How can an AD User get local group membership on AIX?
Centrify DirectControl 2.x, 3.x on AIX 5.3 and below.
When a local Unix/Linux user is migrated into AD, not all of the groups that user belongs to locally on the Unix/Linux machines are migrated into AD. On most Unix/Linux operating systems this is handled by adding the migrated AD user to the local group, either by editing /etc/group or by using an equivalent command. The same cannot be done on AIX. Why, and what can be done to achieve this?
Older versions of AIX did not have support for PAM and used the LAM interface instead. Centrify therefore used a LAM implementation to be consistent across all old and new versions of AIX.
AIX behaves differently from other platforms. On other Unix/Linux platforms the system cycles through the groups in all repositories (passwd, NIS, AD) and merges the groups the user belongs to. AIX does not do such merges in the LAM security library, nor does any LAM plug-in attempt to retrieve information from its sister plug-ins. This is a limitation of IBM's LAM interface.
To answer the question of why an AD user cannot be added to local groups, here is how AIX LAM works:
When a user tries to log in, /etc/security/user is looked up to find whether the user is defined in the file and whether the SYSTEM attribute is set. If not, the SYSTEM value from the default stanza is used to set the AUTHSTATE for the user (which is what happens for an AD user, since the AD user is not found locally on the machine). Once AUTHSTATE is set, the user is authenticated and gets account information from that registry only (CENTRIFYDC in the AD user's case). Because of this LAM behavior, it is not possible to add an AD user to a local group.
Now, how can this be accomplished?
On AIX only, every local group the user is a member of needs to be duplicated in AD with the same group name and GID. Make the AD users members of the AD group, and leave local users who are not migrated into AD as members of the local group.
Here is an example scenario:
Local users: drew, mike, adam
Local group the users are a part of: testers
Local group information from /etc/group:
bash-3.00# grep testers /etc/group
testers:!:202:drew,mike,adam
Id of local user before migrating:
bash-3.00# id drew
uid=210(drew) gid=202(testers)
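The procedure above (duplicate the group in AD with the same name and GID, move the migrated users into the AD group, leave the non-migrated users in the local group) can be planned from /etc/group before touching either side. The script below is an added example, not part of the original article or of Centrify's tooling; the group lines and the list of migrated users are constructed sample data.

```sh
#!/bin/sh
# Constructed sample of /etc/group lines (AIX-style "!" password field), not from a real host.
GROUP_DATA='testers:!:202:drew,mike,adam
staff:!:1:drew,rob
audit:!:10:'
# Constructed list of local users that have already been migrated into AD.
MIGRATED='drew mike'

# plan_group_migration GROUP_CONTENT "user1 user2 ..."
# For every group that contains at least one migrated user, prints two lines:
#   AD    <group> <gid> <migrated members>  -> group to create in AD with this exact name and GID
#   LOCAL <group>:<pw>:<gid>:<remaining>    -> what the local /etc/group entry should become
# Groups with no migrated members are left untouched and print nothing.
plan_group_migration() {
    printf '%s\n' "$1" | awk -F: -v migrated="$2" '
    BEGIN {
        n = split(migrated, m, " ")
        for (i = 1; i <= n; i++) is_migrated[m[i]] = 1
    }
    NF >= 4 {
        ad = ""; local = ""
        cnt = split($4, members, ",")
        for (i = 1; i <= cnt; i++) {
            if (members[i] == "") continue
            if (is_migrated[members[i]]) ad = (ad == "") ? members[i] : ad "," members[i]
            else local = (local == "") ? members[i] : local "," members[i]
        }
        if (ad != "") {
            printf "AD %s %s %s\n", $1, $3, ad
            printf "LOCAL %s:%s:%s:%s\n", $1, $2, $3, local
        }
    }'
}

plan_group_migration "$GROUP_DATA" "$MIGRATED"
```

The AD lines are the groups to create with matching GIDs so that file ownership stays consistent; the LOCAL lines are the edited entries that keep only the users still authenticating locally.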