turn around and try to modify
an account to be in the sample group, I do the following:

# usermod -G sample fchagnon

The command returns with no error. When I check the /etc/group I see
the following result:

sample:*:5000:user1,user2,user2,user3,user4,user5, user6,user7,user8,user9,user10,fchagnon
sample2:*:5000:user10,user11,user12,user13,user14, user15,user16,user17,user18,user19,user20,fchagnon

The tool had added my account (fchagnon) to every group with a matching
GID to sample.

My gut feeling is telling me that I'm working with a userbasde that is
simply beyond the relam of what these tools were written for. Does
anyone know of a solution or workaround for this?

Thanks.

Fred

Words to the wise, "Fred Chagnon" <fchagnon@gmail.com> wrote:

>My gut feeling is telling me that I'm working with a userbasde that is
>simply beyond the relam of what these tools were written for. Does
>anyone know of a solution or workaround for this?

Two thoughts:

One solution would be to go LDAP.

The other one is more of a question: What exactly does useradd do what
you cannot do via a bunch of shell scripts?
--
Claus Dragon <clauskick@mpsahotmail.com>
=(UDIC)=
d++ e++ T--
K1!2!3!456!7!S a27
"Coffee is a mocker. So, I am going to mock."

- Me, lately.

> One solution would be to go LDAP.

I'm with you there, and that is on my radar. The above is a stop-gap to
avoid solution until the LDAP infrastructure is ready.

> The other one is more of a question: What exactly does useradd do what
> you cannot do via a bunch of shell scripts?

I figured it was safer to script a wrapper to the proper Solaris tools
rather than open up a can of worms by sed/awking the groups file. If
that's all I have left as an option, then so be it.

Fred

"Fred Chagnon" <fchagnon@gmail.com> writes:
>> The other one is more of a question: What exactly does useradd do what
>> you cannot do via a bunch of shell scripts?

>I figured it was safer to script a wrapper to the proper Solaris tools
>rather than open up a can of worms by sed/awking the groups file. If
>that's all I have left as an option, then so be it.


One thing that is nice about Unix systems in general, is that there
isn't some sort of magic hiding everything in highly arcane things
that nobody ever documents.

Things that might be blackboxes are usually pretty straightforward,
and behave the way you'd generally expect them to without black magic.

Get the opensolaris source, re-implement in whatever you want, and
your code will act reasonably to what the "system installed" one does.

Sun probably won't introduce some majorily incompatible way of doing
the same thing in the next patch release, unlike some non-unix vendors..

Words to the wise, "Fred Chagnon" <fchagnon@gmail.com> wrote:

>> One solution would be to go LDAP.
>
>I'm with you there, and that is on my radar. The above is a stop-gap to
>avoid solution until the LDAP infrastructure is ready.
>
>> The other one is more of a question: What exactly does useradd do what
>> you cannot do via a bunch of shell scripts?
>
>I figured it was safer to script a wrapper to the proper Solaris tools
>rather than open up a can of worms by sed/awking the groups file. If
>that's all I have left as an option, then so be it.

Provided you watch what you are doing, you should be easily able to do
it in Perl for instance, as well.

Actually, I think that might be much more feasible to do than sed/awk.
Besides, if you want to go LDAP anyhow, you will need some migration
tool of one kind or another sooner or later. So why not better use it
earlier than later.
--
Claus Dragon <clauskick@mpsahotmail.com>
=(UDIC)=
d++ e++ T--
K1!2!3!456!7!S a27
"Coffee is a mocker. So, I am going to mock."

- Me, lately.

> Provided you watch what you are doing, you should be easily able to do
> it in Perl for instance, as well.

Agreed. Thanks for your input however.
I think I'm going to spend sometime with the following perl module:

http://search.cpan.org/~ssnodgra/Unix-ConfigFile-0.06

Failing that, I'll just build my own tools.

Thanks again.

Fred