System Administration Guide: Basic Administration

Chapter 5 Managing User Accounts and Groups (Tasks)

This chapter describes how to set up and maintain user accounts and groups by using the Solaris Management Console.

For information on the procedures associated with setting up and maintaining user accounts and groups with the Solaris Management Console, see Setting Up User Accounts (Task Map) and Maintaining User Accounts (Task Map).

For background information about managing user accounts and groups, see Chapter 4, Managing User Accounts and Groups (Overview).

Setting Up User Accounts (Task Map)

Task: (Optional) Gather user information
Description: Use a standard form to gather user information to help you keep user information organized.
For Instructions: How to Gather User Information

Task: (Optional) Customize user initialization files
Description: You can set up user initialization files (.cshrc, .profile, .login), so you can provide new users with consistent environments.
For Instructions: How to Customize User Initialization Files

Task: (Optional) Add a group
Description: You can add a group with the following tools:

    • Solaris Management Console's Groups tool
      For Instructions: How to Add a Group with the Solaris Management Console's Groups Tool

    • Solaris command line interface tools
      For Instructions: How to Add Groups and Users With CLI Tools

Task: Add a user
Description: You can add a user with the following tools:

    • Solaris Management Console's Users Tool
      For Instructions: How to Add a User With the Solaris Management Console's Users Tool

    • Solaris command line interface tools
      For Instructions: How to Add Groups and Users With CLI Tools

Task: (Optional) Set up a user template
Description: You can create a user template so you don't have to manually add all similar user properties.
For Instructions: See Solaris Management Console online help

Task: (Optional) Add rights or a role to a user
Description: You can add rights or a role to a user so the user can perform a specific command or task.
For Instructions: See Solaris Management Console online help

Task: Share the user's home directory
Description: You must share the user's home directory so the directory can be remotely mounted from the user's system.
For Instructions: How to Share a User's Home Directory

Task: Mount the user's home directory
Description: You must mount the user's home directory on the user's system.
For Instructions: How to Mount a User's Home Directory

How to Gather User Information

You can create a form like the one that follows to gather information about users before adding their accounts.

Item                              Description
User Name:
Role Name:
Profiles or Authorizations:
User Name:
UID:
Primary Group:
Secondary Groups:
Comment:
Default Shell:
Password Status and Aging:
Home Directory Server Name:
Home Directory Path Name:
Mounting Method:
Permissions on Home Directory:
Mail Server:
Department Name:
Department Administrator:
Manager:
Employee Name:
Employee Title:
Employee Status:
Employee Number:
Start Date:
Add to These Mail Aliases:
Desktop System Name:

How to Customize User Initialization Files

  1. Become superuser or assume an equivalent role on the system where the users' home directories are created and shared.

  2. Create a skeleton directory for each type of user.


    # mkdir /shared-dir/skel/user-type
    

    shared-dir

    The name of a directory that is available to other systems on the network.  

    user-type

    The name of a directory to store initialization files for a type of user. 

  3. Copy the default user initialization files into the directories you created for different types of users.


    # cp /etc/skel/local.cshrc /shared-dir/skel/user-type/.cshrc
    # cp /etc/skel/local.login /shared-dir/skel/user-type/.login
    # cp /etc/skel/local.profile /shared-dir/skel/user-type/.profile
    

    Note –

    If the account has profiles assigned to it, then the user has to launch a special version of the shell called a profile shell to use commands (with any security attributes) that are assigned to the profile. There are three profile shells corresponding to the types of shells: pfsh (Bourne shell), pfcsh (C shell), and pfksh (Korn shell).


  4. Edit the user initialization files for each user type and customize them based on your site's needs.

    For a detailed description on the ways to customize the user initialization files, see Customizing a User's Work Environment.

  5. Set the permissions for the user initialization files.


    # chmod 744 /shared-dir/skel/user-type/.*
    
  6. Verify that the permissions for the user initialization files are correct.


    # ls -la /shared-dir/skel/*
    

Example—Customizing User Initialization Files

The following example shows how to customize the C-shell user initialization file in the /export/skel/enduser directory designated for a particular type of user. For an example of a .cshrc file, see Example—.cshrc File.


# mkdir /export/skel/enduser
# cp /etc/skel/local.cshrc /export/skel/enduser/.cshrc
 
(Edit the .cshrc file.)
# chmod 744 /export/skel/enduser/.*

How to Add a Group with the Solaris Management Console's Groups Tool

Use this procedure to add a group to the system.

  1. Become superuser or assume an equivalent role.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Double-click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Double-click the System Configuration icon.

  6. Double-click the User Accounts icon.

  7. Provide the superuser password or the role password.

  8. Double-click the Groups icon.

    Use the Context help to add a group to the system.

Example—Adding a Group With the Solaris Management Console's Groups Tool

The following example identifies the steps to add the group mechanoids (group ID 101) to the system starbug. This example assumes that the launcher has been started and Users tool is open.

You can add existing users to the group when you add the group. Or, you can just add the group and then add the user to the group when you add the user.

How to Add a User With the Solaris Management Console's Users Tool

Use the following procedure to add a user to the system.

  1. Become superuser or assume an equivalent role.

  2. Start the Solaris Management Console.


    # /usr/sadm/bin/smc &
    

    For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment.

  3. Double-click the This Computer icon under the Management Tools icon in the Navigation pane.

    A list of categories is displayed.

  4. (Optional) Select the appropriate toolbox for your name service environment.

  5. Double-click the System Configuration icon.

  6. Double-click the User Accounts icon.

  7. Provide the superuser password or the role password.

  8. Double-click the Users icon.

    Use the Context help to add a user to the system.

Example—Adding a User With the Solaris Management Console's Users Tool

The following example identifies the steps to add the user kryten (user ID 1001) to the system starbug. This example assumes that the launcher has been started and Users Tool is open.

Click Next between the steps below.

How to Add Groups and Users With CLI Tools

This section provides examples of adding users and groups with CLI tools.

Example—Adding a Group and User With the groupadd and useradd Commands

The following example shows how to use the groupadd and useradd commands to add the group scutters and user scutter1 to files on the local system. These commands cannot be used to manage users in a name service environment.


# groupadd -g 102 scutters
# useradd -u 1003 -g 102 -d /export/home/scutter1 -s /bin/csh -c "Scutter 1" \
-m -k /etc/skel scutter1
64 blocks

For more information, see groupadd(1M) and useradd(1M).

Example—Adding a Group and User With the smgroup and smuser Commands

The following example shows how to use the smgroup and smuser commands to add the group gelfs and the user camille to the NIS domain solar.com on the host starbug.


# /usr/sadm/bin/smgroup add -D nis:/starbug/solar.com -- -g 103 -n gelfs
# /usr/sadm/bin/smuser add -D nis:/starbug/solar.com -- -u 1004 -n camille \
-c "Camille G." -d /export/home/camille -s /bin/csh -g gelfs

For more information, see smgroup(1M) and smuser(1M).

How to Share a User's Home Directory

  1. Become superuser or assume an equivalent role on the system that contains the home directory.

  2. Verify that the mountd daemon is running.


    # ps -ef | grep mountd
    root   176     1  0   May 02 ?        0:19 /usr/lib/nfs/mountd

    The /usr/lib/nfs/mountd line shows whether the mountd daemon is running.

  3. If the mountd daemon is not running, start it.


    # /etc/init.d/nfs.server start
    
  4. List the file systems that are shared on the system.


    # share
    
  5. Select one of the following based on whether the file system containing the user's home directory is already shared.

    1. If the user's home directory is already shared, go to the verification step below.

    2. If the user's home directory is not shared, go to Step 6.

  6. Edit the /etc/dfs/dfstab file and add the following line.


    share -F nfs /file-system
    

    file-system is the file system containing the user's home directory that you need to share. By convention, the file system is /export/home.

  7. Share the file systems listed in the /etc/dfs/dfstab file.


    # shareall -F nfs
    

    This command executes all the share commands in the /etc/dfs/dfstab file, so you do not have to wait to reboot the system.

  8. Verify that a user's home directory is shared, as follows:


    # share
    

Where to Go From Here

If the user's home directory is not located on the user's system, you have to mount the user's home directory from the system where it is located. For detailed instructions, see How to Mount a User's Home Directory.

Example—Sharing a User's Home Directory


# ps -ef | grep mountd
# /etc/init.d/nfs.server start
# share
# vi /etc/dfs/dfstab
 
(The line share -F nfs /export/home is added.)
# shareall -F nfs
# share
-               /usr/dist                ro   "" 
-               /export/home/user-name     rw   ""  
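
The share line added in Step 6 has no -o option, which share_nfs treats as read-write access for every client. The following script is an added example, not part of the original guide: it reviews dfstab lines for that default, for root= grants, and for a missing nosuid option. The sample dfstab content and host names are constructed, and the script assumes a POSIX shell (on Solaris, ksh or /usr/xpg4/bin/sh rather than the legacy /bin/sh).

```sh
#!/bin/sh
# Added example (not from the guide): review dfstab "share" lines.
# rw, ro, rw=, ro=, root= and nosuid are share_nfs options.

# audit_share_line LINE -> "<path> <findings>", or "skip" for non-share lines.
audit_share_line() {
    # Drop a quoted -d "description" so plain word splitting is safe.
    line=$(printf '%s\n' "$1" | sed 's/-d *"[^"]*"//')
    set -f                                   # no globbing while splitting
    set -- $line
    if [ "${1:-}" != "share" ]; then set +f; echo "skip"; return 0; fi
    shift
    opts="" path=""
    while [ $# -gt 0 ]; do
        case "$1" in
            -o) opts="${2:-}"; shift ;;      # option list follows -o
            -F) shift ;;                     # file system type follows -F
            /*) path="$1" ;;
        esac
        if [ $# -gt 0 ]; then shift; fi
    done
    restricted=no bare_rw=no root=no nosuid=no
    old_ifs=$IFS; IFS=,
    for o in $opts; do
        case "$o" in
            rw)           bare_rw=yes ;;
            ro|ro=*|rw=*) restricted=yes ;;
            root=*)       root=yes ;;
            nosuid)       nosuid=yes ;;
        esac
    done
    IFS=$old_ifs; set +f
    findings=""
    # With no access list, the share is read-write for every client.
    if [ "$bare_rw" = yes ] || [ "$restricted" = no ]; then findings="rw-all"; fi
    if [ "$root" = yes ]; then findings="$findings root-access"; fi
    if [ "$nosuid" = no ]; then findings="$findings setuid-allowed"; fi
    findings=${findings# }
    echo "$path ${findings:-ok}"
}

# Constructed sample dfstab content; host names are placeholders.
sample_dfstab='# constructed sample
share -F nfs /export/home
share -F nfs -o rw=client1:client2,nosuid -d "home dirs" /export/home2
share -F nfs -o ro,root=adminhost /usr/dist'

printf '%s\n' "$sample_dfstab" | while IFS= read -r l; do
    r=$(audit_share_line "$l")
    [ "$r" = skip ] || echo "$r"
done
```

Run against the real file by replacing the sample with the contents of /etc/dfs/dfstab; any line reported as rw-all is writable from every host that can reach the server.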

How to Mount a User's Home Directory

For information on automounting a home directory, see “Task Overview for Autofs Administration” in System Administration Guide: Resource Management and Network Services.

  1. Make sure that the user's home directory is shared.

    For more information, see How to Share a User's Home Directory.

  2. Log in as superuser on the user's system.

  3. Edit the /etc/vfstab file and create an entry for the user's home directory.


    system-name:/export/home/user-name - /export/home/user-name nfs - yes rw

    system-name

    The name of the system where the home directory is located. 

    /export/home/user-name

    The name of the user's home directory that will be shared. By convention, /export/home/user-name contains users' home directories. However, this could be a different file system.

    -

    Required placeholders in the entry. 

    /export/home/user-name

    The name of the directory where the user's home directory will be mounted. 

    For more information about adding an entry to the /etc/vfstab file, see Chapter 40, Mounting and Unmounting File Systems (Tasks).

  4. Create the mount point for the user's home directory.


    # mkdir -p /export/home/user-name
    
  5. Mount the user's home directory.


    # mountall
    

    All entries in the current vfstab file (whose mount at boot fields are set to yes) are mounted.

  6. Verify that the home directory is mounted.


    # mount | grep user-name
    

Example—Mounting a User's Home Directory


# vi /etc/vfstab
 
(The line venus:/export/home/ripley - /export/home/ripley nfs - yes rw is added.)
# mkdir -p /export/home/ripley
# mountall
# mount
/ on /dev/dsk/c0t0d0s0 read/write/setuid/intr/largefiles/xattr/onerror=panic/dev=...
/usr on /dev/dsk/c0t0d0s6 read/write/setuid/intr/largefiles/xattr/onerror=panic/dev=...
/proc on /proc read/write/setuid/dev=38c0000 on Sun Feb  2 18:20:07 2003
/etc/mnttab on mnttab read/write/setuid/dev=3980000 on Sun Feb  2 18:20:07 2003
/dev/fd on fd read/write/setuid/dev=39c0000 on Sun Feb  2 18:20:10 2003
/var/run on swap read/write/setuid/xattr/dev=1 on Sun Feb  2 18:20:11 2003
/tmp on swap read/write/setuid/xattr/dev=2 on Sun Feb  2 18:20:15 2003
/export/home on /dev/dsk/c0t0d0s7 read/write/setuid/intr/largefiles/xattr/onerror=...
/export/home/ripley on venus:/export/home/ripley remote/read/write/setuid/xattr/dev=...
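
The vfstab entry from Step 3 has seven whitespace-separated fields, and the mount output above shows the remote home directory mounted with setuid enabled. The following script is an added example, not part of the original guide: it checks an NFS vfstab entry against the field layout described in Step 3, notes entries that mountall will skip, and flags a missing nosuid mount option. The function name and result strings are this example's own, the sample lines other than the first are constructed, and a POSIX shell is assumed.

```sh
#!/bin/sh
# Added example (not from the guide): validate an NFS entry for /etc/vfstab.

# check_vfstab_nfs LINE -> "invalid: <reason>", a list of findings, or "ok".
check_vfstab_nfs() {
    set -f; set -- $1; set +f                # split the entry into fields
    if [ $# -ne 7 ]; then echo "invalid: expected 7 fields, got $#"; return 0; fi
    dev=$1 fsckdev=$2 mnt=$3 fstype=$4 pass=$5 atboot=$6 opts=$7
    if [ "$fstype" != nfs ]; then echo "invalid: FS type is not nfs"; return 0; fi
    case "$dev" in
        ?*:/*) ;;                            # system-name:/path
        *) echo "invalid: device to mount must be host:/path"; return 0 ;;
    esac
    case "$mnt" in
        /*) ;;
        *) echo "invalid: mount point must be an absolute path"; return 0 ;;
    esac
    # The two "-" fields are the required placeholders described in Step 3.
    if [ "$fsckdev" != "-" ] || [ "$pass" != "-" ]; then
        echo "invalid: fsck device and fsck pass must be -"; return 0
    fi
    case "$atboot" in
        yes|no) ;;
        *) echo "invalid: mount at boot must be yes or no"; return 0 ;;
    esac
    findings=""
    # mountall mounts only entries whose mount at boot field is yes.
    if [ "$atboot" = no ]; then findings="not-mounted-by-mountall"; fi
    case ",$opts," in
        *,nosuid,*) ;;
        *) findings="$findings setuid-allowed" ;;
    esac
    findings=${findings# }
    echo "${findings:-ok}"
}

# The first line is the entry from the example above; the rest are constructed.
for entry in \
    'venus:/export/home/ripley - /export/home/ripley nfs - yes rw' \
    'venus:/export/home/ripley - /export/home/ripley nfs - yes rw,nosuid' \
    'venus:/export/home/ripley - /export/home/ripley nfs - no rw,nosuid' \
    'venus:/export/home/ripley /export/home/ripley nfs - yes rw'
do
    printf '%s\n    -> %s\n' "$entry" "$(check_vfstab_nfs "$entry")"
done
```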

Maintaining User Accounts (Task Map)

Task: Modify a Group
Description: You can modify a group's name or the users in a group by using the Groups Tool.
Instructions: See Solaris Management Console online help

Task: Delete a Group
Description: You can delete a group if it is no longer needed.
Instructions: See Solaris Management Console online help

Task: Modify a User Account

    • Disable a User Account
      Description: You can temporarily disable a user account if it will be needed in the future.
      Instructions: See Solaris Management Console online help

    • Change a User's Password
      Description: You might need to change a user's password if the user forgets it.
      Instructions: See Solaris Management Console online help

    • Change Password Aging
      Description: You can force users to change their passwords periodically with User Account tool's Password Options menu.
      Instructions: See Solaris Management Console online help

Task: Delete a User Account
Description: You can delete a user account if it is no longer needed.
Instructions: See Solaris Management Console online help

Solaris User Registration

Solaris User Registration is a tool for getting information about new Solaris releases, upgrade offers, and promotions. This graphical user interface (GUI) automatically starts when you first log into your desktop. The GUI lets you register now, later, or never. The registration process also provides Sun with the user's Solaris version, survey type, platform, hardware, and locale.

Accessing Solaris Solve

Completing the Solaris User Registration process provides access to Solaris Solve(SM), an exclusive web site that offers valuable Solaris product information and solutions—all in one convenient location. It provides a quick and easy method for getting the most recent information on what's happening around the latest Solaris release. Solaris Solve also provides a preview to additional Sun contract and service opportunities.

Basically, the steps for completing Solaris User Registration and accessing Solaris Solve are:

  1. Fill in the electronic Solaris User Registration profile.

  2. Submit the profile by email or print the profile to fax or mail.

  3. Create your login ID and password to access the Solaris Solve site.

    Even if you do not access the Solaris Solve site immediately, we recommend that you create your Solaris Solve login ID and password during the Solaris User Registration process. A Solaris Solve login ID and password should contain 6 to 8 alphanumeric characters without spaces and colons.

  4. Access the Solaris Solve site.


Note –

Solaris User Registration is not invoked if the system administrator or user is logged in as superuser.


If you choose to register, a copy of the completed form is stored in $HOME/.solregis/uprops. If you choose to never register and change your mind later, you can start User Registration by:

For more information, see solregis(1).

Troubleshooting Solaris User Registration Problems

This section provides troubleshooting tips for solving Solaris User Registration problems.

The following table describes problems that may occur when you try to register, and actions required to resolve these conflicts.

Table 5–1 Registration Problem Descriptions and Suggested Resolutions

Problem Description: The registration form failed to initialize. A web page window is displayed and requests that the user see the system administrator to resolve the problem that prevents registration setup.
How to Resolve the Problem: Check for missing registration files.

Problem Description: The form could not be emailed. A dialog box is displayed and requests that the user see the system administrator to resolve the problem.
How to Resolve the Problem: Check to see if email is configured correctly. Also check if CDE is on the user's system since it must be present to email the completed registration form. Alternatively, users can print the form and fax or mail it.

Problem Description: The form could not be printed. A dialog box is displayed and requests that the user see the system administrator to resolve the problem.
How to Resolve the Problem: Check to see if the printer is configured correctly. Alternatively, the user can email the form.

Problem Description: The form could not be saved. A dialog box is displayed and verifies that registration succeeded; however, the registration information cannot be recalled when updating registration in the future.
How to Resolve the Problem: Check the user's home directory. Required action depends on the system's configuration.

Problem Description: You forgot your Solaris Solve login ID and password.
How to Resolve the Problem: Send a mail message describing the problem to SolarisSolve@sun.com or see How to Restart Solaris User Registration.

Problem Description: You want to restart the registration process.
How to Resolve the Problem: See How to Restart Solaris User Registration.

How to Restart Solaris User Registration

Use the following procedure to restart the Solaris User Registration process.

  1. Change to the $HOME/.solregis directory.


    % cd $HOME/.solregis
    
  2. Remove the uprops file.


    % rm uprops
    
  3. Restart the registration process.


    % /usr/dt/bin/solregis &
    

How To Disable User Registration

You can disable User Registration before or after installing Solaris software. Before disabling Solaris User Registration, Sun recommends that system administrators register for their organization.

  1. To disable user registration before installing the Solaris release, select one of the following:

    • Deselect the SUNWsregu package (interactive installation).

    • Modify a custom JumpStart profile to not install the SUNWsregu package.

    • Create and run a finish script that creates a file named solregis in the /etc/default directory on one or more systems with the following line in the script:


      DISABLE=1

    For more information see Solaris 9 Installation Guide or solregis(1).

  2. To disable user registration after installing the Solaris release, select one of the following:

    • Remove the SUNWsregu package

    • Add the solregis file to the /etc/default directory.