When AD users are added to local groups this does not function as expected.
RESOLUTION:
The functionality to add QAS users to local groups has been implemented in Authentication Services as of version 4.1.0-21630.
The following KB article gives full details.
https://support.quest.com/kb/90952
How to configure:
1) Check that your systems are configured for LAM authentication in /etc/security/login.cfg:
auth_type = STD_AUTH
2) Set the following in vas.conf:
[aix_vas]
include-local-group-memberships = true
It can be set by running the following or manually:
/opt/quest/bin/vastool configure vas aix_vas include-local-group-memberships true
3) Merge the user or users so that they are seen as local and the native user management commands will run.
/opt/quest/bin/vastool merge users
/opt/quest/bin/vastool merge user username
4) Add the user or users to the group using the native commands, for example:
"mkgroup -A localaix"
Modify local or merged user to be part of the local group:
usermod -G localaix aduser
5) Make sure the AD user is in the local group:
vi /etc/group
localaix:!:206:localuser,aduser
6) Unmerge the AD users. This will remove them from /etc/passwd:
/opt/quest/bin/vastool unmerge users
7) Test that the system sees local and AD users as being in the same group:
groups <username>
id <username>
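A check that can follow steps 2, 5 and 6, shown as an added example that is not part of the original article or of Authentication Services: it reads the [aix_vas] setting and lists the members of a local group that have no /etc/passwd entry, which after the unmerge should be exactly the AD accounts added in step 4. The function names and the sample files are constructed for illustration; file paths are passed as arguments so the check can run against copies.

```shell
#!/bin/sh
# Added example: audit helpers, not part of Authentication Services.

# Print the value of include-local-group-memberships from the [aix_vas]
# section of a vas.conf-style file (no output if it is not set there).
aix_vas_setting() {   # usage: aix_vas_setting CONFFILE
    awk '
        /^[ \t]*\[/ { in_sec = ($0 ~ /^[ \t]*\[aix_vas\][ \t]*$/); next }
        in_sec && /^[ \t]*include-local-group-memberships[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, ""); sub(/[ \t]+$/, ""); print; exit
        }' "$1"
}

# Print members of GROUP that are listed in the group file but have no
# entry in the passwd file. Unexpected names here deserve a closer look.
nonlocal_members() {  # usage: nonlocal_members GROUP GROUPFILE PASSWDFILE
    awk -F: -v g="$1" '
        FILENAME == ARGV[1] { local_user[$1] = 1; next }   # passwd file
        $1 == g {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in local_user)) print m[i]
        }' "$3" "$2"
}

# Constructed sample data mirroring steps 2, 5 and 6 (not real system files).
tmp=$(mktemp -d)
printf '[aix_vas]\n include-local-group-memberships = true\n' > "$tmp/vas.conf"
printf 'localaix:!:206:localuser,aduser\nstaff:!:1:localuser\n' > "$tmp/group"
printf 'root:!:0:0::/:/usr/bin/ksh\n' > "$tmp/passwd"
printf 'localuser:!:205:1::/home/localuser:/usr/bin/ksh\n' >> "$tmp/passwd"

echo "include-local-group-memberships: $(aix_vas_setting "$tmp/vas.conf")"
echo "non-local members of localaix: $(nonlocal_members localaix "$tmp/group" "$tmp/passwd")"
```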
WORKAROUND: (For versions of Authentication Services older than 4.1.0-21630.)
1 - Create an Active Directory (AD) group and a local group of the same name. This is also referred to as mirroring in groups.
2 - Then put local users in local groups and AD users in AD groups. This will return the correct group membership.