tools
getent
[!NOTE|label:references:]
getent passwd <USER> -> checking data in /var/lib/sss/mc/passwd
getent passwd | grep <USER> -> checking data in /var/lib/sss/pipes/nss
sss
[!NOTE|label:references]
Copy # sss_override
$ sudo dnf install -y sssd-tools sss_override management
Copy $ sudo dnf install -y sssd-tools check user
Copy $ sudo sssctl user-checks <username>
user: marslo
action: acct
service: system-auth
SSSD nss user lookup result:
- user name: marslo
- user id: 33637
- group id: 40048
- gecos: Marslo Jiao (Marslo Jiao)
- home directory: /home/marslo
- shell: /bin/bash
InfoPipe operation failed. Check that SSSD is running and the InfoPipe responder is enabled. Make sure 'ifp' is listed in the 'services' option in sssd.conf.InfoPipe User lookup with [marslo] failed.
testing pam_acct_mgmt
pam_acct_mgmt: Success
PAM Environment:
- no env -
# or
$ getent passwd -s sss marslo add user name
Copy $ sudo /usr/sbin/sss_override user-add <username> -n secondary-username
# verification
$ id secondary-username
# display the override
$ sudo /usr/sbin/sss_override user-show user-name override the uid
Copy # check current uid
$ id -u <username>
# overwride
$ sudo /usr/sbin/sss_override user-add <username> -u <new-uid>
$ sudo /usr/sbin/sss_cache --users
# or
$ sudo /usr/sbin/sss_cache --user <username>
$ sudo systemctl restart sssd override the gid
Copy # check current gid
$ id -g <username>
# or
$ id -nG <username>
# or
$ sudo lid -g <group_name>
# override
$ sudo /usr/sbin/sss_override user-add <username> -g <new-gid>
$ sudo /usr/sbin/sss_cache --users
$ sudo /usr/sbin/sss_cache --user <username>
$ sudo systemctl restart sssd override the home directory
Copy # check current home directory
$ getent passwd <username>
# override
$ sudo /usr/sbin/sss_override user-add <username> -h /new/home/directory
$ sudo systemctl restart sssd override the shell attribute
Copy # check current
$ getent passwd <username>
# override
$ sudo /usr/sbin/sss_override user-add <username> -s /new/shell
$ sudo systemctl restart sssd
# or
$ sudo /usr/sbin/sss_override user-add <username> \
-h </original/home/directory> \
-s /bin/bash
$ sudo systemctl restart sssd
Copy # clear the cache and update all records
$ sudo /usr/sbin/sss_cache [-E|--everything]
# clear invalidates cache entries for all user records
$ sudo /usr/sbin/sss_cache [-U|--users]
# clear all cached entries for a particular domain
$ sudo /usr/sbin/sss_cache [-E|--everything] [-d|--domain] <ldap_name>
# purge the records for that specific account and leave the rest of the cache intact
$ sudo /usr/sbin/sss_cache [-u|--user] <username>
# invalidates the cache entry for the specified group
$ sudo /usr/sbin/sss_cache [-g|--group] <groupname> remove account
Copy $ sudo sss_override user-del [--debug 1..9] <username>
$ sudo /usr/sbin/sss_cache --everything
$ sudo systemctl restart sssd or
Copy # get info
$ loginctl
# logout
$ loginctl kill-user <username>
$ sudo /usr/sbin/sss_cache -u <username>
$ loginctl terminate-user <username>
$ sudo pkill -u <username>
$ systemctl restart sssd
$ systemctl restart accounts-daemon tricky
sssd account cannot be deleted
Copy $ sudo /usr/sbin/sss_cache -u devops
$ sudo /usr/sbin/sss_cache -E
$ sudo systemctl restart sssd
# verify
$ getent passwd devops
devops:*:41032:10:Service Account-Block-chain:/user/devops:/bin/tcsh
$ id devops
uid=41032(devops) gid=10(uucp) groups=10(uucp),0(root),4(adm),1000(marvell),994(docker)
$ sudo useradd -m -d '/home/devops' -u 1000 -s /bin/bash devops
useradd: user 'devops' already exists
$ hexdump -C /var/lib/sss/mc/passwd
00000000 01 00 00 f0 01 00 00 00 01 00 00 00 01 00 00 00 |................|
00000010 b1 e9 04 d3 80 ff 7f 00 66 66 00 00 c0 cc 0c 00 |........ff......|
00000020 38 00 00 00 b8 ff 7f 00 20 66 80 00 00 00 00 00 |8....... f......|
00000030 01 00 00 f0 00 00 00 00 00 00 00 f0 74 00 00 00 |............t...|
00000040 a7 14 ac 66 00 00 00 00 ff ff ff ff ff ff ff ff |...f............|
00000050 70 db 02 00 1c 36 02 00 ff ff ff ff 00 00 00 f0 |p....6..........|
00000060 10 00 00 00 48 a0 00 00 0a 00 00 00 3c 00 00 00 |....H.......<...|
00000070 64 65 76 6f 70 73 00 2a 00 53 65 72 76 69 63 65 |devops.*.Service|
00000080 20 41 63 63 6f 75 6e 74 2d 42 6c 6f 63 6b 2d 63 | Account-Block-c|
00000090 68 61 69 6e 00 2f 75 73 65 72 2f 64 65 76 6f 70 |hain./user/devop|
000000a0 73 00 2f 62 69 6e 2f 74 63 73 68 00 ff ff ff ff |s./bin/tcsh.....|
000000b0 ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff ff |................|
*
...... solution
[!TIP|label:references:]
login to root to execute the following commands; or use any sudo local account, otherwise the sssd account will be unavailable when sssd service is stopped !
