Transitioning From Oracle Solaris 10 to Oracle Solaris 11 (Oracle Solaris 11 Information Library)
In Oracle Solaris 11, you create and manage users, groups, and roles by using command-line tools only. There is currently no GUI tool for performing these tasks. In addition, the command-line tools that are used by the Solaris Management Console are no longer available. See Removal of Legacy System Management Commands, Tools, Services, and Files.
For information about managing user accounts and groups, see Chapter 2, Managing User Accounts and Groups (Overview), in Oracle Solaris Administration: Common Tasks and Chapter 3, Managing User Accounts and Groups (Tasks), in Oracle Solaris Administration: Common Tasks.
The default password hashing algorithm is now SHA256. This password hash is similar to the following:
Also, there is no longer an eight-character limitation for user passwords. The eight-character limitation applies only to passwords that use the older crypt_unix(5) algorithm, which has been preserved for backward compatibility with any existing passwd file entries and NIS maps.
Passwords are encoded by using one of the other crypt(3c) algorithms, including the SHA256 algorithm, which is the default in the policy.conf file. Thus, passwords can now be much longer than eight characters. See policy.conf(4).
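The practical consequence of the two paragraphs above is that any account whose hash still uses crypt_unix is silently limited to eight significant password characters. The following added example (not from the Oracle documentation) classifies shadow-style password fields by their crypt(3c) identifier and flags legacy crypt_unix entries; the sample entries and hash strings are constructed for illustration.

```python
import re

# crypt(3c) identifiers as listed in crypt.conf, mapped to module names.
# "$5$" is crypt_sha256, the Oracle Solaris 11 default in policy.conf.
CRYPT_IDS = {
    "1": "crypt_bsdmd5",
    "2a": "crypt_bsdbf",
    "md5": "crypt_sunmd5",
    "5": "crypt_sha256",
    "6": "crypt_sha512",
}

# Constructed shadow-style entries (fake names and fake hash strings).
SAMPLE_SHADOW = """\
root:$5$c0nstruct$Fak3Sha256HashValueForIllustrationOnly000:15000::::::
jdoe:$6$c0nstruct$Fak3Sha512HashValueForIllustrationOnly000:15000::::::
legacy:abJnggxhB/yWI:15000::::::
svc:*LK*:15000::::::
nopass:NP:15000::::::
"""

def classify_hash(field):
    """Return the crypt algorithm implied by one shadow password field."""
    if field.startswith("*LK*"):
        return "locked"
    if field in ("", "NP", "*NP*"):
        return "no-password"
    m = re.match(r"^\$([^$]+)\$", field)
    if m:
        return CRYPT_IDS.get(m.group(1), "unknown:" + m.group(1))
    # Traditional crypt_unix: 2-char salt + 11-char hash, no '$' marker.
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "crypt_unix"
    return "unrecognized"

def find_legacy_accounts(shadow_text):
    """List accounts whose hash still uses crypt_unix (eight-char truncation)."""
    legacy = []
    for line in shadow_text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, pw = line.split(":")[:2]
        if classify_hash(pw) == "crypt_unix":
            legacy.append(name)
    return legacy

if __name__ == "__main__":
    print("accounts still on crypt_unix:", find_legacy_accounts(SAMPLE_SHADOW))
```

Accounts reported by find_legacy_accounts keep the old algorithm until their password is changed under the new CRYPT_DEFAULT, so a password change is the remediation rather than editing the hash.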
User account creation and management in Oracle Solaris 11 has changed in the following ways:
User accounts are created as individual ZFS file systems, which gives each user their own file system and their own ZFS dataset. The useradd and roleadd commands place every home directory they create under /export/home as an individual ZFS file system.
The useradd command relies on the automount service, svc:/system/filesystem/autofs, to mount home directories. This service should never be disabled. Each user's home directory entry in the passwd database uses the format /home/username, which is an autofs trigger that is resolved by the automounter through the auto_home map.
The useradd command automatically creates entries in the auto_home map that correspond to the pathname that is specified by using the -d option of this command. If the pathname includes a remote host specification, for example, foobar:/export/home/jdoe, then the home directory for jdoe must be created on the system foobar. The default pathname is localhost:/export/home/user. Because /export/home is the mount point for a ZFS dataset, the user's home directory is created as a child ZFS dataset, with the ZFS permission to take snapshots delegated to the user. If a pathname that does not correspond to a ZFS dataset is specified, then a regular directory is created. If the -S ldap option is specified, then the auto_home map entry is updated on the LDAP server instead of the local auto_home map.
In Oracle Solaris 10, audit attributes cannot be assigned by using the usermod command. In Oracle Solaris 11, the usermod command works with LDAP and files. All security attributes can be assigned to a user by using this mechanism.
For example, an administrator can add a role to a user's account by using the usermod command.
# roleadd -K roleauth=user -P "Network Management" netmgt
# usermod -R +netmgt jdoe
See usermod(1M) for additional examples.
An administrator who has the solaris.group.manage authorization can create a group. At group creation, the system assigns the solaris.group.assign/groupname authorization to the administrator, which gives the administrator complete control over that group. The administrator can then modify or delete that groupname, as needed. For more information, see the groupadd(1M) and groupmod(1M) man pages.
Roles can be created locally and in an LDAP repository. To create a role and assign an initial password, you must be assigned the User Management rights profile. To assign security attributes to the role, you must be assigned the User Security rights profile. The important difference for role authentication in Oracle Solaris 11 is the addition of the roleauth=user keyword and the pam_tty_tickets module for authentication caching. Note that the pam_tty_tickets module is not enabled by default. To add the module, edit the /etc/pam.conf file as follows:
# vi /etc/pam.conf
su auth required pam_unix_cred.so.1
su auth sufficient pam_tty_tickets.so.1
su auth requisite pam_authtok_get.so.1
su auth required pam_dhkeys.so.1
su auth required pam_unix_auth.so.1
The entire su stack is required. The pam_tty_tickets.so.1 module provides the cache. See pam.conf(4). For instructions on creating a role, see How to Create a Role in Oracle Solaris Administration: Security Services.
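Because pam_tty_tickets.so.1 is a sufficient module, its position in the su stack matters: placed before pam_unix_cred.so.1 it would short-circuit the credential step. The following added example (not from the Oracle documentation) parses pam.conf text and compares the su auth stack against the documented one; both pam.conf fragments are constructed for illustration.

```python
# The su auth stack exactly as documented above: (control flag, module).
EXPECTED_SU_AUTH = [
    ("required",   "pam_unix_cred.so.1"),
    ("sufficient", "pam_tty_tickets.so.1"),
    ("requisite",  "pam_authtok_get.so.1"),
    ("required",   "pam_dhkeys.so.1"),
    ("required",   "pam_unix_auth.so.1"),
]

# Constructed pam.conf fragments: one with the su stack added, one without.
PAM_CONF_WITH_SU = """\
# su service: ticket cache enabled (constructed sample)
su      auth required   pam_unix_cred.so.1
su      auth sufficient pam_tty_tickets.so.1
su      auth requisite  pam_authtok_get.so.1
su      auth required   pam_dhkeys.so.1
su      auth required   pam_unix_auth.so.1
other   auth requisite  pam_authtok_get.so.1
"""
PAM_CONF_WITHOUT_SU = """\
other   auth requisite  pam_authtok_get.so.1
other   auth required   pam_dhkeys.so.1
other   auth required   pam_unix_cred.so.1
other   auth required   pam_unix_auth.so.1
"""

def parse_pam_conf(text):
    """Return (service, type, control, module) tuples, ignoring comments/options."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()
        if len(parts) >= 4:
            entries.append(tuple(parts[:4]))
    return entries

def check_su_auth_stack(text):
    """Return a list of problems; an empty list means the stack is as documented."""
    su_auth = [(c, m) for s, t, c, m in parse_pam_conf(text)
               if s == "su" and t == "auth"]
    if not su_auth:
        return ["no su auth stack: su uses the 'other' stack, no ticket cache"]
    problems = []
    modules = [m for _, m in su_auth]
    if "pam_tty_tickets.so.1" not in modules:
        problems.append("pam_tty_tickets.so.1 not enabled for su")
    elif modules.index("pam_tty_tickets.so.1") < modules.index("pam_unix_cred.so.1"):
        problems.append("sufficient pam_tty_tickets.so.1 precedes pam_unix_cred.so.1")
    if su_auth != EXPECTED_SU_AUTH:
        problems.append("su auth stack differs from the documented five-line stack")
    return problems
```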
An NFS or an SMB share of a ZFS file system is created and then the share is published, which involves the following actions:
The file system share is created by using the zfs set share command. At this time, specific share properties can be defined. If share properties are not defined, the default property values are used.
The NFS or SMB share is published by setting the sharenfs or sharesmb property. The share is published permanently until the property is set to off.
Because home directories are created as ZFS file systems in Oracle Solaris 11, you typically do not need to manually mount home directories. The home directory is automatically mounted during its creation and also at boot time by the SMF local file system service. For instructions on manually mounting a user's home directory, see Manually Mounting a User's Home Directory in Oracle Solaris Administration: Common Tasks.