tools
getent
[!NOTE|label:references:]
getent passwd <USER>
-> answered from the SSSD memory-mapped cache in /var/lib/sss/mc/passwd (fast path; may return stale data until the cache is invalidated, see sss_cache below)
getent passwd | grep <USER>
-> goes to the NSS responder through the /var/lib/sss/pipes/nss socket. Note that SSSD does not enumerate domains by default (enumerate = false in sssd.conf), so piping getent into grep usually lists only local accounts — query the name directly instead.
sss
[!NOTE|label:references]
- Chapter 7. SSSD client-side view
# sss_override (provided by the sssd-tools package; see below)
sssd
references:
sss_override management
$ sudo dnf install -y sssd-tools
check user
$ sudo sssctl user-checks <username>
user: marslo
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: marslo
- user id: 33637
- group id: 40048
- gecos: Marslo Jiao (Marslo Jiao)
- home directory: /home/marslo
- shell: /bin/bash
InfoPipe operation failed. Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services' option in sssd.conf. InfoPipe User lookup with [marslo] failed.
# (the NSS lookup above already succeeded; only the optional D-Bus/InfoPipe step failed — add `ifp` to `services = ...` in /etc/sssd/sssd.conf and restart sssd if you want sssctl to use it)
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
# or
$ getent passwd -s sss marslo
add user name
$ sudo /usr/sbin/sss_override user-add <username> -n secondary-username
# verification
$ id secondary-username
# display the override
$ sudo /usr/sbin/sss_override user-show user-name
override the uid
# check current uid, and confirm <new-uid> is free (the second command should print nothing)
$ id -u <username>
$ getent passwd <new-uid>
# override (never pick 0 or a UID owned by a local account — two accounts sharing a UID share file ownership and process control)
$ sudo /usr/sbin/sss_override user-add <username> -u <new-uid>
$ sudo /usr/sbin/sss_cache --users
# or
$ sudo /usr/sbin/sss_cache --user <username>
$ sudo systemctl restart sssd
override the gid
# check current gid, and confirm <new-gid> is free (the second command should print nothing)
$ id -g <username>
$ getent group <new-gid>
# or
$ id -nG <username>
# or
$ sudo lid -g <group_name>
# override
$ sudo /usr/sbin/sss_override user-add <username> -g <new-gid>
$ sudo /usr/sbin/sss_cache --users
$ sudo /usr/sbin/sss_cache --user <username>
$ sudo systemctl restart sssd
override the home directory
# check current home directory
$ getent passwd <username>
# override
$ sudo /usr/sbin/sss_override user-add <username> -h /new/home/directory
$ sudo systemctl restart sssd
override the shell attribute
# check current
$ getent passwd <username>
# override
$ sudo /usr/sbin/sss_override user-add <username> -s /new/shell
$ sudo systemctl restart sssd
# or
$ sudo /usr/sbin/sss_override user-add <username> \
-h </original/home/directory> \
-s /bin/bash
$ sudo systemctl restart sssd
managing the sssd cache
# clear the cache and update all records
$ sudo /usr/sbin/sss_cache [-E|--everything]
# clear invalidates cache entries for all user records
$ sudo /usr/sbin/sss_cache [-U|--users]
# clear all cached entries for a particular domain
$ sudo /usr/sbin/sss_cache [-E|--everything] [-d|--domain] <ldap_name>
# purge the records for that specific account and leave the rest of the cache intact
$ sudo /usr/sbin/sss_cache [-u|--user] <username>
# invalidates the cache entry for the specified group
$ sudo /usr/sbin/sss_cache [-g|--group] <groupname>
remove account
$ sudo sss_override user-del [--debug 1..9] <username>
$ sudo /usr/sbin/sss_cache --everything
$ sudo systemctl restart sssd
or
# get info
$ loginctl
# logout
$ loginctl kill-user <username>
$ sudo /usr/sbin/sss_cache -u <username>
$ loginctl terminate-user <username>
$ sudo pkill -u <username>
$ systemctl restart sssd
$ systemctl restart accounts-daemon
tricky
sssd account cannot be deleted
$ sudo /usr/sbin/sss_cache -u devops $ sudo /usr/sbin/sss_cache -E $ sudo systemctl restart sssd # verify $ getent passwd devops devops:*:41032:10:Service Account-Block-chain:/user/devops:/bin/tcsh $ id devops uid=41032(devops) gid=10(uucp) groups=10(uucp),0(root),4(adm),1000(marvell),994(docker) $ sudo useradd -m -d '/home/devops' -u 1000 -s /bin/bash devops useradd: user 'devops' already exists $ hexdump -C /var/lib/sss/mc/passwd 00000000 01 00 00 f0 01 00 00 00 01 00 00 00 01 00 00 00 |................| 00000010 b1 e9 04 d3 80 ff 7f 00 66 66 00 00 c0 cc 0c 00 |........ff......| 00000020 38 00 00 00 b8 ff 7f 00 20 66 80 00 00 00 00 00 |8....... f......| 00000030 01 00 00 f0 00 00 00 00 00 00 00 f0 74 00 00 00 |............t...| 00000040 a7 14 ac 66 00 00 00 00 ff ff ff ff ff ff ff ff |...f............| 00000050 70 db 02 00 1c 36 02 00 ff ff ff ff 00 00 00 f0 |p....6..........| 00000060 10 00 00 00 48 a0 00 00 0a 00 00 00 3c 00 00 00 |....H.......<...| 00000070 64 65 76 6f 70 73 00 2a 00 53 65 72 76 69 63 65 |devops.*.Service| 00000080 20 41 63 63 6f 75 6e 74 2d 42 6c 6f 63 6b 2d 63 | Account-Block-c| 00000090 68 61 69 6e 00 2f 75 73 65 72 2f 64 65 76 6f 70 |hain./user/devop| 000000a0 73 00 2f 62 69 6e 2f 74 63 73 68 00 ff ff ff ff |s./bin/tcsh.....| 000000b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................| * ......
