System Administration Guide: Basic Administration

Chapter 5 Managing User Accounts and Groups (Tasks)

This chapter describes how to set up and maintain user accounts and groups.

For information on the procedures associated with setting up and maintaining user accounts and groups, see the following:

For background information about managing user accounts and groups, see Chapter 4, Managing User Accounts and Groups (Overview).

Setting Up User Accounts (Task Map)

Task: Gather user information.
Description: Use a standard form to gather user information to help you keep user information organized.
For Instructions: Gathering User Information

Task: Customize user initialization files.
Description: You can set up user initialization files (.cshrc, .profile, .login) so that you can provide new users with consistent environments.
For Instructions: How to Customize User Initialization Files

Task: Add a group.
Description: You can add a group with the Solaris Management Console's Groups tool or with the Solaris command-line interface tools.
For Instructions: How to Add a Group With the Solaris Management Console's Groups Tool; Adding Groups and Users With Command-Line Tools

Task: Add a user.
Description: You can add a user with the Solaris Management Console's Users tool or with the Solaris command-line interface tools.
For Instructions: How to Add a User With the Solaris Management Console's Users Tool; Adding Groups and Users With Command-Line Tools

Task: Set up a user template.
Description: You can create a user template so that you don't have to manually add all similar user properties.
For Instructions: See Solaris Management Console online help

Task: Add rights or a role to a user.
Description: You can add rights or a role to a user so that the user can perform a specific command or task.
For Instructions: See Solaris Management Console online help

Task: Share the user's home directory.
Description: You must share the user's home directory so that the directory can be remotely mounted from the user's system.
For Instructions: How to Share a User's Home Directory

Task: Mount the user's home directory.
Description: You must mount the user's home directory on the user's system.
For Instructions: How to Mount a User's Home Directory

Gathering User Information

You can create a form such as the following to gather information about users before adding their accounts.

Item                              Description
User Name:
Role Name:
Profiles or Authorizations:
UID:
Primary Group:
Secondary Groups:
Comment:
Default Shell:
Password Status and Aging:
Home Directory Path Name:
Mounting Method:
Permissions on Home Directory:
Mail Server:
Department Name:
Department Administrator:
Manager:
Employee Name:
Employee Title:
Employee Status:
Employee Number:
Start Date:
Add to These Mail Aliases:
Desktop System Name:

How to Customize User Initialization Files

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Create a skeleton directory for each type of user.


    # mkdir /shared-dir/skel/user-type
    
    shared-dir

    The name of a directory that is available to other systems on the network.

    user-type

    The name of a directory to store initialization files for a type of user.

  3. Copy the default user initialization files into the directories that you created for different types of users.


    # cp /etc/skel/local.cshrc /shared-dir/skel/user-type/.cshrc
    # cp /etc/skel/local.login /shared-dir/skel/user-type/.login
    # cp /etc/skel/local.profile /shared-dir/skel/user-type/.profile
    

    Note –

    If the account has profiles assigned to it, then the user has to launch a special version of the shell called a profile shell to use commands (with any security attributes) that are assigned to the profile. There are three profile shells corresponding to the types of shells: pfsh (Bourne shell), pfcsh (C shell), and pfksh (Korn shell). For information about profile shells, see Role-Based Access Control (Overview) in System Administration Guide: Security Services.


  4. Edit the user initialization files for each user type and customize them based on your site's needs.

    For a detailed description on the ways to customize the user initialization files, see Customizing a User's Work Environment.

  5. Set the permissions for the user initialization files.


    # chmod 744 /shared-dir/skel/user-type/.*
    
  6. Verify that the permissions for the user initialization files are correct.


    # ls -la /shared-dir/skel/*
    

Example 5–1 Customizing User Initialization Files

The following example shows how to customize the C-shell user initialization file in the /export/skel/enduser directory designated for a particular type of user. For an example of a .cshrc file, see Example 4–3.


# mkdir /export/skel/enduser
# cp /etc/skel/local.cshrc /export/skel/enduser/.cshrc
 
(Edit .cshrc file)
# chmod 744 /export/skel/enduser/.*
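The procedure above, as an added shell example that is not part of the guide: it builds the skeleton directory for one user type, sets the initialization files to 744 and verifies the result. The shared directory, user type and source directory are arguments, and the local.* source files are constructed in a temporary directory instead of being copied from /etc/skel. Note that in the Bourne shell the guide's `.*` glob also matches `.` and `..`, so the example uses a glob that matches the dotfiles only.

```shell
#!/bin/sh
# Added example, not from the guide: set up a skeleton directory for one user
# type and verify that the initialization files end up mode 744.  The local.*
# source files are constructed rather than copied from /etc/skel.

# Print the permission string of a path (first field of ls -ld, e.g. -rwxr--r--).
mode_of() {
    ls -ld "$1" | cut -c1-10
}

# make_skel SHARED_DIR USER_TYPE SOURCE_DIR
# Steps 2, 3 and 5 of the procedure.  "chmod 744 .../.*" would also match "."
# and "..", i.e. the skel directory and its parent, and strip their group and
# other search permission; the .[!.]* glob matches the dotfiles only.
make_skel() {
    dest="$1/skel/$2"
    mkdir -p "$dest" || return 1
    cp "$3/local.cshrc"   "$dest/.cshrc"   || return 1
    cp "$3/local.login"   "$dest/.login"   || return 1
    cp "$3/local.profile" "$dest/.profile" || return 1
    chmod 744 "$dest"/.[!.]* || return 1
}

# check_skel_perms SKEL_DIR
# Step 6: print one line per initialization file whose mode is not
# -rwxr--r-- and return non-zero if any is wrong.
check_skel_perms() {
    rc=0
    for f in "$1"/.[!.]*; do
        [ -f "$f" ] || continue
        m=$(mode_of "$f")
        if [ "$m" != "-rwxr--r--" ]; then
            echo "WRONG $m $f"
            rc=1
        fi
    done
    return $rc
}

# Demonstration on constructed input; prints "ok" when everything checks out.
demo() {
    work=$(mktemp -d) || return 1
    mkdir -p "$work/etc_skel" "$work/export/skel/enduser"
    # Constructed stand-ins for /etc/skel/local.* (content is irrelevant here).
    for f in local.cshrc local.login local.profile; do
        printf '# constructed %s\n' "$f" > "$work/etc_skel/$f"
    done
    skel_before=$(mode_of "$work/export/skel")
    type_before=$(mode_of "$work/export/skel/enduser")
    make_skel "$work/export" enduser "$work/etc_skel" || return 1
    # Neither the skel directory nor its parent may have been touched by chmod.
    [ "$(mode_of "$work/export/skel")" = "$skel_before" ] || return 1
    [ "$(mode_of "$work/export/skel/enduser")" = "$type_before" ] || return 1
    check_skel_perms "$work/export/skel/enduser" || return 1
    rm -rf "$work"
    echo ok
}

demo
```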

How to Add a Group With the Solaris Management Console's Groups Tool

You can add existing users to the group when you add the group. Or, you can just add the group and then add the user to the group when you add the user.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon and provide the superuser password or the role password.

  7. Click the Groups icon. Select Add Group from the Action menu.

    Use the Context help to add a group to the system.

  8. Identify the group name at the Group Name prompt under Group Identification.

    For example, mechanoids.

  9. Identify the group number at the Group ID number prompt.

    For example, GID 101.

  10. Click OK.

How to Add a User With the Solaris Management Console's Users Tool

Use the following procedure to add a user with the Solaris Management Console's Users tool.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon and provide the superuser password or the role password.

  7. Click the User Accounts icon.

    Use the Context help to add a user to the system.

  8. Select Add User⇒With Wizard from the Action menu.

    Click Next between the steps below.

    1. Identify the user name or login name at the User Name prompt.

      For example, kryten

    2. (Optional) Identify the user's full name at the Full Name prompt.

      For example, kryten series 3000.

    3. (Optional) Provide a further description of this user at the Description prompt.

    4. Provide the user ID at the User ID Number prompt.

      For example, 1001.

    5. Select the User Must Use This Password At First Login option.

      Provide a password for the user at the Password prompt and then confirm the password at the Confirm Password prompt.

    6. Select the user's primary group.

      For example, mechanoids.

    7. Create the user's home directory by accepting the defaults at the Server and Path prompts.

    8. Specify the mail server.

    9. Review the information you provided and go back to correct the information, if necessary. Otherwise, click Finish.

Adding Groups and Users With Command-Line Tools

This section provides examples of adding users and groups with command-line tools.

Adding a Group and User With the groupadd and useradd Commands

The following example shows how to use the groupadd and useradd commands to add the group scutters and the user scutter1 to files on the local system. These commands cannot be used to manage users in a name service environment.


# groupadd -g 102 scutters
# useradd -u 1003 -g 102 -d /export/home/scutter1 -s /bin/csh \
-c "Scutter 1" -m -k /etc/skel scutter1
64 blocks

For more information, see the groupadd(1M) and useradd(1M) man pages.

Adding a Group and User With the smgroup and smuser Commands

The following example shows how to use the smgroup and smuser commands to add the group gelfs and the user camille to the NIS domain solar.com on the host starlite.


# /usr/sadm/bin/smgroup add -D nis:/starlite/solar.com -- -g 103 -n gelfs
# /usr/sadm/bin/smuser add -D nis:/starlite/solar.com -- -u 1004 \
-n camille -c "Camille G." -d /export/home/camille -s /bin/csh -g gelfs

For more information, see the smgroup(1M) and smuser(1M) man pages.

Setting Up Home Directories With the Solaris Management Console

Keep the following in mind when using the Solaris Management Console tools to manage user home directories:

How to Share a User's Home Directory

Use the following procedure to share a user's home directory.

  1. Become superuser or assume an equivalent role on the system that contains the home directory.

  2. Verify that the mountd daemon is running.

    In this release, mountd is now started as part of the NFS server service. To see if the mountd daemon is running, type the following command:


    # svcs network/nfs/server
    STATE          STIME    FMRI
    online         Aug_26   svc:/network/nfs/server:default
  3. If the mountd daemon is not running, start it.


    # svcadm enable network/nfs/server
    
  4. List the file systems that are shared on the system.


    # share
    
  5. Select one of the following based on whether the file system that contains the user's home directory is already shared.

    1. If the user's home directory is already shared, go to Step 8.

    2. If the user's home directory is not shared, go to Step 6.

  6. Edit the /etc/dfs/dfstab file and add the following line:


    share -F nfs /file-system
    

    /file-system is the file system that contains the user's home directory that you need to share. By convention, the file system is /export/home.

  7. Share the file systems listed in the /etc/dfs/dfstab file.


    # shareall -F nfs
    

    This command executes all the share commands in the /etc/dfs/dfstab file so that you do not have to wait to reboot the system.

  8. Verify that a user's home directory is shared.


    # share
    

Example 5–2 Sharing a User's Home Directory

The following example shows how to share the /export/home directory.


# svcs network/nfs/server
# svcadm enable network/nfs/server
# share
# vi /etc/dfs/dfstab
 
(The line share -F nfs /export/home is added.)
# shareall -F nfs
# share
-               /usr/dist                ro   ""
-               /export/home/user-name     rw   ""

See Also

If the user's home directory is not located on the user's system, you have to mount the user's home directory from the system where it is located. For detailed instructions, see How to Mount a User's Home Directory.

How to Mount a User's Home Directory

For information on automounting a home directory, see Task Overview for Autofs Administration in System Administration Guide: Network Services.

  1. Make sure that the user's home directory is shared.

    For more information, see How to Share a User's Home Directory.

  2. Log in as superuser on the user's system.

  3. Edit the /etc/vfstab file and create an entry for the user's home directory.


    system-name:/export/home/username - /export/home/username nfs - yes rw

    system-name

    The name of the system where the home directory is located.

    system-name:/export/home/username

    The name of the user's home directory that is shared by system-name. By convention, /export/home/username contains user home directories. However, you can use a different file system.

    -

    Required placeholders in the entry.

    /export/home/username

    The name of the directory where the user's home directory will be mounted on the user's system.

    For more information about adding an entry to the /etc/vfstab file, see Mounting File Systems in System Administration Guide: Devices and File Systems.

  4. Create the mount point for the user's home directory.


    # mkdir -p /export/home/username
    
  5. Mount the user's home directory.


    # mountall
    

    All entries in the current vfstab file (whose mount at boot fields are set to yes) are mounted.

  6. Verify that the home directory is mounted.


    # mount | grep username
    

Example 5–3 Mounting a User's Home Directory

The following example shows how to mount user ripley's home directory.


# vi /etc/vfstab
 
(The line venus:/export/home/ripley - /export/home/ripley nfs - yes rw is added.)
# mkdir -p /export/home/ripley
# mountall
# mount
/ on /dev/dsk/c0t0d0s0 read/write/setuid/intr/largefiles/xattr/onerror=panic/dev=...
/devices on /devices read/write/setuid/dev=46c0000 on Thu Jan  8 09:38:19 2004
/usr on /dev/dsk/c0t0d0s6 read/write/setuid/intr/largefiles/xattr/onerror=panic/dev=...
/proc on /proc read/write/setuid/dev=4700000 on Thu Jan  8 09:38:27 2004
/etc/mnttab on mnttab read/write/setuid/dev=47c0000 on Thu Jan  8 09:38:27 2004
/dev/fd on fd read/write/setuid/dev=4800000 on Thu Jan  8 09:38:30 2004
/var/run on swap read/write/setuid/xattr/dev=1 on Thu Jan  8 09:38:30 2004
/tmp on swap read/write/setuid/xattr/dev=2 on Thu Jan  8 09:38:30 2004
/export/home on /dev/dsk/c0t0d0s7 read/write/setuid/intr/largefiles/xattr/onerror=...
/export/home/ripley on venus:/export/home/ripley remote/read/write/setuid/xattr/dev=...
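The bookkeeping from the two procedures above (deciding whether a file system is already in /etc/dfs/dfstab before adding a share line, and adding the vfstab entry that mountall acts on), as an added shell example that is not part of the guide. It runs against copies of the two files so it works offline; the file paths, the server name venus and the sample file contents are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: idempotent share and mount bookkeeping
# against copies of /etc/dfs/dfstab and /etc/vfstab.  The paths, the server
# name venus and the sample file contents are constructed.

# ensure_share DFSTAB FILE-SYSTEM
# Steps 5 and 6 of sharing: append "share -F nfs FILE-SYSTEM" only when no
# share line for that file system is present.  Prints "added" or "present".
ensure_share() {
    if awk -v fs="$2" '$1 == "share" && $NF == fs { found = 1 }
                       END { exit !found }' "$1" 2>/dev/null; then
        echo present
    else
        printf 'share -F nfs %s\n' "$2" >> "$1" && echo added
    fi
}

# ensure_home_mount VFSTAB SERVER USER
# Step 3 of mounting: add the seven-field vfstab entry for USER's home
# directory unless the mount point already has one.  Prints "added" or "present".
ensure_home_mount() {
    mnt="/export/home/$3"
    if awk -v m="$mnt" '$3 == m { found = 1 } END { exit !found }' "$1" 2>/dev/null; then
        echo present
    else
        printf '%s - %s nfs - yes rw\n' "$2:$mnt" "$mnt" >> "$1" && echo added
    fi
}

# boot_mounts VFSTAB
# The mount points mountall(1M) acts on: entries whose "mount at boot" field
# (the sixth) is yes, skipping comment lines.
boot_mounts() {
    awk '$1 !~ /^#/ && NF >= 7 && $6 == "yes" { print $3 }' "$1"
}

# Demonstration on constructed files; prints all results on one line.
demo() {
    work=$(mktemp -d) || return 1
    # /usr/dist is already shared read-only, as in Example 5-2; /export/home
    # is a local ufs file system on the server.
    printf 'share -F nfs -o ro /usr/dist\n' > "$work/dfstab"
    printf '#device device mount FS fsck mount mount\n' > "$work/vfstab"
    printf '/dev/dsk/c0t0d0s7 /dev/rdsk/c0t0d0s7 /export/home ufs 2 yes -\n' >> "$work/vfstab"
    r1=$(ensure_share "$work/dfstab" /export/home)        # added
    r2=$(ensure_share "$work/dfstab" /export/home)        # present: already there
    r3=$(ensure_home_mount "$work/vfstab" venus ripley)   # added
    r4=$(ensure_home_mount "$work/vfstab" venus ripley)   # present
    printf '%s %s %s %s' "$r1" "$r2" "$r3" "$r4"
    boot_mounts "$work/vfstab" | while read -r m; do printf ' %s' "$m"; done
    echo
    rm -rf "$work"
}

demo
```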

Maintaining User Accounts (Task Map)

Task: Modify a group.
Description: You can modify a group's name or the users in a group by using the Groups tool.
Instructions: How to Modify a Group

Task: Delete a group.
Description: You can delete a group if it is no longer needed.
Instructions: How to Delete a Group

Task: Modify a user account.
Description:
  Disable a user account. You can temporarily disable a user account if it will be needed in the future.
  Change a user's password. You might need to change a user's password if the user forgets it.
  Set password aging. You can force users to change their passwords periodically with the User Account tool's Password Options menu.
Instructions: How to Disable a User Account; How to Change a User's Password; How to Set Password Aging on a User Account

Task: Delete a user account.
Description: You can delete a user account if it is no longer needed.
Instructions: How to Delete a User Account

Modifying User Accounts

Unless you define a user name or UID number that conflicts with an existing one, you should never need to modify a user account's user name or UID number.

Use the following steps if two user accounts have duplicate user names or UID numbers:

If you do use the Users tool to change a user name, the home directory's ownership is changed, if a home directory exists for the user.

One part of a user account that you can change is a user's group memberships. Select the Properties option from Users tool's Action menu to add or delete a user's secondary groups. Alternatively, you can use the Groups tool to directly modify a group's member list.

You can also modify the following parts of a user account:

Disabling User Accounts

Occasionally, you might need to temporarily or permanently disable a user account. Disabling or locking a user account means that an invalid password, *LK*, is assigned to the user account, preventing future logins.

The easiest way to disable a user account is to lock the password for an account with Users tool.

You can also enter an expiration date in the account availability section of the User Properties screen. An expiration date enables you to set a limit on how long the account is active.

Other ways to disable a user account are to set up password aging or to change the user's password.

Deleting User Accounts

When you delete a user account with the Users tool, the software deletes the entries in the passwd and group files. In addition, the files in the user's home directory and mail directory are also deleted.

How to Modify a Group

Use the following procedure to modify a group.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon.

  7. Provide the superuser password or the role password.

  8. Click the Groups icon.

  9. Select the group to modify.

    For example, select scutters.

  10. Modify the selected group in the Group Name: text box. Click OK when you are finished.

    For example, change scutters to scutter.

    All the users that were in the scutters group are now in the scutter group.

How to Delete a Group

Use the following procedure to delete a group.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon.

  7. Provide the superuser password or the role password.

  8. Click the Groups icon.

  9. Select the group to delete.

    For example, select scutter.

  10. Click OK in the popup window.

    The group is removed from all the users who were a member of this group.

Administering Passwords

You can use the Users tool for password administration. This tool includes the following capabilities:


Note –

Password aging is not supported by the NIS name service.


Using Password Aging

If you are using NIS+ or the /etc files to store user account information, you can set up password aging on a user's password. Starting in the Solaris 9 12/02 release, password aging is also supported in the LDAP directory service.

Password aging enables you to force users to change their passwords periodically or to prevent a user from changing a password before a specified interval. To prevent an intruder from gaining undetected access to the system through an old and inactive account, you can also set a password expiration date after which the account becomes disabled. You can set password aging attributes with the passwd command or the Solaris Management Console's Users tool.

For information about starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role.
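The account states described under Disabling User Accounts and Using Password Aging, as an added audit example that is not part of the guide: it reads shadow(4)-format records and reports which accounts are locked with *LK*, expired, overdue for a password change, or have no aging set. Only the field layout and the *LK* marker come from Solaris; the sample records and the day counts are constructed.

```shell
#!/bin/sh
# Added example, not from the guide: audit shadow(4)-format records for the
# account states this chapter describes.  Field layout:
#   user:password:lastchg:min:max:warn:inactive:expire:flag
# The records below are constructed; lastchg and expire are days since
# 1970-01-01, as in /etc/shadow.

sample_shadow() {
    cat <<'EOF'
root:$1$constructedhash:12345::::::
scutter1:$1$constructedhash:13150:7:90:14:::
scutter2:*LK*$1$constructedhash:13000:7:90:14:::
ripley:$1$constructedhash:12500:7:90:14::13100:
kryten:$1$constructedhash:12000:7:90:14:::
EOF
}

# audit_shadow TODAY   (reads shadow records on stdin)
# TODAY is the current day count since the epoch.  Prints "user STATE" per
# record, where STATE is one of:
#   LOCKED    password field starts with *LK*, the lock the Users tool sets
#   EXPIRED   the account's expire date has passed
#   NO-AGING  max field empty, so the password never has to change
#   STALE     lastchg + max is in the past: the password change is overdue
#   OK        none of the above
audit_shadow() {
    awk -F: -v today="$1" '
        NF < 8 { printf "%s MALFORMED\n", $1; next }
        {
            pw = $2; lastchg = $3; max = $5; expire = $8
            if (pw ~ /^\*LK\*/)                               state = "LOCKED"
            else if (expire != "" && expire + 0 <= today + 0) state = "EXPIRED"
            else if (max == "")                               state = "NO-AGING"
            else if (lastchg + max < today + 0)               state = "STALE"
            else                                              state = "OK"
            printf "%s %s\n", $1, state
        }'
}

# state_of USER TODAY: the audit state of one sample account.
state_of() {
    sample_shadow | audit_shadow "$2" | awk -v u="$1" '$1 == u { print $2 }'
}

# today_days: current day count.  Assumes date(1) supports %s (GNU/BSD);
# Solaris /usr/bin/date does not, so pass the value to audit_shadow explicitly.
today_days() {
    echo $(( $(date +%s) / 86400 ))
}

# Demonstration against the constructed records on a fixed day.
sample_shadow | audit_shadow 13200
```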

How to Disable a User Account

Use the following procedure if you need to disable a user account.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon and provide the superuser password or the role password.

  7. Click the User Accounts icon.

  8. Double-click the user.

    For example, select scutter2.

  9. Select the Account is Locked option in the Account Availability section of the General tab features.

  10. Click OK.

How to Change a User's Password

Use the following procedure when a user forgets her password.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon.

  7. Provide the superuser password or the role password.

  8. Click the User Accounts icon, then double-click the user who needs a new password.

    For example, select scutter1.

  9. Select the Password tab, then select the User Must Use This Password at Next Login option.

  10. Enter the user's new password and click OK.

How to Set Password Aging on a User Account

Use the following procedure to set password aging on a user account.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User Accounts icon and provide the superuser password or the role password.

  7. Click the User Accounts icon.

  8. Double-click the user, then select the Password Options tab.

    For example, select scutter2.

  9. Select the Password Options tab.

  10. Select the appropriate Password Options in Days option and click OK.

    For example, select Users Must Change Within to set a date when the user must change his or her password.

How to Delete a User Account

Use the following procedure to remove a user account.

  1. Become superuser or assume an equivalent role.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Click the System Configuration icon.

  6. Click the User icon.

  7. Provide the superuser password or the role password.

  8. Click the User Accounts icon.

  9. Double-click the user account to be removed.

    For example, select scutter4.

  10. Click Delete in the popup window if you are sure you want to remove the user account.

    You are prompted to remove the user's home directory and mailbox contents.