Lab 5 - Creating Users and Groups


Lab 5: Users and Groups

Create one MS Word file named <Fullname.docx>. Capture an image of each step, paste them all into
this file, then save, close, and submit it.

5.1 Introduction
This is Lab 5: Creating Users and Groups. By performing this lab, students will learn how to create a
new user account, establish the initial password for this account, and make other modifications such
as making the new user a member of a secondary group.
In this lab, you will perform the following tasks:

• Create a new group with the groupadd command
• Make changes to groups using the groupmod command
• Create a new user with the useradd command
• Set and reset a user's password with the passwd command
• Make changes to the user account with the usermod command


5.2 Creating Groups


In this task, you will create group and user accounts.
Group accounts are helpful for assigning permissions on files shared by a group of users.
User accounts in Linux distributions based upon Red Hat, like the CentOS distribution, have
traditionally started with the first User ID (UID) at 500, the next UID given at 501, and so on. The
current trend followed by many other distributions is to have the first UID be 1000, the second to
be 1001, and so on. Starting with Red Hat 7, standard user accounts begin at 1000, which is a
consideration when migrating older systems with existing user accounts.
If managing accounts for multiple systems, then it is desirable to have a network-based
authentication server, where accounts can be created once, but used on many machines.
Otherwise, managing multiple accounts on multiple machines can be challenging as it can be difficult
to ensure that the user, and all the groups they belong to, all have the same UIDs and GIDs on all
machines.
Another issue with multiple machine accounts is that it can be difficult to keep the passwords to each
account synchronized across all machines.
Managing accounts for local users is still useful for individual machines, even if they have access to
a network-based authentication server. In this lab, you will manage local group and user accounts.


5.2.1 Step 1
In order to administer the user and group accounts, you will want to switch users to the root account
with the following command. Provide the root password netlab123 when prompted.

su -
sysadmin@localhost:~$ su -
Password:
root@localhost:~#


5.2.2 Step 2
Use the groupadd command to create groups called research and sales:

groupadd -r research
root@localhost:~# groupadd -r research
root@localhost:~# groupadd -r sales
root@localhost:~#

The research and sales groups that were just added were placed in the reserved range (between
1 and 999) because the -r option was used. With this option, Group Identifiers (GIDs) are
automatically assigned a value less than the lowest normal user UID. The groupadd command modifies
the /etc/group file, where group account information is stored.
The groupmod command can be used with the -n option to change the name of either of these groups,
or with the -g option to change the GID of either group. The groupdel command can be used to
delete either of the groups, as long as neither of them has been made the primary group for a user.

5.2.3 Step 3
Use the getent command to retrieve information about the new research group:

getent group research


root@localhost:~# getent group research
research:x:999:

Your output should appear similar to the example above although the GID that was assigned may be
different. Now that the research group has been created, existing or new users can be made
members of the group.


5.2.4 Step 4
Use the grep command to retrieve information about the new sales group:

grep sales /etc/group


root@localhost:~# grep sales /etc/group
sales:x:998:

Your output should appear similar to the example above although the GID that was assigned may be
different. Now that the sales group has been created, existing or new users can be made members
of this group.


5.2.5 Step 5
Use the groupmod command with the -n option to change the name of the sales group.

groupmod -n clerks sales


root@localhost:~# groupmod -n clerks sales

Now use the groupmod command with the -g option to change the GID for the group.

groupmod -g 10003 clerks


root@localhost:~# groupmod -g 10003 clerks
Use the grep command to verify the changes made above.

grep clerks /etc/group


root@localhost:~# grep clerks /etc/group
clerks:x:10003:

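Important
Note that any files that had been in the sales group will now have no group name and will now
be orphaned files: groupmod -g changes only the group's entry in /etc/group, so those files still
carry the old GID, which no longer maps to any group.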


5.2.6 Step 6
Delete the clerks group using the groupdel command along with the name of the group:

groupdel clerks
root@localhost:~# groupdel clerks

Use the grep command to verify that the clerks group has been removed:

grep clerks /etc/group
root@localhost:~# grep clerks /etc/group
root@localhost:~#

Important
If you decide to delete a group with the groupdel command, be aware that any files that are owned
by that group will also become orphaned.
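
The orphaning described in the two Important notes (after groupmod -g in Step 5 and after groupdel here) can be checked mechanically. The following is an added example, not part of the original lab: the function names, the /srv/share paths and the sample data are constructed for illustration, with 998 standing for the old sales GID shown in Step 4.

```bash
#!/usr/bin/env bash
# Added example: list files whose numeric GID no longer maps to any group.

# orphaned_by_gid GROUP_DB LISTING
#   GROUP_DB: file in /etc/group format (name:x:gid:members)
#   LISTING:  lines of "<gid> <path>", as produced by list_tree
orphaned_by_gid() {
    awk '
        # Pass 1 (group database): remember every GID that has a name.
        NR == FNR { split($0, f, ":"); known[f[3]] = f[1]; next }
        # Pass 2 (listing): print entries whose GID is unknown.
        !($1 in known) {
            gid = $1
            sub(/^[0-9]+ /, "")          # keep the whole path, spaces included
            print gid "\t" $0
        }
    ' "$1" "$2"
}

# list_tree DIR: "<numeric gid> <path>" for everything under DIR (GNU find).
list_tree() { find "$1" -xdev -printf '%G %p\n'; }

demo() {
    local tmp
    tmp=$(mktemp -d)
    # Constructed /etc/group excerpt as it looks after "groupmod -g 10003 clerks".
    printf '%s\n' 'root:x:0:' 'research:x:999:' 'clerks:x:10003:' > "$tmp/group"
    # Constructed listing: paths are hypothetical; 998 was the old sales GID.
    printf '%s\n' '0 /srv/share' \
                  '998 /srv/share/q1 report.ods' \
                  '999 /srv/share/lab-notes.txt' \
                  '998 /srv/share/leads.csv' > "$tmp/listing"
    orphaned_by_gid "$tmp/group" "$tmp/listing"
    rm -rf "$tmp"
}

demo
# Live use (as root): list_tree /srv/share > listing; orphaned_by_gid /etc/group listing
```

On a live system, find / -xdev -nogroup reports the same files directly. Files left on a stale GID become accessible to whichever group is later assigned that number, so move them to the intended group with chgrp when a GID is changed or a group is deleted.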


5.3 User Configuration


User configuration begins with properly configuring the groups that users will be placed in.


5.3.1 Step 1
View the default values used by the useradd command using the -D option:

useradd -D
root@localhost:~# useradd -D
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no

The SKEL value provides administrators with an easy way to populate a new user account with key
configuration files. It determines which skeleton directory will have its contents copied into the new
user’s home directory. The -k option on the useradd command allows a different SKEL directory
than the default to be used when creating a new user account. This is useful because most systems
have users that need access to different resources as appropriate to their job functions.


5.3.2 Step 2
Set the INACTIVE parameter to allow users with expired passwords to log in for up to thirty days
before their accounts are disabled, then view the new default values. The -D option to
the useradd command will allow you to view or change some of the default values used by
the useradd command.
In the example below, the -D option specifies changes to the default values used when creating a
new user. The -f 30 option specifies that users who have expired passwords can still log in for up to
thirty days before their accounts are inactivated. Using the -D option by itself displays the current
defaults, which have been changed by the previous command.

useradd -D -f 30
useradd -D
root@localhost:~# useradd -D -f 30
root@localhost:~# useradd -D
GROUP=100
HOME=/home
INACTIVE=30
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=no
root@localhost:~#


5.3.3 Step 3
Modify the CREATE_MAIL_SPOOL value in the /etc/default/useradd file using the nano text
editor:

nano /etc/default/useradd
root@localhost:~# nano /etc/default/useradd

5.3.4 Step 4
Press the down arrow key to scroll to the bottom of the file.

5.3.5 Step 5
On the CREATE_MAIL_SPOOL=no line, backspace over the no and type yes.
Press Ctrl + X to exit and type Y. Press Enter to save your changes, then type useradd -D at the
prompt to confirm the new setting:

useradd -D
root@localhost:~# useradd -D
GROUP=100
HOME=/home
INACTIVE=30
EXPIRE=
SHELL=/bin/sh
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

The useradd command will now create a mail spool file.


5.3.6 Step 6
Create a new user named student who is a secondary member of the research group and a
primary member of their own private group. Use a comment of Linux Student that will appear as
the full name of the user when they do a graphical login. Make sure that their home directory will be
created by specifying the -m option. Then use grep to verify the new user and their group
memberships:

useradd -G research -c 'Linux Student' -m student


grep student /etc/passwd
grep student /etc/group
root@localhost:~# useradd -G research -c 'Linux Student' -m student
root@localhost:~# grep student /etc/passwd
student:x:1002:1002:Linux Student:/home/student:/bin/sh
root@localhost:~# grep student /etc/group
research:x:999:student
student:x:1002:

The user's account information is stored in the /etc/passwd and /etc/shadow files. The user's
group information can be found in the /etc/passwd and /etc/group files.

5.3.7 Step 7
Use the usermod command to add the research group as a secondary group for
the sysadmin user:

usermod -aG research sysadmin


root@localhost:~# usermod -aG research sysadmin
root@localhost:~#

Users who are actively logged into the system will not be able to use any new group memberships
until the next time they log into the system.


5.3.8 Step 8
Using the getent command, view the research group members again:

getent group research


root@localhost:~# getent group research
research:x:999:student,sysadmin

Use getent to show the student group:

getent group student


root@localhost:~# getent group student
student:x:1002:

Next, use getent to show the passwd and shadow databases for the student user:

getent passwd student


getent shadow student
root@localhost:~# getent passwd student
student:x:1002:1002:Linux Student:/home/student:/bin/sh
root@localhost:~# getent shadow student
student:!:5902:0:99999:7:30::
root@localhost:~#

The output should now show that both sysadmin and student are secondary members of
the research group.
The GID of the student group matches the fourth field of the passwd information for
the student user. This is what makes the student user a primary member of the student group.
Finally, the ! appearing in the second field (the password field) of the shadow entry shows that
the password for the student user has not been set.


5.3.9 Step 9
Use the passwd command to set the password, netlab123, for the student user. Enter the
password twice then view the shadow file entry for the student user again:

passwd student
root@localhost:~# passwd student
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

Note
No characters will appear when typing the password.
The entry from the /etc/shadow file now shows the password in the second field as a salted hash
rather than plain text (the $6$ prefix identifies the SHA-512 crypt scheme):

getent shadow student


root@localhost:~# getent shadow student
student:$6$pIEEdvAX$GBo0beYhojL3/vDrOP2UAQR6uVCWMZXxMPqImREJWw/5oR2WTtM6dH3H83VjrmG6hGd9ux2I9FQFWQLtg3/:5902:0:99999:7:30::


5.3.10 Step 10
Just because a user has a password doesn't mean that they have ever logged into the system. Use
the last command to see if the student user has ever logged in:
last
last student
root@localhost:~# last
sysadmin console Thu Jan 3 21:44 still logged in
wtmp begins Thu Jan 3 21:44:06 2019
root@localhost:~# last student
wtmp begins Thu Jan 3 21:44:06 2019
root@localhost:~#

The output of the last command should show that the sysadmin user has logged in before, but not
the student user. There is also a lastb command, which works similarly to the last command
except that it shows "bad" or failed login attempts.
If you no longer wanted the student user to have access to the system, then the usermod -L
student command could be used to "lock" the account. The account could be unlocked with
the usermod -U student command.
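
The shadow entries seen in Steps 8 and 9, and the effect of usermod -L described above (it places a ! in front of the stored hash), can be told apart by reading the second field. The following is an added example, not part of the original lab: the function names and account names are hypothetical, and the sample entries are constructed with a placeholder in place of a real hash.

```bash
#!/usr/bin/env bash
# Added example: classify the password field of shadow-format entries.

# shadow_state: read shadow-format lines on stdin and print
#   user <TAB> password state <TAB> inactive days (field 7, "-" if unset)
shadow_state() {
    awk -F: '
    function scheme(h) {
        if (h ~ /^\$6\$/) return "sha512crypt"
        if (h ~ /^\$5\$/) return "sha256crypt"
        if (h ~ /^\$y\$/) return "yescrypt"
        if (h ~ /^\$1\$/) return "md5crypt, weak"
        return "unrecognised scheme"
    }
    {
        pw = $2
        if (pw == "")             state = "EMPTY FIELD: no password required"
        else if (pw ~ /^[!*]+$/)  state = "no password set"
        else if (pw ~ /^!/) {     # lock marker in front of a kept hash
            h = pw; sub(/^!+/, "", h)
            state = "locked (" scheme(h) ")"
        }
        else                      state = "active (" scheme(pw) ")"
        printf "%s\t%s\t%s\n", $1, state, ($7 == "" ? "-" : $7)
    }'
}

demo_shadow() {
    # Constructed entries; the hash text is a placeholder, not a real hash.
    shadow_state <<'EOF'
after_useradd:!:5902:0:99999:7:30::
after_passwd:$6$EXAMPLESALT$PlaceholderHashValue:5902:0:99999:7:30::
after_usermod_L:!$6$EXAMPLESALT$PlaceholderHashValue:5902:0:99999:7:30::
empty_field::5902:0:99999:7:::
EOF
}

demo_shadow
# Live use (as root): getent shadow | shadow_state
```

The third column is the inactivity period, which is 30 for accounts created after the useradd -D -f 30 change in section 5.3.2. An empty second field is the case to look for in an audit, because such an account needs no password at all.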


5.3.11 Step 11
A more permanent solution to preventing access to the student account would be to delete the
account with either the userdel student or userdel -r student commands. Using the -r option
with the userdel command removes the user's home directory and mail, in addition to deleting the
user's account.
Delete the student account and remove the user's home directory:

userdel -r student
root@localhost:~# userdel -r student
Use grep to verify the student user has been removed.
root@localhost:~# grep student /etc/group
root@localhost:~#
