1 Introduction
Participants will gain example-led awareness and understanding of Linux user and
group administration tasks.
With a few basic exercises we will introduce the learner to some ways to create and
administer Linux users and groups in Oracle Linux 6. We will also introduce LDAP
and NIS authentication options and discuss Pluggable Authentication Modules (PAM).
Upon completion of this lab, participants will have learned how to do user and group
administration on Oracle Linux 6.
2 Overview
In this lab we'll be practicing user and group administration on Oracle Linux 6.
We'll briefly review some of the advanced concepts like LDAP and NIS
authentication and PAM configuration.
Some of the commands and concepts we'll review are listed below.
This practice can be accomplished with a single VirtualBox Oracle Linux 6.3
instance. You must have a working instance of Oracle Linux 6.3 running in your
VirtualBox environment to perform this lab.
OL 6 - Lab 04
Page 2 of 59
A current 64 bit laptop with at least 2GB RAM and 20GB free disk space
Operating system: A 64-bit version of Microsoft Windows, Mac OS X, Linux
or Solaris. Alternatively, a 32-bit host OS installed on a 64-bit CPU with VTx/AMD-V enabled in the BIOS.
Oracle VirtualBox Software 4.2.6 or later (4.2 with Extension Pack installed)
Oracle Linux 6.3 instance running inside VirtualBox:
o VM Image Provided by instructor or downloaded on your own
o Installed in Lab 1 of Oracle Linux 6 Boot camp
The following assumptions have been made regarding the environment where this
lab is being performed:
1. Network connectivity to the Internet is available
2. Your Oracle Linux 6.3 VirtualBox instance has been installed and you've
assigned a normal user/password and a root user password.
a. The recommended user name is student1
b. The recommended password is oracle
c. The recommended root password is oracle
Alternatively, you can start this application by selecting System->Administration->Users
and Groups from the Desktop menu panel. The screenshot below shows how to start the
User Manager Tool from the Desktop panel.
Note that if you run the application as a regular Linux user, the application will
prompt you to authenticate as root user.
Once the User Manager Tool has launched, you should see the following GUI
window. You should be able to see student1 user listed under the Users tab. This
is the user that was created during installation of Oracle Linux 6 along with the
root user.
By default, the Users and Groups listed in the User Manager Application do not
include the system users and groups. If you want to see the system users and
groups, you can click Edit->Preferences and then uncheck the Hide system users
and groups option.
Create a new user by clicking the Add User button in the User Manager Tool. In the
Add New User window, create a user with username as student2 as shown in the
screenshot below. Notice, you can define the login shell for the user in this window.
We will use the default bash shell for this student2 user from the choice list.
In the lower section of the Add New User window, you can decide whether you
want to create a home directory for the user and also the location of the home
directory. Oracle Linux 6 uses a User Private Group (UPG) scheme by default: whenever
a new user is added, a group with the same name as the user is created, and that user
is its only member. Because nobody else is in that group, the default umask can safely
be 002 (group-writable) instead of 022: files the user creates are writable by the user
and by the user's private group, and sharing with other people is arranged by adding
them to a common group and setting the setgid bit on the shared directory. This makes
Linux groups easier to use and manage.
Notice, you can also specify the Group ID (GID) and User ID (UID) manually by
entering a value. By default Oracle Linux and RHEL reserve UIDs and GIDs below
500 for system users and groups. We will assign /home/student2 as the home
directory for student2 user and let the system pick the UID and GID values. Click
the OK button to create the user.
Once the user student2 has been created, you should see it listed under the Users
tab of the application window. Select the student2 user and click the Properties
button to open the User Properties window.
Notice that under Account Info, you can enable account expiration and also lock the
password. Do not make any changes, just review the tabs and get familiarized.
And under the Groups tab, you will notice that by default student2 is a member of
the student2 group. This is as per the UPG scheme. Click Cancel to close this
window.
Now that we have created student2, let us look at the file changes that occur
when you create a user on Linux. When you created student2, an entry for that user
was added to the /etc/passwd, /etc/shadow and /etc/group files on the system.
Examine the entry for student2 in the /etc/passwd file and the /etc/group file.
You can use the cat /etc/passwd | grep -i student2 command or, more simply,
grep -i student2 /etc/passwd.
[root@examplehost /]# cat /etc/passwd | grep -i student2
student2:x:502:502:student2 user2:/home/student2:/bin/bash
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep -i student2
student2:x:502:
[root@examplehost /]#
The /etc/shadow file holds the shadow passwords: each user's password hash is stored
here rather than in the world-readable /etc/passwd, and /etc/shadow itself is readable
only by root. Each entry also carries the password aging fields (last change, minimum
and maximum age, warning period, inactivity period and account expiry date). For a new
account these are filled in from the defaults in /etc/login.defs (PASS_MAX_DAYS,
PASS_MIN_DAYS, PASS_WARN_AGE) and /etc/default/useradd (INACTIVE, EXPIRE).
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
[root@examplehost /]#
The $6$ prefix shows the hash is SHA-512 crypt. 15756 is the date of the last password
change in days since 1970-01-01 (20 Feb 2013); 0 and 99999 are the minimum and maximum
password age in days and 7 the warning period. The three empty trailing fields are the
inactivity period, the account expiry date and a reserved field.
Log out of the Desktop GUI and log back in as student2 user to confirm that the
user that we created can login properly.
After logging in as student2 user, open a terminal window and see that a home
directory /home/student2 was created for this user. It already has a predefined
directory structure that you can check using the ls command.
[student2@examplehost ~]$ pwd
/home/student2
[student2@examplehost ~]$ ls -l
total 32
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Desktop
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Documents
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Downloads
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Music
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Pictures
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Public
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Templates
drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Videos
[student2@examplehost ~]$
You may verify the directory is usable by the student2 user by creating a file using
the touch command in this directory.
[student2@examplehost ~]$ pwd
/home/student2
[student2@examplehost ~]$ touch student2file2
[student2@examplehost ~]$ ls -l student2file2
-rw-rw-r--. 1 student2 student2 0 Feb 20 14:17 student2file2
[student2@examplehost ~]$
The id command prints the user and group information for the specified user. Read
the man page of the id command, then run id with the options shown below. The id
output tells you that student2 has a UID of 502 and a GID of 502 and belongs to only
one group, student2. With the -g option, id prints only the effective group ID; -gn
prints the name of the effective group; -G prints all group IDs of the user, and -Gn
the corresponding group names.
Log out from the system as student2 user and log back in as root user. We will
now look at the User Manager Tool for the Groups administration. As root user, start
the User Manager Tool and click on the Groups tab. Notice the groups that are there
on this system. Select the student2 group and then click the Properties button.
We will now create a new group. Click the Add Group button to create a new group.
In the Add New Group window, create a new students group as shown below.
Specify the GID to be 550 and click the OK button.
You should now see the students group. Select the students group and click the
Properties button.
In the Group Properties window, select the student2 user to add this user to the
group and then click the OK button.
Under the Groups tab of the User Properties window, you will now see that
student2 is a member of two groups. Click the Cancel button to close the window.
You can also run the id command again as the student2 user and see the results.
The -G option of id now lists the two group IDs that student2 belongs to (and -Gn
the two group names, student2 and students).
This concludes the simple lab of creating users and groups using the User Manager
GUI Tool.
Examine the /etc/default/useradd file on your system using the cat command.
[root@examplehost /]# cat /etc/default/useradd
# useradd defaults file
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
[root@examplehost /]#
Create a file called Readme.txt in the /etc/skel directory using an editor (e.g. vi).
[root@examplehost /]# vi /etc/skel/Readme.txt
Enter some text into Readme.txt, then save and quit the editor. Later in this lab we
will create a Linux user student3; when that user is created, its home directory will
contain this Readme.txt file automatically, because the contents of /etc/skel are
copied into a new user's home directory upon creation (SKEL=/etc/skel in
/etc/default/useradd).
[root@examplehost /]# cat /etc/skel/Readme.txt
Read this file first.
[root@examplehost /]#
The /etc/login.defs file defines the configuration for the shadow password suite. It
is a plain text file describing the configuration parameters for shadow passwords:
password aging defaults, whether a user's group is removed when its last member is
deleted, the hashing method for passwords, and so on. Read the login.defs man page to
understand the various parameters. Sample output of this file is shown below.
[root@examplehost /]# more /etc/login.defs
This file also defines the min/max values for automatic GID selection by the
groupadd command (UID_MIN and UID_MAX do the same for useradd).
[root@examplehost /]# cat /etc/login.defs | grep GID
GID_MIN                   500
GID_MAX                 60000
[root@examplehost /]#
Command        Purpose
useradd        Add users
usermod        Modify users
userdel        Delete users
users          List the users currently logged in
sudo           Run a command as another user (root by default)
groupadd       Add groups
groupmod       Modify groups
groupdel       Delete groups
groups         List the groups a user belongs to
gpasswd        Administer /etc/group and /etc/gshadow (group membership, group administrators, group passwords)
pwck, grpck    Verify the integrity of the password and group files
We will now create a user with username student3 using the useradd command
line utility. The -c option in the command below provides the GECOS
information (full name etc.). This command creates the student3 user using the
default settings specified in the /etc/default/useradd file.
[root@examplehost /]# useradd -c "student3 user3" student3
[root@examplehost /]#
Once the student3 user has been created on the system, you can check the entries
added in the /etc/passwd and the /etc/group files for this user. See example
screenshot below.
You can also switch to student3 using the su - student3 command. After logging in,
you will find that a Readme.txt file was created for this user: this is the file we
created in the /etc/skel directory earlier in the lab.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ whoami
student3
[student3@examplehost ~]$
If you want, you can set the password for this student3 user using the passwd
command as shown below. In the example below, we run the passwd command as
root user to set the password of student3 user to oracle.
[root@examplehost /]# passwd student3
Changing password for user student3.
New password:
Retype new password:
passwd: all authentication tokens updated successfully.
[root@examplehost /]#
You can also check the entry created for this student3 user in the /etc/shadow
file.
[root@examplehost /]# cat /etc/shadow | grep student3
student3:$6$tlj4yP0T$09INZnAkSqNuf4c/dCE0KSWEq3NbWQbwdV6Aa5gB3pW/vK1l8.7wSVcAVcRbUBGZjhKl2Ok/dP/ojg7tGsc.a/:15756:0:99999:7:::
Looking at the /etc/passwd file, we see that student3 has /bin/bash as the
default shell. The default shell is specified in the /etc/default/useradd file.
[root@examplehost /]# cat /etc/passwd | grep -i student3
student3:x:503:503:student3 user3:/home/student3:/bin/bash
[root@examplehost /]#
If you want to create a Linux user but prevent that user from logging in to the
system, set the user's shell to /sbin/nologin. For example, to create a user named
reports_user, run the following command:
[root@examplehost ~]# useradd -s /sbin/nologin reports_user
Now if you try to log in as reports_user, the shell prints "This account is
currently not available." and exits: the account exists, but the shell it has been
given refuses to start a session. Note that /sbin/nologin only blocks shell logins;
it does not lock the password (use passwd -l or usermod -L for that), and a service
that authenticates the account without spawning a shell may still accept it.
[root@examplehost ~]# su - reports_user
This account is currently not available.
[root@examplehost ~]#
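As an added example (not part of the lab), the following bash script audits an /etc/passwd-format file for accounts that can obtain a shell. It works on constructed /etc/passwd and /etc/shells samples written to temporary files; on a real system you would pass /etc/passwd and /etc/shells instead. The UID threshold of 500 is the Oracle Linux 6 UID_MIN; the account names other than those used in this lab are invented for the sample.

```bash
#!/bin/bash
# Added example, not part of the lab: list the accounts in an /etc/passwd-format
# file that receive an interactive shell, flag system accounts (UID below
# UID_MIN, 500 on Oracle Linux 6) that have one, and flag shells missing from
# /etc/shells. Both input files are constructed here so this runs as any user.

PASSWD=$(mktemp); SHELLS=$(mktemp)
trap 'rm -f "$PASSWD" "$SHELLS"' EXIT
cat > "$SHELLS" <<'EOF'
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
EOF
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
backup:x:48:48:backup job:/var/backup:/bin/bash
student2:x:502:502:student2 user2:/home/student2:/bin/bash
student3:x:503:503:student3 user3:/home/student3:/bin/csh
reports_user:x:504:504::/home/reports_user:/sbin/nologin
oldapp:x:505:505::/opt/oldapp:/usr/local/bin/zsh
EOF

# /sbin/nologin and /bin/false never give a session. An empty shell field is
# NOT safe: login(1) falls back to /bin/sh.
is_nologin() {
    case "$1" in /sbin/nologin|/bin/false) return 0 ;; *) return 1 ;; esac
}

# Accounts that can get a shell; system accounts (0 < UID < UID_MIN) are tagged.
interactive_accounts() {
    local passwd=$1 uid_min=${2:-500} name uid shell junk
    while IFS=: read -r name junk uid junk junk junk shell; do
        is_nologin "$shell" && continue
        if [ "$uid" -ne 0 ] && [ "$uid" -lt "$uid_min" ]; then
            echo "$name uid=$uid shell=$shell SYSTEM-ACCOUNT-WITH-SHELL"
        else
            echo "$name uid=$uid shell=$shell"
        fi
    done < "$passwd"
}

# Accounts whose login shell is not listed in /etc/shells. chsh refuses such
# shells and some daemons deny those accounts, so they are usually mistakes.
unlisted_shells() {
    local passwd=$1 shells=$2 name shell junk
    while IFS=: read -r name junk junk junk junk junk shell; do
        is_nologin "$shell" && continue
        grep -qxF -- "$shell" "$shells" || echo "$name shell=$shell not in $shells"
    done < "$passwd"
}

interactive_accounts "$PASSWD"
unlisted_shells "$PASSWD" "$SHELLS"
```

On the sample, backup is reported as a system account with a shell and oldapp as using a shell that is not in /etc/shells; reports_user does not appear at all because /sbin/nologin is treated as no shell.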
We will now look at the usermod command which can be used to modify an
existing Linux user. Simply typing the usermod command will list out the options
available for this command.
[root@examplehost ~]# usermod
Usage: usermod [options] LOGIN

Options:
  -c, --comment COMMENT         new value of the GECOS field
  -d, --home HOME_DIR           new home directory for the user account
  -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
  -f, --inactive INACTIVE       set password inactive after expiration to INACTIVE
  -g, --gid GROUP               force use GROUP as new primary group
  -G, --groups GROUPS           new list of supplementary GROUPS
  -a, --append                  append the user to the supplemental GROUPS
                                mentioned by the -G option without removing
                                him/her from other groups
  -h, --help                    display this help message
  .....
  .....
The list of shells available on the system is specified in the /etc/shells file. Examine
the /etc/shells file on your Oracle Linux 6 system.
[root@examplehost /]# cat /etc/shells
/bin/sh
/bin/bash
/sbin/nologin
/bin/tcsh
/bin/csh
[root@examplehost /]#
You can verify that the shell has been changed to /bin/csh both by checking the
/etc/passwd file and by logging in as student3: the ps output shows csh as the
login shell.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ ps
  PID TTY          TIME CMD
 7243 pts/4    00:00:00 csh
 7258 pts/4    00:00:00 ps
[student3@examplehost ~]$
The next command we will look at is the groupadd command to create groups on
the system. Again, simply typing the groupadd command will show the options
available for this command.
Let us check the group information for student3 using the id command as shown
below. Notice that the student3 user belongs to one group called student3 with a
GID of 503.
[root@examplehost /]# su - student3
[student3@examplehost ~]$
[student3@examplehost ~]$ id -Gn
student3
[student3@examplehost ~]$ id -G
503
[student3@examplehost ~]$
As root user, run the groupadd command to create a new support group.
Verify that the new group support has been created by examining the /etc/group
file. Also, note the GID of the support group. In the example below, the GID is 551.
[root@examplehost /]# cat /etc/group | grep support
support:x:551:
[root@examplehost /]#
Modify the student3 group membership. We will make student3 a member of this
new support group. Run the usermod command to append (-a) and add support
group (-G) as shown below.
[root@examplehost /]# usermod -a -G support student3
[root@examplehost /]#
The groupmod command can be used to modify a group. Typing the groupmod
command will list out the options available for this command.
[root@examplehost /]# groupmod
Usage: groupmod [options] GROUP

Options:
  -g, --gid GID
  -h, --help
  ..
  ..
Use the groupmod command to change the group name. Running groupmod with the -n
option, as shown below, renames the group from support to staff. You can check the
/etc/group file to confirm that the name has been changed. Note that the GID stays
the same, and so does the membership: student3 is still listed.
[root@examplehost /]# groupmod -n staff support
[root@examplehost /]#
[root@examplehost /]# cat /etc/group | grep staff
staff:x:551:student3
[root@examplehost /]#
We will now remove the student3 user from the system and also make sure the
home directory of this user is removed. Run the userdel command with the -r
option as shown below to delete the student3 user. You can verify by examining the
/etc/passwd file and the /home directory that the user has been deleted.
[root@examplehost /]# userdel -r student3
[root@examplehost /]#
[root@examplehost /]# cat /etc/passwd | grep student3
[root@examplehost /]#
[root@examplehost /]# ls /home/
student1 student2
[root@examplehost /]#
groupadd development
mkdir /home/development
chown -R root:development /home/development
gpasswd -a john development
gpasswd -a jack development
chmod 2775 /home/development
Once you run the above commands (assuming the users john and jack already exist),
files created by john or jack in /home/development will be owned by the development
group rather than by the creator's private group. The leading 2 in the chmod mode sets
the setgid bit on the directory, which makes everything created inside it inherit the
directory's group; sub-directories created there also get the setgid bit, so the
behaviour propagates. Whether the group may also write those files is decided by the
creator's umask (the UPG default of 002 makes new files group-writable), not by the
setgid bit.
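The following bash script is an added example, not part of the lab: it wraps the recipe above in a function (root is required for the groupadd, chown and gpasswd steps) and adds three checks that run as any user. The demo at the bottom uses a temporary directory in place of /home/development and shows that the setgid bit controls the group of new files while umask controls the group-write bit. GNU stat and mktemp are assumed.

```bash
#!/bin/bash
# Added example, not part of the lab: a reusable version of the shared-directory
# recipe plus checks that need no root. Group, directory and member names are
# whatever you pass in; the demo below uses a temporary directory.

# Root-only: create the group and directory and add members (idempotent).
setup_shared_dir() {
    local group=$1 dir=$2 member
    shift 2
    getent group "$group" >/dev/null || groupadd "$group"
    mkdir -p "$dir"
    chown root:"$group" "$dir"
    chmod 2775 "$dir"              # rwxrwsr-x: the leading 2 is the setgid bit
    for member in "$@"; do gpasswd -a "$member" "$group"; done
}

# True when the octal mode (stat %a, e.g. 2775) has the setgid bit (value 2) set.
has_setgid() {
    case "$(stat -c %a "$1")" in
        2???|3???|6???|7???) return 0 ;;
        *) return 1 ;;
    esac
}

# True when a file created inside DIR comes out owned by DIR's group.
group_inherits() {
    local f
    f=$(mktemp "$1/probe.XXXXXX") || return 1
    [ "$(stat -c %g "$f")" = "$(stat -c %g "$1")" ]
}

# True when the group-write bit is set (6th character of e.g. "-rw-rw-r--").
group_writable() {
    [ "$(stat -c %A "$1" | cut -c6)" = w ]
}

# Demo: setgid gives the group; umask decides whether the group may write.
demo=$(mktemp -d)
trap 'rm -rf "$demo"' EXIT
mkdir "$demo/development" && chmod 2775 "$demo/development"
has_setgid "$demo/development" && echo "setgid is set on $demo/development"
( umask 002; touch "$demo/development/by-umask-002" )   # -rw-rw-r--
( umask 022; touch "$demo/development/by-umask-022" )   # -rw-r--r--
ls -l "$demo/development"
```

Run as root, setup_shared_dir development /home/development john jack reproduces the lab's six commands; the three check functions can be run by anyone who can stat the directory, which makes them suitable for a post-change verification step.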
Examine the /etc/shadow file and look at the entry for any one user. In the
example below, we look at the student2 user. The fields after the hash are the
password aging parameters.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
[root@examplehost /]#
You can read the password aging parameters with the chage -l command as shown
below. This listing is easier to understand than the raw entry in /etc/shadow, but
/etc/shadow is where the values are actually stored and updated.
Let us change the minimum password age to 10, maximum password age to 30, and
the password expiration warning to 10 days. This can be done using the chage
command as shown below.
[root@examplehost /]# chage student2
Changing the aging information for student2
Enter the new value, or press ENTER for the default
Minimum Password Age [0]: 10
Maximum Password Age [99999]: 30
Last Password Change (YYYY-MM-DD) [2013-02-20]:
Password Expiration Warning [7]: 10
Password Inactive [-1]:
Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
[root@examplehost /]#
You can verify with the -l option that the password aging parameters have been
changed, as shown below.
[root@examplehost /]# chage -l student2
Last password change                                    : Feb 20, 2013
Password expires                                        : Mar 22, 2013
Password inactive                                       : never
Account expires                                         : never
Minimum number of days between password change          : 10
Maximum number of days between password change          : 30
Number of days of warning before password expires       : 10
[root@examplehost /]#
Also, observe the /etc/shadow file password aging related fields have been
updated.
[root@examplehost /]# cat /etc/shadow | grep student2
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:10:30:10:::
[root@examplehost /]#
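The shadow entries shown in this lab and the aging fields just changed can be checked mechanically. The bash script below is an added example, not part of the lab: it classifies the hash prefix, converts the day counts to dates and reports empty, weak or never-expiring passwords. It reads a constructed sample file (the student2 line is the one from this lab; the other accounts and their hashes are made up) so it runs without root; GNU date is assumed for the day-to-date conversion.

```bash
#!/bin/bash
# Added example, not part of the lab: read /etc/shadow-format entries and
# report what a reviewer looks for. It runs against a constructed sample file,
# so no root access (or real /etc/shadow) is needed.
# Field layout: name:hash:lastchg:min:max:warn:inactive:expire:reserved

# Classify the hash field by its "$id$" prefix.
hash_algo() {
    case "$1" in
        '')         echo empty ;;     # no password at all: anyone can log in
        '!'*|'*'*)  echo locked ;;    # locked by passwd -l / usermod -L, or never set
        '$6$'*)     echo sha512 ;;
        '$5$'*)     echo sha256 ;;
        '$1$'*)     echo md5 ;;
        *)          echo other ;;     # legacy DES crypt(3) or unknown
    esac
}

# Convert a "days since 1970-01-01" field (lastchg, expire) to a date (GNU date).
shadow_date() {
    date -u -d "@$(( $1 * 86400 ))" +%Y-%m-%d
}

# One line per finding: empty hash, MD5/DES hash, or a usable password whose
# maximum age is unset or 99999 (the useradd default, i.e. never expires).
audit_shadow() {
    local file=$1 name hash lastchg min max warn inactive expire reserved algo
    while IFS=: read -r name hash lastchg min max warn inactive expire reserved; do
        [ -n "$name" ] || continue
        algo=$(hash_algo "$hash")
        case "$algo" in
            empty)      echo "$name: empty password field" ;;
            md5|other)  echo "$name: weak hash ($algo)" ;;
        esac
        if [ "$algo" != locked ] && [ "$algo" != empty ] &&
           { [ -z "$max" ] || [ "$max" -ge 99999 ]; }; then
            echo "$name: password never expires (max=${max:-unset}, last change $(shadow_date "$lastchg"))"
        fi
    done < "$file"
}

# Constructed sample; only the student2 line is real (taken from this lab).
SAMPLE=$(mktemp)
trap 'rm -f "$SAMPLE"' EXIT
cat > "$SAMPLE" <<'EOF'
root:$6$saltsalt$notarealhash000000000000000000000000000000000000000000000000000000000000000000:15756:0:99999:7:::
student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:10:30:10:::
legacy:$1$abcdefgh$notarealmd5hash0000000:15756:0:99999:7:::
guest::15756:0:99999:7:::
reports_user:!!:15756:0:99999:7:::
EOF

audit_shadow "$SAMPLE"
```

On a real host run audit_shadow /etc/shadow as root. In the sample, student2 (SHA-512, 30-day maximum age) and the locked reports_user produce no findings; root and legacy are reported for never-expiring passwords, legacy additionally for its MD5 hash, and guest for an empty password field.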
To force a user to change his/her password immediately upon the next login, run
the chage command with the -d option and a value of 0, which sets the last password
change date to the epoch so the password counts as expired.
[root@examplehost /]# chage -d 0 student2
Log out as the root user and use the switch user option to log back in as the
student2 user. When you enter the password for the student2 user, you will be
prompted to enter the current password.
After entering the current password, you will be prompted to enter a new password
because we used the chage command with d and specified 0 to force a password
change.
Alternatively, you can run the Authentication Configuration Tool from the command
line by using system-config-authentication command as shown below.
The Authentication Configuration Tool will launch the GUI application. There are
two tabs in this application window:
The Identity & Authentication tab helps configure the resource used as the identity
store. You can define how users should be authenticated. Under the User Account
Configuration section, you can select the User Account Database to be used for
authentication. The choices available are:
On the NIS server side, you will need to install the ypserv package and then
configure the server. That involves several things like NIS Domain,
/etc/ypserv.conf configuration, NIS maps etc. Refer to the Linux documentation for
complete details.
For the authconfig command, you can use either the --update or the --test option;
one of them is required for the command to run. --update writes the configuration
changes, while --test prints the resulting configuration to stdout without applying
anything, which makes it the safe way to review what a change would do first.
Example: to print the password hashing algorithm currently in effect, run authconfig
with the --test option as shown below.
To update the hash/crypt algorithm for new passwords, use the authconfig command
with the --passalgo option. Existing hashes are not rewritten; a user's entry changes
the next time that user's password is set. Oracle Linux 6 installs with sha512 by
default, so choose sha256 only if an interoperability requirement calls for it.
# authconfig --passalgo=sha256 --update
You can also enable and configure LDAP from the command line using the authconfig
command. To use an LDAP identity store, use the --enableldap option. To use LDAP as
the authentication source, use the --enableldapauth option and then provide
information such as the LDAP server URI and the base DN for the user suffix. For
example:
# authconfig --enableldap --enableldapauth --ldapserver=ldap://host:port --ldapbasedn="base dn" --update
Similarly, NIS configuration can be done using the authconfig command. The syntax
is as follows:
# authconfig --enablenis --nisdomain <nisdomainname> --nisserver <host> --update
For example, in the following line, the module_interface is auth, the control_flag is
required and the module name is pam_unix.so:
auth       required     pam_unix.so
Take a look at the /etc/pam.d/xserver PAM configuration file. In this file, each line
starts with the module_interface name, next is the control_flag, third field is the
module name and the last field (optional) is the arguments for the module.
[root@examplehost pam.d]# pwd
/etc/pam.d
[root@examplehost pam.d]# cat xserver
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    required     pam_permit.so
session    optional     pam_keyinit.so force revoke
[root@examplehost pam.d]#
In the above example, the first line uses the pam_rootok.so module to check
whether the current user is root by verifying that its UID is 0. Because the control
flag is sufficient, success of that module satisfies the auth interface on its own and
the remaining auth lines are skipped; if it fails, the failure is not fatal and PAM
moves on to the next auth line, pam_console.so, whose required flag means it must
succeed for authentication to pass. The account and session interfaces are evaluated
separately with the same rules. This is how the configuration files drive the PAM
authentication mechanism.
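As an added example (not part of the lab), the bash script below splits a pam.d file into the four fields described above and flags two things a reviewer would question: pam_permit.so in an auth stack, and the nullok argument to pam_unix.so. The input is a constructed copy of the xserver file above with one extra, clearly marked pam_unix.so line added so the lint has something to find; on a real system you would pass a file under /etc/pam.d.

```bash
#!/bin/bash
# Added example, not part of the lab: split a pam.d service file into its four
# fields (interface, control flag, module, arguments) and flag two settings that
# deserve a second look. The input file is constructed here: the xserver stack
# shown in the lab plus one extra pam_unix.so line added for illustration.

PAMFILE=$(mktemp)
trap 'rm -f "$PAMFILE"' EXIT
cat > "$PAMFILE" <<'EOF'
#%PAM-1.0
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
# constructed line, not in the real xserver file:
auth       sufficient   pam_unix.so nullok try_first_pass
account    required     pam_permit.so
session    optional     pam_keyinit.so force revoke
EOF

# Print "interface|control|module|args" per rule, skipping blanks and comments.
# Fields are whitespace separated; args (field 4 onward) may be empty.
pam_parse() {
    awk 'NF > 0 && substr($1, 1, 1) != "#" {
        args = ""
        for (i = 4; i <= NF; i++) args = args (i > 4 ? " " : "") $i
        printf "%s|%s|%s|%s\n", $1, $2, $3, args
    }' "$1"
}

# Warn on pam_permit.so in the auth stack (it authenticates everyone; in the
# account stack, as xserver uses it, it only waives account restrictions) and on
# nullok (pam_unix accepts an empty password). Exit status 1 if anything was flagged.
pam_lint() {
    pam_parse "$1" | awk -F'|' '
        $1 == "auth" && $3 == "pam_permit.so" {
            print "WARN auth stack uses pam_permit.so"; found = 1 }
        (" " $4 " ") ~ / nullok / {
            print "WARN " $3 " accepts empty passwords (nullok) in " $1; found = 1 }
        END { exit found }'
}

pam_parse "$PAMFILE"
pam_lint "$PAMFILE" || echo "pam_lint: findings above"
```

The lint deliberately distinguishes interfaces: pam_permit.so in the account stack of xserver is ordinary, while the same module in an auth stack would let anyone authenticate. To lint a live system, loop over /etc/pam.d/* as root and fail the run when pam_lint returns non-zero.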
We will not be developing any PAM modules or doing any lab exercise on PAM in
this training.
6 Lab Summary
In this lab, you learned how to create/modify/delete users and groups on Oracle
Linux 6 systems. You learned how to do user and group administration using both
the User Manager GUI Tool and command line utilities. You also learned about
password aging configuration. We introduced you to NIS and LDAP Authentication
mechanisms and learned about the Authentication Configuration Tool and the
command line authconfig tool. We ended this lab with a short discussion about
Pluggable Authentication Modules (PAM).
7 References
For more information and next steps, please consult additional resources: Click the
hyperlinks to access the resource.
Deployment Guide Chapter 3 (Users and Groups Administration)
Deployment Guide Chapter 10 (Configuring Authentication)
PAM Documentation