Hello,
I’m using /confd_dyncfg:confdConfig/aaa/defaultGroup as below, so that any user
to whom a group is not assigned uses defaultGroup as its group:
/confd_dyncfg:confdConfig/aaa/defaultGroup = default_role,
This is working fine with remote users (RADIUS, TACACS). So if a remote user
does not return a group value, confd assigns it to default_role.
However, for a local user, the defaultGroup value is not taking effect, as confd
is picking up group values from Linux.
Any Linux user is always assigned to a group with the same user name, so there
is no way a local user will NOT have a group assigned, even though I’m not
defining any group for this user in NACM.
e.g.
manishv@vbuntu1204x64v2:~$ ssh test@10.250.177.115
test@10.250.177.115’s password:
*** Welcome to PFOS CLI ***
test connected from 10.252.66.25 using ssh on PFS5010
PFS5010# id
user = test(1004), gid=1004, groups=test,vxosuser, gids=1001
PFS5010#
The username is test; the groups test and vxosuser are both Linux groups. I
could probably get rid of the vxosuser group, but the group test is created by
Linux by default for user test.
How can I ensure that confd does NOT use Linux groups for any user and ONLY uses
NACM groups for local users and remote groups for remote users?
I’ve tried /nacm/enable-external-groups, but that disables any group that the
remote server provides for a user. I need remote groups for remote users.
Below is the output from the /etc/passwd and /etc/group files for user test:
cat /etc/passwd | grep test
test:x:1004:1004:Linux User,:/sda3/home/test:/opt/confd/bin/confd_cli
cat /etc/group | grep test
vxosuser:x:1001:admin,user_no_access,test
test:x:1004:
Thanks,
Manish