Installing Oracle® Solaris 11.2 Systems


Updated: July 2014
 
 

Configuring Root and User Accounts

Enter the following sysconfig create-profile command with the users grouping to generate a valid profile that configures the root user and initial user.

# sysconfig create-profile -g users -o sc_users.xml

The svc:/system/config-user SMF service configures user and root accounts. This service recognizes two property groups:

  • The root_account property group includes SMF properties that configure the root account.

  • The user_account property group includes SMF properties that configure user accounts.


Tip  -  One method of generating encrypted passwords for the Oracle Solaris OS is to create a user of the intended name and password, copy the password from the /etc/shadow file between the first and second colons of the user's record, and add that information into the password values in the manifest.

Configuring the Root Account

The root_account property group contains the properties listed in the following table.

Table 11-1  root_account Property Group Properties

Property  Type     Required  Description
password  astring  required  Encrypted root password. If you do not provide a root password, the root password is empty.
type      astring  optional  Account type: normal or role. The default is normal.
expire    string   optional  Expiration date for login. If set to 0 (zero), the user will be forced to change the root password at the next login.

Example 11-1  Configuring the Root Account Only With Password Expired
<service name="system/config-user" version="1" type="service">
    <instance name="default" enabled="true">
        <property_group name="root_account" type="application">
            <propval name="password" value="encrypted_password"/>
            <propval name="type" value="normal"/>
            <propval name="expire" value="0"/>
        </property_group>
    </instance>
</service>

Configuring a User Account

Creating a User Account Without Depending on the Automounter

By default, when initial user accounts are created, the home directories are managed by the automounter and accessed under /home/login directories. To create initial user accounts without depending on the automounter, set the user_account/autohome property to the empty string ("") in the system configuration profile.

Setting the user_account/autohome property to the empty string has the following effects:

  • The home directory entry in the /etc/passwd file is set to the mount point of the home ZFS dataset, not to /home/login. The default mount point of the home ZFS dataset is /export/home/login.

  • No mapping entry is added to the /etc/auto_home file.

User Account Properties

The user_account property group contains the properties listed in the following table.

Table 11-2  user_account Property Group Properties

Property          Type     Required  Description
login             astring  required  User's login.
password          astring  required  Encrypted user password.
description       astring  optional  Usually the user's full name.
shell             astring  optional  Full pathname of the program used as the user's shell on login.
uid               count    optional  UID of the new user. The default UID is 101.
gid               count    optional  User's primary group membership. The default GID is 10.
type              astring  optional  Account type: normal or role. The default is normal.
profiles          astring  optional  One or more comma-separated execution profiles defined in the prof_attr(4) man page.
roles             astring  optional  One or more comma-separated roles defined in the user_attr(4) man page.
sudoers           astring  optional  Entry added to the sudoers file along with the login.
expire            astring  optional  Expiration date for the login. If set to 0 (zero), the user will be forced to change the password at the next login.
home_zfs_dataset  astring  optional  User's home directory ZFS dataset. The default is root_pool/export/home/login.
home_mountpoint   astring  optional  User's home directory mount point. The default is /export/home/login.
autohome          astring  optional  User's auto home directory mount point. The value is entered in the /etc/auto_home file for the configured user. The default value is localhost:/export/home/login. If the autohome property is set to the empty string (""), the user account is created without depending on the automounter.
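
The following check is an added example, not Oracle's code: it reads a generated profile and reports the root_account and user_account settings from the tables above that deserve a second look before the profile is deployed. The sample profile, the login jdoe, the placeholder hash, the "$id$salt$hash" pattern and the NOPASSWD check are assumptions made for illustration.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample profile (not from the page); the hash is a placeholder.
SAMPLE_PROFILE = """\
<service_bundle type="profile" name="sysconfig">
  <service name="system/config-user" version="1" type="service">
    <instance name="default" enabled="true">
      <property_group name="root_account" type="application">
        <propval name="type" value="role"/>
      </property_group>
      <property_group name="user_account" type="application">
        <propval name="login" value="jdoe"/>
        <propval name="password" value="jdoe:$5$SALT$HASH:16000::::::"/>
        <propval name="sudoers" value="ALL=(ALL) NOPASSWD: ALL"/>
        <propval name="autohome" value=""/>
      </property_group>
    </instance>
  </service>
</service_bundle>"""

# Assumption: hashes use the "$id$salt$hash" crypt(3) layout found in /etc/shadow.
CRYPT_RE = re.compile(r"^\$[^$:]+\$[^:]*\$[^$:]+$")

def audit_profile(xml_text):
    """Return (property_group, finding) pairs for the config-user service."""
    findings = []
    for svc in ET.fromstring(xml_text).iter("service"):
        if svc.get("name") != "system/config-user":
            continue
        for pg in svc.iter("property_group"):
            name = pg.get("name")
            props = {p.get("name"): p.get("value", "") for p in pg.iter("propval")}
            pw = props.get("password", "")
            if not pw:  # the page notes that a missing root password means an empty one
                findings.append((name, "password missing or empty"))
            elif ":" in pw:  # only the field between the first two colons belongs here
                findings.append((name, "password is a whole shadow record"))
            elif not CRYPT_RE.match(pw):
                findings.append((name, "password is not a crypt(3) hash"))
            if props.get("expire") != "0":
                findings.append((name, "no forced password change (expire != 0)"))
            if "NOPASSWD" in props.get("sudoers", ""):
                findings.append((name, "sudoers entry uses NOPASSWD"))
    return findings

if __name__ == "__main__":
    for group, finding in audit_profile(SAMPLE_PROFILE):
        print(f"{group}: {finding}")
```
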
Configuring Multiple Initial Users

To configure multiple users on the newly installed system, specify the users by using the useradd command in a script. Then use a run-once SMF service to run the script at first boot. See Chapter 13, Running a Custom Script During First Boot, for instructions.

Configuring SSH Keys

The ssh_public_keys property group holds pre-generated SSH keys. The keys will be written to the user's $HOME/.ssh/authorized_keys file when the client is configured.

Example 11-2  Configuring SSH Keys
  <property_group name="user_account" type="application">
    <...>
    <property type="astring" name="ssh_public_keys">
      <astring_list>
        <value_node value='[<options>] <key-type> <base64-encoding-key> [<comment>]'/>
        <value_node value='[<options>] <key-type> <base64-encoding-key> [<comment>]'/>
      </astring_list>
    </property>
  </property_group>
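
Because each value_node is copied into authorized_keys, a mistyped entry either fails to authenticate or loses the options meant to restrict it. The following parser for the `[options] key-type base64-key [comment]` format is an added example, not Oracle's code. The KEY_TYPES list, the sample entries and the key blob (a type header padded with zero bytes, not a real key) are constructed assumptions.

```python
import base64
import xml.etree.ElementTree as ET

# Assumption: key types the target's SSH server accepts; extend as needed.
KEY_TYPES = ("ssh-rsa", "ssh-dss")

def parse_key_entry(value):
    """Split '[options] key-type base64-key [comment]' and check the key blob."""
    tokens = value.split()
    # Options come first and are optional, so find the key type by name.
    idx = next((i for i, t in enumerate(tokens) if t in KEY_TYPES), None)
    if idx is None or idx + 1 >= len(tokens):
        raise ValueError("no known key type followed by key data")
    try:
        blob = base64.b64decode(tokens[idx + 1], validate=True)
    except ValueError as exc:  # binascii.Error is a subclass of ValueError
        raise ValueError("key data is not valid base64") from exc
    # An SSH public key blob starts with a length-prefixed copy of the key type.
    n = int.from_bytes(blob[:4], "big")
    if blob[4:4 + n] != tokens[idx].encode():
        raise ValueError("key type does not match key data")
    return {"options": " ".join(tokens[:idx]), "type": tokens[idx],
            "comment": " ".join(tokens[idx + 2:])}

def check_ssh_keys(xml_text):
    """Return (value, parsed dict or error string) per ssh_public_keys entry."""
    results = []
    for prop in ET.fromstring(xml_text).iter("property"):
        if prop.get("name") != "ssh_public_keys":
            continue
        for node in prop.iter("value_node"):
            value = node.get("value", "")
            try:
                results.append((value, parse_key_entry(value)))
            except ValueError as exc:
                results.append((value, str(exc)))
    return results

# Constructed sample: the blob is a type header plus zero bytes, not a real key.
_FAKE = base64.b64encode((7).to_bytes(4, "big") + b"ssh-rsa" + bytes(16)).decode()
SAMPLE = f"""<property_group name="user_account" type="application">
  <property type="astring" name="ssh_public_keys">
    <astring_list>
      <value_node value='from="192.0.2.10" ssh-rsa {_FAKE} admin@example'/>
      <value_node value='ssh-rsa {_FAKE[:-1]} truncated@example'/>
      <value_node value='ssh-dss {_FAKE} mislabeled@example'/>
    </astring_list>
  </property>
</property_group>"""
```

Options that contain a bare key-type word inside a quoted string would confuse the simple whitespace split used here.
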