This section describes how to manage CIFS groups and privileges for the Solaris CIFS service.
CIFS groups apply only to users that are connected through CIFS.
For information about CIFS groups and local users, see Local CIFS Groups.
The following table points to the tasks that you can use to manage CIFS groups through the Solaris CIFS service.
You use the smbadm(1M) command to manage CIFS groups on the system that runs the Solaris CIFS service.
Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Choose the name of the group to create.
You might choose a name that reflects a common set of tasks that the group can perform or the organization to which the group members belong.
Create the CIFS group.
# smbadm create [-d description] group-name
The -d option is used to specify a textual description of the CIFS group.
For example, to create a group called wsales, type:
# smbadm create -d "Sales Force for the Western Region" wsales
In order to provide proper identity mapping between CIFS groups and Solaris groups, a CIFS group must have a corresponding Solaris group. This requirement has two consequences. First, the group name must conform to the intersection of the Windows and Solaris group name rules. Thus, a CIFS group name can be up to eight (8) characters long and contain only lowercase characters and numbers. Second, a Solaris group has to be created before a CIFS group can be created. The Solaris group is created by using the groupadd command. See the groupadd(1M) man page.
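The following pre-flight check is an added example, not part of the Solaris documentation. It applies the naming rule above and prints the commands in the required order (Solaris group first); the function names are hypothetical, "lowercase characters" is read as a-z, and `getent` is assumed for the group lookup.

```shell
#!/bin/sh
# Added example: prints the commands to run, changes nothing on the system.

# Force the C locale so that [a-z] cannot match uppercase or accented letters.
LC_ALL=C; export LC_ALL

# Check a name against the rule stated above: at most 8 characters,
# lowercase letters and digits only. Prints "ok" or the reason for refusal.
check_cifs_group_name() {
    name=$1
    [ -n "$name" ] || { echo "empty name"; return 1; }
    [ "${#name}" -le 8 ] || { echo "longer than 8 characters"; return 1; }
    case $name in
        *[!a-z0-9]*) echo "characters outside a-z and 0-9"; return 1 ;;
    esac
    echo ok
}

# Print, in order, the commands still needed to end up with the CIFS group.
# groupadd is listed only when no Solaris group of that name is found.
plan_cifs_group() {
    name=$1 desc=$2
    reason=$(check_cifs_group_name "$name") || {
        echo "refused: $reason" >&2
        return 1
    }
    getent group "$name" >/dev/null 2>&1 || echo "groupadd $name"
    printf 'smbadm create -d "%s" %s\n' "$desc" "$name"
}

# The page's own sample group, then a name that breaks the rule.
plan_cifs_group wsales "Sales Force for the Western Region"
plan_cifs_group WesternSales "Too long and mixed case" || true
```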
Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Add a user to the CIFS group.
# smbadm add-member -m member-name [[-m member-name] …] group-name
member-name can be specified as [domain-name\]username or [domain-name/]username. The domain name is the domain in which the user can be authenticated. By default, the domain name is the name of the domain that you joined.
The backslash character (\) is a shell special character and must be quoted. For instance, escape the backslash character with another backslash character: domain\\username. For more information about handling shell special characters, see the man page for your shell.
For example, to add user terry of the sales domain to the wsales group, type:
# smbadm add-member -m sales\\terry wsales
To add a local user to a CIFS group, specify the Solaris host name rather than the domain name. For example, to add local user terry of the solarsystem host to the wsales group, type:
# smbadm add-member -m solarsystem\\terry wsales
Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Remove a user from the CIFS group.
# smbadm remove-member -m member-name [[-m member-name] …] group-name
member-name can be specified as [domain-name\]username or [domain-name/]username. The domain name is the domain in which the user can be authenticated. By default, the domain name is the name of the domain that you joined.
The backslash character (\) is a shell special character and must be quoted. For instance, escape the backslash character with another backslash character: domain\\username. For more information about handling shell special characters, see the man page for your shell.
For example, to remove user terry of the sales domain from the wsales group, type:
# smbadm remove-member -m sales\\terry wsales
To remove a local user from a CIFS group, specify the Solaris host name rather than the domain name. For example, to remove local user terry of the solarsystem host from the wsales group, type:
# smbadm remove-member -m solarsystem\\terry wsales
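The quoting rule for member-name in the add-member and remove-member procedures matters because an unquoted backslash is dropped silently, so the command receives a different name than the one intended. The following is an added example, not part of the Solaris documentation; `parse_member` and `member_cmd` are hypothetical helpers that only print, and the names are the page's samples.

```shell
#!/bin/sh
# Added example: shows what each spelling of member-name turns into.

# Split a member-name into "domain|user". Accepts domain\user or domain/user;
# with no separator the domain part is empty (the joined domain applies).
parse_member() {
    norm=$(printf '%s' "$1" | tr '\\' '/')   # treat both separators alike
    case $norm in
        */*/*) return 1 ;;                   # more than one separator
        */*)   dom=${norm%%/*}; usr=${norm#*/}
               [ -n "$dom" ] || return 1 ;;  # separator without a domain
        *)     dom=''; usr=$norm ;;
    esac
    [ -n "$usr" ] || return 1
    printf '%s|%s\n' "$dom" "$usr"
}

# Emit a paste-safe command line: the member is single-quoted so the
# backslash reaches smbadm unchanged. Refuses malformed member names.
member_cmd() {
    sub=$1 member=$2 group=$3
    case $sub in add-member|remove-member) ;; *) return 1 ;; esac
    case $member in *"'"*) return 1 ;; esac  # would break the quoting
    parse_member "$member" >/dev/null || return 1
    printf "smbadm %s -m '%s' %s\n" "$sub" "$member" "$group"
}

# The same intended member typed four ways. The first, unquoted, loses its
# backslash and parses as user "salesterry" with no domain at all.
for typed in sales\terry sales\\terry 'sales\terry' sales/terry; do
    printf '%-12s -> %s\n' "$typed" "$(parse_member "$typed")"
done

member_cmd add-member 'solarsystem\terry' wsales
```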
Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.
Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.
Modify one or more CIFS group properties.
# smbadm set -p property=value [[-p property=value] …] group-name
You can specify one or more property-value pairs on the command line. Each property-value pair must be preceded by the -p option. Valid values for privileges are on or off. The value of the description property is an arbitrary text string.
For example, to grant the backup privilege and to modify the description of the wsales group, type:
# smbadm set -p backup=on \
-p description="Sales force for the Western region" wsales