lab4 oracle linux 6 user group administration


  • 8/9/2019 Lab4 Oracle Linux 6 User Group Administration

    1/59

    Oracle Linux 6 Boot Camp

    Oracle Linux 6 Lab Exercise

    Safe Harbor Statement

    The following is intended to outline our general product direction. It is intended for

    information purposes only, and may not be incorporated into any contract. It is not a

    commitment to deliver any material, code, or functionality, and should not be relied

    upon in making purchasing decisions.

    The development, release, and timing of any features or functionality described for

    Oracle's products remains at the sole discretion of Oracle.

    Oracle Training Materials Usage Agreement

    Use of this Site (Site) or Materials constitutes agreement with the following terms and conditions:

    1. Oracle Corporation (Oracle) is pleased to allow its business partner (Partner)

    to download and copy the information, documents, and the online training courses

    (collectively, Materials") found on this Site. The use of the Materials is restricted to

    the non-commercial, internal training of the Partner's employees only. The Materials may not be used for training, promotion, or sales to customers or other

    partners or third parties.

    2. All the Materials are trademarks of Oracle and are proprietary information of

    Oracle. Partner or other third party at no time has any right to resell, redistribute or

    create derivative works from the Materials.

    3. Oracle disclaims any warranties or representations as to the accuracy or

    completeness of any Materials. Materials are provided "as is" without warranty of

    any kind, either express or implied, including without limitation warranties of

    merchantability, fitness for a particular purpose, and non-infringement.

    4. Under no circumstances shall Oracle or the Oracle Authorized Delivery Partner be

    liable for any loss, damage, liability or expense incurred or suffered which is claimed

    to have resulted from use of this Site or Materials. As a condition of use of the Materials, Partner agrees to indemnify Oracle from and against any and all actions,

    claims, losses, damages, liabilities and expenses (including reasonable attorneys'

    fees) arising out of Partner's use of the Materials.

    5. Reference materials including but not limited to those identified in the Boot Camp

    manifest cannot be redistributed in any format without Oracle written consent.


    OL 6 Users & Groups Admin Lab 4

    For Oracle employees and authorized partners only. Do not distribute to third parties. 2013 Oracle Corporation

    Page 2 OL 6 - Lab 04

    Oracle Linux Users and Groups Administration
    V1.0 January 2013

    1 Introduction

    Participants will gain example-led awareness and understanding of the Linux Users

    and Groups Administrative tasks.

    With a few basic exercises we will introduce the learner to some ways to perform

    Linux Users and Groups creation and administration in Oracle Linux 6. We will also

    introduce you to LDAP and NIS authentication options and discuss Pluggable

    Authentication Modules (PAM). Upon completion of this lab, participants will have

    learned how to do Users and Groups Administration on Oracle Linux 6.

    2 Overview

    In this lab we'll be practicing User and Group Administration on Oracle Linux 6.

    We'll briefly review some of the advanced concepts like LDAP and NIS authentication and PAM configuration.

    Some of the commands and concepts we'll review are listed below.

    Creating Users and Groups using User Manager GUI Tool

    Users and Groups Administration using Command-Line Utilities

    Configure Password Aging

    Describe LDAP and NIS authentication options (no lab)

    Introduction to Pluggable Authentication Modules (PAM) (no lab)

    This practice can be accomplished with a single VirtualBox Oracle Linux 6.3

    instance. You must have a working instance of Oracle Linux 6.3 running in your

    VirtualBox environment to perform this lab.

  • 8/9/2019 Lab4 Oracle Linux 6 User Group Administration

    3/59

    OL 6 Users & Groups Admin Lab 4

    For Oracle employees and authorized partners only. Do

    not distribute to third parties. 2013 Oracle Corporation

    Page 3OL 6 - Lab 04

    3 Pre-requisites

    This lab requires the use of the following elements:

    A current 64 bit laptop with at least 2GB RAM and 20GB free disk space

    Operating system: A 64-bit version of Microsoft Windows, Mac OS X, Linux or Solaris. Alternatively, a 32-bit host OS installed on a 64-bit CPU with VT-x/AMD-V enabled in the BIOS.

    Oracle VirtualBox Software 4.2.6 or later (4.2 with Extension Pack installed)

    Oracle Linux 6.3 instance running inside VirtualBox:

    o VM image provided by the instructor or downloaded on your own

    o Installed in Lab 1 of the Oracle Linux 6 Boot Camp

    The following assumptions have been made regarding the environment where this

    lab is being performed:

    1. Network connectivity to the Internet is available

    2. Your Oracle Linux 6.3 VirtualBox instance has been installed and you've assigned a normal user/password and a root user password.

       a. The recommended user name is student1

       b. The recommended password is oracle

       c. The recommended root password is oracle

    4 VirtualBox lab setup

    If you already have an instance of Oracle Linux 6.3 installed in VirtualBox or have already imported the Oracle Linux 6.3 image, you can skip this section and proceed

    to the Labs in Section 5. If you need to import the Oracle Linux 6.3 appliance (image

    in ova file provided for this training) then complete the steps in this section before

    you start with the Labs.

    1 - In the VirtualBox main window choose File > Import Appliance.


    2 - From the Appliance Import Wizard click the Open appliance... button and navigate to the Oracle_Linux_6_Bootcamp.ova file, which is the pre-built Oracle Linux 6.3 VM image you downloaded or obtained from the instructor.

    3 - Navigate to the folder where you downloaded or copied the Oracle Linux 6.3 prebuilt image and click Open. The file is named Oracle_Linux_6_Bootcamp.ova.


    4 - Choose Next on the Appliance to import screen.

    5 - Confirm the default settings and choose Import to begin importing the virtual image. If you see a License Agreement window, read and accept the license.

    6 - The progress bar will show the import progress. It usually looks slow in the beginning, but this shouldn't take more than a few minutes.


    7 - Your new image has been imported and is ready for use. Select the Oracle Linux 6 Bootcamp image.

    8 - After your image has finished importing, select it in the VirtualBox application, choose Settings and review the settings. Once you have reviewed the settings, you can select the image and click the Start button to boot Oracle Linux 6. After booting, log in as the root user and activate your network connection to start using the image.

    The following video demonstrates how to import an appliance:

    Importing Oracle Linux VM Appliance Video

    http://www.youtube.com/watch?v=nrH6ZBYfSc0&feature=player_embedded


    5 Lab Exercises

    5.1 Creating Users and Groups using User Manager GUI Tool

    In this lab, we will learn how to create Users and Groups in Oracle Linux 6 using the

    User Manager Tool. The User Manager GUI tool is a simple application that allows

    you to view, modify, add, and delete local users and groups.

    To start the User Manager tool from the command line, use the system-config-users command:

    [root@examplehost /]# system-config-users

    Alternatively, you can start this application by selecting the System > Administration > Users and Groups option from the Desktop menu panel. The screenshot below shows how to start the User Manager Tool using the Desktop panel.


    Note that if you run the application as a regular Linux user, the application will prompt you to authenticate as the root user.

    Once the User Manager Tool has launched, you should see the following GUI window. You should be able to see the student1 user listed under the Users tab. This is the user that was created during installation of Oracle Linux 6, along with the root user.


    By default, the users and groups listed in the User Manager application do not include the system users and groups. If you want to see the system users and groups, click Edit > Preferences and then uncheck the Hide system users and groups option.

    Create a new user by clicking the Add User button in the User Manager Tool. In the Add New User window, create a user with the username student2 as shown in the screenshot below. Notice that you can define the login shell for the user in this window. We will use the default bash shell for the student2 user from the choice list.


    In the lower section of the Add New User window, you can decide whether you want to create a home directory for the user and also the location of the home directory. Oracle Linux 6 uses a User Private Group (UPG) scheme by default. A User Private Group is created whenever a new user is added to the system. It has the same name as the user for which it was created, and that user is the only member of the user private group. User private groups make it safe to give newly created files and directories group write permission by default (ordinary users on Oracle Linux 6 get a umask of 002): because the group contains only that one user, the group-writable bit grants nobody else access. This helps to make Linux groups easier to use and manage.

    Notice that you can also specify the Group ID (GID) and User ID (UID) manually by entering a value. By default, Oracle Linux 6 and RHEL 6 reserve UIDs and GIDs below 500 for system users and groups (UID_MIN and GID_MIN in /etc/login.defs). We will assign /home/student2 as the home directory for the student2 user and let the system pick the UID and GID values. Click the OK button to create the user.


    Once the user student2 has been created, you should see it listed under the Users tab of the application window. Select the student2 user and click the Properties button.


    Notice that under Account Info, you can enable account expiration and also lock the

    password. Do not make any changes, just review the tabs and get familiarized.


    Under Password Info, you can enable password expiration and then set the

    parameters/criteria for password expiration.

    And under the Groups tab, you will notice that by default student2 is a member of the student2 group. This is as per the UPG scheme. Click Cancel to close this window.


    Now that we have created student2, let us understand the file changes that occur when you create a user on Linux. When you created the user student2, an entry for that user was created in the /etc/passwd, /etc/shadow and /etc/group files on the system.

    Examine the entry for the user student2 in the /etc/passwd file and the /etc/group file. You can use the cat /etc/passwd | grep -i student2 command or the grep -i student2 /etc/passwd command to examine the entry.

    [root@examplehost /]# cat /etc/passwd | grep -i student2
    student2:x:502:502:student2 user2:/home/student2:/bin/bash
    [root@examplehost /]#
    [root@examplehost /]# cat /etc/group | grep -i student2
    student2:x:502:
    [root@examplehost /]#


    Here's how you can read the line entry for the student2 user in the /etc/passwd file. Each field is separated by a : delimiter.

    Username: student2
    Password: x (indicates that the hash is held in /etc/shadow)
    UID: 502
    GID: 502
    GECOS information (name etc.): student2 user2
    Home directory: /home/student2
    Default shell: /bin/bash

    Here's how you can read the line entry for the student2 group in the /etc/group file. Each field is separated by a : delimiter.

    Group name: student2
    Password: x (indicates that the group password, if any, is held in /etc/gshadow)
    GID: 502
    Member list: empty; student2 belongs to this group through the GID field of its /etc/passwd entry, not through this list

    The /etc/shadow file holds the shadow passwords: the password hashes are stored here rather than in the world-readable /etc/passwd, and the file is readable only by root. The remaining fields of each entry hold that account's password aging values (last change, minimum and maximum age, warning period, inactivity period and account expiry date). The defaults applied to new accounts come from /etc/login.defs.

    [root@examplehost /]# cat /etc/shadow | grep student2
    student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
    [root@examplehost /]#
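    The following shell script is an added example, not part of the Oracle lab: it decodes passwd and shadow entries of the form shown above and flags the things a security review looks for first (a second UID 0 account, an empty hash field, passwords that never expire, expired accounts, locked versus usable hashes). The passwd and shadow contents are constructed sample copies (the hashes are placeholders, and the backup and legacy accounts are invented to trigger findings), so it runs without root and never touches the real files; it assumes only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the Oracle lab: decode /etc/passwd and /etc/shadow
# entries and flag what a security review looks for first. The files below are
# constructed copies (placeholder hashes; "backup" and "legacy" are invented
# to trigger findings), so this needs neither root nor the real files.
# Requires only POSIX sh and awk.

write_samples() {   # write the constructed passwd and shadow copies into directory $1
    cat > "$1/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
student2:x:502:502:student2 user2:/home/student2:/bin/bash
student3:x:503:503:student3 user3:/home/student3:/bin/bash
reports_user:x:504:504::/home/reports_user:/sbin/nologin
backup:x:0:505::/home/backup:/bin/bash
legacy:x:506:506::/home/legacy:/bin/bash
EOF
    cat > "$1/shadow" <<'EOF'
root:$6$saltA$placeholderA:15756:0:99999:7:::
bin:*:15628:0:99999:7:::
student2:$6$1cLhy/ZiwTsQkEJX$placeholderB:15756:0:99999:7:::
student3:$6$tlj4yP0T$placeholderC:15756:0:99999:7:::
reports_user:!!:15756:0:99999:7:::
backup:$6$saltD$placeholderD:14000:0:99999:7::15000:
legacy::15000:0:99999:7:::
EOF
}

# Shadow dates are days since 1970-01-01; convert to YYYY-MM-DD in awk
# (civil-from-days, proleptic Gregorian) so GNU date is not required.
days_to_date() {
    awk -v z="$1" 'BEGIN {
        z += 719468; era = int((z >= 0 ? z : z - 146096) / 146097)
        doe = z - era * 146097
        yoe = int((doe - int(doe/1460) + int(doe/36524) - int(doe/146096)) / 365)
        doy = doe - (365*yoe + int(yoe/4) - int(yoe/100))
        mp  = int((5*doy + 2) / 153)
        d   = doy - int((153*mp + 2) / 5) + 1
        m   = mp < 10 ? mp + 3 : mp - 9
        y   = yoe + era * 400 + (m <= 2 ? 1 : 0)
        printf "%04d-%02d-%02d\n", y, m, d }'
}

# Any account other than root with UID 0 is a second root login.
extra_uid0() { awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"; }

# An empty hash field means no password is required at all.
empty_password() { awk -F: '$2 == "" { print $1 }' "$1"; }

# One line per shadow entry: last change, max age, and the state of the hash:
# usable, locked ("!" prefix, as passwd -l or a fresh useradd leaves it),
# disabled ("*", system accounts) or EMPTY. A max age of 99999 means the
# password never expires; field 8 earlier than "today" (days since epoch)
# means the whole account has expired.
shadow_report() {    # $1 = shadow file, $2 = today in days since epoch
    awk -F: -v today="$2" '{
        h = $2
        state = (h == "") ? "EMPTY" : (h ~ /^\*/) ? "disabled" : (h ~ /^!/) ? "locked" : "usable"
        note = ""
        if (state == "usable" && $5 >= 99999) note = note " never-expires"
        if ($8 != "" && $8 < today) note = note " account-expired"
        printf "%-13s lastchg=%-6s max=%-6s %s%s\n", $1, $3, $5, state, note }' "$1"
}

# Demo against the constructed copies.
d=$(mktemp -d)
write_samples "$d"
echo "UID 0 besides root:   $(extra_uid0 "$d/passwd")"
echo "empty password:       $(empty_password "$d/shadow")"
echo "student2 last change: $(days_to_date 15756)"   # 2013-02-20
shadow_report "$d/shadow" 16000
rm -rf "$d"
```

    Converting the last-change value 15756 gives 2013-02-20, which is why every file in this lab carries a Feb 20 date. Note that both findings the demo raises (an empty hash field and a second UID 0 account) are visible in plain text to anyone who can read the two files; nothing has to be cracked.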

    Log out of the Desktop GUI and log back in as student2 user to confirm that the

    user that we created can login properly.


    After logging in as the student2 user, open a terminal window and see that a home directory /home/student2 was created for this user. It already has a predefined directory structure that you can check using the ls command.

    [student2@examplehost ~]$ pwd
    /home/student2
    [student2@examplehost ~]$ ls -l
    total 32
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Desktop
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Documents
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Downloads
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Music
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Pictures
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Public
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Templates
    drwxr-xr-x. 2 student2 student2 4096 Feb 20 14:14 Videos
    [student2@examplehost ~]$


    You may verify the directory is usable by the student2 user by creating a file using the touch command in this directory. Note the mode of the new file, -rw-rw-r--: ordinary users on Oracle Linux 6 get a umask of 002, so new files are group-writable, which is only harmless because the group is student2's private group.

    [student2@examplehost ~]$ pwd
    /home/student2
    [student2@examplehost ~]$ touch student2file2
    [student2@examplehost ~]$ ls -l student2file2
    -rw-rw-r--. 1 student2 student2 0 Feb 20 14:17 student2file2
    [student2@examplehost ~]$
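    As an added example (not from the Oracle lab), the script below reproduces that -rw-rw-r-- result and shows why it depends on the UPG scheme described in section 5.1. It creates probe files under a temporary directory with different umask values, then applies the rule that a group-writable default is only safe when the user's primary group is its private group. The user and group names are hypothetical; it assumes only POSIX sh, ls and cut, and runs as any user.

```shell
#!/bin/sh
# Added example, not from the Oracle lab: reproduce the -rw-rw-r-- result above
# and check when a group-writable default umask is acceptable. Needs only
# POSIX sh, ls and cut; runs as any user inside a temporary directory.

# Create an empty file under umask $1 and print its symbolic mode, e.g. -rw-rw-r--
# (the SELinux "." that ls appends on Oracle Linux is dropped by cut).
mode_with_umask() {
    dir=$(mktemp -d) || return 1
    ( umask "$1" && : > "$dir/probe" ) || return 1
    ls -l "$dir/probe" | cut -c1-10
    rm -rf "$dir"
}

# Decide whether umask $1 is safe for user $2 whose primary group is $3.
# A cleared group-write bit (e.g. 022) is safe for anyone. A group-writable
# default (e.g. 002) is only safe under the UPG scheme, where the primary
# group carries the user's own name and contains nobody else; with a shared
# primary group such as "users", every member could edit each new file.
umask_ok_for() {
    mask="$1"; user="$2"; group="$3"
    if [ $(( 0$mask & 020 )) -ne 0 ]; then          # 020 = group write bit
        echo "safe: umask $mask clears the group write bit"
        return 0
    fi
    if [ "$user" = "$group" ]; then
        echo "safe: umask $mask with private group $group (only $user is a member)"
        return 0
    fi
    echo "UNSAFE: umask $mask lets every member of $group write $user's new files"
    return 1
}

# Demo: Oracle Linux 6 gives ordinary UPG users umask 002 and everyone else 022.
echo "file mode under umask 002: $(mode_with_umask 002)"   # -rw-rw-r--, as in the lab
echo "file mode under umask 022: $(mode_with_umask 022)"   # -rw-r--r--
umask_ok_for 002 student2 student2
umask_ok_for 002 student2 users || true   # the case UPG exists to avoid
umask_ok_for 022 student2 users
```

    The practical consequence: if you ever create an account with a shared primary group (useradd -g users, or USERGROUPS_ENAB no in /etc/login.defs), also give it a 022 umask, otherwise the 002 default turns every file that user creates into a group-shared file.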

    The id command is a good tool to print the user and group information for the specified user. Read the man page of the id command, then run the id command with the options shown below. The id command output below tells you that the student2 user has a UID of 502 and a GID of 502. The student2 user belongs to only one group, the student2 group. Using the -g flag, you can print only the effective group ID of the user, and the -gn option gives you the name of the effective group. The -G option prints all group IDs of a user.


    [student2@examplehost ~]$ id
    uid=502(student2) gid=502(student2) groups=502(student2) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [student2@examplehost ~]$
    [student2@examplehost ~]$ id -g
    502
    [student2@examplehost ~]$ id -gn
    student2
    [student2@examplehost ~]$ id -G
    502
    [student2@examplehost ~]$

    Log out from the system as the student2 user and log back in as the root user. We will now look at the User Manager Tool for groups administration. As the root user, start the User Manager Tool and click on the Groups tab. Notice the groups that are there on this system. Select the student2 group and then click the Properties button.


    In the Group Properties window, click the Group Users tab and verify that this group has student2 as a member. Remember, this student2 user was added to this group because of the UPG scheme. Click the Cancel button to close this window.

    We will now create a new group. Click the Add Group button to create a new group.

    In the Add New Group window, create a new students group as shown below.

    Specify the GID to be 550 and click the OK button.


    You should now see the students group. Select this students group and click the Properties button.

    In the Group Properties window, select the student2 user to add this user to the group and then click the OK button.


    If you now look at the Properties of the student2 user under the Users tab, you will notice that the student2 user is now a member of 2 groups (student2, students). Select the student2 user and then click the Properties button.

    Under the Groups tab of the User Properties window, you will now see that student2 is a member of two groups. Click the Cancel button to close the window.

    You can also run the id command again as the student2 user and see the results. See the examples below. You can see that the -G option of the id command lists the 2 groups that the user student2 belongs to. Note that supplementary groups are assigned when a session starts: a terminal that was already open as student2 before the group was added keeps showing only the old membership until the user logs in again (or starts a fresh session with su -).


    [root@examplehost Desktop]# su - student2
    [student2@examplehost ~]$ whoami
    student2
    [student2@examplehost ~]$ id
    uid=502(student2) gid=502(student2) groups=502(student2),550(students) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [student2@examplehost ~]$ id -G
    502 550
    [student2@examplehost ~]$ id -Gn
    student2 students
    [student2@examplehost ~]$

    This concludes the simple lab of creating users and groups using the User Manager

    GUI Tool.

    5.2 Users and Groups Administration using Command-Line Utilities

    In this lab exercise, we will learn how to create, modify and delete users and groups using command-line utilities. We will also look at some of the files associated with user/group administration.

    Before we learn how to create, modify and delete users and groups, we will look at some of the important files related to user/group administration. We will start by looking at the /etc/default/useradd file on our Oracle Linux 6 system.


    [root@examplehost ~]# cd /etc/default
    [root@examplehost default]# pwd
    /etc/default
    [root@examplehost default]# ls -l useradd
    -rw-------. 1 root root 119 Oct 12 2011 useradd
    [root@examplehost default]#

    Examine the /etc/default/useradd file on your system using the cat command.

    [root@examplehost /]# cat /etc/default/useradd
    # useradd defaults file
    GROUP=100
    HOME=/home
    INACTIVE=-1
    EXPIRE=
    SHELL=/bin/bash
    SKEL=/etc/skel
    CREATE_MAIL_SPOOL=yes
    [root@examplehost /]#


    Or you can run the useradd -D command to see the default values. We will look at the useradd command in more detail later in this lab.

    This /etc/default/useradd file is used to specify default settings when creating a user account. As you can see, by default the user home directories are created under the /home directory, the default user shell is /bin/bash and a mail spool file will be created for every user that is created. The GROUP=100 line (the users group) only applies when the UPG scheme is switched off (useradd -N, or USERGROUPS_ENAB no in /etc/login.defs); with UPG enabled, the new user's private group becomes the primary group instead. The SKEL variable points to the /etc/skel directory by default. The contents of the directory specified by the SKEL variable are copied to a user's home directory when the user is created.

    [root@examplehost /]# ls -al /etc/skel
    total 36
    drwxr-xr-x.   4 root root  4096 Dec 10 14:06 .
    drwxr-xr-x. 113 root root 12288 Feb 20 14:24 ..
    -rw-r--r--.   1 root root    18 May 10  2012 .bash_logout
    -rw-r--r--.   1 root root   176 May 10  2012 .bash_profile
    -rw-r--r--.   1 root root   124 May 10  2012 .bashrc
    drwxr-xr-x.   2 root root  4096 Nov 20  2010 .gnome2
    drwxr-xr-x.   4 root root  4096 Dec 10 14:01 .mozilla
    [root@examplehost /]#


    Create a file using an editor (eg. vi editor) in the /etc/skel directory and call this

    file Readme.txt.

    [root@examplehost /]# vi /etc/skel/Readme.txt

    Enter some text into the Readme.txt file, then save and quit the editor. Later in this lab, we will create a Linux user student3. When that user is created, we will notice that the home directory contains this Readme.txt file automatically. This is because the file is created in the /etc/skel directory, whose contents automatically get copied into a user's home directory upon creation. For the same reason, keep /etc/skel writable by root only: anything placed there, including shell start-up files such as .bashrc, is copied into every future home directory and runs at that user's login.

    [root@examplehost /]# cat /etc/skel/Readme.txt
    Read this file first.
    [root@examplehost /]#


    Another file that we will now look at is the /etc/login.defs file.

    [root@examplehost /]# ls -l /etc/login.defs
    -rw-r--r--. 1 root root 1816 Oct 12 2011 /etc/login.defs
    [root@examplehost /]#

    The /etc/login.defs file defines the configuration for the shadow password suite. It is a readable text file that describes the various configuration parameters associated with shadow passwords. It contains settings such as the password aging defaults applied to new accounts (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_WARN_AGE), the option to remove a user's private group when the user is deleted (USERGROUPS_ENAB), and the hashing method for new passwords (ENCRYPT_METHOD, SHA512 by default on Oracle Linux 6, which is why the hashes above start with $6$). Note that the aging values only seed new accounts; changing them does not alter existing entries in /etc/shadow, which you adjust with chage. You can read the man page of login.defs to understand the various parameters. Enclosed below is sample output of this file.

    [root@examplehost /]# more /etc/login.defs


    This file also defines the min/max values for automatic GID selection for the groupadd command (and, in the same way, UID_MIN/UID_MAX for useradd).

    [root@examplehost /]# cat /etc/login.defs | grep GID
    GID_MIN 500
    GID_MAX 60000
    [root@examplehost /]#
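    The following script is an added example, not part of the Oracle lab: it reads the password-aging and hashing settings out of a login.defs-style file and checks them against a baseline. The login.defs content is a constructed sample resembling the Oracle Linux 6 defaults, and the baseline values (90-day maximum age, 1-day minimum age, 8-character minimum length, SHA-512 hashing) are this example's own assumptions rather than anything the lab prescribes. It needs only POSIX sh and awk.

```shell
#!/bin/sh
# Added example, not from the Oracle lab: audit the password policy in a
# login.defs-style file. The baseline thresholds below are this example's own
# assumptions. Needs only POSIX sh and awk; reads a copy, so no root required.

write_sample_logindefs() {   # constructed sample resembling OL6 defaults -> file $1
    cat > "$1" <<'EOF'
# Password aging controls (in days)
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

# Min/max values for automatic uid selection in useradd
UID_MIN         500
UID_MAX       60000

# Min/max values for automatic gid selection in groupadd
GID_MIN         500
GID_MAX       60000

CREATE_HOME     yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD  SHA512
EOF
}

# Print the value of KEY from FILE, skipping comment lines (if the key is
# repeated, this example keeps the last one).  Usage: logindefs_get FILE KEY
logindefs_get() {
    awk -v key="$2" '$1 !~ /^#/ && $1 == key { v = $2 } END { print v }' "$1"
}

# Compare the aging and hashing settings with the baseline; one finding per
# line on stdout, nothing when the file passes.
check_logindefs() {
    f="$1"
    max=$(logindefs_get "$f" PASS_MAX_DAYS)
    min=$(logindefs_get "$f" PASS_MIN_DAYS)
    len=$(logindefs_get "$f" PASS_MIN_LEN)
    enc=$(logindefs_get "$f" ENCRYPT_METHOD)
    [ "${max:-99999}" -le 90 ] || echo "PASS_MAX_DAYS=${max:-unset}: new passwords never expire (baseline <= 90)"
    [ "${min:-0}" -ge 1 ]      || echo "PASS_MIN_DAYS=${min:-unset}: a user can cycle straight back to the old password (baseline >= 1)"
    [ "${len:-5}" -ge 8 ]      || echo "PASS_MIN_LEN=${len:-unset}: below baseline 8 (pam_cracklib takes precedence on OL6)"
    case "$enc" in
        SHA512|SHA256) ;;
        *) echo "ENCRYPT_METHOD=${enc:-unset}: expected SHA512 (MD5/DES hashes crack quickly)" ;;
    esac
}

# Number of findings, for scripting (0 means the policy meets the baseline).
count_findings() { check_logindefs "$1" | wc -l | tr -d ' '; }

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_logindefs "$sample"
echo "UID_MIN for useradd: $(logindefs_get "$sample" UID_MIN)"
check_logindefs "$sample"
echo "findings: $(count_findings "$sample")"
rm -f "$sample"
```

    Remember that PASS_MAX_DAYS and the other aging values are only copied into /etc/shadow when an account is created; tightening them here does nothing for student2 or student3, whose entries still carry 0:99999:7 until you run chage -M 90 on each. PASS_MIN_LEN is likewise ignored on Oracle Linux 6 in favour of the pam_cracklib settings in /etc/pam.d/system-auth, which is the PAM topic this lab introduces later.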


    Enclosed below is a table with some of the common command line utilities related

    to user/group administration in Oracle Linux 6. We will use some of these

    commands below in our lab exercise and you can explore the remaining commands

    on your own.

    Command/Utility   Purpose
    useradd           Add user accounts
    usermod           Modify user accounts
    userdel           Delete user accounts
    users             Print the user names of users logged in on the host
    sudo              Execute a command as another user
    groupadd          Add groups
    groupmod          Modify groups
    groupdel          Delete groups
    groups            Print the groups a user is in
    gpasswd           Administer the /etc/gshadow and /etc/group files
    pwck, grpck       Verify the password, group, and associated shadow files

    Start by reading the man page of useradd command.

    [root@examplehost /]# man useradd


    We will now create a user with username student3 using the useradd command-line utility. The -c option in the command below is used to provide the GECOS information (name etc.). This command will create the student3 user using the default settings specified in the /etc/default/useradd file (and the UID/GID ranges and aging defaults from /etc/login.defs).

    [root@examplehost /]# useradd -c "student3 user3" student3
    [root@examplehost /]#

    Once the student3 user has been created on the system, you can check the entries added in the /etc/passwd and /etc/group files for this user. See the example below.


    [root@examplehost /]# cat /etc/passwd | grep -i student3
    student3:x:503:503:student3 user3:/home/student3:/bin/bash
    [root@examplehost /]#
    [root@examplehost /]# cat /etc/group | grep student3
    student3:x:503:
    [root@examplehost /]#

    You can also switch to student3 using the su - student3 command (as root, no password is needed, even though the new account has no password set yet). After logging in, you will find a Readme.txt file was created for this user. This is the file we created in the /etc/skel directory earlier in the lab.

    [root@examplehost /]# su - student3
    [student3@examplehost ~]$ whoami
    student3
    [student3@examplehost ~]$ pwd
    /home/student3
    [student3@examplehost ~]$ ls -l
    total 4
    -rw-r--r--. 1 student3 student3 22 Feb 20 14:57 Readme.txt
    [student3@examplehost ~]$ cat Readme.txt
    Read this file first.
    [student3@examplehost ~]$


    If you want, you can set the password for the student3 user using the passwd command as shown below. Until a password is set, the account's /etc/shadow entry contains !! in the password field and the user cannot log in with a password. In the example below, we run the passwd command as the root user to set the password of student3 to oracle.

    [root@examplehost /]# passwd student3
    Changing password for user student3.
    New password:
    Retype new password:
    passwd: all authentication tokens updated successfully.
    [root@examplehost /]#

    You can also check the entry created for the student3 user in the /etc/shadow file.

    [root@examplehost /]# cat /etc/shadow | grep student3
    student3:$6$tlj4yP0T$09INZnAkSqNuf4c/dCE0KSWEq3NbWQbwdV6Aa5gB3pW/vK1l8.7wSVcAVcRbUBGZjhKl2Ok/dP/ojg7tGsc.a/:15756:0:99999:7:::


    Looking at the /etc/passwd file, we see that student3 has /bin/bash as the default shell. The default shell is specified in the /etc/default/useradd file.

    [root@examplehost /]# cat /etc/passwd | grep -i student3
    student3:x:503:503:student3 user3:/home/student3:/bin/bash
    [root@examplehost /]#

    If you want to create a Linux user but prevent that user from logging in to the system interactively, set the user's shell to /sbin/nologin. For example, to create a user named reports_user with no login shell, run:

    [root@examplehost ~]# useradd -s /sbin/nologin reports_user

    Now if you try to log in as reports_user, the session ends with the message "This account is currently not available." The account exists, but its shell is /sbin/nologin, a program that prints that message and exits instead of starting a shell, so no interactive session is possible. Note what this does and does not do: it blocks interactive logins (login, ssh, su), but the account can still authenticate to services that check the password without starting a shell. It is also not the same as locking the password: useradd leaves the password field as "!!" (no usable password) until one is set, and passwd -l locks an existing one. For service accounts, use the nologin shell and a locked or unset password together.

    [root@examplehost ~]# su - reports_user

    This account is currently not available.

    [root@examplehost ~]#
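The difference between a nologin shell and a locked password is easy to get wrong in an audit. The following script is an added example and is not part of the Oracle lab: it classifies accounts from passwd- and shadow-format text by both properties. The account names, UIDs and hash strings in the sample are constructed, and the account_state and audit_accounts function names are this example's own.

```shell
#!/bin/bash
# Added example, not part of the lab: classify accounts by whether they can get
# an interactive shell and whether they can authenticate with a password. It reads
# passwd- and shadow-format text passed in as strings, so it runs without root on
# the constructed sample below; as root, pass "$(cat /etc/passwd)" and
# "$(cat /etc/shadow)" to audit a real system.

# account_state NAME PASSWD_TEXT SHADOW_TEXT -> prints one word:
#   interactive      usable password hash and a login shell
#   service-only     usable hash, but shell is nologin/false: no interactive
#                    session, yet services that check the password without
#                    starting a shell may still accept it
#   locked-password  hash starts with "!" or "*" (passwd -l, or never set) but the
#                    account keeps a login shell, so non-password paths such as
#                    SSH keys or "su - NAME" run by root still reach a shell
#   disabled         locked hash and no login shell
#   no-password      empty hash field: login without a password is possible
#   unknown          no passwd or shadow entry for NAME
account_state() {
    local name=$1 passwd_text=$2 shadow_text=$3 entry shell hash noshell=0
    entry=$(printf '%s\n' "$passwd_text" | awk -F: -v u="$name" '$1==u {print; exit}')
    [ -n "$entry" ] || { echo unknown; return 0; }
    shell=${entry##*:}                                   # 7th field: login shell
    entry=$(printf '%s\n' "$shadow_text" | awk -F: -v u="$name" '$1==u {print; exit}')
    [ -n "$entry" ] || { echo unknown; return 0; }
    hash=$(printf '%s\n' "$entry" | cut -d: -f2)         # 2nd field: password hash
    case $shell in
        /sbin/nologin|/usr/sbin/nologin|/bin/false) noshell=1 ;;
    esac
    case $hash in
        '')        echo no-password ;;
        '!'*|'*'*) if [ $noshell = 1 ]; then echo disabled; else echo locked-password; fi ;;
        *)         if [ $noshell = 1 ]; then echo service-only; else echo interactive; fi ;;
    esac
}

# audit_accounts PASSWD_TEXT SHADOW_TEXT: one "name state" line per account
audit_accounts() {
    local passwd_text=$1 shadow_text=$2 name
    for name in $(printf '%s\n' "$passwd_text" | cut -d: -f1); do
        printf '%-14s %s\n' "$name" "$(account_state "$name" "$passwd_text" "$shadow_text")"
    done
}

# Constructed sample data (hashes are placeholders, not real crypt output).
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
student2:x:502:502:student2 user2:/home/student2:/bin/bash
newuser:x:507:507::/home/newuser:/bin/bash
reports_user:x:504:504::/home/reports_user:/sbin/nologin
svc_backup:x:505:505::/var/lib/backup:/sbin/nologin
legacy:x:506:506::/home/legacy:/bin/bash'
SAMPLE_SHADOW='root:$6$saltsalt$placeholderhash0:15756:0:99999:7:::
student2:$6$saltsalt$placeholderhash1:15756:0:99999:7:::
newuser:!!:15756:0:99999:7:::
reports_user:!!:15756:0:99999:7:::
svc_backup:$6$saltsalt$placeholderhash2:15756:0:99999:7:::
legacy::15756:0:99999:7:::'

audit_accounts "$SAMPLE_PASSWD" "$SAMPLE_SHADOW"
```

On the sample, newuser (created with useradd but never given a password) comes out as locked-password, reports_user as disabled, svc_backup as service-only and legacy as no-password; the last two are the states worth chasing on a real host.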


    We will now look at the usermod command, which modifies an existing Linux user. Typing usermod with no arguments lists the available options.

    [root@examplehost ~]# usermod
    Usage: usermod [options] LOGIN

    Options:
      -c, --comment COMMENT         new value of the GECOS field
      -d, --home HOME_DIR           new home directory for the user account
      -e, --expiredate EXPIRE_DATE  set account expiration date to EXPIRE_DATE
      -f, --inactive INACTIVE       set password inactive after expiration
                                    to INACTIVE
      -g, --gid GROUP               force use GROUP as new primary group
      -G, --groups GROUPS           new list of supplementary GROUPS
      -a, --append                  append the user to the supplemental GROUPS
                                    mentioned by the -G option without removing
                                    him/her from other groups
      -h, --help                    display this help message
      .....


    The list of shells available on the system is specified in the /etc/shells file. Examine the /etc/shells file on your Oracle Linux 6 system. chsh, and the pam_shells module used by some services, treat only the shells listed here as valid; because /sbin/nologin is listed, an account with that shell still passes such a check even though it cannot get an interactive session.

    [root@examplehost /]# cat /etc/shells
    /bin/sh
    /bin/bash
    /sbin/nologin
    /bin/tcsh
    /bin/csh
    [root@examplehost /]#


    We will now run the usermod command to change the default shell of the student3 user from /bin/bash to /bin/csh. The shell is changed with the -s flag of the usermod command.

    [root@examplehost /]# usermod -s /bin/csh student3
    [root@examplehost /]#

    [root@examplehost /]# cat /etc/passwd | grep student3
    student3:x:503:503:student3 user3:/home/student3:/bin/csh
    [root@examplehost /]#

    You can verify by both checking the /etc/passwd file and by logging in as student3

    to confirm the shell has been changed to /bin/csh.

    [root@examplehost /]# su - student3
    [student3@examplehost ~]$ ps
      PID TTY          TIME CMD
     7243 pts/4    00:00:00 csh
     7258 pts/4    00:00:00 ps
    [student3@examplehost ~]$

    The next command we will look at is the groupadd command to create groups on

    the system. Again, simply typing the groupadd command will show the options

    available for this command.


    Let us check the group information for student3 using the id command as shown below. Notice that the student3 user belongs to one group, called student3, with a GID of 503.

    [root@examplehost /]# su - student3
    [student3@examplehost ~]$ id -Gn
    student3
    [student3@examplehost ~]$ id -G
    503
    [student3@examplehost ~]$

    As root user, run the groupadd command to create a new support group.


    [root@examplehost /]# whoami
    root
    [root@examplehost /]# groupadd support
    [root@examplehost /]#

    Verify that the new group support has been created by examining the /etc/group

    file. Also, note the GID of the support group. In the example below, the GID is 551.

    [root@examplehost /]# cat /etc/group | grep support
    support:x:551:
    [root@examplehost /]#

    Modify the student3 group membership to make student3 a member of the new support group. Run usermod with -a (append) and -G support as shown below. The -a flag matters: -G on its own replaces the user's entire supplementary group list with the groups named, silently dropping any other memberships.

    [root@examplehost /]# usermod -a -G support student3[root@examplehost /]#


    Log in (su) as the student3 user and confirm that student3 is now a member of two groups, student3 and support. Note the GIDs of the two groups. Group membership is read at login, so a session of student3 that was already running would not see the new group until it logs in again.

    [root@examplehost /]# su - student3
    [student3@examplehost ~]$ id
    uid=503(student3) gid=503(student3) groups=503(student3),551(support) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
    [student3@examplehost ~]$ id -Gn
    student3 support
    [student3@examplehost ~]$ id -G
    503 551
    [student3@examplehost ~]$

    The groupmod command can be used to modify a group. Typing groupmod with no arguments lists the available options.

    [root@examplehost /]# groupmod
    Usage: groupmod [options] GROUP

    Options:
      -g, --gid GID                 change the group ID to GID
      -h, --help                    display this help message
      .....


    Use the groupmod command to change the group name. Running groupmod with the -n option, as shown below, renames the group from support to staff. Check the /etc/group file to confirm that the name has changed; the GID (551) and the membership stay the same, so files owned by GID 551 are unaffected by the rename.

    [root@examplehost /]# groupmod -n staff support
    [root@examplehost /]#
    [root@examplehost /]# cat /etc/group | grep staff
    staff:x:551:student3
    [root@examplehost /]#


    The userdel command can be used to delete users from the system. As with the other commands, typing userdel on its own shows the available options.

    We will now remove the student3 user from the system and also remove the user's home directory. Run userdel with the -r option as shown below to delete student3; without -r the home directory and mail spool are left behind. You can verify by examining the /etc/passwd file that the user has been deleted. Files owned by the deleted user elsewhere on the system are not touched and now show a bare numeric UID (503) in ls -l output; a later account assigned UID 503 would inherit them, so locate such files (find has a -nouser test for this) and reassign or remove them before the UID is reused.

    [root@examplehost /]# userdel -r student3
    [root@examplehost /]#

    [root@examplehost /]# cat /etc/passwd | grep student3
    [root@examplehost /]#
    [root@examplehost /]# ls /home/
    student1  student2
    [root@examplehost /]#


    If you have a use case where users create files in a shared directory and those files should be owned by the group that owns the directory, use the setgid bit on the directory. The setgid bit makes managing group projects that share a common directory simple: any file a user creates within the directory is owned by the directory's group rather than the user's primary group, and new subdirectories inherit the setgid bit as well.

    Let's say a group of people (john and jack, in the development group) need to work on files in the /home/development directory. Some people (john, jack) are trusted to modify this directory, but not everyone. To achieve this, you would run the following commands as root (john and jack must already exist as users):

    # groupadd development
    # mkdir /home/development
    # chown -R root:development /home/development
    # gpasswd -a john development
    # gpasswd -a jack development
    # chmod 2775 /home/development

    Once you run the above commands, files created by john or jack in /home/development get the same group as the directory itself. In the chmod command, the leading 2 sets the setgid bit and 775 gives the owner (root) and the group read, write and execute while everyone else gets read and execute only, which is what keeps untrusted users from modifying the directory. Two details to keep in mind: whether members can edit each other's files still depends on the mode of each file (that is, on the umask of the user who created it), and adding the sticky bit (chmod 3775) stops members from deleting or renaming files they do not own.

    5.3 Configure Password Aging

    In this lab, we will learn how to configure password aging. Password aging is

    another technique used by system administrators to defend against bad passwords

    within an organization. Password aging means that after a set amount of time the

    user is prompted to create a new password.

    There are two ways to specify password aging in Oracle Linux 6. The first is the chage command and the second is the User Manager tool (the system-config-users command). We will look at the chage command in this small lab.

    Type the chage command to list the available options. You may also read the man page for this command.


    Examine the /etc/shadow file and look at the entry for any one user. In the example below, we look at the student2 user. The fields after the password hash are the password aging parameters: the day of the last password change (counted in days since 1 January 1970), the minimum and maximum password age in days, the warning period, the inactivity period and the account expiration day.

    [root@examplehost /]# cat /etc/shadow | grep student2
    student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:0:99999:7:::
    [root@examplehost /]#

    You can read the password aging parameters with the chage -l command as shown below. The listing is easier to understand than the raw entry in /etc/shadow, but that file is where the values are stored and updated.


    [root@examplehost /]# chage -l student2
    Last password change                                    : Feb 20, 2013
    Password expires                                        : never
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 0
    Maximum number of days between password change          : 99999
    Number of days of warning before password expires       : 7
    [root@examplehost /]#

    Let us change the minimum password age to 10 days, the maximum password age to 30 days and the password expiration warning to 10 days. This can be done interactively with the chage command as shown below (pressing ENTER keeps the value shown in brackets).

    [root@examplehost /]# chage student2
    Changing the aging information for student2
    Enter the new value, or press ENTER for the default

            Minimum Password Age [0]: 10
            Maximum Password Age [99999]: 30
            Last Password Change (YYYY-MM-DD) [2013-02-20]:
            Password Expiration Warning [7]: 10
            Password Inactive [-1]:
            Account Expiration Date (YYYY-MM-DD) [1969-12-31]:
    [root@examplehost /]#


    You can verify with the -l option that the password aging parameters have been changed, as shown below. Note that the expiry date is now the last change plus 30 days.

    [root@examplehost /]# chage -l student2
    Last password change                                    : Feb 20, 2013
    Password expires                                        : Mar 22, 2013
    Password inactive                                       : never
    Account expires                                         : never
    Minimum number of days between password change          : 10
    Maximum number of days between password change          : 30
    Number of days of warning before password expires       : 10
    [root@examplehost /]#

    Also observe that the password aging fields in the /etc/shadow file have been updated (the min, max and warn fields now read 10:30:10).

    [root@examplehost /]# cat /etc/shadow | grep student2
    student2:$6$1cLhy/ZiwTsQkEJX$.Ho7T0WFlO3B.E.b0nGs52LENLyTiCZkNvj1Da8xABBcvVxRHcuPRjBfVRQQL7fEeIwER6kKvmvNwlXpfnlQg0:15756:10:30:10:::
    [root@examplehost /]#


    To force a user to change his or her password at the next login, run chage with the -d option and a value of 0. This sets the last-password-change day to 0 (1 January 1970), so the password is treated as already expired:

    [root@examplehost /]# chage -d 0 student2

    Log out as root and use the switch user option to log back in as student2. After you enter the student2 password, you will be prompted for the current password again.


    After entering the current password, you will be prompted to enter a new password, because we used chage -d 0 to force a password change. Note that chage -d 0 only forces the change; it does not set a temporary password, and the user still needs the current one to get that far. For a new account, set an initial password with passwd first and then run chage -d 0 so that the first login replaces it.
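As an added example that is not from the lab, the following script computes the same verdict chage -l and pam_unix derive from the aging fields, which lets you audit every entry of /etc/shadow at once instead of running chage -l per user. The entries in the sample are constructed (the hashes are placeholders, and the "today" value is pinned to day 15780 so that the output is repeatable); shadow_aging_status and audit_shadow_text are this example's own names.

```shell
#!/bin/bash
# Added example, not part of the lab: turn the aging fields of an /etc/shadow
# line into the verdict reached at login, so a whole file can be audited in one
# pass. Field layout (days are counted since 1970-01-01; empty means "not set"):
#   name:hash:lastchg:min:max:warn:inactive:expire:reserved
#
# shadow_aging_status SHADOW_LINE [TODAY] -> prints one word:
#   account-expired  expire day reached: login refused whatever the password
#   must-change      lastchg is 0 (what chage -d 0 writes): change forced at login
#   no-aging         lastchg empty: aging is switched off for this entry
#   inactive         password expired and the inactive grace period passed too
#   expired          more than max days since the last change: change forced
#   warning          within warn days of expiry
#   ok               none of the above (max empty or 99999 never expires)
shadow_aging_status() {
    local line=$1 today=${2:-$(( $(date +%s) / 86400 ))}
    local name hash lastchg min max warn inactive expire rest expires_on
    IFS=: read -r name hash lastchg min max warn inactive expire rest <<EOF
$line
EOF
    if [ -n "$expire" ] && [ "$expire" -ge 0 ] && [ "$today" -ge "$expire" ]; then
        echo account-expired; return 0
    fi
    [ -n "$lastchg" ]    || { echo no-aging; return 0; }
    [ "$lastchg" -ne 0 ] || { echo must-change; return 0; }
    if [ -z "$max" ] || [ "$max" -ge 99999 ]; then echo ok; return 0; fi
    expires_on=$(( lastchg + max ))
    if [ "$today" -gt "$expires_on" ]; then
        if [ -n "$inactive" ] && [ "$inactive" -ge 0 ] && [ "$today" -gt $(( expires_on + inactive )) ]; then
            echo inactive
        else
            echo expired
        fi
        return 0
    fi
    if [ "$today" -ge $(( expires_on - ${warn:-0} )) ]; then echo warning; return 0; fi
    echo ok
}

# audit_shadow_text SHADOW_TEXT [TODAY]: one "name status" line per entry
# (TODAY left unquoted on purpose: when empty, the current day is used)
audit_shadow_text() {
    local text=$1 today=$2 line
    printf '%s\n' "$text" | while IFS= read -r line; do
        [ -n "$line" ] || continue
        printf '%-12s %s\n' "${line%%:*}" "$(shadow_aging_status "$line" $today)"
    done
}

# Constructed sample: placeholder hashes, "today" pinned to day 15780
# (2013-03-16, 24 days after the lab's last change on day 15756).
SAMPLE_TODAY=15780
SAMPLE_SHADOW='root:$6$saltsalt$placeholder0:15756:0:99999:7:::
student2:$6$saltsalt$placeholder1:15756:10:30:10:::
svc_backup:$6$saltsalt$placeholder2:15700:0:30:7:5::
newhire:$6$saltsalt$placeholder3:0:0:99999:7:::
contractor:$6$saltsalt$placeholder4:15756:0:99999:7::15770:
legacy:$6$saltsalt$placeholder5::0:99999:7:::'

audit_shadow_text "$SAMPLE_SHADOW" "$SAMPLE_TODAY"
```

With the sample pinned to day 15780, student2 (changed on 15756, max 30, warn 10) is in its warning window, svc_backup has gone past both its 30-day maximum and its 5-day inactivity grace, newhire is the chage -d 0 case, and contractor's account expired on day 15770 regardless of its password.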

    This concludes the short and simple lab exercise.

    5.4 Describe LDAP and NIS authentication options

    Before we discuss LDAP and NIS, we will briefly talk about authentication. Authentication is the way that a user is identified and verified to a system. The authentication process requires presenting some sort of identity and credentials, like a username and password. The credentials are then compared to information stored in some data store on the system.


    Till now, we talked about local authentication, which relies on the local /etc/passwd and /etc/shadow files for authenticating users on an Oracle Linux system. We will now look at two other options. The two authentication mechanisms we will discuss are:

    1. NIS (Network Information Service)
    2. LDAP (Lightweight Directory Access Protocol)

    NIS: Per Wikipedia, the Network Information Service or NIS (originally called Yellow Pages or YP) is a client-server directory service protocol for distributing system configuration data such as user and host names between computers on a computer network. Sun Microsystems developed NIS; the technology is licensed to virtually all other Unix vendors.

    A NIS/YP system maintains and distributes a central directory of user and group information, hostnames, e-mail aliases and other text-based tables of information in a computer network. A NIS server is used by the NIS clients for authentication, so Linux systems can be configured to talk to a central NIS server for authentication. Keep in mind that NIS is a legacy protocol: its maps, password hashes included, are served over RPC without encryption and without authentication of the server, so it belongs only on a trusted network, and LDAP over TLS or Kerberos is the better choice for anything new.

    LDAP: LDAP is an Internet standard protocol used by applications to access information in a directory. LDAP is based on a client-server model. LDAP servers provide the directory service, and LDAP clients use the directory service to access entries and attributes. An LDAP client starts an LDAP session by connecting to an LDAP server that listens by default on TCP port 389 (or 636 for LDAP over TLS, LDAPS). The client then sends an operation request to the server, and the server sends responses in return. When LDAP is used for authentication, the user's password travels to the server in a simple bind, so the connection must be protected with TLS (LDAPS or StartTLS) or the password crosses the network in clear text.

    We will not be configuring LDAP/NIS authentications in this lab. We will just

    introduce you to some basic concepts about configuring LDAP/NIS authentication

    on Oracle Linux 6 systems.

    Configuring Authentication:

    Oracle Linux includes a tool to select the authentication databases and configure

    associated authentication options. This tool is called the Authentication

    Configuration Tool. The Authentication Configuration Tool has both GUI and

    command-line options to configure any user data stores.

    You can launch the Authentication Configuration Tool by clicking the System -> Administration -> Authentication menu option.

    http://en.wikipedia.org/wiki/Network_Information_Service

    Alternatively, you can run the Authentication Configuration Tool from the command line using the system-config-authentication command (the screenshot is not reproduced here). The tool launches a GUI application with two tabs:

    Identity & Authentication
    Advanced Options


    The Identity & Authentication tab configures the resource used as the identity store and how users should be authenticated. Under the User Account Configuration section, you select the User Account Database to be used for authentication. The choices available are:

    Local accounts only - local /etc/passwd and /etc/shadow files
    LDAP - LDAP server and base DN configuration
    NIS - NIS server and domain configuration
    Winbind - Winbind authentication, requires the samba-winbind package
    IPAv2 - IPA domain, server and realm configuration


    We will only look at NIS and LDAP authentication in this training.

    The Advanced Options tab allows authentication methods other than passwords or certificates, such as smart cards and fingerprint readers. You can also enable local access control, which is managed by the /etc/security/access.conf file (read by the pam_access module).


    Configuring NIS Authentication:

    NIS authentication requires the ypbind and yp-tools packages on the client systems. When the ypbind service is installed and configured, the rpcbind service (which replaces portmap on Oracle Linux 6) and the ypbind service are started and enabled to start at boot time. We will not actually be doing any NIS authentication since we do not have a NIS server configured.


    In the Authentication Configuration Tool, on the Identity & Authentication tab, you can select NIS as the User Account Database. Next, enter your NIS domain and NIS server information. In the lower section, you can set the Authentication Method to NIS password or Kerberos password. Since we do not have a NIS server available for this training, we will not make any changes: cancel and quit the tool without saving.

    On the NIS server side, you will need to install the ypserv package and then configure the server. That involves several things such as the NIS domain, the /etc/ypserv.conf configuration and the NIS maps. Refer to the Linux documentation for complete details.


    Configuring LDAP Authentication:

    Launch the Authentication Configuration Tool and select LDAP as the user account database to configure LDAP authentication. You will have to define the LDAP Search Base DN and the LDAP Server. You can define LDAP or LDAPS (secure) servers; if you use a plain ldap:// server, also enable TLS on the same screen so that bind passwords are not sent in clear text. For the Authentication Method, you can choose LDAP password or Kerberos password. We will not make any changes since we do not have an LDAP server available for this training. Just review and familiarize yourself with the available configuration options.

    The packages needed for LDAP server/client configuration include:

    openldap-clients - OpenLDAP client utilities
    openldap-servers - OpenLDAP server package
    openldap - OpenLDAP support libraries
    nss-pam-ldapd - nsswitch module that uses directory servers


    Configuring Authentication from the Command Line:

    The authconfig command-line tool updates all of the configuration files and services required for system authentication, according to the settings passed to it. Along with all the identity and authentication options that can be set through the UI, authconfig can also be used to create backup and kickstart files. For a complete list of authconfig command options, check the help output and the man page.

    For the authconfig command, you must use either the --update or the --test option; one of the two is required for the command to run. --update writes the configuration changes, and --test prints the resulting configuration to stdout without applying any changes.

    Example: to see the password hashing algorithm in effect, run authconfig with the --test option and look for the line that reports the password hashing algorithm (the screenshot is not reproduced here).


    To change the hash algorithm used for new passwords, use the authconfig command with the --passalgo option:

    # authconfig --passalgo=sha256 --update

    Note that sha512 is the default on Oracle Linux 6 and there is no reason to pick a weaker option; also, the change only affects passwords set afterwards, since existing hashes in /etc/shadow are not recomputed until each user next changes his or her password.

    You can also enable and configure LDAP from the command line using the authconfig command. To use an LDAP identity store, use the --enableldap option. To use LDAP as the authentication source, use the --enableldapauth option and then provide information such as the LDAP server URI and the base DN for the user suffix. The syntax is as follows (the screenshot is not reproduced here); add --enableldaptls, or use an ldaps:// URI, so that binds are encrypted:

    # authconfig --enableldap --enableldapauth --ldapserver=ldap://host:port --ldapbasedn="base dn" --update

    Similarly, NIS configuration can be done using the authconfig command. The syntax is as follows:

    # authconfig --enablenis --nisdomain=<domain> --nisserver=<server> --update


    Well, that completes this introductory lab exercise on authentication.

    5.5 Introduction to Pluggable Authentication Modules (PAM)

    Per Wikipedia, Pluggable Authentication Modules (PAM) are a mechanism to integrate multiple low-level authentication schemes into a high-level application programming interface (API). It allows programs that rely on authentication to be written independently of the underlying authentication scheme.

    Pluggable Authentication Modules are a common framework for authentication and security. Basically, the PAM mechanism lets you configure how applications use authentication to verify the identity of users.

    The PAM configuration files are in the /etc/pam.d directory, which contains a configuration file for each PAM-aware application. Each PAM-aware application has a file in /etc/pam.d/ that usually has the same name as the service to which it controls access. The PAM-aware program is responsible for defining its service name and installing its own PAM configuration file in /etc/pam.d/. For example, the login program defines its service name as login and installs the /etc/pam.d/login PAM configuration file. Most service files on Oracle Linux 6 do not spell out the full stack themselves; they include the shared /etc/pam.d/system-auth and password-auth files, which is why authconfig rewrites those two files rather than every service file.

    http://en.wikipedia.org/wiki/Pluggable_authentication_module

    Each PAM configuration file contains a group of directives that define the module and any controls or arguments for it. Each line has these fields:

    module_interface - auth, account, password, session
    control_flag - required, requisite, sufficient, optional, include
    module_name - pam_unix.so, pam_wheel.so are a couple of examples
    module_arguments - some modules need arguments

    The control flag decides how a module's result affects the stack: required records a failure but keeps evaluating the remaining modules (so the user cannot tell which one failed), requisite fails immediately, sufficient ends the stack with success if no earlier required module has failed, and optional only counts when it is the sole module for that interface.

    For example, in the following line, the module_interface is auth, the control_flag is required and the module name is pam_unix.so:

    auth required pam_unix.so

    Take a look at the /etc/pam.d/xserver PAM configuration file. In this file, each line starts with the module_interface name, next is the control_flag, the third field is the module name and the last field (optional) holds the arguments for the module.

    [root@examplehost pam.d]# pwd
    /etc/pam.d
    [root@examplehost pam.d]# cat xserver
    #%PAM-1.0
    auth       sufficient   pam_rootok.so
    auth       required     pam_console.so
    account    required     pam_permit.so
    session    optional     pam_keyinit.so force revoke
    [root@examplehost pam.d]#

    In the above example, the first auth line uses the pam_rootok.so module to check whether the current user is root by verifying that the real UID is 0. Because the control flag is sufficient, if this test succeeds no other auth modules are consulted and authentication is granted; if it fails, PAM moves on to the next auth line (pam_console.so). This is how the configuration files drive the PAM authentication mechanism: the lines for an interface are evaluated top to bottom, and the control flags decide when the result is final.
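To see how those fields are read in practice, here is an added example (not part of the lab) that prints the ordered module stack for one interface of a pam.d file, including two syntax variants the four-field description above does not mention: an interface name prefixed with "-" (the module may be missing without an error being logged) and the bracketed [value=action ...] control form. The sample file it writes is constructed from the lab's xserver listing plus one bracketed account line; pam_stack, pam_module and write_sample_pam are this example's own names.

```shell
#!/bin/bash
# Added example, not part of the lab: list the module stack PAM walks for one
# management group (auth, account, password, session) of a service file, in
# order, skipping comments and blank lines. Handles a leading "-" on the
# interface and the bracketed [value=action ...] control form; include and
# substack lines are listed with the included file in the module column.
#
# pam_stack FILE INTERFACE -> tab-separated lines: N CONTROL MODULE ARGS
pam_stack() {
    awk -v want="$2" '
        /^[[:space:]]*(#|$)/ { next }                    # comment or blank line
        {
            type = $1; sub(/^-/, "", type)               # "-session" -> "session"
            if (type != want) next
            control = $2; i = 3
            if (control ~ /^\[/) {                       # e.g. [success=1 default=ignore]
                while (i <= NF && control !~ /\]$/) control = control " " $(i++)
            }
            module = $i; args = ""
            for (j = i + 1; j <= NF; j++) args = args (j > i + 1 ? " " : "") $j
            printf "%d\t%s\t%s\t%s\n", ++n, control, module, args
        }' "$1"
}

# pam_module FILE INTERFACE N -> the module name at position N of that stack
pam_module() {
    pam_stack "$1" "$2" | awk -F'\t' -v n="$3" '$1 == n { print $3 }'
}

# write_sample_pam FILE: constructed sample, the lab's xserver file plus one
# bracketed control line of the kind found in system-auth
write_sample_pam() {
    cat >"$1" <<'EOF'
#%PAM-1.0
# constructed sample: xserver from the lab plus a bracketed control line
auth       sufficient   pam_rootok.so
auth       required     pam_console.so
account    [success=1 default=ignore] pam_succeed_if.so uid < 500 quiet
account    required     pam_permit.so
-session   optional     pam_keyinit.so force revoke
EOF
}

f=$(mktemp) && write_sample_pam "$f"
for iface in auth account password session; do
    echo "== $iface"
    pam_stack "$f" "$iface"
done
rm -f "$f"
```

Reading the auth stack it prints for the sample is the same exercise as the xserver walk-through above: entry 1 is sufficient, so a root caller stops there, while anyone else falls through to the required pam_console.so line.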


    New PAM modules can be created or added at any time for use by PAM-aware applications. Documentation on writing modules is included in the /usr/share/doc/pam-<version>/ directory.

    We will not be developing any PAM modules or doing any lab exercise on PAM in

    this training.

    6Lab Summary

    In this lab, you learned how to create, modify and delete users and groups on Oracle Linux 6 systems, using both the User Manager GUI tool and the command line utilities. You also learned about password aging configuration. We introduced you to the NIS and LDAP authentication mechanisms, the Authentication Configuration Tool and the command line authconfig tool, and ended the lab with a short discussion of Pluggable Authentication Modules (PAM).

    7 References

    For more information and next steps, please consult the additional resource below. Click the hyperlink to access it.

    Deployment Guide, Chapter 3 (Users and Groups Administration):
    http://linux.oracle.com/documentation/OL6/Red_Hat_Enterprise_Linux-6-Deployment_Guide-en-US.pdf