Vous êtes ici : Formations en Ligne Gratuites » Catalogue » workbooks » Red Hat » RH124 - Course Overview » RH12406 - User Management

Différences

Ci-dessous, les différences entre deux révisions de la page.

Lien vers cette vue comparative

--- elearning:workbooks:redhat:rh124en:l105 [2024/11/11 13:36] – admin
+++ elearning:workbooks:redhat:rh124en:l105 [2024/11/26 13:43] (Version actuelle) – admin
@@ Ligne 1: / Ligne 1: @@
 ~~PDF:LANDSCAPE~~
-Version : **2024.01**
+Version: **2024.01**
-Last update : ~~LASTMOD~~
+Last update: ~~LASTMOD~~
-======RH12406 - User management======
+======RH12406 - User Management======
 =====Contents=====
@@ Ligne 14: / Ligne 14: @@
       * /etc/nsswitch.conf
       * Querying databases
-      * The /etc/group and /etc/gshadow files
+      * The /etc/group and /etc/gshadow Files
-      * The /etc/passwd and /etc/shadow files
+      * The /etc/passwd and /etc/shadow Files
     * Commands
       * Groups
@@ Ligne 43: / Ligne 43: @@
 </WRAP>
-Good user management involves a good group strategy. In fact, each user is assigned to a **main** group but can also be a member of one or more secondary groups.
+Good user management involves a good group strategy. In fact, each user is assigned to a **primary** group but can also be a member of upto 15 secondary groups.
 As in other operating systems, under Linux it is preferable to give access rights to groups and not to individual users.
@@ Ligne 53: / Ligne 53: @@
   * **/etc/group**.
-====/etc/nsswitch.conf under RHEL 9====
+====/etc/nsswitch.conf====
 <code>
@@ Ligne 153: / Ligne 153: @@
 </code>
-In this file :
+In this file:
   * **sss** indicates the use of the **System Security Services Daemon** (SSSD).
-    * SSSD has its origines in the **FreeIPA** (Identity, Policy and Audit) and provides Linux/Unix networks with similar functionalities as those provided by Microsoft Active Directory Domain Services to Windows(tm) networks,
+    * SSSD has its origines in **FreeIPA** (Identity, Policy and Audit) and provides Linux/Unix networks with similar functionalities as those provided by Microsoft Active Directory Domain Services to Windows(tm) networks,
     * For more information, consult **[[https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/system-level_authentication_guide/configuring_services|this page]]**.
   * **files** indicates the use of local text files in **/etc**,
@@ Ligne 165: / Ligne 165: @@
 The **getent** command is used to query databases. It takes the following form:
-  getent database-key
+  getent database key
-For example, to search for the user in the user database, use the following command:
+For example, to search for a user in the user database, use the following command:
 <code>
@@ Ligne 181: / Ligne 181: @@
 </code>
-Using the getent command without specifying a key prints the contents of the database on the screen :
+Using the getent command without specifying a key prints the contents of the database to STDOUT:
 <code>
@@ Ligne 224: / Ligne 224: @@
 </code>
-====Files /etc/group and /etc/gshadow====
+====The /etc/group and /etc/gshadow Files====
 To list the existing groups on the system, enter the following command:
@@ Ligne 293: / Ligne 293: @@
 <WRAP center round important 60%>
-**Important**: Note that the root group GID value is always 0. Note that under RHEL 9 normal user GIDs start at **1000** and system account GIDs are included between 1 and 99 and between 201 and 999.
+**Important**: Note that the root group GID value is always 0. Note that under RHEL 9, normal user GIDs start at **1000** and system account GIDs are included between 1 and 99 and between 201 and 999.
 </WRAP>
@@ Ligne 371: / Ligne 371: @@
 Each line consists of 4 fields:
-  * The group name. This field is used to link to the **/etc/group** file,
+  * The unique group name from the **/etc/group** file,
-  * The **encrypted** group password if one exists. A value of **empty** in this field indicates that only members of the group can execute the **newgrp** command. A value of **!**, **x** or ***** indicates that no one can execute the **newgrp** command for the group,
+  * The encrypted group password. If this is empty, only the users who are members of the group can use the newgrp command. If the field contains a !, an x or a %%*%% it indicates that noone can use the newgrp command,
   * The group administrator if one exists,
-  * The list of members who have the group as their **secondary** group.
+  * The list of users who have the group as a secondary group.
 To check the **/etc/group** and **/etc/gshadow** files for possible errors, enter the following command:
@@ Ligne 382: / Ligne 382: @@
 [root@redhat9 ~]#
 </code>
-In the event that your files do not contain any errors, you will find yourself returned to the prompt.
 <WRAP center round important 60%>
-**Important**: The **-r** option allows error checking without modifying it.
+**Important**: The **-r** option allows error checking without modifying anything.
