How to assign linux user/group on conf local authentication methods

Hello,
I am porting ConfD to a Linux system using local authentication.
As I read in the ConfD user guide, the data in the files “/etc/passwd” and “/etc/group” will be used for local authentication, and group info will be used as the role in the confd_aaa subsys authentication process.
But the following error occurred when I tried to get/set msg via a netconf client:
devel-aaa User: support[] rejected data access path /if:interfaces op read due to no rule matched and /nacm/read-default is ‘deny’
And in audit.log, no groups were found:
3-Jan-2025::04:34:33.468 router confd[1959]: audit user: support/11 assigned to groups:
Here are the groups in “/etc/group”

My questions are:
1. Apart from configuring authentication methods in configuration files and pre-defining the specified group and rule-list in aaa_init.xml, are other configurations required?
2. Is there any means to add more diagnostic logs to determine what happened in the context of the problem?
3. Can you give some advice on the current problem?

Thanks!
Arthur

I declared the global default read and write rules in aaa_init.xml and created the root group.

Hi @arthurMa94

For the 2nd question, you could try enabling the ‘log-if-permit’ leaf to get more info in the developer.log file.

There is a nice explanation of it in the chapter ‘Command authorization’ of the ConfD User Guide.

Hi @joaohf
Thanks for your advice. I found the “log-if-permit” leaf node under /nacm/rule-list. Yet I declared global default read/write rules under /nacm/write-default and /nacm/read-default, hence if no rule-list matches, no such logs will be recorded.
It’s strange that the corresponding data exists locally in /etc/group, but the corresponding group data is not found in the authentication process.

Thanks!
Arthur
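
An added example, not part of the thread and not ConfD code: a simplified RFC 8341 (NACM) data-access decision showing why a session with an empty group list falls through to /nacm/read-default, as in the devel-aaa line quoted above. The group-file lines, the rule-list and the user alice are constructed, and reading group names from the member field of group-file lines is an assumption made for illustration, not a statement of how ConfD performs the lookup.

```python
# Added illustration: simplified RFC 8341 (NACM) data-access decision.
# Group-file lines, rule-lists and the user "alice" are constructed samples.

def groups_from_group_file(text, user):
    """Names of groups whose member field (4th column) lists the user.
    A user's primary group (GID in the passwd file) is NOT listed there."""
    found = set()
    for line in text.splitlines():
        parts = line.strip().split(":")
        if len(parts) != 4 or line.startswith("#"):
            continue
        name, _pw, _gid, members = parts
        if user in [m for m in members.split(",") if m]:
            found.add(name)
    return found

def nacm_decide(groups, rule_lists, path, op, defaults):
    """First matching rule in a rule-list bound to one of the groups wins;
    otherwise read-default or write-default applies (exec is not modelled)."""
    for rl in rule_lists:
        if "*" not in rl["group"] and not groups & set(rl["group"]):
            continue  # rule-list is not bound to any of the user's groups
        for rule in rl["rule"]:
            ops = rule.get("access-operations", "*")
            rpath = rule.get("path", "*")
            if ops != "*" and op not in ops.split():
                continue
            if rpath != "*" and path != rpath and not path.startswith(rpath + "/"):
                continue
            return rule["action"], f"rule {rl['name']}/{rule['name']}"
    kind = "read" if op == "read" else "write"
    return defaults[kind], f"no rule matched, {kind}-default"

GROUP_FILE = "root:x:0:\nadmin:x:1000:alice\nsupport:x:1001:\n"  # constructed
RULE_LISTS = [{"name": "admin", "group": ["admin"],
               "rule": [{"name": "any-access", "action": "permit"}]}]
DEFAULTS = {"read": "deny", "write": "deny"}

def check(user, path="/if:interfaces", op="read"):
    groups = groups_from_group_file(GROUP_FILE, user)
    return groups, nacm_decide(groups, RULE_LISTS, path, op, DEFAULTS)

if __name__ == "__main__":
    for u in ("alice", "support"):
        print(u, check(u))
```

With the constructed data, "support" resolves to no groups, so no rule-list is ever consulted and the default decides the request; no per-rule logging can fire in that case.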