KB-0491: How can an AD User get local group membership on AIX?

Centrify DirectControl

12 April,16 at 10:57 AM

Applies to:

Centrify DirectControl 2.x, 3.x on AIX 5.3 and below. 



Question: 

When a local Unix/Linux user is migrated into AD, not all of the groups that user belongs to locally on the Unix/Linux machines are migrated into AD. On most Unix/Linux operating systems this is handled by adding the migrated AD user to the local group, either by editing /etc/group or by using an equivalent command. The same cannot be done on AIX. Why, and what can be done to achieve this?


Answer: 

Older versions of AIX did not support PAM and used the LAM interface instead, so Centrify used a LAM implementation to be consistent across all old and new versions of AIX.

AIX behaves differently from other platforms. On other Unix/Linux platforms, the system cycles through the groups of all repositories (passwd, NIS, AD) and merges the groups the user belongs to. AIX does not do such merges in the LAM security library, nor do any of the LAM plug-ins attempt to retrieve information from their sister plug-ins. This is a limitation of IBM's LAM interface.

To explain why an AD user cannot be added to local groups, here is how AIX LAM works:

When a user tries to log in, /etc/security/user is looked up to find whether the user is defined in the file and whether the SYSTEM attribute is set; if not, the SYSTEM value from the default stanza is used to set the AUTHSTATE for the user (this is what happens for an AD user, since the AD user is not found locally on the machine). Once the AUTHSTATE is set, the user is authenticated and gets account information only from that registry (CENTRIFYDC in the AD user's case). Because of this LAM behaviour, it is not possible to add an AD user to a local group.

How this can be accomplished:

On AIX, every local group the user belongs to must be duplicated in AD with the same group name and gid. Make the AD users members of the AD group, and leave local users who are not migrated into AD as members of the local group.

Here is an example scenario: 

Local users: drew, mike, adam
Local group the users belong to: testers

Local group information from /etc/group: 
bash-3.00# grep testers /etc/group 
testers:!:202:drew,mike,adam 


Id of local user before migrating: 
bash-3.00# id drew 
uid=210(drew) gid=202(testers) 


-bash-3.00# lsuser drew 
drew id=210 pgrp=testers groups=testers home=/home/drew shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND (compat) logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles= 


Migrating local user "drew" to AD without changing his group membership:

AD user: drew 

Create an AD group with the same group name and gid as the local group "testers", and make "drew" a member of group "testers".

Id of AD user after migrating: 
bash-3.00# id drew 
uid=100514(drew) gid=100514(drew) groups=202(testers) 


bash-3.00# lsuser ALL drew 
sumana id=100514 pgrp=testers groups=testers home=/home/drew shell=/usr/bin/ksh login=true su=true rlogin=true sugroups=ALL tpath=nosak ttys=ALL expires=0 registry=CENTRIFYDC account_locked=false unsuccessful_login_count=0 roles= 


Id of local user mike, who is not migrated:
bash-3.00# id mike 
uid=517(mike) gid=202(testers) 

bash-3.00# lsuser mike
mike id=517 pgrp=testers groups=testers home=/home/mike shell=/usr/bin/ksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=CENTRIFYDC OR CENTRIFYDC[NOTFOUND] AND (compat) logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= fsize=2097151 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 roles=
