Lab 150: Secure User Onboarding Workflow

Confirm system-wide useradd defaults, ensure prerequisite groups exist, provision a contractor account in a single ticket-style command, then verify identity, NSS records, and expiration settings using getent, id, and chage. Finish with clean lab hygiene by removing the user and home directory.

Scenario

Ticket INC-150: Onboard a contractor account satoshi for a short change window. Requirements:

  • UID 1055, home /home/satoshi, shell /bin/bash
  • Primary group developers, supplementary groups wheel,docker
  • Comment: Satoshi Nakamoto
  • Account expires 2025-12-31
  • Inactive lockout: 30 days after password expiry (policy setting)

Operator context

Confirm defaults first, create the account once with the full spec, verify, and then clean up the lab host.

Objective

  • Inspect system-wide useradd defaults.
  • Ensure required groups exist: developers, wheel, docker.
  • Create satoshi in one useradd command meeting all requirements.
  • Verify NSS passwd record with getent.
  • Verify primary and supplementary groups with id.
  • Validate account expiry and aging fields with chage.
  • Remove the user and home directory after verification.

Concepts

  • Inspecting defaults with useradd -D before provisioning.
  • Prerequisite group creation using groupadd -f to keep runs idempotent.
  • Ticket-style account creation in a single useradd command using UID, primary group, supplementary groups, comment, shell, home, expiry, and inactive settings.
  • NSS verification: getent passwd provides the authoritative user record view for the system.
  • Identity verification: id proves group membership by name (GIDs can vary).
  • Expiration and aging review: chage -l reports account expiry, password ageing fields, and derived dates.

Walkthrough

Step 1 : Show system-wide default settings for useradd.
Command
useradd -D

Defaults matter because they silently apply to new accounts. This is where you confirm baseline HOME, SHELL, SKEL, and global INACTIVE/EXPIRE defaults before you override anything per-ticket.

GROUP=100
HOME=/home
INACTIVE=-1
EXPIRE=
SHELL=/bin/bash
SKEL=/etc/skel
CREATE_MAIL_SPOOL=yes

Step 2 : Ensure required groups exist.
Command
sudo groupadd -f developers && sudo groupadd -f docker && sudo groupadd -f wheel

Using -f makes the command safe to rerun. If the group already exists, groupadd exits successfully and the workflow stays predictable.

Step 3 : Create satoshi in one useradd command.
Command
sudo useradd -m -u 1055 -g developers -G wheel,docker -c 'Satoshi Nakamoto' -s /bin/bash -d /home/satoshi -e 2025-12-31 -f 30 satoshi

This is the ticket-style “do it once” provisioning command. It creates the home directory, pins the UID, sets primary and supplementary groups, writes the gecos comment, sets shell and home, enforces an account expiration date, and sets the inactivity lockout window.

Step 4 : Verify the passwd database entry via NSS.
Command
getent passwd satoshi

getent confirms the system’s authoritative user record view, including UID, primary GID, home directory, and login shell. GID numbers vary across systems, so focus on the group name mapping.

satoshi:x:1055:1001:Satoshi Nakamoto:/home/satoshi:/bin/bash
(GID number may vary; primary group must be developers)

Step 5 : Verify group memberships.
Command
id satoshi

id is the practical verification for access and privilege. The ticket requirement is group names: developers as the primary group, and wheel and docker as supplementary groups.

uid=1055(satoshi) gid=1001(developers) groups=1001(developers),10(wheel),993(docker)
(group IDs may vary; group NAMES must include developers, wheel, docker)

Step 6 : Verify account expiration and aging fields using chage.
Command
sudo chage -l satoshi

chage -l confirms the account expiration date and displays password aging fields. Note that password expiry fields can show “never” on new accounts until a password policy is applied and a password is set.

Last password change                                    : Feb 01, 2026
Password expires                                        : never
Password inactive                                       : never
Account expires                                         : Dec 31, 2025
Minimum number of days between password change          : 0
Maximum number of days between password change          : 99999
Number of days of warning before password expires       : 7

Step 7 : Cleanup after verification (remove user and home directory).
Command
sudo userdel -r satoshi

Removing the user and home directory keeps the lab host clean and repeatable. In a real environment, cleanup would also include access revocation and audit trail updates.
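The verification in Steps 4 to 6 is easy to eyeball wrongly, so here is an added example (not part of the lab) that checks the printed output of getent, id and chage against the INC-150 requirements. It assumes the GNU id output format shown in Step 5 and the chage -l line layout shown in Step 6; the sample strings at the bottom are constructed from the lab's expected output so the script can be run offline.

```shell
#!/bin/sh
# Added example (not part of the lab): check ticket INC-150 requirements against the
# text that getent, id and chage print, instead of eyeballing the output.
TICKET_UID=1055
TICKET_HOME=/home/satoshi
TICKET_SHELL=/bin/bash
TICKET_PRIMARY=developers
TICKET_SUPP="wheel docker"
TICKET_EXPIRES="Dec 31, 2025"   # in the format chage -l prints

# check_passwd_record "name:x:uid:gid:gecos:home:shell": 0 if UID, home and shell match
check_passwd_record() {
    uid=$(printf '%s\n' "$1" | cut -d: -f3)
    home=$(printf '%s\n' "$1" | cut -d: -f6)
    shell=$(printf '%s\n' "$1" | cut -d: -f7)
    [ "$uid" = "$TICKET_UID" ] && [ "$home" = "$TICKET_HOME" ] && [ "$shell" = "$TICKET_SHELL" ]
}

# check_id_output "uid=N(u) gid=N(g) groups=N(a),N(b)": 0 if the group NAMES satisfy the ticket
check_id_output() {
    primary=$(printf '%s\n' "$1" | sed -n 's/.* gid=[0-9]*(\([^)]*\)).*/\1/p')
    [ "$primary" = "$TICKET_PRIMARY" ] || return 1
    # drop the numeric GIDs: they vary per host, only the names are the requirement
    names=$(printf '%s\n' "$1" | sed -n 's/.*groups=//p' | tr ',' '\n' | sed 's/^[0-9]*(\(.*\))$/\1/')
    for want in $TICKET_SUPP; do
        printf '%s\n' "$names" | grep -qx "$want" || return 1
    done
}

# check_chage_output "<chage -l text>": 0 if the Account expires line carries the ticket date
check_chage_output() {
    printf '%s\n' "$1" | grep -q "^Account expires[[:space:]]*: $TICKET_EXPIRES\$"
}

# verify_live USER: the same checks against the real host (chage -l on another user needs root)
verify_live() {
    check_passwd_record "$(getent passwd "$1")" &&
    check_id_output "$(id "$1")" &&
    check_chage_output "$(chage -l "$1")"
}

# Constructed sample output, mirroring the lab's expected results, for an offline self-test.
SAMPLE_PASSWD='satoshi:x:1055:1001:Satoshi Nakamoto:/home/satoshi:/bin/bash'
SAMPLE_ID='uid=1055(satoshi) gid=1001(developers) groups=1001(developers),10(wheel),993(docker)'
SAMPLE_CHAGE='Last password change                                    : Feb 01, 2026
Account expires                                         : Dec 31, 2025'
if check_passwd_record "$SAMPLE_PASSWD" && check_id_output "$SAMPLE_ID" && check_chage_output "$SAMPLE_CHAGE"
then echo "sample: all ticket checks PASS"; else echo "sample: a ticket check FAILED"; fi
```

On the lab host, run `verify_live satoshi` as root between Step 3 and Step 7; a non-zero exit means one of the ticket requirements was not met.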

Common breakpoints

useradd fails: “UID 1055 is not unique”

The ticket UID collides with an existing account. Verify the current UID allocation and either pick a new UID per policy or deconflict with the requester.

Primary group developers does not exist

Create prerequisite groups first. If the group is managed by directory services, ensure NSS is configured correctly and the group is resolvable via getent group developers.

Supplementary groups are missing in id output

Ensure you used -G wheel,docker and verify group names match exactly. If you are modifying an existing user, use usermod -aG to avoid overwriting groups.

chage does not show expected behavior for inactive lockout

The inactive window applies after password expiry. If the password is set to never expire, inactive will also be irrelevant. Confirm password policy and expiration settings if you need to test inactive lockouts realistically.

Cleanup checklist

This lab is complete after verification and user removal. If you are repeating runs, confirm the user no longer exists and the home directory is gone.

Commands
getent passwd satoshi
ls -ld /home/satoshi
Success signal

getent passwd satoshi returns no output and /home/satoshi does not exist.

Reference

  • useradd -D : Displays system-wide defaults for new accounts.
    • -D : Show or set default values.
  • groupadd -f <group> : Creates a group if it does not exist.
    • -f : Exit successfully if the group already exists.
  • useradd -m -u <uid> -g <group> -G <g1,g2> -c '<comment>' -s <shell> -d <home> -e <YYYY-MM-DD> -f <days> <user> : Creates a user with explicit ticket requirements.
    • -m : Create the user’s home directory.
    • -u : Set numeric UID.
    • -g : Set primary group.
    • -G : Set supplementary groups (comma-separated).
    • -c : Set account comment (GECOS).
    • -s : Set login shell.
    • -d : Set home directory path.
    • -e : Set account expiration date.
    • -f : Set inactive days after password expiry.
  • getent passwd <user> : Shows the NSS passwd entry for a user.
  • id <user> : Displays UID, primary group, and supplementary groups.
  • chage -l <user> : Shows password aging and account expiration details.
  • userdel -r <user> : Removes the user and their home directory.
    • -r : Remove home directory and mail spool.