
Oracle Linux 6 Boot Camp

Oracle Linux 6 Lab Exercise

Safe Harbor Statement


The following is intended to outline our general product direction. It is intended for
information purposes only, and may not be incorporated into any contract. It is not a
commitment to deliver any material, code, or functionality, and should not be relied
upon in making purchasing decisions.
The development, release, and timing of any features or functionality described for
Oracle's products remains at the sole discretion of Oracle.

Oracle Training Materials Usage Agreement


Use of this Site (Site) or Materials constitutes agreement with the following terms
and conditions:
1. Oracle Corporation (Oracle) is pleased to allow its business partner (Partner)
to download and copy the information, documents, and the online training courses
(collectively, "Materials") found on this Site. The use of the Materials is restricted to
the non-commercial, internal training of the Partner's employees only. The
Materials may not be used for training, promotion, or sales to customers or other
partners or third parties.
2. All the Materials are trademarks of Oracle and are proprietary information of
Oracle. Partner or other third party at no time has any right to resell, redistribute or
create derivative works from the Materials.
3. Oracle disclaims any warranties or representations as to the accuracy or
completeness of any Materials. Materials are provided "as is" without warranty of
any kind, either express or implied, including without limitation warranties of
merchantability, fitness for a particular purpose, and non-infringement.
4. Under no circumstances shall Oracle or the Oracle Authorized Delivery Partner be
liable for any loss, damage, liability or expense incurred or suffered which is claimed
to have resulted from use of this Site or Materials. As a condition of use of the
Materials, Partner agrees to indemnify Oracle from and against any and all actions,
claims, losses, damages, liabilities and expenses (including reasonable attorneys'
fees) arising out of Partner's use of the Materials.
5. Reference materials including but not limited to those identified in the Boot Camp
manifest cannot be redistributed in any format without Oracle written consent.

OL 6 Users & Groups Admin Lab 4

Oracle Linux Users and Groups Administration
V1.0 January 2013

1 Introduction
Participants will gain example-led awareness and understanding of the Linux Users
and Groups Administrative tasks.
With a few basic exercises we will introduce the learner to some ways to perform
Linux Users and Groups creation and administration in Oracle Linux 6. We will also
introduce you to LDAP and NIS authentication options and discuss Pluggable
Authentication Modules (PAM). Upon completion of this lab, participants will have
learned how to do Users and Groups Administration on Oracle Linux 6.

2 Overview
In this lab we'll practice User and Group Administration on Oracle Linux 6. We'll
briefly review some advanced concepts such as LDAP and NIS authentication and PAM
configuration.
Some of the commands and concepts we'll review are listed below.

Creating Users and Groups using User Manager GUI Tool
Users and Groups Administration using Command-Line Utilities
Configure Password Aging
Describe LDAP and NIS authentication options (no lab)
Introduction to Pluggable Authentication Modules (PAM) (no lab)

This practice can be accomplished with a single VirtualBox Oracle Linux 6.3
instance. You must have a working instance of Oracle Linux 6.3 running in your
VirtualBox environment to perform this lab.

For Oracle employees and authorized partners only. Do not distribute to third parties.
2013 Oracle Corporation
OL 6 - Lab 04
Page 2 of 59


3 Pre-requisites
This lab requires the use of the following elements:

A current 64 bit laptop with at least 2GB RAM and 20GB free disk space
Operating system: A 64-bit version of Microsoft Windows, Mac OS X, Linux
or Solaris. Alternatively, a 32-bit host OS installed on a 64-bit CPU with VT-x/AMD-V enabled in the BIOS.
Oracle VirtualBox Software 4.2.6 or later (4.2 with Extension Pack installed)
Oracle Linux 6.3 instance running inside VirtualBox:
o VM Image Provided by instructor or downloaded on your own
o Installed in Lab 1 of Oracle Linux 6 Boot camp

The following assumptions have been made regarding the environment where this
lab is being performed:
1. Network connectivity to the Internet is available
2. Your Oracle Linux 6.3 VirtualBox instance has been installed and you've
assigned a normal user/password and a root user password.
a. The recommended user name is student1
b. The recommended password is oracle
c. The recommended root password is oracle

4 VirtualBox lab setup


If you already have an instance of Oracle Linux 6.3 installed in VirtualBox or have
already imported the Oracle Linux 6.3 image, you can skip this section and proceed
to the Labs in Section 5. If you need to import the Oracle Linux 6.3 appliance (image
in ova file provided for this training) then complete the steps in this section before
you start with the Labs.
1 - In the VirtualBox main window choose File > Import Appliance.



2 - From the Appliance Import Wizard click the Open appliance... button and navigate to the Oracle_Linux_6_Bootcamp.ova file, which is the pre-built Oracle Linux 6.3 VM image you downloaded or obtained from the instructor.

3 - Navigate to the folder where you downloaded or copied the Oracle Linux 6.3 prebuilt image and click Open. The file is named Oracle_Linux_6_Bootcamp.ova.



4 - Choose Next on the Appliance to import screen.

5 - Confirm the default settings and choose Import to begin importing the virtual image. If you see a License Agreement window, read and accept the license.

6 - The progress bar shows the import progress. It usually looks slow at the beginning, but this shouldn't take more than a few minutes.



7 - Your new image has been imported and is ready for use. Select the Oracle Linux 6 Bootcamp image.

8 - After your image has finished importing, select it in the VirtualBox application, choose Settings and review the settings.

Once you have reviewed the settings, select the image and click the Start button to boot Oracle Linux 6. After booting, log in as the root user and activate your network connection to start using the image.
The following video demonstrates how to import an appliance:
Importing Oracle Linux VM Appliance Video



5 Lab Exercises
5.1 Creating Users and Groups using User Manager GUI Tool
In this lab, we will learn how to create Users and Groups in Oracle Linux 6 using the
User Manager Tool. The User Manager GUI tool is a simple application that allows
you to view, modify, add, and delete local users and groups.
To start the User Manager tool from the command line, use the system-config-users command:
[root@examplehost /]# system-config-users

Alternatively, start the application by selecting System -> Administration -> Users and Groups
from the Desktop menu panel. The screenshot below shows how to start the User Manager tool
from the Desktop panel.


Note that if you run the application as a regular Linux user, the application will
prompt you to authenticate as root user.

Once the User Manager Tool has launched, you should see the following GUI
window. You should be able to see student1 user listed under the Users tab. This
is the user that was created during installation of Oracle Linux 6 along with the
root user.


By default, the Users and Groups listed in the User Manager Application do not
include the system users and groups. If you want to see the system users and
groups, you can click Edit->Preferences and then uncheck the Hide system users
and groups option.

Create a new user by clicking the Add User button in the User Manager Tool. In the
Add New User window, create a user with username as student2 as shown in the
screenshot below. Notice, you can define the login shell for the user in this window.
We will use the default bash shell for this student2 user from the choice list.


In the lower section of the Add New User window, you can decide whether you
want to create a home directory for the user and also the location of the home
directory. Oracle Linux 6 uses a User Private Group (UPG) scheme by default. A User
Private Group is created whenever a new user is added to the system. It has the
same name as the user for which it was created and that user is the only member of
the user private group. Because the user is the only member of that group, it is safe to
give newly created files and directories group write permission by default (the login umask
for such users is 002, set in /etc/profile and /etc/bashrc): the group bits grant access to
nobody but the owner until an administrator deliberately changes the group of a file or
directory to a shared group. This helps make Linux groups easier to use and manage.
Notice, you can also specify the Group ID (GID) and User ID (UID) manually by
entering a value. By default Oracle Linux and RHEL reserve UIDs and GIDs below
500 for system users and groups. We will assign /home/student2 as the home
directory for student2 user and let the system pick the UID and GID values. Click
the OK button to create the user.


Once the user student2 has been created, you should see it listed under the Users
tab of the application window. Select the student2 user and click the Properties button.


Notice that under Account Info, you can enable account expiration and also lock the
password. Do not make any changes, just review the tabs and get familiarized.



Under Password Info, you can enable password expiration and then set the
parameters/criteria for password expiration.

And under the Groups tab, you will notice that by default student2 is a member of
the student2 group. This is as per the UPG scheme. Click Cancel to close this
window.


Now that we have created a student2, let us understand the file changes that occur
when you create a user on Linux. When you created the user student2, an entry for
that user was created in the /etc/passwd, /etc/shadow and /etc/group files on
the system.
Examine the entry for the user student2 in the /etc/passwd file and the
/etc/group file. You can use the cat /etc/passwd | grep -i student2 command or
the grep -i student2 /etc/passwd command to examine the entry.
[root@examplehost /]# cat /etc/passwd | grep -i student2
student2:x:502:502:student2 user2:/home/student2:/bin/bash
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep -i student2
student2:x:502:
[root@examplehost /]#



Here's how to read the line for the student2 user in the /etc/passwd file.
Each field is separated by a : delimiter.
Username: student2
Password field: x, meaning the password hash is not stored here but in /etc/shadow
(readable by root only; /etc/passwd itself must stay world-readable because every
process resolves UIDs to names through it)
UID: 502
GID: 502 (the primary group)
GECOS information (name etc.): student2 user2
Home directory: /home/student2
Login shell: /bin/bash
Here's how to read the line for the student2 group in the /etc/group file.
Each field is separated by a : delimiter.
Group name: student2
Password field: x, meaning the group password, if any, is kept in /etc/gshadow
GID: 502
Member list: empty. This field only lists users that have the group as a supplementary
group; student2 has it as the primary group through /etc/passwd, so it is not listed here.

The /etc/shadow file holds the password hashes and the password aging information and
is readable only by root. A password is never stored in clear; what is stored is the
output of crypt(3), and the $6$ prefix below means SHA-512 crypt with the salt that
follows (ENCRYPT_METHOD SHA512 in /etc/login.defs). The remaining fields are: the day
of the last password change as days since 1970-01-01 (15756 is 20 February 2013), the
minimum days between changes (0), the maximum password age (99999, effectively never
expires), the warning period in days (7), then the empty inactivity, account expiry and
reserved fields. The defaults for these aging fields come from /etc/login.defs.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
[root@examplehost /]#
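The following script, added here as an example and not part of the Oracle lab, decodes these passwd and shadow fields for a few constructed sample lines (the hash strings are placeholders, not real hashes) and flags what an administrator should look for: a second account with UID 0, an empty password field, a legacy MD5 hash, and a maximum age of 99999 that means the password never has to change. The classification by $-prefix and the days-to-date conversion are plain crypt(3) conventions and calendar arithmetic; on a real host replace the SAMPLE_* variables with the contents of /etc/passwd and /etc/shadow (reading the latter needs root).

```shell
#!/bin/sh
# Added example (not part of the Oracle lab): decode /etc/passwd and /etc/shadow
# fields and flag the conditions an administrator should look for. All data below
# is constructed sample input; the hash strings are placeholders, not real hashes.

# Constructed passwd lines in the layout shown in the lab. "backup" has UID 0,
# which is exactly the kind of entry this audit is meant to catch.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
student2:x:502:502:student2 user2:/home/student2:/bin/bash
student3:x:503:503:student3 user3:/home/student3:/bin/bash
backup:x:0:504:backup helper:/home/backup:/bin/bash
reports_user:x:505:505::/home/reports_user:/sbin/nologin'

# Constructed shadow lines: name:hash:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$6$saltsalt$PLACEHOLDERSHA512HASH:15756:0:99999:7:::
student2:$6$1cLhy/ZiwTsQkEJX$PLACEHOLDERSHA512HASH:15756:0:99999:7:::
student3:$1$abcdefgh$PLACEHOLDERMD5HASH:15756:0:90:7:::
backup::15756:0:99999:7:::
reports_user:!!:15756:0:99999:7:::'

# hash_algo HASHFIELD: classify the second shadow field by its crypt(3) prefix.
hash_algo() {
  case "$1" in
    '')              echo empty ;;     # no password at all: login without one
    '!'*|'*'*)       echo locked ;;    # "!!", "!hash" or "*": no password can match
    '$6$'*)          echo sha512 ;;    # default on Oracle Linux 6 (ENCRYPT_METHOD SHA512)
    '$5$'*)          echo sha256 ;;
    '$2a$'*|'$2y$'*) echo bcrypt ;;
    '$1$'*)          echo md5 ;;       # legacy; re-hashed at the next password change
    *) if [ "${#1}" -eq 13 ]; then echo des; else echo unknown; fi ;;
  esac
}

# days_to_date DAYS: turn a "days since 1970-01-01" shadow field into YYYY-MM-DD
# without relying on GNU date (civil-from-days calendar algorithm, done in awk).
days_to_date() {
  awk -v z="$1" 'BEGIN {
    z += 719468
    era = int(z / 146097)
    doe = z - era * 146097
    yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
    doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))
    mp  = int((5*doy + 2) / 153)
    d   = doy - int((153*mp + 2) / 5) + 1
    m   = (mp < 10) ? mp + 3 : mp - 9
    y   = yoe + era * 400 + (m <= 2 ? 1 : 0)
    printf "%04d-%02d-%02d\n", y, m, d
  }'
}

# uid0_accounts: every account whose UID is 0 is root, whatever it is called.
uid0_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" |
    awk -F: '$3 == 0 { printf "%s%s", sep, $1; sep = " " } END { print "" }'
}

# audit_shadow: one line per account: name, hash type, last change date, findings.
audit_shadow() {
  printf '%s\n' "$SAMPLE_SHADOW" |
    while IFS=: read -r name hash last min max warn inact expire reserved; do
      algo=$(hash_algo "$hash")
      flags=""
      case "$algo" in
        empty)   flags="${flags}EMPTY_PASSWORD," ;;
        md5|des) flags="${flags}WEAK_HASH," ;;
      esac
      # max=99999 is the /etc/login.defs default: the password never has to change
      if [ "$max" = 99999 ] && [ "$algo" != locked ]; then
        flags="${flags}NEVER_EXPIRES,"
      fi
      [ -n "$flags" ] || flags="ok,"
      printf '%s %s last_change=%s %s\n' "$name" "$algo" "$(days_to_date "$last")" "${flags%,}"
    done
}

uid0_accounts
audit_shadow
```

The UID 0 check matters more than it looks: the kernel only knows numeric IDs, so an entry such as backup:x:0:... is a second root account regardless of its name, and grep for "root" would never find it.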

Log out of the Desktop GUI and log back in as student2 user to confirm that the
user that we created can login properly.


After logging in as student2 user, open a terminal window and see that a home
directory /home/student2 was created for this user. It already has a predefined
directory structure that you can check using the ls command.
[student2@examplehost ~]$ pwd
/home/student2
[student2@examplehost ~]$ ls -l
total 32
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Desktop
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Documents
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Downloads
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Music
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Pictures
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Public
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Templates
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Videos
[student2@examplehost ~]$

You may verify the directory is usable by the student2 user by creating a file in it with
the touch command. Note the resulting mode -rw-rw-r--: the login umask is 002 for UPG
users, so the file is group-writable, which is harmless here because student2 is the only
member of group student2.
[student2@examplehost ~]$ pwd
/home/student2
[student2@examplehost ~]$ touch student2file2
[student2@examplehost ~]$ ls -l student2file2
-rw-rw-r--. 1 student2 student2 0 Feb 20 14:17 student2file2
[student2@examplehost ~]$

The id command prints the user and group information for the specified user (or for the
current user when no name is given). Read the man page of the id command, then run it
with the options shown below. The output tells you that the student2 user has a UID of
502 and a GID of 502 and belongs to only one group, student2. The -g option prints only
the effective group ID, -gn prints the name of that group, and -G prints all group IDs
the user belongs to. The context= part is the SELinux context of the shell, which id
shows whenever SELinux is enabled.



[student2@examplehost ~]$ id
uid=502(student2) gid=502(student2) groups=502(student2)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student2@examplehost ~]$
[student2@examplehost ~]$ id -g
502
[student2@examplehost ~]$
[student2@examplehost ~]$ id -gn
student2
[student2@examplehost ~]$
[student2@examplehost ~]$ id -G
502
[student2@examplehost ~]$

Log out from the system as student2 user and log back in as root user. We will
now look at the User Manager Tool for the Groups administration. As root user, start
the User Manager Tool and click on the Groups tab. Notice the groups that are there
on this system. Select the student2 group and then click the Properties button.



In the Group properties window, click the Group Users tab and verify that this
group has student2 as a member. Remember this student2 user was added to this
group because of the UPG scheme. Click the Cancel button to close this window.

We will now create a new group. Click the Add Group button to create a new group.

In the Add New Group window, create a new students group as shown below.
Specify the GID to be 550 and click the OK button.


You should now see the students group. Select the students group and click the
Properties button.

In the Group Properties window, select the student2 user to add this user to this
group and then click the OK button.



If you now see the Properties of student2 user under the Users tab, you will
notice that the student2 user is now a member of 2 groups (student2, students).
Select student2 user and then click the Properties button.

Under the Groups tab of the User Properties window, you will now see that
student2 is a member of two groups. Click the Cancel button to close the window.

You can also run the id command again as the student2 user and see the results. See the
examples below: the -G option lists the two groups that student2 belongs to. Note that
su - starts a new login session; a session of student2 that was already open would not
see the new group until the user logs in again, because group membership is read at login.



[root@examplehost Desktop]# su - student2
[student2@examplehost ~]$
[student2@examplehost ~]$ whoami
student2
[student2@examplehost ~]$
[student2@examplehost ~]$ id
uid=502(student2) gid=502(student2)
groups=502(student2),550(students)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student2@examplehost ~]$
[student2@examplehost ~]$ id -G
502 550
[student2@examplehost ~]$ id -Gn
student2 students
[student2@examplehost ~]$

This concludes the simple lab of creating users and groups using the User Manager
GUI Tool.

5.2 Users and Groups Administration using Command-Line Utilities


In this lab exercise, we will learn how to create/modify/delete users and groups
using command line utilities. We will also look at some of the files associated with
user/group administration.
Before we learn how to create/modify/delete users and groups we will look at some
of the important files related to user/group administration. We will start by looking
at the /etc/default/useradd file on our Oracle Linux 6 systems.



[root@examplehost ~]# cd /etc/default
[root@examplehost default]#
[root@examplehost default]# pwd
/etc/default
[root@examplehost default]# ls -l useradd
-rw-------. 1 root root 119 Oct 12 2011 useradd
[root@examplehost default]#

Examine the /etc/default/useradd file on your system using the cat command.
[root@examplehost /]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@examplehost /]#



Or you can run the useradd -D command to see the default values. We will look at
the useradd command in more detail later in this lab.

The /etc/default/useradd file specifies the default settings used when creating a
user account. As you can see, by default user home directories are created under
/home, the default shell is /bin/bash, and a mail spool is created for every new
user. GROUP=100 is only used when useradd is told not to create a private group (-N);
INACTIVE=-1 means an expired password never turns into a disabled account; and the
empty EXPIRE= means accounts get no expiry date unless one is given with useradd -e.
The SKEL variable points to /etc/skel by default. The contents of that directory are
copied into the user's home directory when the user is created, so anything placed
there (including dotfiles that run at login) ends up in every new account.
[root@examplehost /]# ls -al /etc/skel
total 36
drwxr-xr-x.   4 root root  4096 Dec 10 14:06 .
drwxr-xr-x. 113 root root 12288 Feb 20 14:24 ..
-rw-r--r--.   1 root root    18 May 10  2012 .bash_logout
-rw-r--r--.   1 root root   176 May 10  2012 .bash_profile
-rw-r--r--.   1 root root   124 May 10  2012 .bashrc
drwxr-xr-x.   2 root root  4096 Nov 20  2010 .gnome2
drwxr-xr-x.   4 root root  4096 Dec 10 14:01 .mozilla
[root@examplehost /]#


Create a file using an editor (eg. vi editor) in the /etc/skel directory and call this
file Readme.txt.
[root@examplehost /]# vi /etc/skel/Readme.txt

Enter some text into the Readme.txt file, then save and quit the editor. Later in
this lab we will create a Linux user student3, and we will see that its home
directory contains this Readme.txt file automatically, because the contents of
/etc/skel are copied into a user's home directory at creation.
[root@examplehost /]# cat /etc/skel/Readme.txt
Read this file first.
[root@examplehost /]#



Another file that we will now look at is the /etc/login.defs file.
[root@examplehost /]# ls -l /etc/login.defs
-rw-r--r--. 1 root root 1816 Oct 12 2011 /etc/login.defs
[root@examplehost /]#

The /etc/login.defs file defines the configuration for the shadow password suite. It
is a readable text file that describes the various configuration parameters associated
with shadow password. It contains information about things like password aging,
option to remove user groups if no user exists, encryption method for the password
etc. You can read the man pages of login.defs to understand the various
parameters. Enclosed below is sample output of this file.
[root@examplehost /]# more /etc/login.defs


This file also defines the min/max values for automatic GID selection for the
groupadd command.
[root@examplehost /]# cat /etc/login.defs | grep GID
GID_MIN                   500
GID_MAX                 60000
[root@examplehost /]#
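As an added example (not from the Oracle lab), the script below reads GID_MIN/GID_MAX from a constructed login.defs fragment and works out which GID the next groupadd would assign for a constructed /etc/group. The selection rule (highest ID already used inside the range plus one, falling back to the lowest free ID once the range is exhausted) is assumed from the shadow-utils source; check it against your version. The duplicate check at the end reports the kind of inconsistency that grpck and pwck flag.

```shell
#!/bin/sh
# Added example (not part of the Oracle lab): how the GID_MIN/GID_MAX (and
# UID_MIN/UID_MAX) bounds in /etc/login.defs drive automatic ID selection.
# The login.defs fragment and the group file below are constructed sample input.

SAMPLE_LOGIN_DEFS='# trimmed login.defs (constructed)
UID_MIN                   500
UID_MAX                 60000
GID_MIN                   500
GID_MAX                 60000'

# Constructed /etc/group content matching the state reached in the lab so far.
SAMPLE_GROUP='root:x:0:
users:x:100:
student2:x:502:
students:x:550:student2
support:x:551:student3'

# login_def KEY: value of KEY from the login.defs text (comments are ignored
# because their first word is "#", which never equals KEY).
login_def() {
  printf '%s\n' "$SAMPLE_LOGIN_DEFS" | awk -v k="$1" '$1 == k { print $2; exit }'
}

# next_free_id CONTENT MIN MAX: the rule useradd/groupadd follow (assumed from
# the shadow-utils source): highest ID already used inside [MIN,MAX] plus one;
# if that would leave the range, the lowest unused ID in the range; error if none.
next_free_id() {
  printf '%s\n' "$1" | awk -F: -v lo="$2" -v hi="$3" '
    BEGIN { top = -1 }
    $3 >= lo && $3 <= hi { used[$3] = 1; if ($3 > top) top = $3 }
    END {
      cand = (top >= lo) ? top + 1 : lo
      if (cand > hi) {
        cand = -1
        for (i = lo; i <= hi; i++) if (!(i in used)) { cand = i; break }
      }
      if (cand < 0) { print "no free id in range" > "/dev/stderr"; exit 1 }
      print cand
    }'
}

# next_gid: the GID groupadd would pick for the next group, using the bounds above.
next_gid() {
  next_free_id "$SAMPLE_GROUP" "$(login_def GID_MIN)" "$(login_def GID_MAX)"
}

# duplicate_ids CONTENT: numeric IDs that appear on more than one line. Two
# groups (or users) sharing one ID are indistinguishable to the kernel, which
# is why grpck/pwck report this.
duplicate_ids() {
  printf '%s\n' "$1" |
    awk -F: '{ n[$3]++ } END { for (id in n) if (n[id] > 1) print id }' | sort -n
}

next_gid   # prints 552: the GID the next groupadd would assign after support (551)
```

To run this against a live system, replace SAMPLE_LOGIN_DEFS with the output of grep -v '^#' /etc/login.defs and SAMPLE_GROUP with /etc/group (or /etc/passwd with the UID_ keys for users).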



Enclosed below is a table with some of the common command line utilities related
to user/group administration in Oracle Linux 6. We will use some of these
commands below in our lab exercise and you can explore the remaining commands
on your own.
Command/Utility   Purpose
useradd           Add user accounts
usermod           Modify user accounts
userdel           Delete user accounts
users             Print the user names of users logged in on the host
sudo              Execute a command as another user
groupadd          Add groups
groupmod          Modify groups
groupdel          Delete groups
groups            Print the groups a user is in
gpasswd           Administer /etc/gshadow and /etc/group files
pwck, grpck       Verification of the password, group, and associated shadow files

Start by reading the man page of useradd command.


[root@examplehost /]# man useradd


We will now create a user with username student3 using the useradd command
line utility. The -c option in the command below provides the GECOS
information (name etc.). This command creates the student3 user with the
default settings specified in /etc/default/useradd and the UID/GID bounds from
/etc/login.defs.
[root@examplehost /]# useradd -c "student3 user3" student3
[root@examplehost /]#

Once the student3 user has been created, check the entries added in the
/etc/passwd and /etc/group files for this user. See the example below.



[root@examplehost /]# cat /etc/passwd | grep -i student3
student3:x:503:503:student3 user3:/home/student3:/bin/bash
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep student3
student3:x:503:
[root@examplehost /]#

You can also log in as student3 using the su - student3 command. After logging in,
you will find a Readme.txt file in the home directory. This is the file we created
in /etc/skel earlier in the lab.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ whoami
student3
[student3@examplehost ~]$
[student3@examplehost ~]$ pwd
/home/student3
[student3@examplehost ~]$ ls -l
total 4
-rw-r--r--. 1 student3 student3 22 Feb 20 14:57 Readme.txt
[student3@examplehost ~]$
[student3@examplehost ~]$ cat Readme.txt
Read this file first.
[student3@examplehost ~]$


If you want, you can set the password for this student3 user using the passwd
command as shown below. In the example below, we run the passwd command as
root user to set the password of student3 user to oracle.
[root@examplehost /]# passwd student3
Changing password for user student3.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@examplehost /]#

You can also check the entry created for this student3 user in the /etc/shadow
file.
[root@examplehost /]# cat /etc/shadow | grep student3
student3:$6$tlj4yP0T$09INZnAkSqNuf4c/dCE0KSWEq3NbWQbwdV6Aa5gB3pW/vK1l8.7wSVcAVcRbUBGZjhKl2Ok/dP/ojg7tGsc.a/:15756:0:99999:7:::


Looking at the /etc/passwd file, we see that student3 has /bin/bash as the
default shell. The default shell is specified in the /etc/default/useradd file.
[root@examplehost /]# cat /etc/passwd | grep -i student3
student3:x:503:503:student3 user3:/home/student3:/bin/bash
[root@examplehost /]#

If you want to create a Linux user but prevent that user from logging in to the
system, then you can set the user shell to /sbin/nologin. For example, to create a
user named reports_user, you can run the following command:
[root@examplehost ~]# useradd -s /sbin/nologin reports_user

Now if you try to log in as reports_user, the only program that runs is /sbin/nologin,
which prints "This account is currently not available." and exits. The user exists on
the system but cannot obtain a shell, whether at the console or over SSH. Two caveats:
nologin is a shell setting, not an account lock, so root can still run commands as the
user with su -s /bin/sh reports_user (or sudo -u), and a password, if one is set, still
authenticates against any service that does not start a shell. To disable password
authentication as well, lock the password with passwd -l reports_user (or usermod -L).
[root@examplehost ~]# su - reports_user
This account is currently not available.
[root@examplehost ~]#


We will now look at the usermod command which can be used to modify an
existing Linux user. Simply typing the usermod command will list out the options
available for this command.
[root@examplehost ~]# usermod
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message
.....
.....


The list of valid login shells on the system is kept in the /etc/shells file. chsh only
lets a user pick a shell from this list, and some services consult it to decide whether
an account is allowed to log in. Examine the /etc/shells file on your Oracle Linux 6 system.
[root@examplehost /]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
[root@examplehost /]#
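The script below is an added example, not part of the Oracle lab. It applies the rules from the last two sections to a constructed /etc/passwd and /etc/shells: an account can only get an interactive session if its shell is listed in /etc/shells and is not /sbin/nologin or /bin/false, and system accounts (UID below UID_MIN, root excluded) should not have an interactive shell at all. The sample data, the account names and the UID_MIN value of 500 are constructed; the mention of vsftpd's check_shell comes from that daemon's documentation, not from this lab.

```shell
#!/bin/sh
# Added example (not part of the Oracle lab): review the login shell of every
# account against /etc/shells. The shells list and the passwd lines below are
# constructed sample input in the layout the lab shows.

SAMPLE_SHELLS='/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh'

# Constructed passwd content. "mail" is a system account that was given an
# interactive shell; "legacy" has a shell that /etc/shells does not list.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
mail:x:8:12:mail:/var/spool/mail:/bin/bash
student3:x:503:503:student3 user3:/home/student3:/bin/csh
reports_user:x:505:505::/home/reports_user:/sbin/nologin
legacy:x:506:506::/home/legacy:/usr/local/bin/oldsh'

# shell_listed SHELL: true when SHELL appears as an exact line of /etc/shells.
# chsh refuses anything not listed, and services that consult the list
# (vsftpd with check_shell=YES, for instance) reject such accounts.
shell_listed() {
  printf '%s\n' "$SAMPLE_SHELLS" | grep -qxF -- "$1"
}

# shell_is_interactive SHELL: listed and not a "no login" program. Note that
# /sbin/nologin itself is listed on Oracle Linux 6, so "listed" alone does
# not mean the account can log in.
shell_is_interactive() {
  case "$1" in
    /sbin/nologin|/bin/false) return 1 ;;
  esac
  shell_listed "$1"
}

# classify_shell UID SHELL UID_MIN: one verdict per account.
classify_shell() {
  uid=$1 shell=$2 uid_min=$3
  if ! shell_listed "$shell"; then
    echo unlisted-shell
  elif ! shell_is_interactive "$shell"; then
    echo no-login
  elif [ "$uid" -ne 0 ] && [ "$uid" -lt "$uid_min" ]; then
    echo system-account-with-shell   # a daemon account nobody should log in as
  else
    echo interactive
  fi
}

# account_report UID_MIN: "name shell verdict" for every passwd line.
account_report() {
  printf '%s\n' "$SAMPLE_PASSWD" |
    while IFS=: read -r name pw uid gid gecos home shell; do
      printf '%s %s %s\n' "$name" "$shell" "$(classify_shell "$uid" "$shell" "$1")"
    done
}

# On a real host, feed /etc/passwd and /etc/shells into the SAMPLE_* variables
# and take UID_MIN from /etc/login.defs (500 on Oracle Linux 6).
account_report 500
```

Anything reported as system-account-with-shell is a candidate for usermod -s /sbin/nologin; an unlisted-shell entry is either a typo in /etc/passwd or a shell that was installed without being added to /etc/shells.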



We will now run the usermod command to change the login shell of the student3 user
from /bin/bash to /bin/csh. The shell is changed with the -s flag of usermod.
[root@examplehost /]# usermod -s /bin/csh student3
[root@examplehost /]#
[root@examplehost /]# cat /etc/passwd | grep student3
student3:x:503:503:student3 user3:/home/student3:/bin/csh
[root@examplehost /]#

You can verify by both checking the /etc/passwd file and by logging in as student3
to confirm the shell has been changed to /bin/csh.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ ps
  PID TTY          TIME CMD
 7243 pts/4    00:00:00 csh
 7258 pts/4    00:00:00 ps
[student3@examplehost ~]$

The next command we will look at is the groupadd command to create groups on
the system. Again, simply typing the groupadd command will show the options
available for this command.


Let us check the group information for student3 using the id command as shown
below. Notice that the student3 user belongs to one group, student3, with a GID of 503.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ id -Gn
student3
[student3@examplehost ~]$ id -G
503
[student3@examplehost ~]$

As root user, run the groupadd command to create a new support group.



[root@examplehost /]# whoami
root
[root@examplehost /]# groupadd support
[root@examplehost /]#

Verify that the new group support has been created by examining the /etc/group
file. Also, note the GID of the support group. In the example below, the GID is 551.
[root@examplehost /]# cat /etc/group | grep support
support:x:551:
[root@examplehost /]#

Modify the group membership of student3 to make it a member of the new support group.
Run usermod with -a (append) and -G (supplementary groups) as shown below. Always use
the two together: usermod -G support student3 without -a replaces the entire
supplementary group list with support, silently removing the user from every other group.
[root@examplehost /]# usermod -a -G support student3
[root@examplehost /]#



Login (su) as student3 user and confirm that the student3 user is now a member
of two groups student3 and support. Note the GIDs of the two groups.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ id
uid=503(student3) gid=503(student3)
groups=503(student3),551(support)
context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[student3@examplehost ~]$
[student3@examplehost ~]$ id -Gn
student3 support
[student3@examplehost ~]$ id -G
503 551
[student3@examplehost ~]$

The groupmod command can be used to modify a group. Typing the groupmod
command will list out the options available for this command.
[root@examplehost /]# groupmod
Usage: groupmod [options] GROUP
Options:
  -g, --gid GID                 change the group ID to GID
  -h, --help                    display this help message
  ...


Use the groupmod command to change the group name. Running the groupmod
command with the -n option, as shown below, will change the group name from the
old name support to staff. You can check the /etc/group file to confirm that the
name has been changed. Note that the GID remains the same as under the old name.
[root@examplehost /]# groupmod -n staff support
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep staff
staff:x:551:student3
[root@examplehost /]#



The userdel command can be used to delete users from the system. As with other
commands, typing the userdel command will show the available options.

We will now remove the student3 user from the system and also make sure the
home directory of this user is removed. Run the userdel command with the -r
option as shown below to delete student3 user. You can verify by examining the
/etc/passwd file that the user has been deleted.
[root@examplehost /]# userdel -r student3
[root@examplehost /]#
[root@examplehost /]# cat /etc/passwd | grep student3
[root@examplehost /]#
[root@examplehost /]# ls /home/
student1 student2
[root@examplehost /]#



If you need the files that users create in a shared directory to be owned by the
group which owns that directory, use the setgid bit on the directory. The setgid bit
makes managing group projects that share a common directory very simple, because
any file a user creates within the directory is owned by the group which owns the
directory.
Let's say a group of people (john and jack in the development group) need to work
on files in the /home/development directory. Some people (john, jack) are
trusted to modify this directory, but not everyone. To achieve this requirement, you
would run the following commands:
# groupadd development
# mkdir /home/development
# chown -R root.development /home/development
# gpasswd -a john development
# gpasswd -a jack development
# chmod 2775 /home/development

Once you run the above commands, files created by users john or jack in the
/home/development directory will get the same group permission as that
directory itself. In the above example, the chmod command sets the setgid bit,
which assigns everything created in the directory the same group permission as the
directory itself.

5.3 Configure Password Aging


In this lab, we will learn how to configure password aging. Password aging is
another technique used by system administrators to defend against bad passwords
within an organization. Password aging means that after a set amount of time the
user is prompted to create a new password.
There are two ways to configure password aging in Oracle Linux 6. The first is
the chage command and the second is the User Manager Tool
(system-config-users command) application. We will look at the chage command
in this small lab.
Type the chage command to list out the available options. You may also read the
man pages of this command.


Examine the /etc/shadow file and look at the entry for any one user. In the
example below, we look at the student2 user. The fields towards the end of this file
are the password aging related parameters.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
[root@examplehost /]#

You can read the values of the password aging parameters using the chage -l
command as shown below. It is easier to understand it using this listing than by
examining the entry in the /etc/shadow file but that file is where the values are
updated.


[root@examplehost /]# chage -l student2
Last password change                                    : Feb 20, 2013
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7
[root@examplehost /]#

Let us change the minimum password age to 10, maximum password age to 30, and
the password expiration warning to 10 days. This can be done using the chage
command as shown below.
[root@examplehost /]# chage student2
Changing the aging information for student2
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 30
Last Password Change (YYYY-MM-DD) [2013-02-20]:
Password Expiration Warning [7]: 10
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
[root@examplehost /]#


You can verify using the -l option that the password aging parameters have been
changed as shown below.
[root@examplehost /]# chage -l student2
Last password change                                    : Feb 20, 2013
Password expires                                        : Mar 22, 2013
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 10
Maximum number of days between password change          : 30
Number of days of warning before password expires       : 10
[root@examplehost /]#

Also, observe the /etc/shadow file password aging related fields have been
updated.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:10:30:10:::
[root@examplehost /]#
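The aging fields read back in code, as an added example that is not part of the lab: a POSIX shell script that parses a constructed /etc/shadow entry carrying the lab's day numbers (15756 = Feb 20, 2013) with a placeholder hash, converts a shadow day count to a calendar date, and classifies the password as ok, in its warning window, or expired for a given day. The hash, the function names and the day-to-date routine are this example's own.

```shell
#!/bin/sh
# Constructed /etc/shadow entry with the lab's aging values after chage:
#   name:hash:lastchg:min:max:warn:inactive:expire:   (days since 1970-01-01)
# The hash is a placeholder, not the one shown in the lab.
SAMPLE_SHADOW='student2:$6$PLACEHOLDERSALT$PLACEHOLDERHASH:15756:10:30:10:::'

# shadow_field LINE N -> field N (1-based) of a shadow entry
shadow_field() {
    printf '%s\n' "$1" | cut -d: -f"$2"
}

# epoch_day_to_date DAYS -> YYYY-MM-DD for a shadow day count, using only
# shell arithmetic (civil-from-days algorithm) so it does not depend on
# GNU date; valid for any day count from 1970 onwards
epoch_day_to_date() {
    z=$(( $1 + 719468 ))
    era=$(( z / 146097 ))
    doe=$(( z - era * 146097 ))
    yoe=$(( (doe - doe / 1460 + doe / 36524 - doe / 146096) / 365 ))
    y=$(( yoe + era * 400 ))
    doy=$(( doe - (365 * yoe + yoe / 4 - yoe / 100) ))
    mp=$(( (5 * doy + 2) / 153 ))
    d=$(( doy - (153 * mp + 2) / 5 + 1 ))
    m=$(( mp < 10 ? mp + 3 : mp - 9 ))
    if [ "$m" -le 2 ]; then y=$(( y + 1 )); fi
    printf '%04d-%02d-%02d\n' "$y" "$m" "$d"
}

# password_expiry_day LINE -> day number on which the password expires
# (lastchg + max), or "never" when max is empty or 99999 (the default)
password_expiry_day() {
    lastchg=$(shadow_field "$1" 3)
    max=$(shadow_field "$1" 5)
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then
        echo never
    else
        echo $(( lastchg + max ))
    fi
}

# password_status LINE TODAY -> "expired", "warn" or "ok" for day TODAY,
# following the rules login applies: lastchg 0 (chage -d 0) forces a change,
# on or after lastchg+max the password is expired, inside the warn window
# the user is warned
password_status() {
    lastchg=$(shadow_field "$1" 3)
    warn=$(shadow_field "$1" 6)
    if [ "$lastchg" = 0 ]; then echo expired; return; fi
    expiry=$(password_expiry_day "$1")
    if [ "$expiry" = never ]; then echo ok; return; fi
    if [ "$2" -ge "$expiry" ]; then
        echo expired
    elif [ "$2" -ge $(( expiry - ${warn:-0} )) ]; then
        echo warn
    else
        echo ok
    fi
}
```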


To force a user to change his/her password immediately upon the next login, you
can run the chage command with the -d option.
[root@examplehost /]# chage -d 0 student2

Log out as root user and use the switch user option to log back in as student2 user.

When you enter the password for the student2 user, you will be prompted to enter
the current password.


After entering the current password, you will be prompted to enter a new password
because we used the chage command with -d and specified 0 to force a password
change.

This concludes the short and simple lab exercise.

5.4 Describe LDAP and NIS authentication options


Before we discuss LDAP and NIS, we will briefly talk about authentication.
Authentication is the way that a user is identified and verified to a system. The
authentication process requires presenting some sort of identity and credentials,
like a username and password. The credentials are then compared to information
stored in some data store on the system.



Until now, we talked about local authentication, which relies on the local /etc/passwd
and /etc/shadow files for authenticating users on an Oracle Linux system. We will
now look at two other options available for authentication. The two authentication
mechanisms we will discuss are:
1. NIS (Network Information Service)
2. LDAP (Lightweight Directory Access Protocol)
NIS: Per Wikipedia, "The Network Information Service or NIS (originally called
Yellow Pages or YP) is a client-server directory service protocol for distributing
system configuration data such as user and host names between computers on a
computer network. Sun Microsystems developed the NIS; the technology is licensed
to virtually all other Unix vendors."
A NIS/YP system maintains and distributes a central directory of user and group
information, hostnames, e-mail aliases and other text-based tables of information in
a computer network. There is a NIS server that is used by the NIS clients for
authentication. So, Linux systems can be configured to talk to a central NIS Server
for authentication.
LDAP: LDAP is an Internet standard protocol used by applications to access
information in a directory. LDAP is based on a client-server model. LDAP servers
provide the directory service, and LDAP clients use the directory service to access
entries and attributes. An LDAP client starts an LDAP session by connecting to an
LDAP server that listens by default on TCP port 389. The client then sends an
operation request to the server, and the server sends responses in return.
We will not be configuring LDAP/NIS authentications in this lab. We will just
introduce you to some basic concepts about configuring LDAP/NIS authentication
on Oracle Linux 6 systems.
Configuring Authentication:
Oracle Linux includes a tool to select the authentication databases and configure
associated authentication options. This tool is called the Authentication
Configuration Tool. The Authentication Configuration Tool has both GUI and
command-line options to configure any user data stores.
You can launch the Authentication Configuration Tool by clicking the System ->
Administration -> Authentication menu option.


Alternatively, you can run the Authentication Configuration Tool from the command
line by using system-config-authentication command as shown below.

The Authentication Configuration Tool will launch the GUI application. There are
two tabs in this application window:
1. Identity & Authentication
2. Advanced Options


The Identity & Authentication tab helps configure the resource used as the identity
store. You can define how users should be authenticated. Under the User Account
Configuration section, you can select the User Account Database to be used for
authentication. The choices available are:
Local accounts only - local /etc/passwd and /etc/shadow files
LDAP - LDAP server and base DN configuration
NIS - NIS Server and domain configuration
Winbind - Winbind authentication requires the samba-winbind package
IPAv2 - IPA Domain, server, realm configuration


We will only look at NIS and LDAP authentication in this training.


The Advanced Options tab allows authentication methods other than passwords or
certificates, like smart cards and fingerprint. You can also enable local access control
and that is managed by the /etc/security/access.conf file.


Configuring NIS Authentication:


NIS Authentication requires the ypbind and yp-tools packages on the client
systems. When the ypbind service is installed and configured, the portmap and
ypbind services are started and enabled to start at boot time. We will not be
actually doing any NIS authentication since we do not have a NIS Server configured.



In the Authentication Configuration Tool, on the Identity & Authentication tab, you
can select NIS as the User Account database. Next you can enter your NIS domain
and NIS server information. In the lower section, you can configure the
Authentication method to be NIS Password or Kerberos password. See example
screenshot below. Since we do not have any NIS server available for this training, we
will not make any changes. Cancel and quit this tool without making any changes.

On the NIS server side, you will need to install the ypserv package and then
configure the server. That involves several things like NIS Domain,
/etc/ypserv.conf configuration, NIS maps etc. Refer to the Linux documentation for
complete details.



Configuring LDAP Authentication:
Launch the Authentication Configuration Tool and select LDAP as the user account
database to configure LDAP Authentication. You will have to define the LDAP Search
Base DN and LDAP Server. You can define LDAP or LDAPS (secure) servers. For
Authentication method, you can choose LDAP Password or Kerberos password. See
example screenshot below. We will not make any changes since we do not have a
LDAP server available for this training. Just review and familiarize with the available
configuration options.

The packages needed for LDAP server/client configuration include:
openldap-clients - OpenLDAP client utilities
openldap-servers - OpenLDAP server package
openldap - OpenLDAP support libraries
nss-pam-ldapd - nsswitch module which uses directory servers



Configuring Authentication from the Command Line:
The authconfig command-line tool updates all of the configuration files and
services required for system authentication, according to the settings passed to the
script. Along with allowing all the identity and authentication configuration options
that can be set through the UI, the authconfig tool can also be used to create backup
and kickstart files. For a complete list of authconfig command options, check the
help output and the man page.

For the authconfig command, you can use either the --update or the --test option.
One of those options is required for the command to run successfully. Using --update
writes the configuration changes, while the --test option prints the changes
to stdout but does not apply them to the configuration.
Example: To print the password hashing algorithm, you can use the authconfig
command with the --test option as shown below.


To update the hash/crypt algorithm for new passwords, you can use the authconfig
command with the --passalgo option.
# authconfig --passalgo=sha256 --update

You can also enable and configure LDAP from the command line using the
authconfig command. To use an LDAP identity store, you can use the --enableldap
option. To use LDAP as the authentication source, you can use the --enableldapauth
option and then provide information like the LDAP server name, base DN for the
user suffix etc. Example screenshot is provided below.
# authconfig --enableldap --enableldapauth --ldapserver=ldap://host:port --ldapbasedn=<base dn> --update

Similarly, NIS configuration can be done using the authconfig command. The syntax
is as follows:
# authconfig --enablenis --nisdomain <nisdomainname> --nisserver <host> --update


Well, that completes this introductory lab exercise on authentication.

5.5 Introduction to Pluggable Authentication Modules (PAM)


Per Wikipedia, "Pluggable authentication modules (PAM) are a mechanism to
integrate multiple low-level authentication schemes into a high-level application
programming interface (API). It allows programs that rely on authentication to be
written independent of the underlying authentication scheme."
Pluggable Authentication Modules are a common framework for authentication and
security. Basically, the PAM authentication mechanism allows you to configure how
applications use authentication to verify the identity of users.
The PAM Configuration files are in the /etc/pam.d directory and it contains the
configuration files for each PAM aware application. Each PAM-aware application has
a file in the /etc/pam.d/ directory and usually has the same name as the service to
which it controls access. The PAM-aware program/application is responsible for
defining its service name and installing its own PAM configuration file in the
/etc/pam.d/ directory. For example, the login program defines its service name as
login and installs the /etc/pam.d/login PAM configuration file.



Each PAM configuration file contains a group of directives that define the module
and any controls or arguments with it. The directives are:
module_interface - auth, account, password, session
control_flag - required, requisite, sufficient, optional, include
module_name - pam_unix.so, pam_wheel.so are a couple of examples
module_arguments - some modules need arguments

For example, in the following line, the module_interface is auth, the control_flag is
required and the module name is pam_unix.so:
auth       required     pam_unix.so

Take a look at the /etc/pam.d/xserver PAM configuration file. In this file, each line
starts with the module_interface name, next is the control_flag, third field is the
module name and the last field (optional) is the arguments for the module.
[root@examplehost pam.d]# pwd
/etc/pam.d
[root@examplehost pam.d]# cat xserver
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_keyinit.so force revoke
[root@examplehost pam.d]#

In the above example, the first line uses the pam_rootok.so module to check
whether the current user is root by verifying that their UID is 0. If this test
succeeds, no other modules are consulted and the command is executed. If this test
fails, the next module line is checked. This is how the configuration files are used in
PAM authentication mechanism.
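How the control flags decide the outcome of a stack like the xserver file above, as an added example that is neither PAM's code nor part of the lab: a POSIX shell simulation of a Linux-PAM stack. The modules are stand-ins with constructed behaviour (pam_rootok succeeds for UID 0, pam_console is modelled here as succeeding only for the user named in PAM_CONSOLE_USER, pam_permit always succeeds, pam_deny always fails); the include flag and module arguments are not modelled, and all function names are this example's own.

```shell
#!/bin/sh
# Constructed copy of the /etc/pam.d/xserver stack shown above (same lines).
SAMPLE_PAM='#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_keyinit.so force revoke'

# Stand-ins for the real modules: each takes UID USER and returns 0 for
# PAM_SUCCESS or 1 for failure. pam_console's real check (is the user at the
# physical console?) is replaced by a constructed rule for this demo.
pam_rootok()  { [ "$1" -eq 0 ]; }
pam_permit()  { return 0; }
pam_deny()    { return 1; }
pam_console() { [ "$2" = "${PAM_CONSOLE_USER:-console}" ]; }
pam_keyinit() { return 0; }

# run_module MODULE UID USER -> runs the stand-in for MODULE (pam_*.so)
run_module() {
    case $1 in
        pam_rootok.so)  pam_rootok  "$2" "$3" ;;
        pam_permit.so)  pam_permit  "$2" "$3" ;;
        pam_deny.so)    pam_deny    "$2" "$3" ;;
        pam_console.so) pam_console "$2" "$3" ;;
        pam_keyinit.so) pam_keyinit "$2" "$3" ;;
        *)              return 1 ;;     # unknown module counts as failure
    esac
}

# pam_stack CONFIG INTERFACE UID USER -> "success" or "fail", walking the
# lines for INTERFACE in order with the Linux-PAM control-flag rules:
#   required   - a failure is remembered, later lines still run, result fails
#   requisite  - a failure ends the stack immediately with failure
#   sufficient - a success ends the stack with success, unless a required
#                line already failed; a failure is simply ignored
#   optional   - result ignored (it only matters when it is the sole line)
pam_stack() {
    printf '%s\n' "$1" |
    awk -v i="$2" '$1 !~ /^#/ && $1 == i { print $2, $3 }' |
    {
        failed=0
        while read -r flag module; do
            if run_module "$module" "$3" "$4"; then ok=1; else ok=0; fi
            case $flag in
                required)   [ "$ok" -eq 1 ] || failed=1 ;;
                requisite)  [ "$ok" -eq 1 ] || { echo fail; exit 0; } ;;
                sufficient) if [ "$ok" -eq 1 ] && [ "$failed" -eq 0 ]; then
                                echo success; exit 0
                            fi ;;
            esac
        done
        if [ "$failed" -eq 0 ]; then echo success; else echo fail; fi
    }
}
```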



New PAM modules can be created or added at any time for use by PAM-aware
applications. Documentation on writing modules is included in the
/usr/share/doc/pam-version# directory.

We will not be developing any PAM modules or doing any lab exercise on PAM in
this training.

6 Lab Summary
In this lab, you learned how to create/modify/delete users and groups on Oracle
Linux 6 systems. You learned how to do user and group administration using both
the User Manager GUI Tool and command line utilities. You also learned about
password aging configuration. We introduced you to NIS and LDAP Authentication
mechanisms and learned about the Authentication Configuration Tool and the
command line authconfig tool. We ended this lab with a short discussion about
Pluggable Authentication Modules (PAM).

7 References
For more information and next steps, please consult additional resources: Click the
hyperlinks to access the resource.
Deployment Guide Chapter 3 (Users and Groups Administration)
Deployment Guide Chapter 10 (Configuring Authentication)
PAM Documentation
