Can I create a Unix-Enabled group with GID = 0 or a Unix-Enabled user with UID = 0? Can I create a group override to GID 0?
UID 0 and GID 0 are associated with the root account. For security reasons, Authentication Services will not serve a user or group with an ID of 0.
Managing the root account or group from anywhere other than the local system creates a risk that you will be unable to log in to the system to repair it if a failure occurs.
You may set up an AD group or user with a GID/UID of 0; however, the group or user will not be pulled into the QAS cache.
You can map the root user to an AD account, but it is not recommended.
---------------------- from man pages [vas.conf] ---------------------------
mapped-root-user = <user principal name>
Default value: none
The root account is the only account that cannot be mapped through either the user mapping files or through a getpwnam() mapping. This is done for security reasons and to help prevent accidental remapping of the root account. The mapped-root-user option must be used to specify an Active Directory user to use for authentication when someone attempts to log in using the root account. The following example shows how to use the built-in Active Directory administrator account to authenticate the root user.
[vas_auth]
mapped-root-user = Administrator@example.com
---------------------- from VAS documentation --------------------------------
Mapping the root Account
The root account is the only account that cannot be mapped through the user-mapping file. The root account mapping is specified through the vas.conf file mapped-root-user setting.
The mapped-root-user option is set in the vas_auth section, specifying the Active Directory user principal name corresponding to the root user as follows:
[vas_auth]
mapped-root-user = Administrator@example.com
When using mapped-root-user on AIX, you must configure VASMU on the system line of the root section in /etc/security/user.
-----------------------------------------------------------------------------------------
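An added audit example, not part of the One Identity documentation: it reports whether root has been mapped to an AD account through mapped-root-user in [vas_auth] and, for AIX, whether VASMU appears on the SYSTEM line of the root stanza in /etc/security/user. The function names and the sample file contents are assumptions constructed for illustration.

```python
import re

# Constructed sample inputs (not from a real host). The SYSTEM values are
# illustrative; take the exact SYSTEM grammar from the product documentation.
VAS_CONF = "[vas_auth]\n mapped-root-user = Administrator@example.com\n"
AIX_USER = 'default:\n\tSYSTEM = "compat"\n\nroot:\n\tSYSTEM = "compat"\n\trlogin = true\n'

def mapped_root_user(vas_conf_text):
    """Return the mapped-root-user UPN set in [vas_auth], or None."""
    section = None
    for raw in vas_conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):  # assumption: '#' starts a comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip()
        elif section == "vas_auth" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "mapped-root-user" and value:
                return value
    return None

def root_system_line(security_user_text):
    """Return the SYSTEM attribute of the root stanza in /etc/security/user."""
    stanza = None
    for raw in security_user_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("*"):  # '*' starts a comment in AIX stanza files
            continue
        if line.endswith(":") and "=" not in line:
            stanza = line[:-1]
        elif stanza == "root" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            if key == "SYSTEM":
                return value.strip('"')
    return None

def audit(vas_conf_text, security_user_text=None):
    """List findings; pass security_user_text only when auditing an AIX host."""
    upn = mapped_root_user(vas_conf_text)
    if upn is None:
        return []
    findings = [f"root is mapped to AD account {upn} (not recommended)"]
    if security_user_text is not None:
        system = root_system_line(security_user_text) or ""
        if "VASMU" not in re.split(r"[^A-Za-z0-9_]+", system):
            findings.append("AIX: VASMU missing from SYSTEM line of root stanza")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(VAS_CONF, AIX_USER)))
```

On a real host, read /etc/opt/quest/vas/vas.conf (the usual location, treated here as an assumption) and, on AIX, /etc/security/user, and pass their contents to audit().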