IBM Support

IV98403: INCORRECT BEHAVIOUR OF CHSEC WHEN DOMAINLESSGROUPS IS ENABLED APPLIES TO AIX 7100-05


APAR status

  • Closed as program error.

Error description

  • Customer has domainlessgroups enabled.
    
    Assigning sugroups to the root user with chsec, where the
    group is an LDAP group:
    #chsec -f /etc/security/user -s root -a sugroups=testg1
    #lsuser -a sugroups root
     root sugroups=testg1
    
    The command succeeds and changes the sugroups attribute of root.
    
    As per the documentation of /etc/secvars.cfg
    (https://www.ibm.com/support/knowledgecenter/en/ssw_aix_72/com.ibm.aix.files/secvars.cfg.htm):
    "The root user cannot be assigned LDAP groups
    irrespective of the value of the domainlessgroups
    attribute."
    The chsec command should have failed.
    
    However, the chuser command shows the correct behavior and
    fails with an error:
    
    #chuser sugroups=testg1 root
    Error assigning LDAP groups to root.
    3004-692 Error changing "sugroups" to "testg1" :
    Value is invalid.
    
    Therefore, the chsec command shows incorrect behavior when
    domainlessgroups is enabled.
    

Local fix

Problem summary

  • With the domainlessgroups feature on, an LDAP group can be
    assigned to the root user using the chsec command. This is
    unexpected behaviour of the chsec command.
    

Problem conclusion

  • Add a check, when the domainlessgroups feature is on, to see
    whether an LDAP group is being assigned to the root user with
    the chsec command. If so, fail chsec with an appropriate error
    message.
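
An audit check for the condition described above, added here as an example (it is not part of the APAR and is not IBM code): it reads the root stanza of the user security file and lists sugroups entries that are not defined in the local group file. The function names are hypothetical, the file paths default to /etc/security/user and /etc/group, and the sugroups syntax (comma-separated names, ALL, leading "!") is assumed from the AIX user file documentation.

```shell
#!/bin/sh
# Added audit example, not IBM code. Paths are parameters so the check can
# also be run against copies of the files taken from a system under review.

# Print the value of attribute $2 in stanza $1 of stanza file $3.
stanza_attr() {
    awk -v stanza="$1" -v attr="$2" '
        /^[ \t]*\*/ { next }                    # stanza-file comment line
        /^[^ \t].*:[ \t]*$/ {                   # stanza header, e.g. "root:"
            name = $0; sub(/:[ \t]*$/, "", name)
            in_stanza = (name == stanza); next
        }
        in_stanza {
            line = $0; sub(/^[ \t]+/, "", line)
            eq = index(line, "=")
            if (eq == 0) next
            key = substr(line, 1, eq - 1); sub(/[ \t]+$/, "", key)
            if (key != attr) next
            val = substr(line, eq + 1)
            gsub(/^[ \t"]+|[ \t"]+$/, "", val)  # trim blanks and quotes
            print val
        }' "$3"
}

# List root sugroups entries that have no entry in the local group file.
# "ALL" and a leading "!" (exclude) are sugroups syntax, not group names.
nonlocal_root_sugroups() {
    userfile=${1:-/etc/security/user}
    groupfile=${2:-/etc/group}
    stanza_attr root sugroups "$userfile" | tr ',' '\n' |
    while IFS= read -r g; do
        g=$(printf '%s' "$g" | sed 's/^[[:space:]]*!*//; s/[[:space:]]*$//')
        if [ -z "$g" ] || [ "$g" = "ALL" ]; then
            continue
        fi
        # Report the name when no local group entry has it as first field.
        awk -F: -v g="$g" '$1 == g { found = 1 } END { exit !found }' \
            "$groupfile" || printf '%s\n' "$g"
    done
}
```

A name reported by nonlocal_root_sugroups is a candidate for review, not proof that it is an LDAP group; it may also be a group that does not exist at all.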
    

Temporary fix

Comments

  • 6100-09 - use AIX APAR IV99296
    7100-04 - use AIX APAR IV99185
    7100-05 - use AIX APAR IV98403
    7200-00 - use AIX APAR IJ01698
    7200-01 - use AIX APAR IJ01376
    7200-02 - use AIX APAR IV99217
    

APAR Information

  • APAR number

    IV98403

  • Reported component name

    AIX V7.1

  • Reported component ID

    5765H4000

  • Reported release

    710

  • Status

    CLOSED PER

  • PE

    NoPE

  • HIPER

    NoHIPER

  • Special Attention

    NoSpecatt / Xsystem

  • Submitted date

    2017-07-25

  • Closed date

    2017-08-16

  • Last modified date

    2018-09-21

  • APAR is sysrouted FROM one or more of the following:

  • APAR is sysrouted TO one or more of the following:

    IV99163 IV99185 IV99217 IV99238 IV99296 IJ01376

Fix information

  • Fixed component name

    AIX V7.1

  • Fixed component ID

    5765H4000

Applicable component levels

  • R710 PSY U875882

       UP18/03/06 I 1000

Document Information

Modified date:
20 April 2022