AAA defaultGroup

I’m using /confd_dyncfg:confdConfig/aaa/defaultGroup as below, so that any user
to whom group is not assigned, uses defaultGroup as its group

/confd_dyncfg:confdConfig/aaa/defaultGroup = default_role,

This is working fine with remote users (RADIUS, TACACS). So if remote user is
not returning group value, confd assigns it to default_role.

However, for local user, defaultGroup value is not taking effect, as confd is
picking up group values from linux.
Any linux user is always assigned to group with same user name, so, there is no
way a local user will NOT have a group assigned, even though I’m not defining
any group for this user in NACM.


manishv@vbuntu1204x64v2:~$ ssh test@
test@’s password:
*** Welcome to PFOS CLI ***
test connected from using ssh on PFS5010
PFS5010# id
user = test(1004), gid=1004, groups=test,vxosuser, gids=1001

username is test, groups test, vxosuser are both linux groups. I could probably,
get rid of vxosuser group, but group test is created by linux by default for
user test.

How can I ensure that confd to NOT user linux groups for any user and ONLY use
NACM groups for local users and remote groups for remote users?

I’ve tried /nacm/enable-external-groups, but that disables any group that remote
server provides for a user. I need remote groups for remote users.

Below is output from /etc/passwd and /etc/group file for user test

cat /etc/passwd | grep test

test:x:1004:1004:Linux User,:/sda3/home/test:/opt/confd/bin/confd_cli

cat /etc/group | grep test



Why not assign the Linux PAM authenticated users to your “default_role” default group too, if that is what you want?

# Create the group
$ sudo groupadd default_role
# Create a user without a user group
$ sudo useradd --create-home --home-dir /home/test --no-user-group  --no-log-init --groups default_role --shell /bin/bash test
$ groups test
test : test default_role
# Add an existing user to a group
$ sudo groupadd default_role2
$ sudo usermod -a -G default_role2 test
$ groups test
test : users default_role default_role2

A Linux PAM authenticated user is not a “local” user. “local” users are configured under /aaa/authentication/users.

You should not assign a non-local user, here a Linux PAM user, to a group. That will have no effect.