bash 脚本使用 awk 或 sed 从 /etc/passwd 引用 $GECOS 的值来提取名字和姓氏

tag-icon tag-icon bash nis freeipa
bash 脚本使用 awk 或 sed 从 /etc/passwd 引用 $GECOS 的值来提取名字和姓氏

红帽有一个示例脚本将用户从 NIS 迁移到 FreeIPA。nis-user.sh看起来像这样:

#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
    IFS=' '
    username=$(echo $line | cut -f1 -d:)
    # Not collecting encrypted password because we need cleartext password
    # to create kerberos key
    uid=$(echo $line | cut -f3 -d:)
    gid=$(echo $line | cut -f4 -d:)
    gecos=$(echo $line | cut -f5 -d:)
    homedir=$(echo $line | cut -f6 -d:)
    shell=$(echo $line | cut -f7 -d:)

    # Now create this entry
    echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
         --password --gidnumber=$gid --uid=$uid --gecos='$gecos' --homedir=$homedir \
         --shell=$shell
    ipa user-show $username
done

这只是将名字设置为 NIS,将姓氏设置为 USER。我们的/etc/passwd文件包含如下所示的用户:

juser:x:4841:200:Jane Q. User:/home/juser:/bin/tcsh
kuser:x:5761:200:User, K.:/home/kuser:/bin/bash

所以这当然会让事情变得复杂。我得到一个建议,以下内容可以提取名字和姓氏,如果将它们颠倒并用逗号分隔(如 kuser),它将捕获大多数名字。

first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}'
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}'

我该如何使用$first$last

为了测试我尝试将变量的结果通过管道传输$gecosawk

first=$(echo $line | cut -f5 -d: | awk '{print $1}':)

awk: cmd. line:1: {print $1}:
awk: cmd. line:1:           ^ syntax error

同样的错误是我尝试仅添加以下行(在该gecos=行之后):

first=$(echo $gecos | awk '{print $1}':)

编辑:啊啊,冒号的位置让我进来了。这有效:

first=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $1}')
last=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/' | awk '{print $NF}')

那么现在进入下一部分......

然后我想采取这个建议,导入使用 CRYPT 哈希的密码,如下所示:

userpassword='{CRYPT}$6$blahblah$moregibberish' testuser

我按照 Rob C 之前的提示进行操作这里这里

不确定这是否重要,但在 /etc/libuser.conf,crypt_style = sha512

在脚本中我添加了:

password1=$(echo $line | cut -f2 -d:)

并在现在创建此条目部分:

--setattr "userpassword='{CRYPT}$password1'"

以下是打开调试时记录的内容:

[Tue Feb 02 22:08:52.541857 2021] [wsgi:error] [pid 16097:tid 16365] [remote x.x.x.x:59726] ipa: INFO: [jsonserver_session] [email protected]: user_add/1('john', givenname='John', sn='Smith', homedirectory='/home/smith', gecos="'John Smith'", loginshell='/bin/tcsh', uidnumber=5319, gidnumber=150, setattr=("userpassword='{CRYPT}the-actual-hash-of-the-password'",), version='2.239'): SUCCESS

那么这似乎{CRYPT}没有被解释吗?我还添加了一些调试:

echo "Password hash value is $password1"

打印的是原始哈希值 sans {CRYPT}

因此,为了在脚本之外进行测试,我添加了一个测试用户:

ipa user-add --first=test --last=user --setattr userpassword='{CRYPT} the-actual-hash-of-the-password' testuser

然后我运行了以下命令并且密码起作用了:

ldapsearch -x -D 'uid=testuser,cn=users,cn=accountsdc=ourdomain,dc=edu' -W

# testuser, users, accounts, ourdomain.edu
dn: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc=edu
givenName: test
sn: user
uid: testuser
cn: test user
displayName: test user
initials: tu
gecos: test user
krbPrincipalName: [email protected]
objectClass: top
objectClass: person
objectClass: organizationalperson
objectClass: inetorgperson
objectClass: inetuser
objectClass: posixaccount
objectClass: krbprincipalaux
objectClass: krbticketpolicyaux
objectClass: ipaobject
objectClass: ipasshuser
objectClass: fasuser
objectClass: ipaSshGroupOfPubKeys
objectClass: mepOriginEntry
loginShell: /bin/sh
homeDirectory: /home/testuser
mail: [email protected]
krbCanonicalName: [email protected]
ipaUniqueID: 34ee1f48-65d2-11eb-8c33-001ec9ab7ef0
uidNumber: 1520800007
gidNumber: 1520800007
memberOf: cn=ipausers,cn=groups,cn=accounts,dc=ourdomain,dc=edu
krbLastPwdChange: 20210203034524Z
krbPasswordExpiration: 20210504034524Z

# testuser, groups, accounts, ourdomain.edu
dn: cn=testuser,cn=groups,cn=accounts,dc=ourdomain,dc=edu
objectClass: posixgroup
objectClass: ipaobject
objectClass: mepManagedEntry
objectClass: top
cn: testuser
gidNumber: 1520800007
description: User private group for testuser
mepManagedBy: uid=testuser,cn=users,cn=accounts,dc=ourdomain,dc
 =edu
ipaUniqueID: 34f39b4e-65d2-11eb-8c33-001ec9ab7ef0

# search result
search: 2
result: 0 Success

在当前版本中还可以这样做吗?

答案1

2 修复:

--setattr "userpassword={CRYPT}$password1" --gidnumber=$gid

还在设置用户名的脚本顶部用双引号将 echo 命令引起来:

username="$(echo $line | cut -f1 -d:)"

所以最终的脚本应该是这样的:

#!/bin/sh
# $1 is the NIS domain, $2 is the NIS master server
ypcat -d $1 -h $2 passwd > /dev/shm/nis-map.passwd 2>&1

IFS=$'\n'
for line in $(cat /dev/shm/nis-map.passwd) ; do
    IFS=' '
    username="$(echo $line | cut -f1 -d:)"
    # Not collecting encrypted password because we need cleartext password
    # to create kerberos key
    uid=$(echo $line | cut -f3 -d:)
    gid=$(echo $line | cut -f4 -d:)
    gecos=$(echo $line | cut -f5 -d:)
    homedir=$(echo $line | cut -f6 -d:)
    shell=$(echo $line | cut -f7 -d:)

    # Now create this entry
    echo passw0rd1 | ipa user-add $username --first=NIS --last=USER \
         --password --gidnumber=$gid --uid=$uid --gecos='$gecos' --homedir=$homedir \
         --shell=$shell
    ipa user-show $username
done

要处理带有中间名首字母或姓氏、名字的条目,您可以使用以下命令:

# Change Last, First to First Last. (Fill in dummy for empty gecos.)
if [ -z "$gecos" ]; then
firstlast='First Last'
else
firstlast=$(echo $gecos | sed -e 's/\(.*\), \(.*$\)/\2 \1/')
fi

# Extract First and Last into separate variables
first=$(echo $firstlast | awk '/^(\w|[-'\''])+ \w\. / { print $1,
$2; } \
/^(\w|[-'\''])+ (\w|[-'\''])+(
|$)/ {
print $1; }' )
#echo this dollar 1 $1 this is dollar 2 $2
last=$(echo $firstlast | awk 'BEGIN {ORS=" ";} \
/^(\w|[-'\''])+ \w\. / { for (i=3;
i<=NF; i++) print $i; } \
/^(\w|[-'\''])+ (\w|[-'\''])+(
|$)/ {
for (i=2; i<=NF; i++) print $i; }' \
| sed 's/ *$//' )

相关内容