The UNIX operating system requires a user to log in to a UNIX computer and be authenticated before being able to work on the computer. A user account associates a log-in name and password with each user. To avoid confusion among users, no two user accounts on the same system may have the same log-in name; each log-in name must be unique among the user accounts. The log-in name identifies the user account.
To log in and be successfully authenticated, the user must supply the log-in name and password associated with his user account. The UNIX operating system uses the log-in name to locate the correct user account and then completes authentication by checking the password supplied by the user.
A UNIX computer operating in isolation (i.e. not as part of a larger group or network of computers) stores user accounts internally. When a user logs into the stand-alone computer, the UNIX operating system looks through the computer's internal user accounts to find the log-in name and confirm the password supplied by the user. A log-in name used on a stand-alone computer need only be unique within the user accounts stored on that computer.
UNIX computers connected together in a network may allow a single user to log into many different computers on the network. User accounts for cross-network access are typically stored centrally in an authenticator such as a Lightweight Directory Access Protocol (LDAP) server or a Network Information Service (NIS) server. Each computer can send authentication requests to the authenticator. The authenticator uses the log-in name supplied in the authentication request to find a corresponding user account and confirm the password.
User accounts in an authenticator must each have a log-in name that is unique among the accounts stored in the authenticator. This ensures that each log-in name is associated with a single network user account.
A UNIX computer connected to a network may, during user log-in, authenticate users either through local user accounts stored within the computer or through network user accounts stored on an authenticator. The UNIX computer typically checks local accounts first and then, if the log-in name is not located in these accounts, checks network accounts. This allows local user accounts and network user accounts to co-exist, and allows identical log-in names to exist among the local, independent user accounts on each computer.
A UNIX computer traditionally has one or more locally defined user accounts for special log-ins. One of the most common is the local log-in name “root”, used to specify a user account with special administrative privileges on the computer. A system administrator in charge of maintaining a computer logs in using the “root” log-in name and password defined in the local root user account stored in the computer.
To simplify user account management, many computer network administrators eliminate local user accounts on each UNIX computer and convert them to network user accounts on the authenticator. This conversion can cause log-in name conflicts when identically named local accounts on different computers, such as “root”, are all converted to network accounts.
To avoid these conflicts, network administrators may modify each account name so that it is unique within the authenticator. For example, the log-in name “root” of a local root account on one computer may be modified to “root1” when converted to a network user account. The log-in name “root” of a local root account on another computer may be modified to “root2” when converted so that the two different root accounts do not have conflicting log-in names within the authenticator.
Converting local user accounts to centralized network accounts works well for consolidating all user accounts in an authenticator. Unfortunately, it means there are no longer well-known standard log-in names on each UNIX computer. For example, a system administrator who wants to configure a set of UNIX computers whose local user accounts have been converted to network accounts can no longer log in as “root” to perform administrative duties on each computer. He must know a different converted root log-in name for each computer. These converted root log-in names may not be easy to remember or find.
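The conversion and renaming described above can be sketched as follows. This is an added example, not code from the original text: it finds log-in names that collide across hosts, assigns suffixed names that are unique within the authenticator, and keeps the per-host mapping an administrator would need to find the converted “root” name. The host names, passwd entries and function names are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample /etc/passwd excerpts for three hypothetical hosts.
LOCAL_PASSWD = {
    "hostA": "root:x:0:0::/root:/bin/sh\nalice:x:1001:1001::/home/alice:/bin/sh\n",
    "hostB": "root:x:0:0::/root:/bin/sh\nbackup:x:34:34::/var/backups:/bin/sh\n",
    "hostC": "root:x:0:0::/root:/bin/sh\nalice:x:1002:1002::/home/alice:/bin/sh\n",
}

def parse_passwd(text):
    """Return the log-in names (first colon-separated field) in passwd text."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln.split(":", 1)[0] for ln in lines if ln and not ln.startswith("#")]

def find_conflicts(local_passwd):
    """Map each log-in name defined on more than one host to those hosts."""
    hosts_by_name = defaultdict(list)
    for host in sorted(local_passwd):
        for name in parse_passwd(local_passwd[host]):
            hosts_by_name[name].append(host)
    return {n: h for n, h in hosts_by_name.items() if len(h) > 1}

def convert_to_network(local_passwd):
    """Give every local account a log-in name unique in the authenticator.

    Conflicting names get a numeric suffix (root -> root1, root2, ...), as in
    the text. Returns {(host, local_name): network_name}.
    """
    conflicts = find_conflicts(local_passwd)
    all_names = {n for t in local_passwd.values() for n in parse_passwd(t)}
    taken = all_names - set(conflicts)  # names that stay as they are
    mapping, counters = {}, defaultdict(int)
    for host in sorted(local_passwd):
        for name in parse_passwd(local_passwd[host]):
            new = name
            while name in conflicts and (new == name or new in taken):
                counters[name] += 1  # skip suffixes that are already in use
                new = f"{name}{counters[name]}"
            taken.add(new)
            mapping[(host, name)] = new
    return mapping

def network_name(mapping, host, local_name):
    """Look up which network log-in replaced a well-known local name on a host."""
    return mapping[(host, local_name)]

if __name__ == "__main__":
    for (host, local), net in sorted(convert_to_network(LOCAL_PASSWD).items()):
        print(f"{host}: {local} -> {net}")
```

Without the mapping returned by `convert_to_network`, nothing on a given host indicates which suffixed account replaced its local “root”.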