Creating users
Adding users by modifying configuration files
Adding users by using useradd
Configuration files for user management defaults
Creating a user environment
id username -> get information about a user account: its UID, group membership and
security context.
whoami -> get username of the current user.
su - -> start a login shell. When you start a login shell, all scripts that make up the user
environment are processed.
Note: Most of the password properties can be managed with passwd or chage commands.
Creating users
useradd -> add a user account. User accounts can also be added by directly editing /etc/passwd
and /etc/shadow, which is not recommended.
userdel -> remove the user from the system.
userdel -r -> remove user from the system, including the complete user environment.
vipw -> opens /etc/passwd in an editor and sets appropriate locks on the file to prevent
corruption. It does not check the syntax.
vipw -s -> opens /etc/shadow in an editor with the same locking.
vigr -> opens /etc/group, the file in which groups are defined, in an editor with the same
locking.
home directory -> directory where personal files can be stored (regular accounts) or directory
which contains the working environment (service accounts).
useradd -m -> add a home directory, copy the contents of the skeleton directory (/etc/skel/) to
the newly created home directory, and apply appropriate ownership and permissions to the copied
files so that the new user can access them.
usermod -> modify user properties. Set all properties of users stored in /etc/passwd and
/etc/shadow, and manage group membership.
usermod -p -> set the new password from an already encrypted (hashed) string (of limited use,
as you need to produce the hash yourself before passing it).
passwd -> utility to set user’s password.
/etc/default/useradd -> contains some default values that are applied when using useradd.
/etc/login.defs -> the file in which login-related variables are set. It relates to setting up the
appropriate environment for new users. The most significant properties that can be set in
/etc/login.defs:
● MOTD_FILE: defines the file used as the “message of the day”, whose contents are
displayed after the user has successfully logged in to the server.
● ENV_PATH: defines the $PATH variable, a list of directories that should be searched for
executable files after logging in.
● PASS_MAX_DAYS, PASS_MIN_DAYS, and PASS_WARN_AGE: define the default
password expiration properties when creating new users.
● UID_MIN: the first UID to use when creating new users.
● CREATE_HOME: create a home directory for new users.
● USERGROUPS_ENAB: if set to yes, then create a private group for every new user. That
means that a new user has a group with the same name as the user as its default group.
If set to no, all new users are made a member of the group named users.
chage, passwd -> commands used to change user properties set in /etc/shadow.
passwd -n 30 -w 3 -x 90 linda -> set the password for user linda to a minimal usage
period of 30 days and an expiry after 90 days, where a warning is generated 3 days before
expiry.
chage -E 2015-12-31 bob -> expire the account for user bob on December 31, 2015.
chage -l username -> see the current password management settings for a user.
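The aging values that passwd -n/-w/-x and chage write end up as the numeric fields of /etc/shadow. The following script, added here as an example and not part of the original notes, classifies each entry the way chage -l would report it, using a constructed sample of /etc/shadow (dummy hashes) and a fixed "today" given as days since 1970-01-01:

```shell
#!/bin/sh
# Added example: classify the password-aging state of /etc/shadow entries.
# Shadow fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# (lastchg and expire are counted in days since 1970-01-01).

# shadow_pw_status LINE TODAY -> prints one of: locked, expired, no-aging, warn, ok
shadow_pw_status() {
    printf '%s\n' "$1" | awk -F: -v today="$2" '
    {
        hash = $2; lastchg = $3; max = $5; warn = $6; expire = $8
        if (hash ~ /^[!*]/)                     { print "locked";   next }
        if (expire != "" && today > expire + 0) { print "expired";  next }   # account expiry (chage -E)
        if (max == "" || max + 0 >= 99999)      { print "no-aging"; next }   # PASS_MAX_DAYS never set
        left = lastchg + max - today            # days until the password expires
        if (left < 0)                           { print "expired";  next }
        if (warn != "" && left <= warn + 0)     { print "warn";     next }   # inside the -w window
        print "ok"
    }'
}

# audit_shadow FILE TODAY -> one "user status" line for every account that is not "ok"
audit_shadow() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        user=${line%%:*}
        status=$(shadow_pw_status "$line" "$2")
        [ "$status" = "ok" ] || printf '%s %s\n' "$user" "$status"
    done < "$1"
}

# Constructed sample of /etc/shadow (hashes are dummies); day 17088 is used as "today".
sample=$(mktemp)
cat > "$sample" <<'EOF'
root:$6$dummyhash:17000:0:99999:7:::
linda:$6$dummyhash:17000:30:90:3:::
bob:$6$dummyhash:17050:0:90:7::17080:
lisa:!!:17000:0:90:7:::
carl:$6$dummyhash:16900:0:90:7:::
anna:$6$dummyhash:17050:0:90:7:::
EOF
audit_shadow "$sample" 17088   # prints root no-aging, linda warn, bob expired, lisa locked, carl expired
rm -f "$sample"
```

On a live system the same functions can be pointed at /etc/shadow (readable by root only) with today's day number from `expr $(date +%s) / 86400`.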
vigr -> open an editor interface directly on the /etc/group configuration file. In this file, groups
are defined in four fields per group: group_name:group_passwd:group_ID:members.
● Group name -> name of the group.
● Group password -> a feature that is hardly used anymore. A group password can be
used by users who want to join the group temporarily, so that they are allowed access to
files the group has access to.
● Group ID -> unique numeric group identification number.
● Members -> contains the names of users that are a member of this group as a
secondary group. It does not show users that are a member of this group as their
primary group.
groupmod -> manage group properties. Use this command to change the name or group ID of
the group. To add group members use usermod.
usermod -aG groupname username -> add a user to an additional group that will be used as a
secondary group (-a appends to the current list of secondary groups instead of replacing it).
groupmems -g sales -l -> list the members of the group sales. Shows users who are a member
of this group as a secondary group assignment, but also users who have this group as their
primary group assignment.
Logging In Through an External Authentication Service
LDAP is used to provide centralized authentication services.
The Lightweight Directory Access Protocol (LDAP) was developed as a protocol to get
information from an X.500 directory service. This service was originally developed as an
address book.
LDAP is an open standard, and many directory services are available that use LDAP as their
access protocol. Common LDAP solutions are OpenLDAP and FreeIPA (an LDAP server
integrated into Red Hat Identity Management).
LDAP directory servers are organized in a hierarchical, distributed and replicated way:
● hierarchical -> organized like DNS, using domains (in LDAP called containers) to
organize the leaf objects (such as users) in a way that makes sense.
● distributed -> entire database does not have to be available on one single server. The
different containers in the LDAP hierarchy can be spread over multiple servers to make
the information available where it needs to be available. To distribute the information in
the LDAP directory, the directory tree is partitioned into different parts.
● replicated -> multiple copies of one partition can be created.
When users connect to LDAP, they need to specify which server to access. When enabling LDAP
access, users also need to specify which container they use as their base environment. This is
referred to as the base context. The name of the base context is always written out as a name
that includes the complete path (a fully distinguished name). In the example directory used in
these notes, the two containers that contain users are therefore dc=sfo,dc=rhatcert,dc=com and
dc=ams,dc=rhatcert,dc=com.
To ensure a base level of security, Transport Layer Security (TLS) certificates are used. These
certificates ensure that the server that LDAP users are authenticating against is verified, and
that user credentials are secured while transported over the network.
To authenticate on an LDAP server, there are two options:
● Password authentication (RHCSA)
● Kerberos authentication (RHCE)
To set up RHEL7 for LDAP authentication, you need to create a configuration file in which you
define:
● LDAP server
● TLS certificate
● Base DN (the container in LDAP that should be used as the base context)
To set this up, three different tools can be used:
● authconfig -> command-line utility in which you have to specify all you want to do by
using command-line options.
● authconfig-tui -> menu-driven text user interface that allows you to select options to be
used from a list. Use of this utility is recommended.
● authconfig-gtk -> utility with a GUI, which for that reason can be used from a GUI
environment only.
Depending on which tool you use, a different authentication backend is configured.
● nslcd -> service that is configured and started when using authconfig-tui.
● sssd -> service used as backend when authconfig-gtk is used.
When you use authconfig-tui, the nslcd service is configured on your server to connect to the
LDAP service. The nslcd service uses the configuration file /etc/nslcd.conf.
If you initialize the connection to the LDAP server using authconfig-gtk, the configuration is
written to sssd. The LDAP-related configuration lines are stored in the /etc/sssd/sssd.conf file.
The sssd service integrates with the local authentication procedure and redirects all
authentication requests to LDAP.
Note: When you use authconfig-tui, the variable FORCELEGACY=yes is set in
/etc/sysconfig/authconfig. This causes nslcd to be used instead of sssd.
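As an added example (not taken from the notes or from any vendor documentation), this sssd.conf fragment carries the three items listed above (LDAP server, TLS certificate, base DN) for the ams container; the server name ldap.rhatcert.com and the CA path /etc/openldap/cacerts/ca.crt are assumptions:

```ini
; Added example of /etc/sssd/sssd.conf for LDAP password authentication over TLS.
; Hostname and CA certificate path are placeholders chosen for this example.
[sssd]
config_file_version = 2
services = nss, pam
domains = rhatcert

[domain/rhatcert]
id_provider = ldap
auth_provider = ldap
; server (ldaps:// so that credentials never cross the network in clear text)
ldap_uri = ldaps://ldap.rhatcert.com
; base context: the container whose users may log in on this host
ldap_search_base = dc=ams,dc=rhatcert,dc=com
; TLS certificate: the CA that must have issued the server certificate;
; "demand" makes sssd refuse a server whose certificate does not validate
ldap_tls_cacert = /etc/openldap/cacerts/ca.crt
ldap_tls_reqcert = demand
cache_credentials = true
```

sssd refuses to start unless the file is owned by root with mode 0600, and with ldap_tls_reqcert = demand a server certificate that does not validate against the CA fails the login rather than falling back, which is the server verification the TLS paragraph above describes.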