UNAB preferences of the same user in AD or locally

Article ID: 193915

Products

CA Privileged Access Manager - Server Control (PAMSC)
CA Privileged Identity Management Endpoint (PIM)

Issue/Introduction

When the same user is defined both locally and in LDAP, which of the two users does UNAB prefer?

Environment

Release : 14.1

Component : PAM SERVER CONTROL ENDPOINT WINDOWS

Resolution

In general, you should avoid having different UIDs for the same account name, in particular so that you do not run into this uncertainty.

This article explains the behaviour in Linux - other Unix flavours may behave differently:

Whether the local UID or the AD UID is picked first for authentication is determined by the account enumeration order of the system name service switch.

You can verify the enumeration order by running:
# getent passwd

The output lists the accounts of the configured name services in the order in which the services are listed.

The name service order is determined by what is set in /etc/nsswitch.conf, e.g. by default it is
...
passwd:     files uxauth
...

In this case the local files are the name service that takes precedence.

Hence, for the same user with different UIDs in the local /etc/passwd and in AD, it is the local user that is returned upon authentication.

This is not related to UNAB; it is the operating system's behaviour.
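
The following script is an added example, not part of the original article or of the product: it reads the passwd lookup order from an nsswitch.conf-style file and scans "getent passwd"-style output for account names that occur more than once with different UIDs, reporting which UID wins. The function names, file contents and account names (jdoe, svc_backup) are constructed for illustration.

```shell
#!/bin/sh
# Added example; all sample data below is constructed, not from a real host.

# Print the passwd sources of an nsswitch.conf-style file, in lookup order.
passwd_sources() {
    awk '$1 == "passwd:" {
        for (i = 2; i <= NF; i++) {
            if ($i ~ /^#/) break        # trailing comment ends the list
            if ($i ~ /^\[/) continue    # skip actions such as [NOTFOUND=return]
            printf "%s%s", sep, $i; sep = " "
        }
        print ""; exit
    }' "$1"
}

# Read passwd-format lines (name:pw:uid:...) in enumeration order, from the
# given files or from stdin, and report every account name that reappears
# with a different UID. Output columns: name, winning UID, shadowed UID.
uid_conflicts() {
    awk -F: 'NF >= 3 {
        if (!($1 in first)) { first[$1] = $3; next }   # first hit wins
        if (first[$1] != $3) print $1, first[$1], $3
    }' "$@"
}

demo() {
    tmp=$(mktemp -d) || return 1
    cat > "$tmp/nsswitch.conf" <<'EOF'
# constructed sample
passwd:     files uxauth
group:      files uxauth
EOF
    # Constructed enumeration: local entries first, then directory entries.
    cat > "$tmp/getent.out" <<'EOF'
root:x:0:0:root:/root:/bin/bash
jdoe:x:1001:1001:Local John:/home/jdoe:/bin/bash
svc_backup:x:1500:1500::/home/svc_backup:/bin/sh
jdoe:x:20513:20000:AD John:/home/jdoe:/bin/bash
svc_backup:x:1500:1500::/home/svc_backup:/bin/sh
EOF
    echo "lookup order: $(passwd_sources "$tmp/nsswitch.conf")"
    echo "conflicts (name winner shadowed):"
    uid_conflicts "$tmp/getent.out"     # expected: jdoe 1001 20513
    rm -rf "$tmp"
}

demo
```

On a live host, `passwd_sources /etc/nsswitch.conf` and `getent passwd | uid_conflicts` produce the same report for the real configuration.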