000018547 - How does sdshell extract the uid from UNIX after logging on to UNIX and pass the information to ACE/Server?

Document created by RSA Customer Support Employee on Jun 16, 2016
Last modified by RSA Customer Support Employee on Apr 21, 2017
Version 2

Article Content

Article Number: 000018547
Applies To: RSA ACE/Agent for UNIX, NIS+, RSA ACE/Server, sdshell
Issue: How does sdshell extract the uid from UNIX after logging on to UNIX and pass the information to ACE/Server?
A user attempts a login to an ACE/Client but the ACE/Server Activity Log shows someone else trying to log in.
Resolution: A user assigned an account on a UNIX system has a UNIX UID (user identification) number, which can be found in the UNIX passwd file (or the NIS or NIS+ passwd maps). This is true on all UNIX platforms.

When a user logs into an ACE/Client for UNIX via sdshell, the sdshell program performs a UNIX function call, "GETUID". The UNIX system responds by providing sdshell with the UID found in the passwd file for the username. The sdshell program then performs a "getpwnam" lookup, a process that scans the passwd file for the first entry with that UID and returns the username associated with it. These processes are designed for user verification and to determine the user's rights and privileges.

There will be a problem if two users have the same UID. When the user whose entry appears lower in the UNIX passwd file attempts to log in, the "getpwnam" process starts at the top of the passwd file and takes the first user with that UID, which is, of course, the "other user". The ACE/Server therefore tries to authenticate the wrong user.

Users MUST have unique UIDs on any UNIX system on which an ACE/Client for UNIX is installed.
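As an added illustration (not part of the RSA article and not sdshell's own code), the following Python models the lookup the article describes on a constructed passwd sample and adds the check an administrator would run to find duplicate UIDs before they cause a mis-attributed authentication. The first-match lookup by UID is the rule the libc function getpwuid(3) applies; the passwd text is parsed directly here, rather than through the pwd module, so the example runs on constructed data instead of the local system.

```python
"""Why duplicate UIDs make the passwd lookup return the wrong user.

Constructed passwd-format data (not from any real system). The lookup
mirrors getpwuid(3): scan entries in file order, return the first UID match.
"""
from typing import NamedTuple, Optional


class PasswdEntry(NamedTuple):
    name: str
    uid: int
    gid: int
    gecos: str
    home: str
    shell: str


# Constructed sample: 'alice' and 'bob' share UID 1001; 'carol' is unique.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice:/home/alice:/usr/local/bin/sdshell
bob:x:1001:1001:Bob:/home/bob:/usr/local/bin/sdshell
carol:x:1002:1002:Carol:/home/carol:/usr/local/bin/sdshell
"""


def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse passwd(5) lines (name:pw:uid:gid:gecos:home:shell); skip blanks and comments."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), gecos, home, shell))
    return entries


def lookup_by_uid(entries: list[PasswdEntry], uid: int) -> Optional[str]:
    """First-match lookup by UID, the same rule getpwuid(3) applies to the passwd file."""
    for e in entries:
        if e.uid == uid:
            return e.name
    return None


def duplicate_uids(entries: list[PasswdEntry]) -> dict[int, list[str]]:
    """Audit: map every UID that appears more than once to the usernames sharing it."""
    seen: dict[int, list[str]] = {}
    for e in entries:
        seen.setdefault(e.uid, []).append(e.name)
    return {uid: names for uid, names in seen.items() if len(names) > 1}


if __name__ == "__main__":
    entries = parse_passwd(SAMPLE_PASSWD)
    # bob logs in: the kernel reports UID 1001, but the passwd lookup answers "alice".
    print("UID 1001 resolves to:", lookup_by_uid(entries, 1001))
    print("duplicate UIDs:", duplicate_uids(entries))
```

An empty result from duplicate_uids() on the real passwd data (or merged NIS/NIS+ maps) is the condition the article requires before installing the ACE/Client for UNIX.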

Windows NT employs a completely different login process in which SIDs are used instead of UIDs, and no two users can have the same SID.
Legacy Article ID: a1352
