-
Title
How to override user or group information? -
Description
This article is to explain how to setup user or group overrides and how they are used by the operating system.
-
Resolution
Overriding User Information
You cannot override the local account's uid, gid and shell. To override an Active Directory (AD) account you would use the user-override file that, by default, should be placed: /etc/opt/quest/vas/user-override
It needs to be written in the following format of the following:
Existing Upn: New Name: New UID : New GID : New Gecos : New Home Directory : New ShellFor Example:
jdoe@example.com:john_doe:708:1200:Overridden Gecos:home:/bin/shIf you don't want to change everything, just put the colons in place anyway.
To override the account's UID and GID and shell it would look like the following:
user@example.com:1234:12345::::/bin/kshYou will need to know the User's principal name (UPN) of the account. To find out what the UPN is you can do the following command:
vastool -u host/ attrs <username> userprincipalnameOverriding Group information
You can override group account attributes on the local Unix host. This allows you to use the group information from Active Directory but modify individual attributes on certain hosts as needed. Group overrides are specified in the
/etc/opt/quest/vas/group-override configuration file. Overrides are specified as follows:
DOMAIN\samAccountName:<Group Name>:<GID Number>:<Group Membership>DOMAIN\samAccountName must refer to a valid Active Directory group account. You can omit any of the Unix account fields. If a field is not specified it will get the default value for that group. The group membership field
consists of a comma-separated list of Active Directory user accounts specified in DOMAIN\samAccountName format.Here is some information from /etc/opt/quest/vas/group-override.sample file.
# Adds the local system users bob and localuser to the dbadmins group on this
# host.EXAMPLE\dbadmins:::localuser,bob
# Change the Unix name of the Active Directory group to enggrp on the local
# system.EXAMPLE\Engineering_Group:enggrp::
# Add the Active Directory user tuser@example.com to the group testgrp on this
# Unix host, at the same time overriding the gid of the group to 1500.EXAMPLE\testgrp::1500:tuser@example.com
PLEASE NOTE: When using override the system will know about the overridden names and not the original as the operating system will know about the overridden names only. Therefore when performing NSS calls be sure to use the overridden information and not the actual AD name.
-
Additional Information
On occasion it may be necessary to have both the original account name and the overridden account name visible on the system. To do this you can enable the following option in your vas.conf file: [vasd] user-override-name-allow-original = true