Authentication Services enabled AD accounts cannot be put in AIX local groups
Authentication Services no longer report users as being members of local groups through its interfaces.The change was due to IBM's documentation as to how our module should work. Therefore, the LAM module and getgrset no longer report users as a member of a local group if /etc/groups is modified with the membership.
This functionality is now included as a configurable option in Authentication Services as of version 4.1.0-21630. This has been logged as Defect number 434922.
To enable the mixing of repositories
See the vastool man pages for further details.
include-local-group-memberships = true
The following command will set this value as well.
To turn it on.
/opt/quest/bin/vastool configure vas aix_vas include-local-group-memberships true
To turn it off.
/opt/quest/bin/vastool configure vas aix_vas include-local-group-memberships false
The full changelog entry is;
* lam: Re-implement the previous behavior removed due to Bug 28308. Now
controlled by a new setting:
include-local-group-memberships = true (default is false)
This means QAS will again include local group memberships in its response
for group memberships request.
Quest Software does not recommend utilizing mixed repositories in the following situation:
• DB2 9.5 FP4 or DB2 9.7 FP1 is installed on AIX
• Transparent Authentication is enabled
• Active Directory user is UNIX enabled
• Active Directory user is manually placed into a local group
In the situation above the user may be denied access to the database when granting access based on group membership.
For additional information please refer to DCR # MR1204142259 when contacting IBM Support. This references a request to investigate why AD users to local groups does not work in all scenarios.
After QAS users have been added to the local groups, QAS users / groups can then be unmerged and the local groups retain their QAS members. See the vastool man pages for further details.
AD users should be put in AD groups and local users should be put into local groups only. They cannot be mixed in the AIX environment.