Saturday, December 13, 2008

Problem with user Privileges and Roles in OpenSolaris

I had tried out OpenSolaris a few months ago... and straightaway faced numerous problems :P ...

The most annoying was that the user privileges were getting reset on every login.
So here I am posting how I worked around this problem.

As I said,

The user privileges of my user were getting reset on every login, and now the GUI had started throwing a strange error: when I started the user admin tool (Users and Groups), it asked me for authorization, and when I provided the root password, it simply rejected it.

The funny part is that I can "su" root using the same password through the terminal!! (This is of course after I "su" the Primary Administrator.)

So, I was forced to work with the CLI. I tried using the "usermod" command, but I did not understand clearly the way it is supposed to be used, so I gave up on that too.


Next, I opened the /etc/user_attr file.

/****************
/etc/user_attr snippet :

root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no;min_label=admin_low;clearance=admin_high
aditya::::profiles=Primary Administrator;roles=root

#amod::::profiles=Apache 22 Administration,Application Server Management,Audit Control,Audit Review,Basic Actions,Console
#User,Contract Observer,Cron Management,Crypto Management,DAT Administration,D-BUS Management,Desktop Configuration,Device
#Management,Device Security,DHCP Management,dtwm,File System Management,File System Security,FTP Management,HAL
#Management,Idmap Name Mapping Management,Idmap Service Management,Inetd Management,Information Security,IP Filter
#Management,ISCSI Target Administration,ISCSI Target Management,ISNS Server Management,Kerberos Client Management,Kerberos
#Server Management,Log Management,Mail Management,Maintenance and Repair,Media Backup,Media Restore,MySQL
#Administration,Name Service Management,Name Service Security,NDMP Management,Network IPsec Management,Network Link
#Security,Network Management,Network Security,Network Wifi Management,Network Wifi Security,Object Access
#Management,Object Label Management,Operator,Outside Accred,Postgres Administration,Primary Administrator,Printer
#Management,Process Management,Project Management,Rights Delegation,Rmvolmgr Management,Service Management,Service
#Operator,shutdown,SMBFS Management,SMB Management,Software Installation,System Administrator,System Event Management,User
#Management,User Security,VSCAN Management,Web Console Management,ZFS File System Management,ZFS Storage Management,Zone
#Management;

amod::::auths=solaris.*,solaris.grant;profiles=All;roles=root

/******************** end of snippet

(all the lines of amod (second from last) have been commented, they might not show up properly...formatting problems)

So as you can see, my user (amod) had all the privileges, but they weren't showing up in the GUI! (bug?) And now I understood why I couldn't "su" root... I had no "roles" defined. I have no idea of how to set roles through the GUI or the CLI, so instead I just copied "root's" line and made some changes :P

So now, my problem is solved, I can su root directly from amod and do everything I want (heck! I'm _almost_ root now :D ).

But, the problem of the GUI not showing the privileges still persists.

I had posted this workaround on the Pune Open Solaris User Group's forums, and it was suggested that I post it on the Open Solaris desktop-discuss forums. The post on the desktop-discuss forums can be found here. The same problem has been confirmed by 3 users there.
So, until an update for the GUI that allows roles to be defined is released, the above workaround works just fine :-)

EDIT:
You can also assign roles to a user using the "usermod" command with a "-r" option. I did not know this then. This, again, can be done only by the Primary Admin, if no other users have "root" role defined.
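
As an added example (not part of the original post and not OpenSolaris code), the following Python code parses entries in the /etc/user_attr format shown in the snippet above and reports which ordinary users hold broad grants: the solaris.* authorization, the Primary Administrator profile, or the root role. The sample data is constructed from the snippet's uncommented lines, and the function names and the choice of which grants count as broad are assumptions of this example.

```python
# Added example: parse /etc/user_attr entries and flag broad grants.
# Record layout (user_attr(4)): user:qualifier:res1:res2:attr
# attr is a ';'-separated list of key=value pairs; list values use ','.

# Constructed sample, based on the uncommented lines of the post's snippet.
SAMPLE = """\
root::::type=role;auths=solaris.*,solaris.grant;profiles=All;lock_after_retries=no
aditya::::profiles=Primary Administrator;roles=root
#amod::::profiles=Basic Actions,Console User
amod::::auths=solaris.*,solaris.grant;profiles=All;roles=root
"""

LIST_KEYS = {"auths", "profiles", "roles"}
# Grants treated as broad here (an assumption of this example, not a Solaris list).
BROAD = [("auths", "solaris.*"), ("profiles", "Primary Administrator"),
         ("roles", "root")]

def parse_user_attr(text):
    """Return {user: {key: value or list}} for every non-comment entry."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":", 4)
        if len(fields) != 5:
            continue  # malformed record, skip it
        attrs = {}
        for pair in filter(None, fields[4].split(";")):
            key, _, value = pair.partition("=")
            key = key.strip()
            attrs[key] = ([v.strip() for v in value.split(",")]
                          if key in LIST_KEYS else value.strip())
        entries[fields[0]] = attrs
    return entries

def broad_grants(entries):
    """Map each ordinary user (type is not 'role') to its broad grants."""
    findings = {}
    for user, attrs in entries.items():
        if attrs.get("type") == "role":
            continue
        hits = [f"{k}={v}" for k, v in BROAD if v in attrs.get(k, [])]
        if hits:
            findings[user] = hits
    return findings

if __name__ == "__main__":
    for user, hits in broad_grants(parse_user_attr(SAMPLE)).items():
        print(f"{user}: {', '.join(hits)}")
```

Run against a copy of a real /etc/user_attr, the output gives a quick list of accounts whose entries deserve a second look after hand edits like the one described in this post.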

2 comments:

  1. Please mention the changes you made in your privileges
  2. I did not make any changes to my privileges from the file. All the privileges were set through the GUI; I only added a *role* to my user!