Copy # login to root or any sudo local account
$ sudo su -
# clean cache
$ sudo /usr/sbin/sss_cache -u devops
$ sudo /usr/sbin/sss_cache -E
$ sudo systemctl restart sssd
# stop sssd service and remove /var/lib/sss/mc/passwd
$ sudo systemctl stop sssd.service
$ sudo mv /var/lib/sss/mc/passwd{,.bak}
# create local user
$ sudo useradd -m -d '/home/devops' -u 1001 -g devops -s /bin/bash devops
$ id devops
uid=1001(devops) gid=1001(devops) groups=1001(devops)
# start sssd service
$ sudo systemctl start sssd.service backup and restore
Copy # export
$ /usr/sbin/sss_override user-export user-export.bak
$ /usr/sbin/sss_override group-export group-export.bak
# restore
$ /usr/sbin/sss_override user-import user-import.bak
$ /usr/sbin/sss_override group-import group-import.bak list all override
Copy $ /usr/sbin/sss_override user-find
Copy # optional
$ yum install -y sssd \
realmd \
oddjob \
oddjob-mkhomedir \
adcli \
samba-common \
samba-common-tools \
krb5-workstation \
openldap-clients \
policycoreutils-python \
authselect-compat \
ntpdate \
ntp
$ authselect select sssd
$ authselect select sssd with-mkhomedir
$ systemctl enable oddjobd.service
$ systemctl start oddjobd.service
$ authconfig --enablesssd \
--enablesssdauth \
--enablelocauthorize \
--enableldap \
--enableldapauth \
--ldapserver=ldap://ipaserver.example.com:389 \
--disableldaptls \
--ldapbasedn=dc=example,dc=com \
--enablerfc2307bis \
--enablemkhomedir \
--enablecachecreds \
--update other sssd config
Name Service Switch (NSS) configuration file
automount utility can mount and unmount NFS
/etc/security/access.conf
local login access control table
discovery domain
Copy $ realm discover my.com [--server-software=active-directory]
my.com
type: kerberos
realm-name: MY.COM
domain-name: my.com
configured: no
server-software: active-directory
client-software: sssd
required-package: oddjob
required-package: oddjob-mkhomedir
required-package: sssd
required-package: adcli
required-package: samba-common-tools join the system
Copy $ realm join <my.domain> -U <account> [--membership-software=samba] [--verbose] [--install] troubleshooting
sudo: unable to dlopen /usr/lib/libsss_sudo.so
[!NOTE|label:issue:]
Copy sudo: unable to load /usr/lib/x86_64-linux-gnu/libsss_sudo.so: /usr/lib/x86_64-linux-gnu/libsss_sudo.so: cannot open shared object file: No such file or directory
sudo: unable to initialize SSS source. Is SSSD installed on your machine?