solution
[!TIP|label:references:]
- login to
root
to execute the following commands; or use any sudo local account, otherwise the sssd account will be unavailable when sssd service is stopped !
# login to root or any sudo local account
$ sudo su -
# clean cache
$ sudo /usr/sbin/sss_cache -u devops
$ sudo /usr/sbin/sss_cache -E
$ sudo systemctl restart sssd
# stop sssd service and move /var/lib/sss/mc/passwd out of the way
$ sudo systemctl stop sssd.service
$ sudo mv /var/lib/sss/mc/passwd{,.bak}
# create local user (-g devops requires the group to exist already — groupadd it first if it does not)
$ sudo useradd -m -d '/home/devops' -u 1001 -g devops -s /bin/bash devops
$ id devops
uid=1001(devops) gid=1001(devops) groups=1001(devops)
# start sssd service
$ sudo systemctl start sssd.service
- login to
backup and restore
# export
$ /usr/sbin/sss_override user-export user-export.bak
$ /usr/sbin/sss_override group-export group-export.bak
# restore
$ /usr/sbin/sss_override user-import user-import.bak
$ /usr/sbin/sss_override group-import group-import.bak
list all override
$ /usr/sbin/sss_override user-find
sssd config
After this, in the /etc/sssd/sssd.conf file specify ldap_default_bind_dn and ldap_default_authtok as the default bind DN and password respectively; the exact values depend on your LDAP setup. ldap_default_authtok is a credential stored in clear text in sssd.conf, so keep the file root-owned with mode 0600 (SSSD refuses to start when it is more permissive) and use a low-privilege, read-only bind account for it.
- references:
- Chapter 13. Configuring Authentication
# optional
$ yum install -y sssd \
realmd \
oddjob \
oddjob-mkhomedir \
adcli \
samba-common \
samba-common-tools \
krb5-workstation \
openldap-clients \
policycoreutils-python \
authselect-compat \
ntpdate \
ntp
$ authselect select sssd
$ authselect select sssd with-mkhomedir
$ systemctl enable oddjobd.service
$ systemctl start oddjobd.service
# NOTE: this example points at ldap:// on port 389 with --disableldaptls, so the bind credentials and every
# user's password cross the network in clear. Outside a throwaway lab use ldaps:// or --enableldaptls
# (ldap_id_use_start_tls) and verify the server certificate (ldap_tls_cacert, ldap_tls_reqcert = demand).
# On RHEL 8+ authconfig is only a compatibility wrapper (authselect-compat); prefer authselect.
$ authconfig --enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://ipaserver.example.com:389 \
--disableldaptls \
--ldapbasedn=dc=example,dc=com \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--update
other sssd config
- config files
file | comments |
---|---|
/etc/krb5.keytab |
host keytab file |
/etc/nsswitch.conf |
Name Service Switch (NSS) configuration file |
/etc/sssd/sssd.conf |
sssd configure file |
/etc/auto.master |
mount NFS |
/etc/auto.misc |
automount utility can mount and unmount NFS |
/etc/pam.d/password-auth |
PAM module |
/etc/pam.d/system-auth |
PAM module |
/var/lib/sss/db/* |
sssd cache (with cache_credentials = true it also holds cached password hashes used for offline login — keep it root-only) |
/etc/security/access.conf |
local login access control table |
-
$ realm discover my.com [--server-software=active-directory]
my.com
  type: kerberos
  realm-name: MY.COM
  domain-name: my.com
  configured: no
  server-software: active-directory
  client-software: sssd
  required-package: oddjob
  required-package: oddjob-mkhomedir
  required-package: sssd
  required-package: adcli
  required-package: samba-common-tools
join the system
$ realm join <my.domain> -U <account> [--membership-software=samba] [--verbose] [--install]
troubleshooting
sudo: unable to dlopen /usr/lib/libsss_sudo.so
[!NOTE|label:issue:]
sudo: unable to load /usr/lib/x86_64-linux-gnu/libsss_sudo.so: /usr/lib/x86_64-linux-gnu/libsss_sudo.so: cannot open shared object file: No such file or directory sudo: unable to initialize SSS source. Is SSSD installed on your machine?
