
Chapter 16: Managing Users and Groups


This chapter describes how to use the SMIT System Management (C-SPOC) utility to manage user accounts and groups on all nodes in a cluster by making configuration changes on a single node.

The chapter includes the following sections:

  • Overview
  • Managing User Accounts across a Cluster
  • Managing Password Changes for Users
  • Changing the Password for Your Own User Account
  • Managing Group Accounts

    Overview

    HACMP lets you manage AIX 5L user and group accounts across an HACMP cluster. Groups provide an additional level of security and enable system administrators to manipulate a group of users as a single entity. In addition, HACMP provides a utility that lets you authorize specified users to change their own password across nodes in an HACMP cluster.

    Requirements for Managing User Accounts in an HACMP Cluster

    AIX 5L files that store user account information should be consistent across cluster nodes. These files are:

  • The system /etc/passwd file
  • Other system files in the /etc/security directory.

    This way, if a cluster node fails, users can log on to the surviving nodes without experiencing problems caused by mismatched user or group IDs.

    As the system administrator of an HACMP cluster, you can use the C-SPOC utility to manage user and group accounts from any node in a cluster. C-SPOC propagates new and updated information to all of the other nodes in the cluster.

    Note: Managing user accounts through C-SPOC requires that the Cluster Communications daemon is running and that all cluster nodes are active.
    Warning: If you manage user accounts with a utility such as Network Information Service (NIS) or Distributed Computing Environment (DCE) Manager, do not use HACMP user management. Using HACMP user management in this environment might cause serious system inconsistencies in the database.

    User Account Configuration

    Make sure user accounts are the same on all nodes in the cluster. Run verification after you make changes to user accounts.

    If one node in the cluster enforces weaker password restrictions than the other nodes, a user can make password changes from that node, and the weaker restrictions then degrade the security of the whole cluster.
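    The two requirements above (identical user and group IDs on every node, and password restrictions that are no weaker on one node than on the others) can be checked before verification is run. The following POSIX shell script is an added example and is not part of the HACMP documentation or of the C-SPOC utility; it compares copies of /etc/passwd, /etc/group and /etc/security/user gathered from two nodes. The node names nodeA and nodeB, all file contents, and the function names compare_ids, password_rule and compare_password_rules are constructed for the example.

```shell
#!/bin/sh
# Added example (not HACMP or C-SPOC code): compare account files copied
# from two cluster nodes and report UID/GID mismatches, accounts present
# on only one node, and password restrictions that differ between nodes.
# Node names and all file contents below are constructed samples.
WORK=$(mktemp -d)
cat > "$WORK/passwd.nodeA" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
guest:!:100:100::/home/guest:
appuser:!:205:200::/home/appuser:/usr/bin/ksh
dbadmin:!:206:200::/home/dbadmin:/usr/bin/ksh
EOF
cat > "$WORK/passwd.nodeB" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
guest:!:100:100::/home/guest:
appuser:!:207:200::/home/appuser:/usr/bin/ksh
opsuser:!:208:200::/home/opsuser:/usr/bin/ksh
EOF
cat > "$WORK/group.nodeA" <<'EOF'
system:!:0:root
appgrp:!:200:appuser,dbadmin
EOF
cat > "$WORK/group.nodeB" <<'EOF'
system:!:0:root
appgrp:!:201:appuser,opsuser
EOF
# /etc/security/user is an AIX stanza file: "name:" opens a stanza, "*"
# starts a comment, and the "default:" stanza applies to every user.
cat > "$WORK/secuser.nodeA" <<'EOF'
* constructed sample
default:
        minlen = 8
        maxage = 13
root:
        minlen = 12
EOF
cat > "$WORK/secuser.nodeB" <<'EOF'
default:
        minlen = 0
        maxage = 0
EOF
# compare_ids NODE1 FILE1 NODE2 FILE2 -- FILE1/FILE2 in passwd or group
# format (field 1 = name, field 3 = numeric ID). Prints one line per
# discrepancy; returns 1 if any was found, 0 if the files agree.
compare_ids() {
    out=$(awk -F: -v n1="$1" -v n2="$3" '
        FNR == 1 { fileno++ }
        fileno == 1 { id1[$1] = $3; next }
        {
            id2[$1] = $3
            if (!($1 in id1))
                printf "%s: missing on %s (present on %s)\n", $1, n1, n2
            else if (id1[$1] != $3)
                printf "%s: id %s on %s, %s on %s\n", $1, id1[$1], n1, $3, n2
        }
        END {
            for (n in id1) if (!(n in id2))
                printf "%s: missing on %s (present on %s)\n", n, n2, n1
        }' "$2" "$4")
    [ -z "$out" ] && return 0
    printf '%s\n' "$out"
    return 1
}

# password_rule FILE ATTR -- prints ATTR from the "default:" stanza of a
# /etc/security/user copy, or nothing if it is not set there.
password_rule() {
    awk -v want="$2" '
        /^\*/ { next }
        /^[^ \t]+:[ \t]*$/ { stanza = $1; sub(/:$/, "", stanza); next }
        stanza == "default" && index($0, "=") {
            key = $0; sub(/=.*/, "", key); gsub(/[ \t]/, "", key)
            if (key != want) next
            val = $0; sub(/^[^=]*=/, "", val); gsub(/[ \t]/, "", val)
            print val; exit
        }' "$1"
}

# compare_password_rules NODE1 FILE1 NODE2 FILE2 -- reports restriction
# attributes whose default value differs between the two nodes; the node
# with the weaker value sets the effective policy for the whole cluster.
compare_password_rules() {
    found=0
    for attr in minlen maxage histsize loginretries; do
        a=$(password_rule "$2" "$attr"); b=$(password_rule "$4" "$attr")
        if [ "$a" != "$b" ]; then
            printf '%s: "%s" on %s, "%s" on %s\n' "$attr" "$a" "$1" "$b" "$3"
            found=1
        fi
    done
    return $found
}
for f in passwd group; do
    echo "== $f IDs =="
    compare_ids nodeA "$WORK/$f.nodeA" nodeB "$WORK/$f.nodeB" && echo consistent
done
echo "== password restrictions =="
compare_password_rules nodeA "$WORK/secuser.nodeA" nodeB "$WORK/secuser.nodeB" && echo consistent
```

    On a real cluster the files would be copied from each node (or the listing produced by cl_lsuser and cl_lsgroup used instead) and the script run once per node pair; any line it prints is a mismatch that verification would also flag, and the password-restriction differences point at the node whose settings need to be raised to match the others.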

    Status of C-SPOC Actions

    If an action initiated by the C-SPOC utility fails, check the C-SPOC log file, /tmp/cspoc.log, to obtain the status of the command on each cluster node.

    Note: The default location of this log file is /tmp/cspoc.log. If you redirected this log, check the appropriate location.

    Managing User Accounts across a Cluster

    You can manage user accounts from any node in a cluster by:

  • Listing Users On All Cluster Nodes
  • Adding User Accounts on all Cluster Nodes
  • Changing Attributes of User Accounts in a Cluster
  • Removing User Accounts from a Cluster

    Starting with HACMP version 5.2, you can authorize users to change their own password and have C-SPOC propagate that password across cluster nodes. For information about this feature, see the section Managing Password Changes for Users.

    Listing Users On All Cluster Nodes

    To obtain information about all user accounts on cluster nodes, or on the nodes in a specified resource group, you can use the following procedure or run the cl_lsuser command. For information about the cl_lsuser command, see its man page.

    To list all user accounts on all cluster nodes using the C-SPOC utility:

      1. Enter the fastpath smit cl_admin
      2. In SMIT, select HACMP Security and Users Management > Users in an HACMP Cluster > List Users in the Cluster.
      3. In the List Users in the Cluster panel, leave the selection for a resource group blank to display information about all users, and press Enter.
    When you press Enter, SMIT executes the cl_lsuser command and displays a listing of user accounts similar to the following:
                        COMMAND STATUS 
    Command: OK            stdout: yes           stderr: no 
    Before command completion, additional instructions may appear below. 
    [TOP] 
    sigmund  root   0       / 
    sigmund  daemon 1       /etc 
    sigmund  bin    2       /bin 
    sigmund  sys    3       /usr/sys 
    sigmund  adm    4       /var/adm 
    sigmund  uucp   5       /usr/lib/uucp 
    sigmund  guest  100     /home/guest 
    sigmund  nobody -2      / 
    sigmund  lpd    9       / 
    sigmund  nuucp  6       /var/spool/uucppublic 
    orion    root   0       / 
    orion    daemon 1       /etc 
    orion    bin    2       /bin 
    [MORE...18] 
    

    Adding User Accounts on all Cluster Nodes

    In AIX 5L, you can add user accounts by using either:

  • The mkuser command
  • smit mkuser

    The user account information is stored in the /etc/passwd file and the files in the /etc/security directory. For more information about the mkuser command, see its man page.

    For information about managing user accounts in AIX 5L, see your AIX 5L documentation. You can locate the AIX 5L documentation from the following URL:

    http://publib16.boulder.ibm.com/pseries/en_US/infocenter/base/aix.htm

    To add a user to all nodes in a cluster using the C-SPOC utility, perform the following procedure on any cluster node:

      1. Enter smit cl_admin
      2. In SMIT, select HACMP Security and Users Management > Users in an HACMP Cluster > Add a User to the Cluster and press Enter.
      3. Enter data in the entry fields to set up the account.
    AIX 5L provides help panels that describe each attribute. The User Name field is the only required field.
    Note: You should specify a value in the User ID field so that the account’s user ID is the same on all cluster nodes. If you do not specify this value, AIX 5L could assign a different user ID on each node. A mismatch of user IDs for an account could prevent a user from logging on to another cluster node in the event of a fallover.
      4. After entering user data, press Enter. The user account specified is created on all cluster nodes.

    The C-SPOC utility creates the AIX 5L user account and home directory for the new account on each remote cluster node that you specify.

    If a user with the same name already exists on one of the cluster nodes, the operation fails, returning this message:

    user-name already exists on node nodename 
    

    You can specify that the command continue processing even if the user name already exists on one of the cluster nodes by specifying the force option.

    Changing Attributes of User Accounts in a Cluster

    In AIX 5L, you can change any of the attributes associated with an existing user account by using either:

  • The chuser command
  • The AIX 5L SMIT Change User Attributes panel.

    The chuser command modifies the user information stored in the /etc/passwd file and the files in the /etc/security directory. For more information about the chuser command, see its man page.

    You can also change attributes associated with an existing user account from C-SPOC, as described in the following procedure. This procedure executes the AIX 5L chuser command on each cluster node. For the change operation to proceed, all cluster nodes must be active, the Cluster Communications daemon must be running, and a user with the specified name must exist on all the nodes.

    To change the characteristics of a user account on all cluster nodes using the C-SPOC utility:

      1. Enter the fastpath smit cl_chuser
    SMIT displays the Change/Show Characteristics of a User in the Cluster panel:
    Change / Show Characteristics of a User in the Cluster 
    Type or select a value for the entry field. 
    Press Enter AFTER making all desired changes. 
                                                      [Entry Fields] 
    Select nodes by Resource Group                     []                       + 
            *** No selection means all nodes! *** 
      2. Specify the name of the user account you want to change and press Enter. Press F4 to obtain a listing of users from which to select. SMIT displays a complete listing of the user account attributes with their current values filled in.
      3. Enter the new values for attributes you want to change and press Enter. AIX 5L provides help panels that explain each attribute. SMIT executes the C-SPOC command to change the attributes of the user account on all cluster nodes.

    Removing User Accounts from a Cluster

    In AIX 5L, you remove a user account by using either:

  • The rmuser command
  • The fastpath smit cl_rmuser

    For information about the rmuser command, see its man page.

    You can also remove a user account from cluster nodes from C-SPOC, as described in the following procedure. This procedure executes the AIX 5L rmuser command on all cluster nodes.

    Note: The system removes the user account but does not remove the home directory or any files owned by the user. These files remain accessible only to the root user and to members of the group the removed user belonged to.

    To remove a user account from all cluster nodes using the C-SPOC utility:

      1. Enter the fastpath smit cl_rmuser
    SMIT displays the Remove a User panel.
      2. Enter field data as follows:
    User Name
    Enter a user name. The user name can be up to 8 characters in length.
    Remove Authentication information?
    Specify Yes to delete the password and other authentication information from system security files.
      3. Press Enter.
    SMIT removes the specified user account from cluster nodes.

    Managing Password Changes for Users

    You can manage user passwords from any node in a cluster by:

  • Changing Passwords for User Accounts
  • Allowing Users to Change Their Own Passwords

    Starting with HACMP version 5.2, you can let specified users change their password on multiple nodes in the cluster by changing their password on one node.

    Note: Changing user passwords is not supported on SP nodes that use PSSP user management.

    An HACMP user, that is, a user who has an AIX 5L user account on each node in a cluster, can use the C-SPOC utility to change their own password across nodes in the cluster. For information about how a user changes their own password, see the section Changing the Password for Your Own User Account.

    Warning: If you manage user accounts with a utility such as Network Information Service (NIS) or Distributed Computing Environment (DCE) Manager, do not use HACMP user management. Using HACMP user management in this environment might cause serious system inconsistencies in the database.

    Prerequisites for Allowing Users to Change Passwords

    Before you authorize users to change their password or change a user’s passwords, ensure that:

  • The cluster topology is configured properly.
  • The user’s account exists on every cluster node in a specified resource group, or, if no resource group is specified, in the entire cluster.
  • The user’s account exists on the local node. (The password changes on the local node, even if that node is not in the selected resource group.)
  • All cluster nodes are powered up and accessible.

    Note: These conditions should also be met before a user changes their own password. Because a user may not have this information, the utility displays messages to the user if their attempt to change their password fails.

    Allowing Users to Change Their Own Passwords

    In HACMP version 5.2 and up, system administrators can enable the new Cluster Password (clpasswd) utility. This utility, when enabled, links to the AIX 5L system password utility to:

  • Let system administrators authorize specified users to change their password across cluster nodes
  • Let authorized users change their own password across a resource group or cluster (as configured), rather than having to change their password on each node in the cluster.

    This means that the user’s AIX 5L system password is the same on the set of nodes specified.

    Note: The security of the password propagated to other nodes is only as secure as the network used to distribute the password.

    Depending on the configuration of the Cluster Password utility, it lets users change their password from:

  • C-SPOC, as described in the section Changing the Password for Your Own User Account
  • The clpasswd command.

    Both of these call the AIX 5L passwd command. The clpasswd command uses the same arguments as the passwd command. For more information about the clpasswd command, see its man page.

    The following table shows where a user’s password is changed based on the user’s authorization, the password utility that is active, and the command executed:

    Password utility and command run        User authorized to change           User not authorized to change
                                            password across cluster             password across cluster

    System password utility linked to       The password is changed on all      The password is changed only on
    clpasswd; the AIX 5L passwd             cluster nodes.                      the local node.
    command is run

    System password utility active          The password is changed only on     The password is changed only on
    (not linked to clpasswd); the           the local node.                     the local node.
    AIX 5L passwd command is run

    System password utility active          The password is changed on all      The password is not changed.
    (not linked to clpasswd); the           cluster nodes.
    HACMP clpasswd command is run

    Configuring the Cluster Password Utility

    To enable the Cluster Password utility:

      1. Enter smit cl_admin
      2. In SMIT, select HACMP Security and User Management > Passwords in an HACMP Cluster > Modify System Password Utility.
    The Modify System Password Utility panel appears.
      3. Enter field values as follows:
    /bin/passwd utility is
    Select Link to Cluster Password Utility to link the Cluster Password Utility to the AIX 5L password utility. This enables the Cluster Password utility.
    Select Original AIX System Command to remove the link from the Cluster Password utility to the AIX 5L password utility. This disables the Cluster Password utility.
    Select Nodes by Resource Group
    Select one or more resource groups to enable the Cluster Password utility on the nodes in the specified group(s).
    Leave the field blank to enable the Cluster Password utility on all cluster nodes.

    When the Cluster Password utility is linked to the AIX 5L password utility, HACMP creates a /usr/es/sbin/cluster/etc/clpasswd/passwd.orig file to store the AIX 5L passwd utility. If you disable the Cluster Password utility, HACMP removes the link between the two files, and the passwd.orig file is moved to /bin/passwd.

    Configuring Authorization

    After the Cluster Password utility is linked to the AIX 5L system password utility (passwd), you can specify and update which users have permission to change their passwords across a cluster. For information about linking the Cluster Password utility, see the section Configuring the Cluster Password Utility.

    To specify which users can change their own password:

      1. Enter smit cl_admin
      2. In SMIT, select HACMP Security and User Management > Passwords in an HACMP Cluster > Manage List of Users Allowed to Change Password and press Enter.
      3. In the Manage List of Users Allowed to Change Password panel, view the list of users and select the users you want to allow to change their password across cluster nodes, or select ALL to allow all cluster users to change their password across the cluster.

    You can also view the list of users allowed to change their password across a cluster, and select and remove a user from the list.

    The /etc/clpasswd/cl_passwd_users file stores the list of users allowed to change their password across a cluster.

    Changing Passwords for User Accounts

    As administrator, you can use C-SPOC to change users’ passwords or to require that particular users change their password at the next login. You can direct that this change take place on all cluster nodes or on the nodes that are part of specified resource groups.

    If you use C-SPOC to change a user password for all nodes that belong to a resource group, make sure you perform this operation on a node that is included in the resource group. If you run this C-SPOC command from a node that is not part of the resource group, the password changes on that node also.

    Note: All nodes must have HACMP version 5.2 or higher installed. For other prerequisites, see the section Prerequisites for Allowing Users to Change Passwords.

    To use SMIT to change a user’s password on a list of nodes in the cluster:

      1. Enter the fastpath smit cl_chpasswd
      2. In the Change a User’s Password in the Cluster panel, select the resource group that contains the nodes on which the user has an account and press Enter.
    If you leave the field blank, all nodes in the cluster are selected.
      3. Enter field values as follows:
    User Name
    Select the name of the user whose password you want to change.
    User must change Password on first login?
    Set to true to require the user to change the password on each node on the next login.
    Set to false if you do not want to require the user to change the password on the next login.
    The default is true.
      4. Press Enter to change the password.
    The panels that appear are similar to the AIX 5L Change a User’s Password panels. You enter the user name and the current password and then change the password.

    Changing the Password for Your Own User Account

    As an individual user, you can change your password on all cluster nodes, or on nodes within a specified resource group, if:

  • The Cluster Password utility is enabled on each cluster node.
  • The administrator (who has root privileges) has given you permission to change your password on nodes across a cluster.

    Note: The password you are changing is your AIX 5L password on the specified nodes.

    If you are unsure whether or not you are authorized to change your password, or if you try to change your password and receive an error message, contact your system administrator.

    For information about how the configuration for the Cluster Password utility affects where your password is changed, see the section Allowing Users to Change Their Own Passwords.

    To change your password on cluster nodes:

      1. Enter smit hacmp
      2. In SMIT, select System Management (C-SPOC) > HACMP Security and User Management > Password in an HACMP Cluster > Change Current User’s Password and press Enter.
    The Change Current User’s Password panel appears.
      3. Enter field values as follows:
    Select nodes by Resource Group
    Select the resource group(s) that contains the nodes where you want to change your password.
    Leave the field blank to select all nodes in the cluster.
    User Name
    Verify that this field displays your user name. If it displays another name, contact your system administrator.
      4. Press Enter.
      5. Change your password on the panel that appears.

    If C-SPOC can distribute your new password to all cluster nodes or the nodes in a specified resource group, it changes your password across the nodes. Messages advise you of the progress of the password change and display the nodes on which the change takes place.

    If C-SPOC cannot communicate with all cluster nodes, it does not change your password, and it displays a message to that effect.

    Note: If your password is changed on some, but not all, of the cluster nodes, a message appears that directs you to contact your system administrator. Be sure to talk with your system administrator because your password might be inconsistent among nodes in the specified resource groups or cluster.

    You can also use the clpasswd command to change your cluster password. If you have not been authorized to change your password on cluster nodes, the clpasswd command does not let you change your password on any node, including the one you are currently logged in to.

    Managing Group Accounts

    All users must belong to a group. Groups add a level of security.

    Warning: If you manage user accounts with a utility such as Network Information Service (NIS) or Distributed Computing Environment (DCE) Manager, do not use HACMP user management. Using HACMP user management in this environment might cause serious system inconsistencies in the database.

    You can manage group accounts from any node in a cluster by:

  • Listing Groups on All Cluster Nodes
  • Adding Groups on Cluster Nodes
  • Changing Characteristics of Groups in a Cluster
  • Removing Groups from the Cluster

    Listing Groups on All Cluster Nodes

    Each group has associated attributes that include the names of the users in the group, the user name of the administrator of the group, and the group ID. In AIX 5L, you obtain information about all the groups defined on an AIX 5L system by running the lsgroup command. For information about the lsgroup command, see its man page.

    You can obtain information about the groups defined on all cluster nodes from C-SPOC, as described in the following procedure, or by running the C-SPOC cl_lsgroup command specifying the ALL argument. (For more information about the cl_lsgroup command, see its man page.) Both C-SPOC and the cl_lsgroup command execute the lsgroup command on each cluster node. The output from the lsgroup command for all nodes is displayed on the node on which the command was executed.

    If you specify a group name that does not exist on a cluster node, the cl_lsgroup command displays a warning message but continues execution of the command on all of the other cluster nodes.

    To list all the groups defined on each cluster node using the C-SPOC utility SMIT interface:

      1. Enter the fastpath smit cl_lsgroup
      2. SMIT displays the following command status window:
                        COMMAND STATUS 
    Command: OK            stdout: yes           stderr: no 
    Before command completion, additional instructions may appear below. 
    [TOP] 
    cav      system 0       true    root 
    cav      staff  1       false   daemon 
    cav      bin    2       true    root,bin 
    cav      sys    3       true    root,bin,sys 
    cav      adm    4       true    bin,adm 
    cav      uucp   5       true    nuucp,uucp 
    cav      mail   6       true 
    cav      security       7       true    root 
    cav      cron   8       true    root 
    cav      printq 9       true 
    cav      audit  10      true    root 
    cav      ecs    28      true 
    cav      nobody -2      false   nobody,lpd 
    [MORE...56] 
    

    Adding Groups on Cluster Nodes

    To define a new group on AIX 5L systems, you use the mkgroup command. This command adds an entry for the new group to various system security files, including /etc/group and /etc/security/group. For more information about the mkgroup command, see its man page.

    You can also define a new group on all cluster nodes from C-SPOC as described in the following procedure. The C-SPOC command performs some verification and then calls the AIX 5L mkgroup command on each cluster node to create the group you specify.

    If a group with the same name already exists on a cluster node, the operation is aborted. By default, the C-SPOC command requires that the nodes in the HACMP cluster must be powered up and accessible over the network; otherwise, the command fails with an error.

    To define a new AIX 5L group on cluster nodes using the C-SPOC utility:

      1. Enter the fastpath smit cl_mkgroup
    SMIT displays the Add a Group panel.
      2. Enter data in entry fields to create the group account. The Group Name is the only required field. Note, however, that you should also specify the Group ID.
      3. After you finish filling in the SMIT fields, press Enter. The C-SPOC command executes, creating the new group on all cluster nodes.

    Changing Characteristics of Groups in a Cluster

    In AIX 5L, you can change the attributes of a group by using either:

  • The chgroup command
  • The AIX 5L SMIT Change Group Attributes panel.

    For more information about the chgroup command, see its man page.

    The chgroup command modifies the user information stored in the /etc/group and the /etc/security/group files.

    You can also change the attributes of a group on all cluster nodes from C-SPOC as described in the following procedure. This procedure executes the AIX 5L chgroup command on each cluster node.

    Changing group characteristics from C-SPOC requires that:

  • All cluster nodes are accessible
  • The Cluster Communications daemon is running
  • A group with the name specified exists on all cluster nodes.

    Optionally, you can force the C-SPOC command to continue processing even if it encounters an error on one of the cluster nodes.

    To change the attributes of a group on all cluster nodes using the C-SPOC utility:

      1. Enter the fastpath smit cl_chgroup
    SMIT displays the Change a Group panel.
      2. Specify the name of the group you want to change and press Enter.
    Press F4 to obtain a listing of groups from which to select. SMIT displays a complete listing of the attributes of the group specified, with their current values filled in.
      3. Change the value of any group attribute and press Enter.
    The command executes, writing the new attribute value in the appropriate system security files on all cluster nodes.

    Removing Groups from the Cluster

    To delete a group on an AIX 5L system, you use the rmgroup command. This command removes the entry for the group from the /etc/group and /etc/security/group files. Users that are members of the group are not deleted.

    If the group is the primary group for any user, the remove operation fails unless you redefine the user’s primary group with the chuser command. (For more information about using the chuser command, see the section Managing Group Accounts.) Only the root user can remove an administrative group or a group with administrative users as members.

    To remove a group from all cluster nodes, complete the steps in the following procedure. C-SPOC performs some cluster-wide verification checks and then calls the AIX 5L rmgroup command to remove the group on each cluster node.

    If a group with the name specified does not exist on one of the cluster nodes, the command reports a warning message but continues the operation on the other cluster nodes. By default, the command requires that all cluster nodes are powered up and accessible over the network; otherwise, the command fails with an error. Optionally, you can force the command to continue processing even if it encounters an error on one of the cluster nodes.
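    Before running the C-SPOC procedure, an administrator can find out on each node which users would cause rmgroup to refuse the removal. The following POSIX shell script is an added example, not part of the HACMP documentation or of C-SPOC; it works on copies of /etc/passwd and /etc/group from one node. The group names, file contents and function names (group_gid, group_members, primary_group_users, check_group_removable) are constructed for the example; pgrp is the standard chuser attribute for a user's primary group.

```shell
#!/bin/sh
# Added example (not HACMP or C-SPOC code): check on one node whether a
# group can be removed, using copies of /etc/passwd and /etc/group.
# rmgroup refuses to remove a group that is still some user's primary
# group (field 4 of /etc/passwd); this check finds those users first.
# File contents and group names below are constructed samples.
WORK=$(mktemp -d)
cat > "$WORK/group" <<'EOF'
system:!:0:root
staff:!:1:daemon,guest
appgrp:!:200:appuser,dbadmin
tmpgrp:!:300:
EOF
cat > "$WORK/passwd" <<'EOF'
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
guest:!:100:1::/home/guest:
appuser:!:205:200::/home/appuser:/usr/bin/ksh
dbadmin:!:206:200::/home/dbadmin:/usr/bin/ksh
EOF

# group_gid GROUP GROUP_FILE -- prints the GID, or nothing if undefined
group_gid() { awk -F: -v g="$1" '$1 == g { print $3; exit }' "$2"; }

# group_members GROUP GROUP_FILE -- prints the members listed in field 4;
# these users are not deleted when the group is removed, they only lose
# the membership.
group_members() {
    awk -F: -v g="$1" '$1 == g { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$2"
}

# primary_group_users GROUP PASSWD_FILE GROUP_FILE -- prints the users
# whose primary group (passwd field 4) is GROUP
primary_group_users() {
    gid=$(group_gid "$1" "$3")
    [ -n "$gid" ] || return 0
    awk -F: -v gid="$gid" '$4 == gid { print $1 }' "$2"
}

# check_group_removable GROUP PASSWD_FILE GROUP_FILE
# Returns 0 if rmgroup could remove GROUP on this node, 1 if a user still
# has it as primary group (reassign with "chuser pgrp=<group> <user>"
# first), 2 if the group is not defined here (C-SPOC reports a warning
# and continues on the other nodes in that case).
check_group_removable() {
    if [ -z "$(group_gid "$1" "$3")" ]; then
        echo "warning: group $1 is not defined in $3"
        return 2
    fi
    users=$(primary_group_users "$1" "$2" "$3")
    if [ -n "$users" ]; then
        echo "group $1 is still the primary group of:" $users
        return 1
    fi
    members=$(group_members "$1" "$3")
    [ -n "$members" ] && echo "note: $1 has members (kept, membership lost):" $members
    return 0
}

for g in tmpgrp appgrp staff nosuch; do
    echo "== $g =="
    check_group_removable "$g" "$WORK/passwd" "$WORK/group" && echo "removable"
done
```

    Run against the real files on every cluster node, a non-zero result on any node tells you which users need a new primary group before the C-SPOC removal is attempted; the warning case mirrors the behaviour described above, where cl_rmgroup continues on the other nodes.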

    To remove a group from cluster nodes using the C-SPOC utility:

      1. Enter smit cl_rmgroup
    SMIT displays the Remove a Group panel.
      2. Enter the name of the group you want to remove. Press the F4 key to get a listing of available groups from which to select. After specifying the group name, press Enter.
    The command executes, removing the group from all cluster nodes.
