Account ID

Each user account has a numeric ID which uniquely identifies the account. The AIX® operating system grants authorization according to Account ID.

It is important to understand that accounts with the same ID are virtually the same account. When creating users and groups, the AIX mkuser and mkgroup commands always check for the target registry to make sure that the account to be created has no ID collision with existing accounts.

The system can also be configured to check all user (group) registries during account creation using the dist_uniqid system attribute. The dist_uniqid attribute of the usw stanza in the /etc/security/login.cfg file can be managed using the chsec command. To configure the system to always check for ID collision against all registries, run:
# chsec -f /etc/security/login.cfg -s usw -a dist_uniqid=always
There are three valid values for the dist_uniqid attribute:
never
This value does not check for ID collision against the non-target registries (default).
always
This value checks for ID collision against all other registries. If a collision is detected between the target registry and any other registry, the mkuser (mkgroup) command picks a unique ID which is not used by any registry. It only fails if the ID value is specified from the command line (for example, mkuser id=234 foo, and ID 234 is already taken by a user in any of the registries).
uniqbyname
This value checks for ID collision against all other registries. Collision between registries is permitted only if the account to be created has the same name as the existing account for a mkuser id=123 foo type of command. If the ID is not specified from the command line, the new account might not have the same ID value as an existing account with the same name in another registry. For example, acct1 with ID 234 is a local account. When creating an LDAP account acct1, mkuser -R LDAP acct1 might pick a unique ID of 235 for the LDAP account. The result is acct1 with ID 234 on local, and acct1 with 235 on LDAP.
Note: ID collision detection in the target registry is always enforced regardless of the dist_uniqid attribute.

The uniqbyname value works well with two registries. With more than two registries, and when an ID collision already exists between two of them, the behavior of mkuser (mkgroup) is unspecified when creating a new account in a third registry using the colliding ID value. The new account creation might succeed or fail depending on the order in which the registries are checked.

For example: Suppose a system is configured with three registries: local, LDAP and DCE. An acct1 account exists in LDAP and an acct2 account in DCE, both with ID 234. When the system administrator runs the mkuser -R files id=234 acct1 (mkgroup -R files id=234 acct1) command to create the local account with the uniqbyname value, the mkuser (mkgroup) command checks against the LDAP registry first, and finds that ID 234 is taken by LDAP account acct1. Since the account to be created has the same account name, the mkuser (mkgroup) command successfully creates the local account acct1 with ID 234. If the DCE registry is checked first, the mkuser (mkgroup) command finds that ID 234 is taken by DCE account acct2, and creation of local account acct1 fails. The check for ID collision enforces ID uniqueness between the local registry and remote registries or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems which use the same remote registry. The mkuser (mkgroup) command bypasses the remote registry if it is not reachable at the time the command is run.
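The following is an added example, not part of the AIX documentation or of mkuser itself: a small Python model of the three dist_uniqid policies described above, including the order-dependent uniqbyname case with three registries. Registry names, account names and IDs are constructed sample data, the ID allocator is simplified (lowest ID above every ID in use), and the assumption that the first non-target registry holding the ID decides the outcome is the model's own.

```python
# Added example: models how dist_uniqid changes mkuser's ID-collision check.
# Not AIX code; registries/accounts are constructed sample data.

NEVER, ALWAYS, UNIQBYNAME = "never", "always", "uniqbyname"


def next_free_id(registries, start=200):
    """Simplified allocator: lowest ID above every ID in use (assumption)."""
    used = {uid for reg in registries.values() for uid in reg.values()}
    return max(used, default=start - 1) + 1


def mkuser(registries, target, name, uid=None, dist_uniqid=NEVER, order=None):
    """Return the ID assigned to the new account, or None if creation fails.

    registries: {registry_name: {account_name: id}} (mutated on success).
    order: sequence in which non-target registries are checked; only the
    uniqbyname policy is sensitive to it.
    """
    if name in registries[target]:
        return None  # account name already exists in the target registry
    # Collision in the target registry is enforced regardless of dist_uniqid.
    if uid is not None and uid in registries[target].values():
        return None
    others = [r for r in (order or registries) if r != target]
    if uid is None:
        # never: unique within target only; always/uniqbyname: unique everywhere
        scope = {target: registries[target]} if dist_uniqid == NEVER else registries
        uid = next_free_id(scope)
    elif dist_uniqid == ALWAYS:
        if any(uid in registries[r].values() for r in others):
            return None  # explicit ID taken in some other registry
    elif dist_uniqid == UNIQBYNAME:
        for r in others:
            owner = [n for n, i in registries[r].items() if i == uid]
            if owner:
                # Model assumption: the first registry holding the ID decides.
                # Same account name: collision permitted; different name: fail.
                if owner[0] != name:
                    return None
                break
    registries[target][name] = uid
    return uid
```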