Are user/group collisions supported in Red Hat Enterprise Linux?

Solution Verified - Updated

Environment

  • Red Hat Enterprise Linux (RHEL)
    • All versions
  • SSSD
  • LDAP
    • Active Directory
    • Identity Management in RHEL (IPA)
    • Red Hat Directory Server (RHDS)
    • OpenLDAP
    • Any other third party LDAP solution

Issue

  • Are user/group collision supported?
  • Is it supported to keep user with same name locally in /etc/passwd file as well as in AD or LDAP or IPA server?

Resolution

  • User/group collision is not supported/recommended.
  • Moreover, try setting files first in /etc/nsswitch.conf file then getgrnam() function will use files first and will resolve your GID as a local group.

Root Cause

  • What is meant by user/group collision is: if a local user uid, local user user name or a local group name is the same as a external source, this is not supported.

  • UID/GID collision is not supported. It will confuse the NSS process. It may work intermittently. When user information is requested about a user (with getent, id or similar), typically one of the functions of the Name Service Switch, such as getpwnam() or initgroups() in glibc is called no matter whether its a local/domain user or ldap user.

    Example:
Lookup call for local user "open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3</usr/lib64/libc-2.17.so>"
Lookup call for ldap/AD user "open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3</usr/lib64/libc-2.17.so>"

Diagnostic Steps

  • You need to check with those results is return more than one result, if it shows a result for files and (sss or ldap) which means that you have collision in your current configuration.

    • Check user collisions

        Local User
  # getent passwd -s files  username

  Domain User for sssd         
  # getent passwd -s sss  username

  Domain User for winbind         
  # getent passwd -s winbind username

  LDAP User          
  # getent passwd -s ldap username

    • Check group collisions

        Local Group
  # getent group -s files  groupname

  Domain Group for sssd
  # getent group -s sss groupname

  Domain Group for winbind
  # getent group -s winbind groupname

  LDAP Group
  # getent group -s ldap groupname
SBR
Product(s)
Components
Category
Tags

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.