Validate useradd defaults, then provision a
contractor account in one ticket-style command with required
groups, aging controls, and a custom skeleton directory. Verify
NSS identity, group membership, aging fields, and home contents,
then remove the user cleanly.
Ticket INC-140: Onboard a contractor account (satoshi) during a short change window. The account must be created once, match the requirements exactly, and be verified like a real admin task.
“Done” means you can prove the outcome quickly: NSS entry, group membership, aging fields, and home directory contents.
UID 1055, home /home/satoshi, shell /bin/bash, primary group developers, supplementary groups wheel and docker, comment Satoshi Nakamoto, account expires 2025-12-31, inactive lockout 30 days after password expiry, custom skeleton /etc/skel-custom containing README.WELCOME.
useradd defaults.
developers, wheel, docker.
/etc/skel-custom with README.WELCOME.
satoshi in one useradd command with all ticket requirements.
getent and id.
chage -l.
/home/satoshi.

useradd -D and /etc/default/useradd.
groupadd -f.
-m and -k.
getent (what services actually query).
chage -l.
userdel -r and filesystem validation.
useradd.
useradd -D
This shows defaults applied when you do not override values. In ticket work, it is a fast baseline check before changing state.
GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes
sudo groupadd -f developers && sudo groupadd -f docker && sudo groupadd -f wheel
-f makes the operation idempotent: it creates the group if missing and succeeds if it already exists.
Group IDs vary between systems. Verify group names unless the ticket requires specific numeric GIDs.
sudo mkdir -p /etc/skel-custom
printf 'Welcome. Read the change-window notes in this home directory.\n' | sudo tee /etc/skel-custom/README.WELCOME >/dev/null
The skeleton directory is copied into the new home directory when you create the user with -m and point -k at the custom skeleton.
sudo useradd -m -u 1055 -g developers -G wheel,docker -c 'Satoshi Nakamoto' -s /bin/bash -d /home/satoshi -e 2025-12-31 -f 30 -k /etc/skel-custom satoshi
This is a single, ticket-style provisioning command: identity fields, groups, home path, shell, expiry, inactive policy, and skeleton source are set explicitly.
getent passwd satoshi
getent queries NSS, which is what most services rely on. Confirm UID, home directory, shell, and the comment field.
satoshi:x:1055:1001:Satoshi Nakamoto:/home/satoshi:/bin/bash
id satoshi
Confirm the primary group is developers and the supplementary groups include wheel and docker.
uid=1055(satoshi) gid=1001(developers) groups=1001(developers),10(wheel),993(docker)
sudo chage -l satoshi
Confirm the account expiration date is set and review the aging policy fields. The inactive field is evaluated after password expiry, so validate what the system is reporting.
Account expires : Dec 31, 2025
If the output still shows Password inactive : never, that usually means the password does not expire under current policy, so the inactive lockout will never trigger.
ls -la /home/satoshi
Verify ownership, permissions, and that README.WELCOME exists in the provisioned home directory.
total 20
drwx------. 2 satoshi developers 96 Feb 1 08:12 .
drwxr-xr-x. 1 root root 34 Feb 1 08:12 ..
-rw-r--r--. 1 satoshi developers 18 Apr 18 2023 .bash_logout
-rw-r--r--. 1 satoshi developers 141 Apr 18 2023 .bash_profile
-rw-r--r--. 1 satoshi developers 492 Apr 18 2023 .bashrc
-rw-r--r--. 1 satoshi developers 66 Feb 1 08:12 README.WELCOME
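The verification steps above can be scripted so the ticket is closed on a pass/fail result rather than on a visual read of the output. The following is an added example, not part of the original lab: the function names, the exit-code scheme, the use of `getent shadow` for the raw aging fields, and the shadow sample lines are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: ticket values from the page, checked against the text
# output of getent and id. The shadow sample lines are constructed.
WANT_USER=satoshi WANT_UID=1055 WANT_HOME=/home/satoshi WANT_SHELL=/bin/bash
WANT_GECOS='Satoshi Nakamoto' WANT_PRIMARY=developers WANT_SUPP='wheel docker'
WANT_INACTIVE=30
WANT_EXPIRE=20453   # 2025-12-31 as days since 1970-01-01 (shadow field 8)

# check_passwd LINE: LINE is the output of `getent passwd satoshi`.
check_passwd() {
    IFS=: read -r name _pw uid _gid gecos home shell <<EOF
$1
EOF
    [ "$name" = "$WANT_USER" ] && [ "$uid" = "$WANT_UID" ] &&
        [ "$gecos" = "$WANT_GECOS" ] && [ "$home" = "$WANT_HOME" ] &&
        [ "$shell" = "$WANT_SHELL" ]
}

# check_groups LINE: LINE is the output of `id satoshi`.
check_groups() {
    gid=${1#* gid=};     gid=${gid%% *}     # e.g. 1001(developers)
    supp=${1##*groups=}; supp=${supp%% *}   # e.g. 1001(developers),10(wheel)
    case "$gid" in *"($WANT_PRIMARY)") ;; *) return 1 ;; esac
    for g in $WANT_SUPP; do
        case ",$supp," in *"($g),"*) ;; *) return 1 ;; esac
    done
}

# check_aging LINE: LINE is the output of `sudo getent shadow satoshi`.
# Returns 0 = ok, 1 = ticket mismatch, 2 = inactive set but can never trigger.
check_aging() {
    IFS=: read -r _n _pw _last _min max _warn inactive expire _rest <<EOF
$1
EOF
    [ "$inactive" = "$WANT_INACTIVE" ] && [ "$expire" = "$WANT_EXPIRE" ] || return 1
    # No maximum password age (empty, -1, or the customary 99999) means the
    # password never expires, so the inactive countdown never starts.
    case "$max" in ''|-1|99999) return 2 ;; esac
    return 0
}

# Demo on sample output; on a live host pass "$(getent passwd satoshi)" etc.
demo() {
    check_passwd 'satoshi:x:1055:1001:Satoshi Nakamoto:/home/satoshi:/bin/bash' && echo "passwd: ok"
    check_groups 'uid=1055(satoshi) gid=1001(developers) groups=1001(developers),10(wheel),993(docker)' && echo "groups: ok"
    check_aging 'satoshi:!!:20120:0:99999:7:30:20453:'
    echo "aging status: $? (2 = inactive lockout never triggers)"
}
demo
```

Status 2 from check_aging is the case described above: the inactive value of 30 is stored, but with no maximum password age it has no effect.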
UID 1055 already exists. Confirm with getent passwd 1055 and choose a different UID only if the ticket allows it.
If developers does not exist, useradd fails. Create it first with groupadd developers (or groupadd -f for idempotence).
Inactive lockout is evaluated after password expiry. If the account has no password expiry policy, the inactive lockout never triggers.
Skeleton contents only copy when the home directory is created. Confirm you used -m and -k /etc/skel-custom, and that /etc/skel-custom/README.WELCOME exists.
If the user has running processes, userdel -r may warn or fail to fully remove the home. On real systems you would stop processes before retrying.
Your goal is to leave the system in a clean state with no leftover account, home directory, or lab-only artifacts.
sudo userdel -r satoshi
getent passwd satoshi || echo "satoshi removed"
sudo rm -rf /etc/skel-custom
getent passwd satoshi returns nothing, and /home/satoshi does not exist.
useradd -D: Displays current default values used by useradd.
groupadd -f <group>: Creates a group if missing and succeeds if it already exists.
  -f: Do not fail if the group already exists.
mkdir -p <dir>: Creates a directory path if it does not exist.
  -p: Create parent directories as needed.
tee <file>: Writes stdin to a file (useful with sudo when redirecting output).
  /dev/null: Discards output when you only want the file write.
useradd -m -u <uid> -g <group> -G <groups> -c <comment> -s <shell> -d <home> -e <date> -f <days> -k <skel> <user>: Creates a user with explicit identity fields, groups, home path, aging controls, and a custom skeleton directory.
  -m: Create the home directory.
  -u <uid>: Set numeric UID.
  -g <group>: Set primary group by name.
  -G <groups>: Set supplementary groups (comma-separated).
  -c <comment>: Set the GECOS/comment field.
  -s <shell>: Set login shell.
  -d <home>: Set home directory path.
  -e <date>: Set account expiration date (YYYY-MM-DD).
  -f <days>: Set inactive days after password expiry.
  -k <skel>: Copy files from a custom skeleton directory.
getent passwd <user>: Returns the NSS passwd entry for a user.
id <user>: Shows UID, primary group, and supplementary groups.
chage -l <user>: Displays account aging and expiration information.
ls -la <path>: Lists files with permissions and ownership.
userdel -r <user>: Removes a user and the home directory.
  -r: Remove the user’s home directory and mail spool (if present).
rm -rf <path>: Removes a directory tree recursively.
  -r: Remove directories and their contents.
  -f: Do not prompt; ignore missing files.