NAME | SYNOPSIS | DESCRIPTION | OPTIONS | EXAMPLES | ENVIRONMENT VARIABLES | EXIT STATUS | FILES | ATTRIBUTES | SUMMARY OF TRUSTED SOLARIS CHANGES | SEE ALSO
The smuser command manages one or more user entries in the local /etc filesystem or a NIS or NIS+ target name service. To set audit classes, the administrator must have the solaris.admin.usermgr.audit authorization.
smuser subcommands are:
Adds a new user entry to the appropriate files. You can use a template and input file instead of supplying the additional command line options. If you use a template and command line options, the command line options take precedence and override any conflicting template values. To add an entry, the administrator must have the solaris.admin.usermgr.write authorization.
Deletes one or more user entries from the appropriate files. Note: You cannot delete the system accounts with IDs less than 100, or 60001, 60002, or 65534. To delete an entry, the administrator must have the solaris.admin.usermgr.write authorization.
Lists one or more user entries from the appropriate files. To list entries, the administrator must have the solaris.admin.usermgr.read authorization.
Modifies a user entry in the appropriate files. To modify an entry, the administrator must have the solaris.admin.usermgr.write authorization.
The smuser authentication arguments, auth_args, are derived from the smc(1M) arg set and are the same regardless of which subcommand you use. The smuser command requires the Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the Solaris Management Console server, the first smc connection might time out, so you might need to retry the command.
The subcommand-specific options, subcommand_args, must come after the auth_args and must be separated from them by the -- option.
The valid auth_args are -D, -H, -l, -p, -r, and -u; they are all optional. If no auth_args are specified, certain defaults will be assumed and the user may be prompted for additional information, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you can use either -D or --domain with the domain argument.
Specifies the default domain that you want to manage. The syntax of domain is type:/host_name/domain_name, where type is nis, nisplus, dns, ldap, or file; host_name is the name of the machine that serves the domain; and domain_name is the name of the domain you want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Management Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain on a tool-by-tool basis; this option specifies the domain for all other tools.
Specifies the host_name and port to which you want to connect. If you do not specify a port, the system connects to the default port, 898. If you do not specify host_name:port, the Solaris Management Console connects to the local host on port 898. You may still have to choose a toolbox to load into the console. To override this behavior, use the smc(1M) -B option, or set your console preferences to load a “home toolbox” by default.
Specifies the password for the role_name. If you specify a role_name but do not specify a role_password, the system prompts you to supply a role_password. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
Specifies the password for the user_name. If you do not specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.
Specifies a role name for authentication. If you do not specify this option, no role is assumed.
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.
This option is required and must always follow the preceding options. If you do not enter the preceding options, you must still enter the -- option.
Note: Descriptions and other arg options that contain white spaces must be enclosed in double quotes.
(Optional) Includes a short description of the login, which is typically the user's name. Consists of a string of up to 256 printable characters, excluding the colon (:).
(Optional) Specifies the home directory of the new user, limited to 1024 characters.
(Optional) Specifies the expiration date for a login. After this date, no user can access this login. This option is useful for creating temporary logins. Specify a null value ("") to indicate that the login is always valid.
(Optional) Specifies the maximum number of days allowed between uses of a login ID before that ID is declared invalid. Normal values are positive integers. Enter zero to indicate that the login account is always active.
(Optional) Specifies the full, descriptive name of the user. The full_name must be unique within a domain and can contain alphanumeric characters and spaces. If you use spaces, you must enclose the full_name in double quotes.
(Optional) Specifies the new user's primary group membership in the system group database with an existing group's integer ID.
(Optional) Specifies the new user's supplementary group membership in the system group database with the character string names of one or more existing groups. Duplicates of groups specified with the -g and -G options are ignored.
(Optional) Displays the command's usage statement.
Specifies the new user's login name. The login name must be unique within a domain, contain 2–32 alphanumeric characters, begin with a letter, and contain at least one lowercase letter.
(Optional) Specifies up to an eight-character password assigned to the user account. Note: When you specify a password, you type the password in plain text. Specifying a password using this method introduces a security gap while the command is running. If this option is not specified, the user is prompted to input a password upon first login to the new account. This only works on the local file system. To set the password, the administrator must have the solaris.admin.usermgr.pswd authorization.
(Optional) Specifies the full pathname (limited to 1024 characters) of the program used as the user's shell on login. Valid entries are a user-defined shell, /bin/csh (C shell), /bin/ksh (Korn shell), and the default, /bin/sh (Bourne shell).
(Optional) Specifies a template, created using the User Manager tool, that contains a set of pre-defined user attributes. You may have entered a name service server in the template. However, when a user is actually added with this template, if a name service is unavailable, the user's local server will be used for both the Home Directory Server and Mail Server.
(Optional) Specifies the user ID of the user you want to add. If you do not specify this option, the system assigns the next available unique user ID greater than 100.
(Optional) Sets the home directory to automount if set to Y. The user's home directory path in the password entry is set to /home/login_name.
(Optional) Specifies the user's clearance. clearanceval can be a string value or a hex value. If this option is not specified, the default is the user's system default clearance. To set the clearance, the administrator must have the solaris.admin.usermgr.labels authorization.
(Optional) Specifies the command to execute if the system has been idled. If LOGOUT is specified, idlecmd=logout will be recorded in user_attr. If LOCK is specified, idlecmd=lock will be recorded in user_attr. If this option is not specified, the default is the IDLECMD in the /etc/security/policy.conf file.
(Optional) Specifies the number of minutes before the specified idle command gets executed. Any integer value between 1 and 120 is valid. This value is recorded into user_attr as idletime=val. If this option is not specified, the default is the IDLETIME in the /etc/security/policy.conf file.
(Optional) Specifies the user's minimum label. labelval can be a string label or a hex label. If this option is not specified, the default is the user's system default minimum label. To set the minimum label, the administrator must have the solaris.admin.usermgr.labels authorization.
(Optional) Specifies the second part of the labelview key value pair. If SHOW is specified, labelview=*showsl will be recorded. If HIDE is specified, labelview=*hidesl will be recorded, where * is "internal,", "external,", or the empty string. If this option is not specified, the default is the LABELVIEW in the /etc/security/policy.conf file.
(Optional) Specifies if an account is locked after a specified number of failed logins. This value is recorded in user_attr as lock_after_retries. If this option is not specified, the default is the LOCK_AFTER_RETRIES in the /etc/security/policy.conf file.
(Optional) Specifies the host name of the user's mail server, and creates a mail file on the server. Users created in a local scope must have a mail server created on their local machines.
(Optional) Sets the permissions on the user's home directory. perm is interpreted as an octal number. If this option is not specified, the default is 0775.
(Optional) Specifies the maximum number of days that the user's password is valid.
(Optional) Specifies the minimum number of days between user password changes.
(Optional) Specifies how the password is changed by the user. If the AUTO option is specified, passwd=automatic will be recorded in user_attr. If MANUAL is specified, passwd=manual will be recorded in user_attr. If this option is not specified, the default is the PASSWORD in the /etc/security/policy.conf file.
(Optional) Specifies the number of days relative to pwmax that the user is warned about password expiration prior to the password expiring.
(Optional) Specifies the name of the server where the user's home directory resides. Users created in a local scope must have their home directory server created on their local machines.
(Optional) Specifies the label view type for the labelview in user_attr. If INTERNAL is specified, labelview=internal will be recorded; if EXTERNAL is specified, labelview=external will be recorded; if DEFAULT is specified, nothing will be recorded to user_attr. If this option is not specified, nothing will get recorded to user_attr by default.
(Optional) Displays the command's usage statement.
Specifies the login name of the user you want to delete.
(Optional) Specifies the additional login name(s) of the user(s) you want to delete.
(Optional) Displays the command's usage statement.
Displays the output for each user in a block of key:value pairs (for example, user name:root) followed by a blank line to delimit each user block. Each key:value pair is displayed on a separate line. The keys are: autohome setup, comment, days to warn, full name, home directory, home directory permissions, login shell, mail server, max days change, max days inactive, min days change, password expires, password type, primary group, rights, roles, secondary groups, server, user ID (UID), and user name.
Specifies the login name of the user you want to list.
(Optional) Specifies the additional login name(s) of the user(s) you want to list.
(Optional) Specifies the role(s) to add to the user account. To assign a role to a user, the administrator must have the solaris.role.assign or solaris.role.delegate authorization.
(Optional) Describes the changes you made to the user account. Consists of a string of up to 256 printable characters, excluding the colon (:).
(Optional) Specifies the user's home directory, limited to 1024 characters.
(Optional) Specifies the expiration date for a login in a format appropriate to the locale. After this date, no user can access this login. This option is useful for creating temporary logins. Specify a null value ("") to indicate that the login is always valid.
(Optional) Specifies the maximum number of days allowed between uses of a login ID before the ID is declared invalid. Normal values are positive integers. Specify zero to indicate that the login account is always active.
(Optional) Specifies the full, descriptive name of the user. The full_name must be unique within a domain and can contain alphanumeric characters and spaces. If you use spaces, you must enclose the full_name in double quotes.
(Optional) Specifies the new user's primary group membership in the system group database with an existing group's integer ID.
(Optional) Specifies the new user's supplementary group membership in the system group database with the character string names of one or more existing groups. Duplicates of groups specified with the -g and -G options are ignored.
(Optional) Displays the command's usage statement.
Specifies the user's current login name.
(Optional) Specifies the user's new login name. The login name must be unique within a domain, contain 2–32 alphanumeric characters, begin with a letter, and contain at least one lowercase letter.
(Optional) Specifies the profile(s) to add to the user account. To assign a profile to a user, the administrator must have the solaris.profmgr.assign or solaris.profmgr.delegate authorization.
(Optional) Specifies up to an eight-character password assigned to the user account.
When you specify a password, you type the password in plain text. Specifying a password using this method introduces a security gap while the command is running.
(Optional) Specifies the profile(s) to delete from the user account.
(Optional) Specifies the role(s) to delete from the user account.
(Optional) Specifies the full pathname (limited to 1024 characters) of the program used as the user's shell on login. Valid entries are a user-defined shell, /bin/csh (C shell), /bin/ksh (Korn shell), and the default, /bin/sh (Bourne shell).
(Optional) Sets up the home directory to automount if set to Y. The user's home directory path in the password entry is set to /home/login_name.
(Optional) Specifies the user's clearance. clearanceval can be a string value or a hex value. If this option is not specified, the default is the user's system default clearance. To set the clearance, the administrator must have the solaris.admin.usermgr.labels authorization.
(Optional) Specifies the command to execute if the system has been idled. If LOGOUT is specified, idlecmd=logout will be recorded in user_attr. If LOCK is specified, idlecmd=lock will be recorded in user_attr. If this option is not specified, the default is the IDLECMD in the /etc/security/policy.conf file.
(Optional) Specifies the number of minutes before the specified idle command gets executed. Any integer value between 1 and 120 is valid. This value is recorded into user_attr as idletime=val. If this option is not specified, the default is the IDLETIME in the /etc/security/policy.conf file.
(Optional) Specifies the user's minimum label. labelval can be a string label or a hex label. If this option is not specified, the default is the user's system default minimum label. To set the minimum label, the administrator must have the solaris.admin.usermgr.labels authorization.
(Optional) Specifies the second part of the labelview key value pair. If SHOW is specified, labelview=*showsl will be recorded. If HIDE is specified, labelview=*hidesl will be recorded, where * is "internal,", "external,", or the empty string. If this option is not specified, the default is the LABELVIEW in the /etc/security/policy.conf file.
(Optional) Specifies if an account is locked after a specified number of failed logins. This value is recorded in user_attr as lock_after_retries. If this option is not specified, the default is the LOCK_AFTER_RETRIES in the /etc/security/policy.conf file.
(Optional) Specifies the maximum number of days that the user's password is valid.
(Optional) Specifies the minimum number of days between password changes.
(Optional) Specifies how the password is changed by the user. If the AUTO option is specified, passwd=automatic will be recorded in user_attr. If MANUAL is specified, passwd=manual will be recorded in user_attr. If this option is not specified, the default is the PASSWORD in the /etc/security/policy.conf file.
(Optional) Specifies the number of days relative to pwmax that the user is warned about password expiration before the password expires.
(Optional) Specifies the label view type for the labelview in user_attr. If INTERNAL is specified, labelview=internal will be recorded; if EXTERNAL is specified, labelview=external will be recorded; if DEFAULT is specified, nothing will be recorded to user_attr. If this option is not specified, nothing will get recorded to user_attr by default.
The admin role connects to port 898 (which happens to be the default) of the aviary server on the nis:/birds/aves.Sun.COM domain, and adds a new user entry, kmochida. Several options are given: the password is set to $jPoP213 (note: this is insecure), the comment is set to Kaori's account, the full name is set to Kaori Mochida, the password update is set to provide a list from which the user must choose for the new password, the minimum label is set to Confidential, the clearance is set to Top Secret Able Baker, the view is internal, the labelview is set to show the labels, the idle command will be executed in 30 minutes, the system will lock when idled too long, and the account will lock after the maximum number of failed logins is reached. The system will assign the next available user ID greater than 100 to this account. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smuser add -D nis:/birds/aves.Sun.COM \
    -H aviary:898 -- -n kmochida -P '$jPoP213' -c "Kaori's account" \
    -F "Kaori Mochida" -x pwupdate=AUTO -x label=confidential \
    -x clear="TS A B" -x view=INTERNAL -x labelview=SHOW \
    -x idletime=30 -x idlecmd=LOCK -x lock=Y
The admin role deletes the kmochida user entry in the local file system. Since no authorization arguments were specified, the administrator connects to port 898 of the local host on the local server with the file domain type, which are the defaults. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smuser delete -- -n kmochida
The admin role connects to the nis:/birds/aves.Sun.COM domain and lists all user accounts on the local file system. Since the host and port were not specified, the local host and port 898 are used by default. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smuser list -D nis:/birds/aves.Sun.COM --
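The verbose list output described under the list subcommand's options (one key:value pair per line, a blank line between user blocks) is easy to post-process for account review. The following Python is an added example, not part of the man page or of Solaris: it parses a constructed sample of that block format and flags accounts worth a second look. The parse_smuser_list and audit_users names, the sample data and the review thresholds are assumptions of this example.

```python
"""Parse the block output of `smuser list -v` and audit it (added example)."""
from typing import Dict, List

# Constructed sample in the format the verbose list option documents: one
# key:value pair per line, a blank line between user blocks (not real output).
SAMPLE_OUTPUT = """\
user name:kmochida
comment:Kaori's account
home directory:/home/kmochida
home directory permissions:0775
login shell:/bin/ksh
max days inactive:0
password type:manual
roles:

user name:tempcontractor
comment:
home directory:/home/tempcontractor
home directory permissions:0777
login shell:/bin/sh
max days inactive:30
password type:automatic
roles:admin
"""


def parse_smuser_list(text: str) -> List[Dict[str, str]]:
    """One dict per user block. The documented keys contain no ':' and the
    comment field may not contain one, so the first ':' splits key/value."""
    users, current = [], {}
    for line in text.splitlines():
        if not line.strip():          # blank line closes a user block
            if current:
                users.append(current)
                current = {}
            continue
        key, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {line!r}")
        current[key.strip()] = value.strip()
    if current:                       # last block has no trailing blank line
        users.append(current)
    return users


def audit_users(users: List[Dict[str, str]],
                allowed_shells=("/bin/sh", "/bin/csh", "/bin/ksh")) -> Dict[str, List[str]]:
    """Review findings keyed by user name; the thresholds here are ours, not
    the page's, and only use fields the verbose list output documents."""
    findings: Dict[str, List[str]] = {}
    for u in users:
        problems = []
        if u.get("max days inactive") == "0":   # zero: never declared inactive
            problems.append("never declared inactive (max days inactive=0)")
        perm = u.get("home directory permissions", "")
        if perm and int(perm, 8) & 0o002:       # looser than the 0775 default
            problems.append(f"world-writable home directory ({perm})")
        if u.get("login shell") not in allowed_shells:
            problems.append(f"non-standard login shell ({u.get('login shell')})")
        if u.get("roles"):                      # roles grant rights: review them
            problems.append(f"roles assigned: {u['roles']}")
        if problems:
            findings[u.get("user name", "?")] = problems
    return findings
```

In practice you would feed the function the captured output of the list command run with its verbose option instead of SAMPLE_OUTPUT.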
The admin role connects to port 898 of the aviary server and modifies the kmochida user entry by changing the default shell to the Korn shell, the supplementary group to qa_group, the password update method to manual, the clearance to Secret Able, and having the account not lock after the maximum number of failed logins is reached. Since the domain was not specified, the file domain type and local server are used by default. The administrator is prompted for the admin password.
$ /usr/sadm/bin/smuser modify -H aviary:898 -- -n kmochida \
    -s /bin/ksh -G qa_group -x pwupdate=MANUAL -x clear="S A" \
    -x lock=N
See environ(5) for a description of the JAVA_HOME environment variable, which affects the execution of the smuser command. If this environment variable is not specified, the /usr/java location is used. See smc(1M).
The following exit values are returned:
Successful completion.
Invalid command syntax. A usage message displays.
An error occurred while executing the command. An error message displays.
The following files are used by the smuser command:
Mail aliases. See aliases(4).
Automatic mount points. See automount(1M).
Group file. See group(4).
Password file. See passwd(4).
Configuration file for security policy. See policy.conf(4).
Shadow password file. See shadow(4).
Extended user attribute database. See user_attr(4).
See attributes(5) for descriptions of the following attributes:
ATTRIBUTE TYPE | ATTRIBUTE VALUE
---|---
Availability | SUNWmga
For the list subcommand, the user must have the solaris.admin.usermgr.read authorization. To set audit classes, the user must have the solaris.admin.usermgr.audit authorization. To set the clearance or minimum label, the user must have the solaris.admin.usermgr.labels authorization. To set the password, the user must have the solaris.admin.usermgr.pswd authorization. To make most other changes, the user must have the solaris.admin.usermgr.write authorization. To assign a role to a user, the user must have the solaris.role.assign or solaris.role.delegate authorization. To assign a profile to a user, the user must have the solaris.profmgr.assign or solaris.profmgr.delegate authorization.
Additional -x security options may be specified for the add and modify subcommands.