linux_wiki:freeipa_audit_user_migration

FreeIPA Audit User Migration

General Information

Audit which user accounts remain to migrate passwords and get kerberos hashed keys in the IPA domain.

Checklist

  • FreeIPA servers already installed/configured.
  • Client systems migrated
  • Now just monitoring user accounts getting their kerberos hashed password keys in the new FreeIPA realm.

The Script

Run on an IPA server to determine which accounts still need kerberos keys.

audit-migration-users.sh
#!/bin/bash
# Name: audit-migration-users.sh
# Description: Audit which user accounts remain to migrate 
#              passwords and get kerberos keys
# Last Updated: 2016-11-25
# Recent Changes:-initial release
################################################################
 
echo -e "This script will determine which users are left to enter their password for a kerberos key."
echo -e "\n>>Continue?[y/n]:\c"
read run_script
 
if [[ ${run_script} != "y" ]]; then
  echo -e "\n>>Will not run the audit. Exiting..."
  exit 1
fi
 
# Log file to store hosts left to migrate
log_file="/root/migration-scripts/audits/user-migration.log"
 
# Clear log file
echo -e "\n>>Clearing log file..."
cat /dev/null > ${log_file}
 
# Build a list of enabled accounts
#- Find all users | grep logins and disabled status lines |
#- If the current line matches "False" (/False/), print the stored username (print USER),
#- next, store the current line's field 3 in the variable USER (USER=$3)
user_list=$(/usr/bin/ipa user-find --sizelimit=0 --all | grep -E "(User login|Account disabled)" | awk '/False/ { print username }; { username=$3 }')
 
total_users=$(echo ${user_list} | wc -w)
 
for user_name in ${user_list}; do
 
  echo -e ">> Checking ${user_name}..."
  # Check to see if the user has a kerberos key
  kerberos_key="$(ipa user-show ${user_name} | awk '/Kerberos keys available/ {print $4}')"
 
  # If False, add to the list of users that still need to migrate their password
  if [[ ${kerberos_key} == "False" ]]; then
    echo -e "--> User does not have kerberos keys, adding to the list: ${user_name}"
    echo ${user_name} >> ${log_file}
  fi
 
done
 
left_to_convert="$(cat ${log_file} | wc -l)"
echo -e "\n--------------------"
echo -e ">> Users enabled left to get kerberos keys: ${left_to_convert}"
echo -e ">> Total enabled users: ${total_users}"
  • linux_wiki/freeipa_audit_user_migration.txt
  • Last modified: 2019/05/25 23:50
  • (external edit)