missing user name
Steve Grubb
sgrubb at redhat.com
Fri Aug 3 19:14:32 UTC 2012
On Tuesday, July 31, 2012 03:06:44 PM Harris, Todd wrote:
> I'm looking at a problem that has me really scratching my head.
>
> I've got a rhel 5.4 system that's using likewise and active directory to
> authenticate users, at least ones that are not defined locally. Locally
> defined users work just fine, but any user that is defined in the active
> directory server is showing up in events as "unknown(uid)" the uid appears
> to be filled out correctly, and if the user is defined locally as well as
> in active directory it works just fine, but that kind of defeats the
> purpose.
Ausearch/report/libauparse all use the glibc function, getpwuid(). So, the
names would need to be available via that function. That said, there are ways
to hook it up so that it resolves with NSS or nscd. It would seem like more
than just ausearch would have problems resolving user names since getpwnam and
getpwuid are central to almost all Linux programs that display uid or names.
> Also failed logins are showing up correctly,
This is because they are handled differently. They are in an acct field rather
than auid field.
-Steve
More information about the Linux-audit
mailing list