 </WRAP>
@@ Ligne 396: / Ligne 394: @@
     * regenerates the **/etc/group** file from the **/etc/gshadow** file and possibly from the existing **/etc/group** file, then deletes the **/etc/gshadow** file.
-==== Files /etc/passwd and /etc/shadow====
+==== The /etc/passwd and /etc/shadow Files====
 <WRAP center round important 60%>
@@ Ligne 454: / Ligne 452: @@
   * The password. A value of **x** in this field indicates that the system uses the **/etc/shadow** file to store passwords.
   * THE UID. A unique value used to determine rights to files and directories.
-  * GID. A value indicating the user's **main** group.
+  * GID. A value indicating the user's **primary** group.
   * The full name. This optional field is also called **GECOS**.
   * The user's home directory
@@ Ligne 506: / Ligne 504: @@
   * The user's name. This field is used to make the link with the **/etc/passwd** file,
   * The user's **encrypted** password. Encryption is **one-way**. This field can also contain one of the following three values:
-    **!!** - The password has not yet been set and the user cannot log in,
+    * **!!** - The password has not yet been set and the user cannot log in,
-    ***** - The user cannot log in,
+    * ***** - The user cannot log in,
-    **empty** - No password will be requested for this user,
+    * **empty** - No password will be requested for this user,
   * The number of days between **01/01/1970** and the last password change,
   * The number of days that the password is still valid. A value of **0** in this field indicates that the password never expires,
@@ Ligne 524: / Ligne 522: @@
 <WRAP center round important 60%>
-**Important**: Any errors concerning the login directories of certain system accounts are not important. They are due to the fact that the directories are not created by the system when the accounts are created. Once again, the **-r** option allows errors to be checked in without modifying it.
+**Important**: Any errors concerning the login directories of certain system accounts are not important. They are due to the fact that the directories are not created by the system when the accounts are created. Once again, the **-r** option allows errors to be checked in without modifying anything.
 </WRAP>
@@ Ligne 531: / Ligne 529: @@
   * **pwconv**
     * regenerates the **/etc/shadow** file from the **/etc/passwd** file and possibly the existing **/etc/shadow** file.
-  **pwunconv**
+  *  **pwunconv**
     * regenerates the **/etc/passwd** file from the **/etc/shadow** file and possibly from the existing **/etc/passwd** file, then deletes the **/etc/shadow** file.
@@ Ligne 564: / Ligne 562: @@
 <WRAP center round important 60%>
-**Important** : It is possible to create several groups with the same GID.
+**Important**: It is possible to create several groups with the same GID.
 </WRAP>
-<WRAP centre round important 60%>
+<WRAP center round important 60%>
 **Important**: Note the **-r** option which allows the creation of a system group.
 </WRAP>
@@ Ligne 625: / Ligne 623: @@
 ===gpasswd===
-This command is used to modify administer the **/etc/group** file.
+This command is used to administer groups.
 ==Command Line Switches==
@@ Ligne 656: / Ligne 654: @@
 ^ Return code ^ Description ^
 | 1 | Unable to update /etc/passwd file |
-| 2 | Syntax invalid |
+| 2 | Invalid syntax |
 | 3 | Invalid option |
 | 4 | The requested UID is already in use |
 | 6 | The specified group does not exist |
 | 9 | The specified user name already exists |
-| 10 | Unable to update /etc/group file |
+| 10 | Unable to update the /etc/group file |
-| 12 | Unable to create user home directory |
+| 12 | Unable to create the user's home directory |
-| 13 | Unable to create user's mail spool |
+| 13 | Unable to create the user's mail spool |
 ==Command Line Switches==
@@ Ligne 712: / Ligne 710: @@
 </WRAP>
-<WRAP centre round important 60%>
+<WRAP center round important 60%>
 **Important**: Note the **-r** option which allows a system account to be created. In this case the useradd command does not create a home directory.
 </WRAP>
@@ Ligne 813: / Ligne 811: @@
 </code>
-<WRAP centre round important 60%>
+<WRAP center round important 60%>
-**Important** : Note the **-l** option, which locks an account by placing the character **!** in front of the encrypted password.
+**Important**: Note the **-l** option, which locks an account by placing the character **!** in front of the encrypted password.
 </WRAP>
@@ Ligne 862: / Ligne 860: @@
 In this file we find the following directives:
-  * **GROUP** - identifies the user's default main group when the **-N** option is used with the **useradd** command. Otherwise, the main group is either the group specified by the **-g** option of the command, or a new group with the same name as the user,
+  * **GROUP** - identifies the user's default primary group when the **-N** option is used with the **useradd** command. Otherwise, the primary group is either the group specified by the **-g** option of the command, or a new group with the same name as the user,
