How to Manage User IDs and Groups on Development AIX/Linux Servers


Introduction

The Issue View IM Access/Software Management queue is the intake point for user account creation requests.


This document provides detailed steps for creating and maintaining user accounts and groups on the development AIX/Linux systems.

Requirements before proceeding

  1. Issue View access.
  2. Admin access to imcsm, including the account record directory on imcsm:

/homecomm/nsek/create_id_grp

  3. Admin or sudo access to the target development hosts.
  4. Access to the Active Directory management tool with read-only access to the domains.
  5. The following hosts require approvals and licenses before accounts can be created.



Issue View Management

  1. New requests in Issue View have the status Open and no analyst assigned.
  2. Pick up the ticket by updating the Assigned To dropdown, and note the following.  In this example the request covers two AIX hosts and one Linux host.

Employee Name
Employee Role
Host Names
Group Assignment

  3. If any of this information is missing, update the Issue View ticket to request it from the requestor.
  4. Once all required information is gathered, proceed with the next section.

Creating User Accounts

1.      Open Active Directory Users and Computers (MMC), search for the user's account in Active Directory and open it.

*** Users come from both the OFFICE domain and the SYSDEV domain.  Search the OFFICE domain first and search SYSDEV only if the user cannot be found in OFFICE. ***

2.      Click the Account tab and note the user's logon name.

3.      Log on to IMCSM or WIMCSM and change directory to /homecomm/nsek/create_id_grp.

# cd /homecomm/nsek/create_id_grp

4.      Search the record files for the user's first name and last name separately, since some users already have an account on our systems under a logon name that differs from the one in Active Directory.

               # grep -i billy *
               # grep -i gate *

There may be no results.  If there are, they look like the following; verify the gecos field of each match to decide whether this user already has accounts on our AIX/Linux systems (a match on a first or last name alone is not proof).


5.      If the user already exists on other hosts, reuse the same user ID number and user name.
6.      If the user does not exist, check the content of last_id_num.  This file records the last user ID number that was used.

   # cat /homecomm/nsek/create_id_grp/last_id_num

   3251

7.      Use the next number as the new user ID.  In this case the user ID for the new account is 3251+1 = 3252.
8.      Update last_id_num with the new user ID, 3252, so the next allocation does not reuse it.  The end result should look like the following.

# cat /homecomm/nsek/create_id_grp/last_id_num

3252

9.      Record the command in the mkuser script for each target host, createid-<server name>.ksh, in /homecomm/nsek/create_id_grp/.  In this example the account is created on impvcs01, dmspar01 and faappdv24, so the following files need to be updated.

createid-impvcs01.ksh
createid-dmspar01.ksh
createid-faappdv24.ksh

10.  Two home folder structures are used in our environment.  The default home folder is under /home, except on the following hosts, where it is under /homecomm.

dmspar*
impvcs01

11.  The mkuser command for Billy Gate should look like the following in each scenario.

** DO NOT ASSIGN GROUP "staff" to any new users. **

For an account on impvcs01 or a dmspar* host (home under /homecomm, with a symlink from /home):

# mkuser id=3252 pgrp=pvcs groups=grampim gecos='Billy Gate' home=/homecomm/bgate01 fsize=-1 fsize_hard=-1 bgate01

# ln -s /homecomm/bgate01 /home/bgate01

For a Linux host, the equivalent useradd command:

# useradd -u 3252 -g pvcs -G catread -c 'Billy Gate' -s /bin/ksh -d /home/bgate01 bgate01

12.  For an account on any other AIX host (home under /home):

# mkuser id=3252 pgrp=pvcs groups=catread gecos='Billy Gate' home=/home/bgate01 fsize=-1 fsize_hard=-1 bgate01

13.  Copy the command and execute it on the target server using sudo.  Using dmspar01 as an example:

# sudo mkuser id=3252 pgrp=pvcs groups=grampim gecos='Billy Gate' home=/homecomm/bgate01 fsize=-1 fsize_hard=-1 bgate01

# sudo ln -s /homecomm/bgate01 /home/bgate01

14.  Once the user account is created, assign a temporary password for the new user.

AIX (passwd run by root sets the ADMCHG flag, so the user is forced to change the password at first login)
# sudo passwd bgate01

Linux (the current configuration does not force a change at first login, so expire the password explicitly)
# sudo passwd bgate01
# sudo chage -d 0 bgate01

15.  Create empty .rhosts and .netrc files in the user's home directory, owned by root:system (root:root on Linux hosts, which normally have no system group), with permissions 640 and 755 respectively.  With root ownership the user cannot write to them, so they cannot be used to grant passwordless rsh/rlogin trust or to store plaintext credentials; keep them empty.  Using the dmspar01 example:

# cd /homecomm/bgate01
# sudo touch .rhosts .netrc
# sudo chown root:system .rhosts .netrc
# sudo chmod 640 .rhosts
# sudo chmod 755 .netrc

16.  If accounts are created on any of the following hosts, please notify  to update the user list in the License Files spreadsheet.

17.  Update Issue View with the outcome and notify the user of the credentials and the hosts on which access was granted, cc'ing the requester.  Record in the ticket when the credentials were sent.  The temporary password is forced to change at first login (step 14), so it is only valid until the user's first logon.

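The allocation and command-building rules in steps 4 through 13 above, collected into one script as an added example that is not part of the original procedure.  It recreates the record directory under a temporary directory with constructed sample records (Jane Doe already present on dmspar01 and faappdv24, last_id_num at 3251); the function names and the sample records are the example's own assumptions, and the group, shell and fsize values follow the page's sample commands.

```sh
#!/bin/sh
# Added example (not part of the original procedure): derive the account-creation
# command for a development host by applying the rules above. It recreates the
# record directory (createid-<host>.ksh files plus last_id_num) under a temporary
# directory with constructed sample content; real use would point REC at
# /homecomm/nsek/create_id_grp instead.

REC=$(mktemp -d)
trap 'rm -rf "$REC"' EXIT

# Constructed records: one user already present on an AIX and a Linux host.
cat > "$REC/createid-dmspar01.ksh" <<'EOF'
mkuser id=3101 pgrp=pvcs groups=grampim gecos='Jane Doe' home=/homecomm/jdoe01 fsize=-1 fsize_hard=-1 jdoe01
ln -s /homecomm/jdoe01 /home/jdoe01
EOF
cat > "$REC/createid-faappdv24.ksh" <<'EOF'
useradd -u 3101 -g pvcs -G catread -c 'Jane Doe' -s /bin/ksh -d /home/jdoe01 jdoe01
EOF
printf '3251\n' > "$REC/last_id_num"

# Step 10: dmspar* and impvcs01 keep home directories under /homecomm, all others under /home.
home_prefix() {
    case "$1" in
        dmspar*|impvcs01) echo /homecomm ;;
        *)                echo /home ;;
    esac
}

# Steps 4-5: look for an existing record whose gecos contains the full name
# (case-insensitive) and print the uid already in use, or nothing if absent.
# A person still checks the gecos match by eye, as the procedure says.
existing_uid() {
    grep -ih "$2" "$1"/createid-*.ksh 2>/dev/null |
        sed -n -e 's/.*id=\([0-9][0-9]*\).*/\1/p' -e 's/.*-u \([0-9][0-9]*\).*/\1/p' |
        head -n 1
}

# Steps 6-8: take the next uid from last_id_num and write the new value back.
next_uid() {
    local n
    n=$(cat "$1/last_id_num")
    n=$((n + 1))
    printf '%s\n' "$n" > "$1/last_id_num"
    echo "$n"
}

# Steps 9-12: build the mkuser (AIX) or useradd (Linux) line, refuse the group
# "staff", and append the line to createid-<host>.ksh so later lookups reuse the uid.
# Arguments: record dir, host, aix|linux, login name, full name, primary group, secondary groups.
build_create_cmd() {
    local dir host os login name pgrp groups uid home line
    dir=$1; host=$2; os=$3; login=$4; name=$5; pgrp=$6; groups=$7
    case ",$pgrp,$groups," in
        *,staff,*) echo "refusing $login: group 'staff' must not be assigned" >&2; return 1 ;;
    esac
    uid=$(existing_uid "$dir" "$name")
    if [ -z "$uid" ]; then
        uid=$(next_uid "$dir")
    fi
    home=$(home_prefix "$host")/$login
    case "$os" in
        aix)
            line=$(printf "mkuser id=%s pgrp=%s groups=%s gecos='%s' home=%s fsize=-1 fsize_hard=-1 %s" \
                "$uid" "$pgrp" "$groups" "$name" "$home" "$login")
            if [ "$home" != "/home/$login" ]; then
                line=$(printf '%s\nln -s %s /home/%s' "$line" "$home" "$login")
            fi
            ;;
        linux)
            line=$(printf "useradd -u %s -g %s -G %s -c '%s' -s /bin/ksh -d %s %s" \
                "$uid" "$pgrp" "$groups" "$name" "$home" "$login")
            ;;
        *)
            echo "unknown OS '$os' for $host" >&2; return 1 ;;
    esac
    printf '%s\n' "$line" >> "$dir/createid-$host.ksh"
    printf '%s\n' "$line"
}

# Walk-through of the page's example: Billy Gate on dmspar01 (AIX, /homecomm) and
# faappdv24 (Linux). The second call finds the uid 3252 recorded by the first.
build_create_cmd "$REC" dmspar01 aix bgate01 'Billy Gate' pvcs grampim
build_create_cmd "$REC" faappdv24 linux bgate01 'Billy Gate' pvcs catread
```

Running it prints the mkuser, ln -s and useradd lines for the page's Billy Gate example and leaves last_id_num at 3252, because the second host reuses the uid recorded by the first.  To use it against the real records, point REC at /homecomm/nsek/create_id_grp on imcsm, and still read the matched gecos before trusting a reused uid.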



Create Functional ID

1.      If the user requested a functional ID, take the following into consideration.

A functional ID requires an owner, who is the primary contact for the account.  Make sure the requester names the owner, and record the owner in the gecos field of the mkuser script.  Allocate the UID exactly as for a personal account (steps 5-8 above); 3252 is only the example value here.  For example, for the functional ID mssvc:

AIX

# mkuser id=3252 pgrp=pvcs groups=grampim gecos='Functional ID for MS Server owned by Mark Liu' home=/home/mssvc fsize=-1 fsize_hard=-1 mssvc

Linux

# useradd -u 3252 -g pvcs -G grampim -c 'Functional ID for MS Server owned by Mark Liu' -s /bin/ksh -d /home/mssvc mssvc

2.      After the account is created, issue the following commands so that the functional ID cannot log in remotely and its password does not expire.

AIX

# sudo chuser login=true rlogin=false maxage=0 mssvc

Linux

# sudo chage -M -1 mssvc
# sudo usermod -s /bin/false mssvc

On AIX, rlogin=false blocks remote logins (telnet, rlogin, ssh) while login=true still permits local console login and su.  On Linux, a shell of /bin/false blocks every interactive login but not cron jobs or su -s /bin/ksh mssvc from root, which is how a functional ID is normally used.



Reset User Account Passwords

1.      Log in to the target host where the user account resides and check the lockout status with the following command.

AIX
# sudo lsuser -a account_locked bgate01

Linux
# sudo passwd -S bgate01

2.      If the account is reported locked (see below), ask the user to obtain approval from their PM before it is unlocked; otherwise go to step 4.

AIX
bgate01 account_locked=true

Linux
bgate01 LK 2010-11-09 0 99999 14 0 (Password locked.)

3.      If approval is given, unlock the account.

AIX
# sudo chuser account_locked=false bgate01

Linux
# sudo passwd -u bgate01

4.      Reset the user's password.

# sudo passwd <user name>

# sudo passwd bgate01
Changing password for "bgate01"
bgate01's New password:
Enter the new password again:

5.      Reset the user's unsuccessful login count to zero.

AIX
# sudo chuser unsuccessful_login_count=0 bgate01

Linux
# sudo faillog -r -u bgate01

6.      Notify the user of the new password.  At the next login to the target host the user is prompted to change it.
7.      If the user wants a specific password set and must not be prompted to change it at login, clear the change-at-login flag on the account.  This leaves a password known to the administrator on the account, so do it only when the user explicitly asks.

AIX
# sudo pwdadm -c bgate01

Linux
No additional command is required, because the Linux reset above does not force a change at login.



Creating New Groups

  1. Change directory to /homecomm/nsek/create_id_grp.

# cd /homecomm/nsek/create_id_grp

  2. Search this folder to see whether the group already exists.

# grep bclread *

  3. If the result looks like the following, the group bclread already exists on other hosts; reuse its ID number, 1469.

mkgroup_usr.ksh:mkgroup -A id=1469 bclread
mkgroup_usr.ksh:mkgroup -A id=1469 bclread
mkgroup_usr.ksh:mkgroup -A id=1469 bclread
mkgroup_usr.ksh:mkgroup -A id=1469 bclread

  4. If bclread does not exist yet, check the content of last_grp_num.  The file contains the last group ID used.

# cat last_grp_num

1814

  5. Increment the group ID by 1, so the new ID is 1815 in this case, and write the new number back to last_grp_num.
  6. Record the group in the appropriate mkgroup script from the list below.

mkgroup_batch.ksh
mkgroup_adm.ksh
mkgroup_read.ksh
mkgroup_instance.ksh
mkgroup_etl.ksh
mkgroup_usr.ksh

  7. For example, if bclread did not exist yet and is to be created on server opfqa02, edit mkgroup_usr.ksh to include mkgroup -A id=1815 bclread in the opfqa02 section.

#----------------------------#
# opfqa02
#----------------------------#
mkgroup -A id=1258 biouctl
mkgroup -A id=1263 uatread
mkgroup -A id=1815 bclread

  8. If the target host is a Linux server, record the groupadd form instead.

######################
#faappdv24
######################
groupadd -g 1689 msk
groupadd -g 1690 mskdev
groupadd -g 1815 bclread

  9. Log on to the appropriate host and issue the group creation command.

AIX
# sudo mkgroup -A id=1815 bclread

Linux
# sudo groupadd -g 1815 bclread
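A check over the record scripts before a group is created, added here as an example that is not part of the original procedure.  It reads every mkgroup_*.ksh, reuses or allocates the gid as steps 2 through 5 describe, and reports groups whose records disagree, which hand-edited files accumulate (the constructed sample deliberately records uatread under two gids).  The function names and the sample records are the example's own assumptions.

```sh
#!/bin/sh
# Added example (not part of the original procedure): check the hand-maintained
# mkgroup_*.ksh record files for a group before allocating a gid. It reuses an
# existing gid, allocates the next one from last_grp_num otherwise, and reports the
# two inconsistencies that creep into these files: one name recorded with two gids,
# and one gid recorded under two names. The records below are constructed; real use
# would point GRP at /homecomm/nsek/create_id_grp.

GRP=$(mktemp -d)
trap 'rm -rf "$GRP"' EXIT

cat > "$GRP/mkgroup_usr.ksh" <<'EOF'
#----------------------------#
# opfqa02
#----------------------------#
mkgroup -A id=1258 biouctl
mkgroup -A id=1263 uatread
mkgroup -A id=1469 bclread
#----------------------------#
# dmspar01
#----------------------------#
mkgroup -A id=1469 bclread
EOF
cat > "$GRP/mkgroup_read.ksh" <<'EOF'
######################
#faappdv24
######################
groupadd -g 1689 msk
groupadd -g 1690 mskdev
groupadd -g 1689 uatread
EOF
printf '1814\n' > "$GRP/last_grp_num"

# Turn every "mkgroup -A id=NNN name" and "groupadd -g NNN name" record line into
# "name gid"; comment and banner lines are ignored.
group_records() {
    cat "$1"/mkgroup_*.ksh 2>/dev/null |
        sed -n \
            -e 's/^[[:space:]]*mkgroup[[:space:]].*id=\([0-9][0-9]*\)[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*$/\2 \1/p' \
            -e 's/^[[:space:]]*groupadd[[:space:]].*-g[[:space:]]\{1,\}\([0-9][0-9]*\)[[:space:]]\{1,\}\([A-Za-z0-9_]\{1,\}\).*$/\2 \1/p'
}

# Every distinct gid recorded for a group name, one per line (empty if unknown).
group_gid() {
    group_records "$1" | awk -v g="$2" '$1 == g { print $2 }' | sort -u
}

# Names with more than one gid, and gids shared by more than one name.
group_conflicts() {
    group_records "$1" | sort -u | awk '
        { byname[$1] = byname[$1] " " $2; bygid[$2] = bygid[$2] " " $1; n[$1]++; m[$2]++ }
        END {
            for (g in n) if (n[g] > 1) printf "group %s has several gids:%s\n", g, byname[g]
            for (i in m) if (m[i] > 1) printf "gid %s is used by several groups:%s\n", i, bygid[i]
        }'
}

# Gid to use for a group: the recorded one if consistent, else the next number
# from last_grp_num (written back, as the procedure requires). Refuses a group
# whose records disagree, since creating it would spread the inconsistency.
allocate_gid() {
    local dir name existing n
    dir=$1; name=$2
    existing=$(group_gid "$dir" "$name")
    if [ -z "$existing" ]; then
        n=$(cat "$dir/last_grp_num")
        n=$((n + 1))
        printf '%s\n' "$n" > "$dir/last_grp_num"
        echo "$n"
    elif [ "$(printf '%s\n' "$existing" | wc -l | tr -d ' ')" -eq 1 ]; then
        echo "$existing"
    else
        # $existing is left unquoted on purpose so the gids print on one line.
        echo "group $name is recorded with more than one gid:" $existing >&2
        return 1
    fi
}

group_conflicts "$GRP"        # reports uatread (1263 and 1689) and gid 1689 (msk, uatread)
allocate_gid "$GRP" bclread   # existing group: prints 1469, last_grp_num untouched
```

Run group_conflicts before every allocation; an empty report means the record files agree with each other, and only then is a reused or freshly incremented gid trustworthy.
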

Remove Groups

  1. To remove an existing group, issue the following command.  Both commands refuse to remove a group that is still the primary group of an existing user, so reassign such users first, and keep the mkgroup record scripts in step with the change.

AIX
# sudo rmgroup <group name>

Linux
# sudo groupdel <group name>

Modify User Accounts on AIX

  1. User account changes on AIX, such as adding or removing groups and enabling or disabling the account, are done through SMITTY.
  2. Issue the following command at the prompt; you will be asked for your password again.

# sudo smitty user

  3. To grant a user additional group memberships, navigate to Change / Show Characteristics of a User, enter the user name of the account to update and press Enter.
  4. Replace the current entries in the Group SET field with the new list.  SMITTY replaces the membership list rather than adding to it, so include the existing groups that should be kept.
  5. To commit the changes, press Enter.  To cancel the changes you made, press ESC-3.
  6. To disable a user's account, set User can LOGIN? to false.

  

Modify User Accounts on Linux

  1. User account changes on Linux, such as adding or removing groups and enabling or disabling the account, are done with the shadow-utils commands: usermod (and groupmod) for changes, and useradd, userdel, groupadd and groupdel for creation and removal.
  2. To change a user's primary group, use the following.  This replaces the user's primary group with the new one.

# usermod -g <group name> <user name>
# usermod -g operator bgates01

  3. To change the secondary group membership of a user, use the following.  This replaces all current secondary groups with the groups specified, so use it without -a only when that is intended.

# usermod -G <group name #1>,<group name #2> <user name>
# usermod -G faadm,fadev bgates01

  4. To add secondary groups without dropping the existing ones, use -a together with -G.

# usermod -a -G <group name #1>,<group name #2> <user name>
# usermod -a -G faadm,fadev bgates01

  5. There are two independent ways an account can be locked out, so both checks are needed to establish the account's status.

# passwd -S <username>

# passwd -S bgates01
bgates01 LK 2010-03-17 0 35 14 0 (Password locked.)

# faillog -u <username>

# faillog -u bgates01
Login       Failures Maximum Latest                                       On
bgates01          6        5                03/23/10 15:26:30 -0400  ocdt7021058

In the example above, either the password being locked (LK) or the failure counter exceeding the maximum of 5 locks the account.
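Both checks combined into one decision, as an added example that is not part of the original page; it covers the Linux check in the Reset User Account Passwords section as well.  The command outputs are constructed samples in the format shown above; the function names and the state labels are the example's own.

```sh
#!/bin/sh
# Added example (not part of the original procedure): decide a Linux account's lock
# state from the output of the two independent checks described above, and list the
# unlock commands the procedure prescribes for each. The command outputs below are
# constructed samples in the format shown on the page; in use they would come from
# `sudo passwd -S "$user"` and `sudo faillog -u "$user"`.

# `passwd -S` line: field 2 is LK (locked), PS (password set) or NP (no password).
# `faillog -u` output: a header line, then "user failures maximum latest on".
# Result: password-locked, tally-locked, password-and-tally-locked, or ok.
# The tally locks the account once Failures exceeds Maximum, matching the page.
linux_lock_state() {
    local pw_line fail_out flag failures maximum state
    pw_line=$1; fail_out=$2
    flag=$(printf '%s\n' "$pw_line" | awk '{ print $2 }')
    # Positional parameters are reassigned here to split the "failures maximum" pair.
    set -- $(printf '%s\n' "$fail_out" | awk 'NR > 1 && NF >= 3 { print $2, $3; exit }')
    failures=${1:-0}; maximum=${2:-0}
    state=ok
    if [ "$flag" = LK ]; then
        state=password-locked
    fi
    if [ "$maximum" -gt 0 ] && [ "$failures" -gt "$maximum" ]; then
        if [ "$state" = ok ]; then
            state=tally-locked
        else
            state=password-and-tally-locked
        fi
    fi
    echo "$state"
}

# The unlock commands from the procedure that apply to a given state. Run them only
# after the user's PM has approved the unlock.
linux_unlock_commands() {
    local user state
    user=$1; state=$2
    case "$state" in
        password-locked)           echo "sudo passwd -u $user" ;;
        tally-locked)              echo "sudo faillog -r -u $user" ;;
        password-and-tally-locked) printf 'sudo passwd -u %s\nsudo faillog -r -u %s\n' "$user" "$user" ;;
        ok)                        ;;
    esac
}

# Constructed samples in the format the page shows.
PW_LOCKED='bgates01 LK 2010-03-17 0 35 14 0 (Password locked.)'
PW_OK='bgates01 PS 2010-03-17 0 35 14 0 (Password set, SHA512 crypt.)'
FAIL_OVER='Login       Failures Maximum Latest                                       On
bgates01          6        5                03/23/10 15:26:30 -0400  ocdt7021058'
FAIL_NONE='Login       Failures Maximum Latest                                       On
bgates01          0        5'

state=$(linux_lock_state "$PW_LOCKED" "$FAIL_OVER")
echo "bgates01: $state"
linux_unlock_commands bgates01 "$state"
```

With the page's sample output the result is password-and-tally-locked and both unlock commands are listed; unlocking only the password (the first check alone) would leave the account still locked by the failure tally.
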

Removing Users

  1. To remove an existing user, use the following commands.  Neither command removes the home directory by default (userdel -r does on Linux), so decide what happens to the user's files, and remove the user's line from the createid record script.

AIX
# sudo rmuser <user name>
# sudo rmuser bgate01

Linux
# sudo userdel <user name>
# sudo userdel bgate01
