Old 11-15-2013, 06:29 PM   #1
devUnix
Windows AD Account having UNIX Attributes Issues


There is a user account (Windows AD is in place for log-in to Red Hat Linux Servers) having UID 10133, as shown below:

Code:
 [root@ric ~]# getent passwd fookming.soo
 fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash
but it is not showing as existing...

Code:
[root@ric ~]# getent passwd 10133
 <No Output>
 [root@ric ~]# getent group 10133
 <No Output>
However, the GID 10008 resolves to the following group:

Code:
[root@ric ~]# getent group 10008
 gsg-infra-netops:*:10008:fookming.soo,xyz.abc,and-so-on
to which the user is already added and hence the user should be able to access the server "ric".

But he is not able to log in to it.


On another server where he is able to log in, I found the following:

Code:
[root@ny ~]# getent passwd fsoo
fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash

# getent passwd 10133
fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash

# getent group 10008
GSG-Infra-Netops:*:10008:........
His username (fsoo) is different there but the UID (10133) is the same.


However, the username fsoo and the associated UID 10133 do not exist on the server ric:

Code:
 [root@ric ~]# getent passwd 10133
 [root@ric ~]# getent passwd fsoo

 [root@ric ~]# getent passwd fookming.soo
 fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash
I got information from the service desk that they created the Windows AD credentials for this user and the other users belonging to the same group and that their usernames were changed later. The other users have not reported any issues, though.

Now the service desk is asking me if they should change the UID of the user. Would it not affect his directories / files on the other servers where he has access and has done work...?

I just noticed that the same GID / Group Name has different users on the two servers even though they are not local group accounts:

Code:
[root@ny ~]# getent group 10008
 GSG-Infra-Netops:*:10008:soonli.lim,selder,dmifsud,fsoo,kevin.hutchison
 [root@ny ~]# getent passwd fsoo
 fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash
 [root@ny ~]# grep -i gsg-infra-netops /etc/group
<no Output>
 =====================

 [root@ric ~]# getent group 10008
 gsg-infra-netops:*:10008:fookming.soo,jcook,rhuitenga,kmatlock
 [root@ric ~]# grep -i gsg-infra-netops /etc/group
 [root@ric ~]#
and also that the usernames are different for the same UID 10133 in question.

Last edited by devUnix; 11-15-2013 at 06:50 PM.
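
The mismatch in the post above (a name that resolves while the name it returns and its UID do not) can be checked mechanically with a name -> UID -> name round trip. This is an added example, not part of the original posts; the `GETENT` override and the stub functions `ric_getent` and `ny_getent` are assumptions that replay only the lookups shown in the thread and treat every other key as not found.

```shell
#!/bin/sh
# Added example: round-trip check of NSS passwd lookups (name -> UID -> name).
# GETENT is an assumed override hook so the check can run against canned data.
GETENT=${GETENT:-getent}

# Canned replay of server "ric", constructed from the posted output (not a live query).
ric_getent() {
    [ "$1" = passwd ] || return 2
    case $2 in
        fookming.soo) echo 'fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash' ;;
        *) return 2 ;;   # getent exits 2 when the key is not found
    esac
}

# Canned replay of server "ny", constructed from the posted output.
ny_getent() {
    [ "$1" = passwd ] || return 2
    case $2 in
        fsoo|10133) echo 'fsoo:*:10133:10008:FookMing Soo:/home/fookming.soo:/bin/bash' ;;
        *) return 2 ;;
    esac
}

# nss_roundtrip NAME: prints one line per finding, returns 0 only if consistent.
nss_roundtrip() {
    by_name=$($GETENT passwd "$1") || { echo "MISSING $1: no passwd entry"; return 1; }
    ret_name=${by_name%%:*}                              # field 1: name NSS reports
    uid=$(printf '%s\n' "$by_name" | cut -d: -f3)        # field 3: numeric UID
    status=0
    [ "$ret_name" = "$1" ] || { echo "ALIAS $1: entry is named $ret_name"; status=1; }
    $GETENT passwd "$ret_name" >/dev/null ||
        { echo "NAME-GAP $ret_name: returned name does not resolve"; status=1; }
    by_uid=$($GETENT passwd "$uid") || { echo "UID-GAP $uid: UID does not resolve"; return 1; }
    [ "${by_uid%%:*}" = "$ret_name" ] || { echo "UID-CLASH $uid: owned by ${by_uid%%:*}"; status=1; }
    [ "$status" -eq 0 ] && echo "OK $1: uid $uid"
    return "$status"
}
```

On a live host, leave `GETENT` unset and call `nss_roundtrip` for each account in the group's member list.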
 
Old 11-18-2013, 02:42 PM   #2
Ser Olmy
You're right in that changing the UID would be a monumentally bad idea, as it would indeed cause any files currently belonging to the user to become inaccessible, or worse, end up being owned by another user.

It is possible that the username changes are what's causing the problem, possibly because old information is cached somewhere. However, this does not explain why the getent command returns nothing at all for certain UIDs on one of the servers.

How do you authenticate against AD? Samba/winbind? LDAP? What are the "passwd:" and "group:" entries in /etc/nsswitch.conf on the affected server?
 
Old 11-19-2013, 04:55 PM   #3
devUnix
Quote:
Originally Posted by Ser Olmy

How do you authenticate against AD? Samba/winbind? LDAP? What are the "passwd:" and "group:" entries in /etc/nsswitch.conf on the affected server?

Here it is:

Code:
[root@ric ~]# egrep -i "passwd|group" /etc/nsswitch.conf
#passwd:    db files nisplus nis
#group:     db files nisplus nis
passwd:     files sss
group:      files sss
netgroup:   files sss

I think the authentication method is PAM:

Code:
Nov 19 17:53:30 ric sshd[21797]: pam_unix(sshd:session): session opened for user devunix by (uid=0)

Last edited by devUnix; 11-19-2013 at 04:57 PM.
 
  

