Account ID
Each user account has a numeric ID which uniquely identifies the account. The AIX® operating system grants authorization according to Account ID.
It is important to understand that accounts with the same ID are effectively the same account. When creating users and groups, the AIX mkuser and mkgroup commands always check the target registry to make sure that the account to be created has no ID collision with existing accounts. Whether they also check the other registries is controlled by the dist_uniqid attribute in the usw stanza of /etc/security/login.cfg, which is set with the chsec command, for example:
# chsec -f /etc/security/login.cfg -s usw -a dist_uniqid=always
The dist_uniqid attribute takes one of the following values:
- never: This value does not check for ID collision against the non-target registries (default).
- always: This value checks for ID collision against all other registries. If a collision is detected between the target registry and any other registry, the mkuser (mkgroup) command picks a unique ID which is not used by any registry. It fails only if the ID value is specified on the command line (for example, mkuser id=234 foo, and ID 234 is already taken by a user in any of the registries).
- uniqbyname: This value checks for ID collision against all other registries. Collision between registries is permitted only if the account to be created has the same name as the existing account, for a command of the form mkuser id=123 foo. If the ID is not specified on the command line, the new account might not have the same ID value as an existing account with the same name in another registry. For example, acct1 with ID 234 is a local account. When creating an LDAP account acct1, mkuser -R LDAP acct1 might pick a unique ID of 235 for the LDAP account. The result is acct1 with ID 234 on local, and acct1 with ID 235 on LDAP.
The uniqbyname value works well with two registries. With more than two registries, and when an ID collision already exists between two of them, the behavior of mkuser (mkgroup) is unspecified when creating a new account in a third registry using the colliding ID value. The new account creation might succeed or fail depending on the order in which the registries are checked.
For example, suppose a system is configured with three registries: local, LDAP and DCE. An acct1 account exists in LDAP and an acct2 account in DCE, both with ID 234. When the system administrator runs the mkuser -R files id=234 acct1 (mkgroup -R files id=234 acct1) command to create the local account with the uniqbyname value, the mkuser (mkgroup) command checks against the LDAP registry first and finds that ID 234 is taken by LDAP account acct1. Since the account to be created has the same account name, the mkuser (mkgroup) command successfully creates the local account acct1 with ID 234. If the DCE registry is checked first, the mkuser (mkgroup) command finds that ID 234 is taken by DCE account acct2, and creation of local account acct1 fails.
The check for ID collision enforces ID uniqueness between the local registry and remote registries, or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems which use the same remote registry. The mkuser (mkgroup) command bypasses the remote registry if it is not reachable at the time the command is run.
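The following is an added model of the three dist_uniqid rules described above, not AIX code: registries are plain name-to-ID dicts, the constructed sample reproduces the local/LDAP/DCE scenario, the ID-picking rule (one above the highest ID in use) is a simplification, and the explicit check order stands in for whatever order the real mkuser uses. It also includes the audit a defender would run before enabling uniqbyname: finding IDs already shared by differently named accounts across registries, the situation in which the page says the result is unspecified.

```python
# Constructed sample: the three-registry example from the page.
REGISTRIES = {
    "files": {"root": 0},
    "LDAP": {"acct1": 234},
    "DCE": {"acct2": 234},
}


def free_id(registries):
    """Pick an ID no listed registry uses (simplified: highest in use + 1, at least 200)."""
    used = {uid for accts in registries.values() for uid in accts.values()}
    return max(max(used, default=0), 199) + 1


def mkuser(registries, target, name, policy, requested_id=None, order=None):
    """Return the ID the new account would get, or None where mkuser would fail.

    policy is 'never', 'always' or 'uniqbyname'; order lists the non-target
    registries in the sequence they are checked (assumed, not documented).
    """
    target_accts = registries[target]
    if name in target_accts or requested_id in target_accts.values():
        return None  # the target registry is always checked, whatever the policy
    if policy == "never":
        # Only the target registry is consulted for uniqueness.
        return requested_id if requested_id is not None else free_id({target: target_accts})
    for reg in order or [r for r in registries if r != target]:
        for other_name, other_id in registries[reg].items():
            if requested_id is not None and other_id == requested_id:
                if policy == "uniqbyname" and other_name == name:
                    return requested_id  # same name in another registry: permitted
                return None  # explicit ID already taken elsewhere: mkuser fails
    # No explicit ID, or no collision: pick an ID unused by every registry.
    return requested_id if requested_id is not None else free_id(registries)


def cross_registry_collisions(registries):
    """IDs held by differently named accounts in different registries.

    These pre-existing collisions are the ones under which uniqbyname behaviour
    is order dependent, so resolve them before switching the policy on.
    """
    owners_by_id = {}
    for reg, accts in registries.items():
        for name, uid in accts.items():
            owners_by_id.setdefault(uid, set()).add((reg, name))
    return {uid: owners for uid, owners in owners_by_id.items()
            if len({name for _, name in owners}) > 1}
```

Calling mkuser with order=["LDAP", "DCE"] and then order=["DCE", "LDAP"] for the page's example shows the same command succeeding with ID 234 in one case and failing in the other.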