   * **HOME** - indicates that the user's home directory will be created in the **home** directory when the account is created if this option has been enabled in the **/etc/login.defs** file,
   * **INACTIVE** - indicates the number of days of inactivity after a password has expired before the account is locked. A value of -1 disables this directive,
-  * **EXPIRE** - no value, this directive indicates that the user's password never expires,
+  * **EXPIRE** - with no value, this directive indicates that the user's password never expires,
   * **SHELL** - specifies the user's shell,
   * **SKEL** - indicates the directory containing the files that will be copied to the user's home directory, if this directory is created when the user is created,
@@ Ligne 949: / Ligne 947: @@
 =====LAB #1 - Manage Users and Groups=====
-Now create three groups **group1**, **group2** and **group3**. The GID value of group **group3** must be **1807** :
+Now create three groups **group1**, **group2** and **group3**. The GID value of group **group3** must be **1807**:
 <code>
@@ Ligne 955: / Ligne 953: @@
 </code>
-Now create three users **fenestros1**, **fenestros2** and **fenestros3**. The three users have **group1**, **group2** and **group3** as their main group respectively. **fenestros2** is also a member of **group1** and **group3**. **fenestros1** has a GECOS of **tux1** :
+Now create three users **fenestros1**, **fenestros2** and **fenestros3**. The three users have **group1**, **group2** and **group3** as their primary group respectively. **fenestros2** is also a member of **group1** and **group3**. **fenestros1** has a GECOS of **tux1**:
 <code>
@@ Ligne 995: / Ligne 993: @@
 </code>
-Create the password **fenestros** for **group3** :
+Create the password **fenestros** for **group3**:
 <code>
@@ Ligne 1008: / Ligne 1006: @@
 </WRAP>
-Check the **/etc/gshadow** file :
+Check the **/etc/gshadow** file:
 <code>
@@ Ligne 1027: / Ligne 1025: @@
 </WRAP>
-Now name **fenestros1** administrator of **group3** :
+Now name **fenestros1** administrator of **group3**:
 <code>
@@ Ligne 1050: / Ligne 1048: @@
 <WRAP center round important 60%>
-**Important**: The **fenestros1** user can now administer the **group3** group by adding or deleting users as long as they know the group password.
+**Important**: The **fenestros1** user can now administer the **group3** group by adding or deleting users.
 </WRAP>
@@ Ligne 1064: / Ligne 1062: @@
 </WRAP>
-So delete the user **fenestros3** :
+So delete the user **fenestros3**:
 <code>
@@ Ligne 1100: / Ligne 1098: @@
 <WRAP center round important 60%>
-**Important** : The **find** command is run iteratively. The error is normal because when the **find** command finds no more files to delete, it stops with a return code of 2.
+**Important**: The **find** command is run iteratively. The error is normal because when the **find** command finds no more files to delete, it stops with a return code of 2.
 </WRAP>
@@ Ligne 1122: / Ligne 1120: @@
 <WRAP center round important 60%>
-**Important** : Note that the rules governing the use of passwords are not applied to users created by root. Also note that passwords entered will **NOT** be visible.
+**Important**: Note that the rules governing the use of passwords are not applied to users created by root. Also note that passwords entered will **NOT** be visible.
 </WRAP>
@@ Ligne 1260: / Ligne 1258: @@
 [root@redhat9 ~]# cat /etc/pam.d/login
 #%PAM-1.0
-auth substack system-auth
+auth       substack     system-auth
-auth include postlogin
+auth       include      postlogin
-account required pam_nologin.so
+account    required     pam_nologin.so
-account include system-auth
+account    include      system-auth
-password include system-auth
+password   include      system-auth
 # pam_selinux.so close should be the first session rule
-session required pam_selinux.so close
+session    required     pam_selinux.so close
-session required pam_loginuid.so
+session    required     pam_loginuid.so
 # pam_selinux.so open should only be followed by sessions to be executed in the user context
-session required pam_selinux.so open
+session    required     pam_selinux.so open
-session required pam_namespace.so
+session    required     pam_namespace.so
-session optional pam_keyinit.so force revoke
+session    optional     pam_keyinit.so force revoke
-session include system-auth
+session    include      system-auth
-session include postlogin
+session    include      postlogin
--session optional pam_ck_connector.so
+-session   optional     pam_ck_connector.so
 </code>
@@ Ligne 1288: / Ligne 1286: @@
 ^ Type ^ Description
 | **auth** | Used to authenticate a user or system prerequisites ( for example /etc/nologin ) |
-| **account** | Used to check whether the user can authenticate (e.g. account validity).
+| **account** | Used to check whether the user can authenticate (e.g. account validity). |
