Solaris CIFS Administration Guide

Managing CIFS Groups (Task Map)

This section describes how to manage CIFS groups and privileges for the Solaris CIFS service.


Note – CIFS groups apply only to users that are connected through CIFS.


For information about CIFS groups and local users, see Local CIFS Groups.

The following table points to the tasks that you can use to manage CIFS groups through the Solaris CIFS service.

Task: Create a CIFS group.
Description: Create a CIFS group to manage users.
For Instructions: How to Create a CIFS Group

Task: Add a member to a CIFS group.
Description: Add a member to a CIFS group by using the smbadm command.
For Instructions: How to Add a Member to a CIFS Group

Task: Remove a member from a CIFS group.
Description: Remove a member from a CIFS group by using the smbadm command.
For Instructions: How to Remove a Member From a CIFS Group

Task: Modify CIFS group properties.
Description: A CIFS group can grant the following privileges:

  • backup. Permit group members to back up file system objects.

  • restore. Permit group members to restore file system objects.

  • take-ownership. Permit group members to take ownership of file system objects.

You can specify a description of the CIFS group if you modify the value of the description property.
For Instructions: How to Modify CIFS Group Properties

You use the smbadm(1M) command to manage CIFS groups on the system that runs the Solaris CIFS service.

How to Create a CIFS Group

  1. Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Choose the name of the group to create.

    You might choose a name that reflects a common set of tasks that the group can perform or the organization to which the group members belong.

  3. Create the CIFS group.


    # smbadm create [-d description] group-name
    

    The -d option is used to specify a textual description of the CIFS group.

    For example, to create a group called wsales, type:


    # smbadm create -d "Sales Force for the Western Region" wsales
    

    In order to provide proper identity mapping between CIFS groups and Solaris groups, a CIFS group must have a corresponding Solaris group. This requirement has two consequences. First, the group name must conform to the intersection of the Windows and Solaris group name rules. Thus, a CIFS group name can be up to eight (8) characters long and contain only lowercase characters and numbers. Second, a Solaris group has to be created before a CIFS group can be created. The Solaris group is created by using the groupadd command. See the groupadd(1M) man page.
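The two requirements above can be checked before smbadm is run. The following is an added example, not part of the original guide: the function names valid_cifs_group_name and create_cifs_group are hypothetical, and the use of getent to test for an existing Solaris group is an assumption.

```shell
#!/bin/sh
# Added example: pre-flight checks for "smbadm create".
# Function names are hypothetical; only smbadm and groupadd come from the guide.

# Succeeds only if the name satisfies the rule stated above:
# at most eight characters, lowercase letters and digits only.
# The body runs in a subshell so the LC_ALL change stays local;
# LC_ALL=C keeps the a-z range from matching uppercase letters.
valid_cifs_group_name() (
    LC_ALL=C
    [ -n "$1" ] && [ "${#1}" -le 8 ] || exit 1
    case $1 in
        *[!a-z0-9]*) exit 1 ;;
    esac
    exit 0
)

# Creates the Solaris group first if it is missing, then the CIFS group.
# Return codes: 2 = name rejected, 3 = groupadd failed,
# otherwise the exit status of smbadm.
create_cifs_group() {
    name=$1
    desc=$2
    if ! valid_cifs_group_name "$name"; then
        echo "rejected CIFS group name: '$name'" >&2
        return 2
    fi
    # Assumption: getent is used to look up the Solaris group.
    if ! getent group "$name" >/dev/null 2>&1; then
        groupadd "$name" || return 3
    fi
    smbadm create -d "$desc" "$name"
}

# Usage (run as a user with the authorizations from step 1):
#   create_cifs_group wsales "Sales Force for the Western Region"
```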

How to Add a Member to a CIFS Group

  1. Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Add a user to the CIFS group.


    # smbadm add-member -m member-name [[-m member-name] …] group-name
    

    member-name can be specified as [domain-name\]username or [domain-name/]username. The domain name is the domain in which the user can be authenticated. By default, the domain name is the name of the domain that you joined.

    The backslash character (\) is a shell special character and must be quoted. For instance, escape the backslash character with another backslash character: domain\\username. For more information about handling shell special characters, see the man page for your shell.

    For example, to add user terry of the sales domain to the wsales group, type:


    # smbadm add-member -m sales\\terry wsales
    

    To add a local user to a CIFS group, specify the Solaris host name rather than the domain name. For example, to add local user terry of the solarsystem host to the wsales group, type:


    # smbadm add-member -m solarsystem\\terry wsales
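When member names come from a file rather than the command line, the same backslash handling applies to the script that reads them. The following is an added example, not part of the original guide: the function names and the one-name-per-line file format (with # comment lines) are assumptions. It converts each name to the domain-name/username form, which the guide lists as accepted, so no backslash reaches the smbadm command line.

```shell
#!/bin/sh
# Added example: add members listed in a file to a CIFS group.
# Function names and the file format are hypothetical.

# Typed unquoted at a prompt, sales\terry reaches the command as "salesterry";
# that is why the guide escapes it as sales\\terry.

# Rewrite domain\user as domain/user; names already using "/" pass through.
normalize_member() {
    printf '%s\n' "$1" | sed 's|\\|/|'
}

# $1 = CIFS group name, $2 = file with one member name per line.
add_members_from_file() {
    group=$1
    file=$2
    set --    # reuse the positional parameters as the smbadm argument list
    # read -r is required: without -r, read itself strips the backslash.
    while IFS= read -r member || [ -n "$member" ]; do
        case $member in
            ''|'#'*) continue ;;    # skip blank lines and comments
        esac
        set -- "$@" -m "$(normalize_member "$member")"
    done < "$file"
    if [ "$#" -eq 0 ]; then
        echo "no member names found in $file" >&2
        return 1
    fi
    smbadm add-member "$@" "$group"
}

# Usage, with a constructed file containing sales\terry and solarsystem\terry:
#   add_members_from_file wsales /tmp/wsales-members.txt
```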
    

How to Remove a Member From a CIFS Group

  1. Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Remove a user from the CIFS group.


    # smbadm remove-member -m member-name [[-m member-name] …] group-name
    

    member-name can be specified as [domain-name\]username or [domain-name/]username. The domain name is the domain in which the user can be authenticated. By default, the domain name is the name of the domain that you joined.

    The backslash character (\) is a shell special character and must be quoted. For instance, escape the backslash character with another backslash character: domain\\username. For more information about handling shell special characters, see the man page for your shell.

    For example, to remove user terry of the sales domain from the wsales group, type:


    # smbadm remove-member -m sales\\terry wsales
    

    To remove a local user from a CIFS group, specify the Solaris host name rather than the domain name. For example, to remove local user terry of the solarsystem host from the wsales group, type:


    # smbadm remove-member -m solarsystem\\terry wsales
    

How to Modify CIFS Group Properties

  1. Become superuser, assume an equivalent role, obtain the solaris.smf.value.smb and solaris.smf.manage.smb RBAC authorizations, or use the “SMB Management” RBAC profile, which is part of the “File System Management” profile.

    Roles contain authorizations and privileged commands. For more information about roles, see Configuring RBAC (Task Map) in System Administration Guide: Security Services. To configure a role with the Primary Administrator profile, see Chapter 2, Working With the Solaris Management Console (Tasks), in System Administration Guide: Basic Administration.

  2. Modify one or more CIFS group properties.


    # smbadm set -p property=value [[-p property=value] …] group-name
    

    You can specify one or more property-value pairs on the command line. Each property-value pair must be preceded by the -p option. Valid values for privileges are on or off. The value of the description property is an arbitrary text string.

    For example, to grant the backup privilege and to modify the description of the wsales group, type:


    # smbadm set -p backup=on \
    -p description="Sales force for the Western region" wsales