$ sudo apt install libsss-sudo
local
user
subuid
& subgid
[!NOTE|label:references:]
- Podman
- check subuid and subgid from
/etc/subuid
and/etc/subgid
# rootless mode
$ sudo usermod --add-subuids 10000-75535 USERNAME
$ sudo usermod --add-subgids 10000-75535 USERNAME
# or, as root. The >> redirection is performed by the calling shell, so `sudo echo ... >> file` would still
# fail for an unprivileged user — use `echo USERNAME:10000:65536 | sudo tee -a /etc/subuid` instead.
# The range must not overlap another user's range or real UIDs/GIDs on the host, otherwise one user's rootless
# containers can own another user's files.
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid
find users
/etc/passwd
/etc/shadow
/etc/pam.d/passwd
more on users: /etc/login.defs (UID/GID ranges, password ageing defaults, USERGROUPS_ENAB)
local user management
useradd
create user
devops
$ useradd -c "comments here" \
-m \
-d "/home/devops" \
-u 1000 \
-g 1000 \
-s /bin/bash \
devops
or
$ useradd --comment "comments here" \
          --create-home \
          --home-dir /home/devops \
          --shell /bin/bash \
          --uid 1000 \
          --gid 1000 \
          --user-group devops devops
# note: --user-group (-U) takes no argument and creates a group named after the user, which conflicts with
# --gid on shadow-utils useradd; keep one of the two and pass the login name only once
full steps
$ uid='1000'
$ gid='1000'
$ user='devops'
$ mkdir -p "/home/${user}"
$ chown -R "${uid}:${gid}" "/home/${user}"
$ groupadd -g "${gid}" "${user}"
$ useradd -c "create user ${user}" \
          -d "/home/${user}" \
          -u "${uid}" \
          -g "${gid}" \
          -m \
          -s /bin/bash \
          "${user}"
# note: because the home directory is created before useradd -m runs, useradd warns that it already exists
# and does not copy /etc/skel into it; either let -m create the directory or create it yourself, not both
deluser
for Ubuntu / Debian (adduser package)
[!NOTE|label:references:]
deluser
- deluser: remove a user from the system
- userdel: delete a user account and group ( if possible )
deluser
, delgroup
- remove a user or group from the system
SYNOPSIS
- deluser [options] [--force] [--remove-home] [--remove-all-files] [--backup] [--backup-to DIR] user
- deluser --group [options] group
- delgroup [options] [--only-if-empty] group
- deluser [options] user group
$ deluser <account> <group>
new user with root uid
[!TIP]
- username: test1 (the command below actually creates `test` — adjust one or the other)
- password: password1
# WARNING: -o -u 0 creates a second UID 0 account, i.e. a root-equivalent login with its own name and password.
# This is a classic persistence technique; on a real system such an account should only exist if an audit knows about it.
# Detect extra superusers with:  awk -F: '$3 == 0 {print $1}' /etc/passwd
# Also: openssl passwd -1 is MD5-crypt (prefer -6 for SHA-512), and the hash passed via -p is visible in `ps` and shell history.
$ /usr/sbin/useradd -ou 0 -g root -d /root -s /bin/bash -p $(echo password1 | openssl passwd -1 -stdin) test 2>/tmp/err
generate an encrypted password for a user with chpasswd
$ echo "encryptedpassword" | openssl passwd -1 -stdin
# or
$ echo "test:$(echo password | openssl passwd -1 -stdin -salt abcde)" | sudo chpasswd -e
# note: -1 is MD5-crypt and a fixed -salt defeats the purpose of salting; prefer `openssl passwd -6 -stdin`
# and let openssl pick the salt. The cleartext also lands in shell history — running `chpasswd` without -e
# and typing user:password on stdin avoids that.
group
/etc/group
/etc/passwd
/etc/shadow
references:
get group
-
$ getent group
# or
$ getent group <GID|GNAME>
get gid
$ sudo lid -g <group_name>
# or
$ getent group <group_name>
create group
create group with random gid
$ sudo groupadd <group_name>
get available gid
for error:
groupadd: GID 'xxxx' already exists
$ gname='mytestgroup'
$ sudo groupadd "${gname}"
$ getent group "${gname}" | cut -d: -f3
# or
$ sed -nr "s/^${gname}:x:([0-9]+):.*/\1/p" /etc/group
# or (the trailing ':' keeps it from also matching e.g. mytestgroup2)
$ grep "^${gname}:" /etc/group | cut -d: -f3
# and finally remove the group
$ sudo groupdel "${gname}"
create group with particular gid
$ sudo groupadd -g <gid> <group_name>
create group with existing gid
[!TIP]
the -o (--non-unique) option of groupadd allows creating a group whose GID is already taken. Two names for one GID are the same group for every permission check (file modes, sudo rules, socket ownership), so only do this deliberately.