Copy $ sudo apt install libsss-sudo local
user
subuid & subgid
[!NOTE|label:references:]
check subuid and subgid from /etc/subuid and /etc/subgid
Copy # rootless mode
$ sudo usermod --add-subuids 10000-75535 USERNAME
$ sudo usermod --add-subgids 10000-75535 USERNAME
# or
$ echo USERNAME:10000:65536 >> /etc/subuid
$ echo USERNAME:10000:65536 >> /etc/subgid local user management
useradd
Copy $ useradd -c "comments here" \
-m \
-d "/home/devops" \
-u 1000 \
-g 1000 \
-s /bin/bash \
devops or
Copy $ useradd --comment "comments here" \
--create-home \
--home-dir /home/devops \
--shell /bin/bash \
--uid 1000 \
--gid 1000 \
--user-group devops
devops full steps
Copy $ uid='1000'
$ gid='1000'
$ user='devops'
$ mkdir -p /home/${user}
$ chown -R ${uid}:${gid} /home/${user}
$ groupadd -g ${gid} ${user}
$ useradd -c "create user ${user}" \
-d "/home/${user}" \
-u ${uid} \
-g ${gid} \
-m \
-s /bin/bash \
${user} deluser for ubunut
[!NOTE|label:references:]
deluser - remove a user from the system
userdel - delete a user account and group ( if possible )
Copy $ deluser <account> <group> new user with root uid
[!TIP]
Copy $ /usr/sbin/useradd -ou 0 -g root -d /root -s /bin/bash -p $(echo password1 | openssl passwd -1 -stdin) test 2>/tmp/err group
get group
get gid
Copy $ sudo lid -g <group_name>
# or
$ getent group <group_name> create group
create group with random gid
Copy $ sudo groupadd <group_name>
Copy $ gname='mytestgroup'
$ sudo groupadd ${gname}
$ getent group ${gname} | cut -d: -f3
# or
$ sed -nr "s/^${gname}:x:([0-9]+):.*/\1/p" /etc/group
# or
$ grep "^${gname}" /etc/group | cut -d: -f3
# and finally remove the group
$ sudo groupdel ${gname} create group with particular gid
Copy $ sudo groupadd -g <gid> <group_name> create group with existing gid
[!TIP]
Copy -o (--non-unique) option the groupadd command allows you to create a group with non-unique GID troubleshooting
issue:
Copy /usr/bin/id: cannot find name for group ID xxxx solution
Copy $ groupadd --gid <GID> <GROUP_NAME>
Copy $ sudo groupadd -o -g <new_gid> <group_name> create group with password
Copy $ groupadd -p secretpassword writers add system group
[!NOTE|label:-r or --system ]
Copy $ groupadd -r hardwareteam
$ groupadd --system hardwareteam modify group
[!NOTE|label:references:]
Copy $ sudo groupmod -o -g <gid> <group_name>
# change file mode
$ find / -gid OLD_GID ! -type l -exec chgrp NEW_GID {} \; groupmod: group 'xxx' does not exist in /etc/group
Copy $ getent group 994
gl3:*:994:
# check available GID
$ getent group 1994
# modify GID
$ sudo groupmod -o -g 1994 gl3
groupmod: group 'gl3' does not exist in /etc/group
$ sudo echo 'gl3:*:994:' >> /etc/group
$ grep gl3 /etc/group
gl3:*:994:
$ sudo groupmod -o -g 1994 gl3
$ sudo groupmod -o -g 994 docker
# verify
$ getent group docker
docker:x:994:marslo,devops
$ getent group gl3
gl3:*:1994: manager group users
add user into group
Copy $ sudo usermod -a -G adm,root,docker,wheel devops
$ sudo usermod -a -G sudo devops
Copy $ gpasswd -d <account> <group>
# or ubuntu
$ sudo deluser <account> <group> tips
list account permission
Copy $ sudo -l -U marslo
User marslo may run the following commands on kuberentes-01:
(ALL) NOPASSWD: ALL
(ALL) NOPASSWD: /usr/bin/su - devops check account locale
[!NOTE|label:references:]
Copy $ sudo su -l -c locale marslo
LANG=en_US.UTF-8
LC_CTYPE="en_US.UTF-8"
LC_NUMERIC="en_US.UTF-8"
LC_TIME="en_US.UTF-8"
LC_COLLATE="en_US.UTF-8"
LC_MONETARY="en_US.UTF-8"
LC_MESSAGES="en_US.UTF-8"
LC_PAPER="en_US.UTF-8"
LC_NAME="en_US.UTF-8"
LC_ADDRESS="en_US.UTF-8"
LC_TELEPHONE="en_US.UTF-8"
LC_MEASUREMENT="en_US.UTF-8"
LC_IDENTIFICATION="en_US.UTF-8"
LC_ALL=en_US.UTF-8 logout
Copy $ pkill -KILL -u ${useranme} or
Copy $ who -uH
NAME LINE TIME IDLE PID COMMENT
devops pts/0 2022-06-14 05:44 00:17 41455 (192.168.1.1)
marslo pts/1 2022-06-14 05:58 . 50162 (192.168.1.1)
$ sudo kill 41455
$ who -uH
NAME LINE TIME IDLE PID COMMENT
marslo pts/1 2022-06-14 05:58 . 50162 (192.168.1.1) or : loginctl
Copy # get login details
$ loginctl
# logout
$ loginctl kill-user <username>
Copy $ chage -l marslo
Last password change : Mar 09, 2022
Password expires : never
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 99999
Number of days of warning before password expires : 7 authentication in RHEL
[!NOTE|label:references:]
Copy $ sudo dnf install -y oddjob-mkhomedir
$ sudo systemctl enable --now oddjobd.service
$ sudo authconfig --enablemkhomedir --update
$ sudo authselect select sssd with-mkhomedir --force Last updated 4 months ago