-| **password** | Used to check whether the user has the rights to update the authentication mechanism.
+| **password** | Used to check whether the user has the rights to update the authentication mechanism. |
-| **session** | Used to manage the session after authentication (for example, mount a directory).
+| **session** | Used to manage the session after authentication (for example, mount a directory). |
 The **second field** is the //**Control-flag**//. There are four of them:
 ^ Control-flag ^ Description ^
-| **required** | Successful completion of this module is essential. The failure of a //required// module is not communicated to the application until all modules with a //control-flag// of **required**| have been checked.
+| **required** | Successful completion of this module is essential. The failure of a //required// module is not communicated to the application until all modules with a //control-flag// of **required** have been checked. |
-| **requisite** | This module must be passed. Failure of a //requisite// module is immediately communicated to the |
+| **requisite** | This module must succeed. Failure of a //requisite// module is immediately communicated to the application. |
-| **sufficient** | Passing this module is sufficient to authorise authentication. If no previous //required// test has failed, verification stops. If a previous //required// test failed, the //sufficient// test is ignored. The failure of a //sufficient// test has no consequence if all the //required// tests succeed.
+| **sufficient** | Success is sufficient to authorise authentication. If no previous //required// test has failed, verification stops. If a previous //required// test failed, the //sufficient// test is ignored. The failure of a //sufficient// test has no consequence if all the //required// tests succeed. |
-| **optional** | The success or failure of this module is irrelevant, **unless** it is the only module to be executed.
+| **optional** | The success or failure of this module is irrelevant, **unless** it is the only module to be executed. |
-| **include** | This control flag is used to include all lines of the same //module type// in the file specified as an argument.
+| **include** | This control flag is used to include all lines of the same //module type// in the file specified as an argument. |
 The **third field** specifies the //**module**// associated with the rule. Without an absolute path, the file is assumed to be in the **/lib/security** directory. To include a module outside this directory, its absolute path must be specified.
@@ Ligne 1305: / Ligne 1303: @@
 The **fourth field** may contain the **arguments**.
-PAM now offers a solution for all applications that do not have their own PAM configuration files. This solution takes the form of the **/etc/pam.d/other** file:
+PAM also offers a solution for all applications that do not have their own PAM configuration files. This solution takes the form of the **/etc/pam.d/other** file:
 <code>
@@ Ligne 1341: / Ligne 1339: @@
 | **time.conf** | Used by the pam_time.so module |
-Password complexity is managed by the pam_pwquality.so module. In order to set up a complex password policy, the **/etc/security/pwquality.conf** file needs to be modified:
+Password complexity is managed by the **pam_pwquality.so** module. In order to set up a complex password policy, the **/etc/security/pwquality.conf** file needs to be modified:
 <code>
@@ Ligne 1618: / Ligne 1616: @@
 <WRAP center round important 60%>
-**Important**: Note the presence of the line **%wheel ALL=(ALL) ALL**. This line has the format **Who Where = (As who) What**. The line therefore implies that members of the **wheel** group can execute all system commands from any host and as any role. In this file, a group is referenced by a **%**. A name without this character is necessarily a user. To edit the **/etc/sudoers** file, it is **necessary** to use the **visudo** command.
+**Important**: Note the presence of the line **%wheel ALL=(ALL) ALL**. This line has the format **Who Where = (As who) What**. The line therefore implies that members of the **wheel** group can execute all system commands from any host and as any role. In this file, a group is referenced by a **%**. A name without this character is user. To edit the **/etc/sudoers** file, it is **necessary** to use the **visudo** command.
 </WRAP>
 -----
 Copyright © 2024 Hugh Norris.

Piste : • BDF106 - Configurer le Capacity Scheduler • DOF600 - Prérequis • RH12402 - L’Éditeur VI • BDF101 - Ajouter un Hôte et des Services à un Cluster HDP Existant • BDF100 - Hortonworks Data Platform Administration - Mise en Place de l'Infrastructure • GRA500 - Sketch App • LRF409 - Serveur Proxy • LCF604 - Présentation, Installation et Configuration de KVM • RH13403 - Gestion des Paramètres du matériel et les Ressources • LCF603 - Gestion du Réseau

Différences

Recherche

Imprimer/exporter

Menu