troubleshooting
- issue:
/usr/bin/id: cannot find name for group ID xxxx
- solution
$ groupadd --gid <GID> <GROUP_NAME>
$ sudo groupadd -o -g <new_gid> <group_name>
create group with password
$ groupadd -p secretpassword writers
# note: -p expects an already-hashed crypt(3) string, not a cleartext password; a plain word is stored verbatim in
# /etc/gshadow (and will never match), and the argument is visible to every user via `ps`. Set it interactively instead:
$ groupadd writers && gpasswd writers
add system group
[!NOTE|label:
-r
or--system
]
$ groupadd -r hardwareteam
$ groupadd --system hardwareteam
modify group
[!NOTE|label:references:]
$ sudo groupmod -o -g <gid> <group_name>
# change file mode
$ find / -gid OLD_GID ! -type l -exec chgrp NEW_GID {} \;
groupmod: group 'xxx' does not exist in /etc/group
$ getent group 994
gl3:*:994:
# check available GID
$ getent group 1994
# modify GID
$ sudo groupmod -o -g 1994 gl3
groupmod: group 'gl3' does not exist in /etc/group
# gl3 is served by SSSD here (note the '*' password field), and groupmod only edits local groups.
# The append below works only if you are already root (the >> redirection runs in the caller's shell, not under sudo)
# and bypasses the lock that groupadd/vigr take; `sudo groupadd -o -g 994 gl3` achieves the same safely.
$ sudo echo 'gl3:*:994:' >> /etc/group
$ grep gl3 /etc/group
gl3:*:994:
$ sudo groupmod -o -g 1994 gl3
$ sudo groupmod -o -g 994 docker
# verify
$ getent group docker
docker:x:994:marslo,devops
$ getent group gl3
gl3:*:1994:
manager group users
add user into group
$ sudo usermod -a -G adm,root,docker,wheel devops
$ sudo usermod -a -G sudo devops
# note: root, wheel/sudo and docker are all root-equivalent (members of docker can start privileged containers
# with the host filesystem mounted); grant them only where that is the intent
remove user from group
$ gpasswd -d <account> <group>
# or ubuntu
$ sudo deluser <account> <group>
tips
list account permission
$ sudo -l -U marslo
User marslo may run the following commands on kuberentes-01:
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: /usr/bin/su - devops
check account locale
[!NOTE|label:references:]
$ sudo su -l -c locale marslo
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=en_US.UTF-8
logout
$ pkill -u "${username}"          # TERM first; add -KILL only if processes ignore it
or
$ who -uH
NAME     LINE         TIME             IDLE          PID COMMENT
devops   pts/0        2022-06-14 05:44 00:17       41455 (192.168.1.1)
marslo   pts/1        2022-06-14 05:58   .         50162 (192.168.1.1)
$ sudo kill 41455
$ who -uH
NAME     LINE         TIME             IDLE          PID COMMENT
marslo   pts/1        2022-06-14 05:58   .         50162 (192.168.1.1)
-
# get login details
$ loginctl
# logout
$ loginctl kill-user <username>
view users password properties in linux
$ chage -l marslo
Last password change : Mar 09, 2022
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7
hash_algorithm
Code | Algorithm |
---|---|
$1 |
MD5-crypt (legacy; not acceptable for new passwords) |
$2 ($2a / $2b / $2y) |
bcrypt (Blowfish / Eksblowfish) |
$3 |
listed as Eksblowfish, but Eksblowfish is bcrypt's key schedule and lives under $2* above; glibc crypt(5) defines no $3 prefix — verify against your libc before relying on this row |
$4 |
NT hashing algorithm |
$5 |
SHA-256 Algorithm |
$6 |
SHA-512 crypt (the common default; recent distributions default to $y, yescrypt) |
authentication in RHEL
[!NOTE|label:references:]
$ sudo dnf install -y oddjob-mkhomedir
$ sudo systemctl enable --now oddjobd.service
$ sudo authconfig --enablemkhomedir --update
# --force overwrites any hand-edited /etc/nsswitch.conf and /etc/pam.d files; back them up (authselect backup) first
$ sudo authselect select sssd with-mkhomedir --force