On AIX, can a user be a member of a secondary group locally defined on AIX but not on AD?

I know this question has sort of been asked in the past but it was a long time ago so just wanted to see if that was still the case?

  • You can do this but the version of Authentication Services needs to be 4.1.0-21630 or higher for this to work as expected. It also requires a configuration setting in the vas.conf.

    This article here should cover the details.

     

    Leigh Grant

  • In reply to Leigh Grant:

    Luckily, we are on 4.1.0.21708 so doing :-
    /opt/quest/bin/vastool configure vas aix_vas include-local-group-memberships true
    and having the AD user in the local group did the trick.
    I'm a bit worried about the scenarios it is not recommended for, like DB2, but I'll try that out.
  • In reply to jon.scobie:

    If the Resolution using the vas.conf setting conflicts on a given system based on those scenarios you can use the Workaround solution in that instance and it should work fine.

    IBM actually advised at one point that we should not mix the repositories but it ended up being a large inconvenience for many organizations and we felt that a configurable setting was the best approach.

    Leigh Grant
  • In reply to Leigh Grant:

    Well, it worked for me so that was a sensible decision as far as I'm concerned.
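
Once the setting discussed in this thread is enabled, local group files start granting access to directory accounts, so it is worth auditing which non-local users hold local memberships. The script below is an added example, not part of the thread or of the vendor's tooling. The function names are hypothetical, the sample files are constructed, and the `[aix_vas]` section with `key = value` lines in vas.conf is an assumption based on the `vastool configure vas aix_vas ...` command above.

```shell
#!/bin/sh
# Added example: audit which non-local (directory) accounts hold local group
# memberships once include-local-group-memberships is enabled.

# Succeeds if [aix_vas] include-local-group-memberships is true in file $1.
# Assumption: vas.conf uses "[section]" headers and "key = value" lines.
vas_local_groups_enabled() {
    awk '
        /^[ \t]*\[/ { insec = ($0 ~ /^[ \t]*\[aix_vas\][ \t]*$/); next }
        insec && /^[ \t]*include-local-group-memberships[ \t]*=/ {
            v = $0; sub(/^[^=]*=[ \t]*/, "", v); sub(/[ \t]*$/, "", v)
            val = tolower(v)
        }
        END { if (val == "true") exit 0; exit 1 }
    ' "$1"
}

# Prints "group:member" for each member in group file $1 that has no entry
# in passwd file $2, i.e. an account that is resolved from another source.
nonlocal_members() {
    awk -F: -v pw="$2" '
        FILENAME == pw { if ($1 != "" && $1 !~ /^[#+-]/) known[$1] = 1; next }
        $1 == "" || $1 ~ /^[#+-]/ || $4 == "" { next }
        {
            n = split($4, m, ",")
            for (i = 1; i <= n; i++)
                if (m[i] != "" && !(m[i] in known)) print $1 ":" m[i]
        }
    ' "$2" "$1"
}

# Constructed sample data (not from a real system).
demo=$(mktemp -d)
printf '[aix_vas]\n include-local-group-memberships = true\n' > "$demo/vas.conf"
printf 'root:!:0:0::/:/usr/bin/ksh\ndb2inst1:!:210:210::/home/db2inst1:/usr/bin/ksh\n' > "$demo/passwd"
printf 'system:!:0:root\ndb2grp:!:210:db2inst1,aduser1\nappadm:!:300:aduser1,aduser2\n' > "$demo/group"

# Only report when the setting is on, since that is when these entries apply.
if vas_local_groups_enabled "$demo/vas.conf"; then
    nonlocal_members "$demo/group" "$demo/passwd"
fi
```

On a real host, point the two functions at the system's vas.conf, group and passwd files and review each reported pair against the groups that matter for applications such as DB2.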