The grpconv command is used to convert to shadow groups. It creates gshadow from group and an optionally existing gshadow. Each program acquires the necessary locks before the conversion.
pwconv and grpconv work the same way. First, entries in the shadowed file which don’t exist in the main file are removed. Then, shadowed entries which don’t have ‘x’ as the password in the main file are updated. Any missing shadowed entries are then added. Finally, the passwords in the main file are replaced with ‘x’. These programs can be used for the initial conversion as well as to update the shadowed file if the main file is later edited by hand.
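The four steps described above can be previewed on copies of the files before running the real command. The following is an added example, not shadow-utils code: it models those steps on constructed group and gshadow content, and the function names, the sample entries, and the choice to copy the main-file password into updated or added shadow entries are assumptions.

```python
# Model of the four conversion steps, run on constructed sample data.
# Not shadow-utils code; names and sample entries are illustrative assumptions.
SAMPLE_GROUP = """root:x:0:
wheel:$6$constructedhash:10:alice,bob
audio::29:carol"""                      # name:password:GID:members
SAMPLE_GSHADOW = """root:*::
wheel:!:alice:alice,bob
ghost:!::mallory"""                     # name:password:admins:members

def parse(text):
    """Return {name: fields}; reject the errors grpck is meant to catch."""
    entries = {}
    for line in text.strip().splitlines():
        fields = line.split(":")
        if len(fields) != 4:
            raise ValueError(f"malformed entry (run grpck first): {line!r}")
        if fields[0] in entries:
            raise ValueError(f"duplicate entry (run grpck first): {fields[0]}")
        entries[fields[0]] = fields
    return entries

def render(entries):
    return "\n".join(":".join(fields) for fields in entries.values())

def preview_grpconv(group_text, gshadow_text=""):
    """Return (new group text, new gshadow text, report of changes)."""
    group, gshadow = parse(group_text), parse(gshadow_text)
    report = {"removed": [], "updated": [], "added": []}
    # Step 1: drop shadowed entries that no longer exist in the main file.
    for name in list(gshadow):
        if name not in group:
            del gshadow[name]
            report["removed"].append(name)
    for name, (_, password, _gid, members) in group.items():
        if name in gshadow and password != "x":
            # Step 2: main file holds a real password field, sync it over.
            gshadow[name][1] = password
            report["updated"].append(name)
        elif name not in gshadow:
            # Step 3: add the missing shadowed entry (no administrators).
            gshadow[name] = [name, password, "", members]
            report["added"].append(name)
    # Step 4: every password field in the main file becomes 'x'.
    for fields in group.values():
        fields[1] = "x"
    return render(group), render(gshadow), report

if __name__ == "__main__":
    for part in preview_grpconv(SAMPLE_GROUP, SAMPLE_GSHADOW):
        print(part, end="\n\n")
```
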
Options: The options which apply to the pwconv, pwunconv, grpconv, and grpunconv commands are listed below:
--help: This option is used to display a help message and exit.
--root CHROOT_DIR: This option is used to apply changes in the CHROOT_DIR directory and use the configuration files from the CHROOT_DIR directory.
Bugs: Errors in the password or group files (such as invalid or duplicate entries) can cause these programs to loop forever or fail in other strange ways. Run pwck and grpck to correct any such errors before converting to or from shadow passwords or groups.
- The following configuration variable in /etc/login.defs changes the behavior of grpconv:
MAX_MEMBERS_PER_GROUP: The maximum number of members per group entry. When the maximum is reached, a new group entry (line) is started in /etc/group (with the same name, same password, and same GID). The default value is 0, meaning that there is no limit on the number of members in a group. This feature (split groups) makes it possible to limit the length of lines in the group file. This is useful to make sure that lines for NIS groups are not larger than 1024 characters. If you need to enforce such a limit, you can use 25.
Note: Split groups may not be supported by all tools (even in the Shadow toolsuite). You should not use this variable unless you really need it.
- The following configuration variables in /etc/login.defs change the behavior of pwconv:
PASS_MAX_DAYS: The maximum number of days a password may be used. If the password is older than this, a password change will be forced. If not specified, -1 is assumed (which disables the restriction).
PASS_MIN_DAYS: The minimum number of days allowed between password changes. Any password change attempted sooner than this will be rejected. If not specified, -1 is assumed (which disables the restriction).
PASS_WARN_AGE: The number of days of warning given before a password expires. A value of zero means the warning is given only on the day of expiration; a negative value means that no warning is given. If not specified, no warning is provided.