Managing User Accounts and User Environments in Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
The following tasks describe how to set up and manage user accounts by using the CLI.
When setting up user accounts you can create a form similar to the following form to gather information about users before setting up their accounts.
$ su -
Password:
#
# mkdir /shared-dir/skel/user-type
user-type
    The name of a directory to store initialization files for a type of user.
For a detailed description on the ways to customize the user initialization files, see Customizing a User's Work Environment.
# chmod 744 /shared-dir/skel/user-type/.*
# ls -la /shared-dir/skel/*
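The skeleton-directory procedure above, as an added example that is not part of the Oracle documentation. It builds a per-user-type skeleton directory and applies the documented 0744 mode, with one caveat a practitioner will want: the glob /shared-dir/skel/user-type/.* also matches the directory entries "." and "..", so the script applies chmod to each dot-file individually and skips those two. The skeleton root, the user type "engineer", and the .profile and .kshrc contents are constructed placeholders so the script runs in a temporary directory on any POSIX system; on a real system SKEL_ROOT would be /shared-dir/skel.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): build a
# per-user-type skeleton directory and set mode 0744 on its initialization
# files without touching "." and "..". All paths and file contents are
# constructed; on a live system SKEL_ROOT would be /shared-dir/skel.
set -u

# make_skel SKEL_ROOT USER_TYPE: create SKEL_ROOT/USER_TYPE and populate it
# with constructed .profile and .kshrc initialization files, then fix modes.
make_skel() {
    skel="$1/$2"
    mkdir -p "$skel" || return 1
    cat > "$skel/.profile" <<'EOF'
# constructed sample .profile for this user type (not a Solaris default)
PATH=/usr/bin:/usr/sbin; export PATH
umask 022
EOF
    cat > "$skel/.kshrc" <<'EOF'
# constructed sample .kshrc for this user type (not a Solaris default)
set -o vi
EOF
    fix_skel_modes "$skel"
}

# fix_skel_modes DIR: chmod 744 every dot-file in DIR, one file at a time.
# The documented glob DIR/.* also expands to "." and "..", so each match is
# checked before chmod is applied; only regular files are changed.
fix_skel_modes() {
    dir="$1"
    for f in "$dir"/.*; do
        case "$(basename "$f")" in
            .|..) continue ;;
        esac
        [ -f "$f" ] || continue
        chmod 744 "$f" || return 1
    done
    return 0
}

# skel_mode_ok DIR: succeed only if every dot-file in DIR is mode 0744.
# The mode string comes from ls -ld (portable across Solaris, Linux, BSD).
skel_mode_ok() {
    dir="$1"
    for f in "$dir"/.*; do
        case "$(basename "$f")" in
            .|..) continue ;;
        esac
        [ -f "$f" ] || continue
        perm=$(ls -ld "$f" | cut -c1-10)
        [ "$perm" = "-rwxr--r--" ] || return 1
    done
    return 0
}

# Stand-alone demonstration in a temporary directory.
SKEL_ROOT=$(mktemp -d)
make_skel "$SKEL_ROOT" "engineer"
skel_mode_ok "$SKEL_ROOT/engineer" && echo "skeleton ok: $SKEL_ROOT/engineer"
ls -la "$SKEL_ROOT/engineer"
```

On a real system, run make_skel as a role with the User Management rights profile, then pass the resulting directory to useradd -k, as the page's Example 2-2 does with /etc/skel.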
In the following procedure, the administrator has customized a roles directory. The administrator changes the default home directory and skeleton directory for all roles.
# roleadd -D
group=other,1 project=default,3 basedir=/home skel=/etc/skel shell=/bin/pfsh inactive=0 expire= auths= profiles=All limitpriv= defaultpriv= lock_after_retries=
# roleadd -D -b /export/home -k /etc/skel/roles
# roleadd -D
group=staff,10 project=default,3 basedir=/export/home skel=/etc/skel/roles shell=/bin/sh inactive=0 expire= auths= profiles= roles= limitpriv= defaultpriv= lock_after_retries=
Future uses of the roleadd command create home directories in /export/home, and populate the roles' environment from the /etc/skel/roles directory.
Note the following guidelines for setting up user accounts by using the CLI:
In this release, user accounts are created as Oracle Solaris ZFS file systems. As an administrator, when you create user accounts, you are giving users their own file system and their own ZFS dataset. Every home directory that is created by using the useradd and roleadd commands places the home directory of the user on the /export/home file system as an individual ZFS file system. As a result, users have the ability to back up their home directories, create ZFS snapshots of their home directories, and replace files in their current home directory from the ZFS snapshots that they created.
To set up user accounts, you must assume the root role or a role that has the appropriate rights profile, for example, the User Management rights profile. See How to Use Your Assigned Administrative Rights in Oracle Solaris 11.1 Administration: Security Services.
When you create a user account with the useradd command, you must specify the -m option in the command syntax. Otherwise, a home directory will not be created for the user.
For example, the following command will create a home directory for the user jdoe:
# useradd -m jdoe
But, the following syntax will not create a home directory for the user:
# useradd jdoe
Note - The only exception to this rule is if you want the pam_zfs_key module to create an encrypted home directory for the user. In this case, you would not specify the -m option with the useradd command. See the pam_zfs_key(5) and zfs_encrypt(1M) man pages.
The useradd command creates entries in the auto_home map only if the -d option is specified with hostname:/pathname. Otherwise, the path name that is specified is updated as the home directory for the user in the passwd database, and no auto_home map entry is created. Home directories that are specified in the auto_home automounter map are only mounted if the autofs service is enabled.
For example, if you specify the -d option to create a user as follows, the user is created without an auto_home entry, and the passwd entry specifies /export/home/user1 as the user's home directory:
# useradd -d /export/home/user1 user1
But, if you use the -d option to create the user as follows, the user will have an auto_home entry, and the passwd database will contain /home/user1, indicating a dependency on the autofs service:
# useradd -d localhost:/export/home/user1 user1
If the pathname of the home directory includes a remote host specification, for example, foobar:/export/home/jdoe, then the home directory for jdoe must be created on the system foobar. The default pathname is localhost:/export/home/username.
When the file system is a ZFS dataset, which is the case for all of Oracle Solaris 11, the user's home directory is created as a child ZFS dataset, with the ZFS permission to take snapshots delegated to the user. If a pathname is specified that does not correspond to a ZFS dataset, then a regular directory is created. If the -S ldap option is specified, then the auto_home map entry is updated on the LDAP server instead of the local auto_home map.
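The -d rule in the guidelines above decides whether a login depends on the autofs service, which is worth auditing after the fact: a passwd entry under /home with no matching auto_home entry means the home directory cannot be mounted at login. The following is an added example, not part of the Oracle documentation. The passwd and auto_home lines are constructed sample data embedded in the script so it runs offline; on a live system they would come from getent passwd and /etc/auto_home (or the LDAP auto_home map when -S ldap was used).

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): classify
# useradd -d arguments and audit existing accounts for the autofs dependency
# described in the guidelines. All input below is constructed sample data.
set -u

# Constructed passwd entries: jdoe and alice were created with
# -d localhost:/export/home/NAME (passwd points under /home, auto_home has an
# entry), bob with -d /export/home/bob (direct path, no map entry needed),
# and carol points under /home but her map entry is missing.
PASSWD_SAMPLE='jdoe:x:1001:10:Jane Doe:/home/jdoe:/bin/bash
alice:x:1002:10:Alice:/home/alice:/bin/ksh
bob:x:1003:10:Bob:/export/home/bob:/bin/sh
carol:x:1004:10:Carol:/home/carol:/bin/sh'

# Constructed auto_home map in the hostname:/pathname form useradd writes.
AUTO_HOME_SAMPLE='jdoe localhost:/export/home/jdoe
alice localhost:/export/home/alice'

# home_spec_kind SPEC: classify a useradd -d argument the way the guidelines
# describe it. "host:/path" produces an auto_home entry; a plain absolute
# path is written to the passwd database only.
home_spec_kind() {
    case "$1" in
        *:/*) echo "auto_home" ;;
        /*)   echo "passwd_only" ;;
        *)    echo "invalid" ;;
    esac
}

# audit_homes PASSWD_DATA AUTO_HOME_DATA: print one line per user:
#   USER autofs HOST:/PATH  - passwd points under /home and a map entry exists
#   USER direct /PATH       - passwd points at a directory mounted without autofs
#   USER no-map /home/USER  - passwd points under /home but auto_home has no
#                             entry, so login fails unless the map is repaired
audit_homes() {
    printf '%s\n' "$1" | awk -v maptext="$2" '
        BEGIN {
            # Load the auto_home map (key: user, value: host:/path).
            n = split(maptext, lines, "\n")
            for (i = 1; i <= n; i++) {
                m = split(lines[i], w, " ")
                if (m >= 2) map[w[1]] = w[2]
            }
            FS = ":"
        }
        NF >= 6 {
            user = $1; home = $6
            if (home ~ /^\/home\//) {
                if (user in map) print user, "autofs", map[user]
                else print user, "no-map", home
            } else {
                print user, "direct", home
            }
        }'
}

# Stand-alone run against the constructed sample.
echo "-d localhost:/export/home/user1 ->" "$(home_spec_kind localhost:/export/home/user1)"
echo "-d /export/home/user1           ->" "$(home_spec_kind /export/home/user1)"
audit_homes "$PASSWD_SAMPLE" "$AUTO_HOME_SAMPLE"
```

A "no-map" line is the case to act on: either add the auto_home entry (useradd -d hostname:/pathname form) or correct the passwd home directory with usermod so it no longer depends on autofs.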
By default, the user is created locally. If you include the -S ldap option, the user is created in an existing LDAP repository.
# useradd -d dir -m username
useradd
    Creates an account for the specified user.
-d dir
    Specifies the location of the home directory of the user. Use -d localhost:/export/home/username instead of -d /export/home/username to force the entry to be written to auto_home.
-m
    Creates a local home directory on the system for the user.
If you specify the -d dir option as follows, the user is created without an auto_home entry, and the passwd entry specifies /export/home/user1 as the user's home directory:
# useradd -d /export/home/user1 user1
If you specify the -d dir option as follows, the user will have an auto_home entry, and the passwd database will contain /home/user1, indicating a dependency on the autofs service:
# useradd -d localhost:/export/home/user1 user1
Note - If you want the pam_zfs_key module to create an encrypted home directory for the user, do not specify the -m option with the useradd command. See Guidelines for Setting Up User Accounts.
For a detailed description of all of the options and arguments that you can specify with the useradd command, see the useradd(1M) man page.
Note - The account is locked until you assign the user a password.
# passwd username
New password: Type user password
Re-enter new password: Retype password
For more command options, see the useradd(1M) and passwd(1) man pages.
See Also
After creating a user, you might need to perform some additional tasks, including adding and assigning roles to a user, listing and changing the rights profiles of a user, and changing the RBAC properties of a user. For more information, see the following references:
How to Create a Role in Oracle Solaris 11.1 Administration: Security Services and How to Assign a Role in Oracle Solaris 11.1 Administration: Security Services
How to View All Defined Security Attributes in Oracle Solaris 11.1 Administration: Security Services
How to Create a Rights Profile in Oracle Solaris 11.1 Administration: Security Services
The usermod command is used to change the definition of a user's login and make appropriate login-related file system changes for the user.
See the usermod(1M) man page for details about the arguments and options that you can specify with the usermod command.
For example, to add a role to a user, you would type:
# usermod -R role username
Example 2-1 Setting Per-User PAM Policy by Modifying a User's Account
The following example shows how to modify a user to set PAM policy. This particular modification specifies that user jdoe should only be authenticated with the Kerberos V5 protocol for all PAM services. See pam_user_policy(5) for more information.
# usermod -K pam_policy=krb5_only jdoe
See Also
See the following references for additional examples of modifying a user:
$ su -
Password:
#
Note - This method works whether root is a user account or a role.
# userdel -r username
userdel
    Deletes the account of the specified user.
-r
    Removes the account from the system.
Because user home directories are now ZFS datasets, the preferred method for removing a local home directory for a deleted user is to specify the -r option with the userdel command.
# userdel username
You must manually delete the user's home directory on the remote server.
For a full list of command options, see the userdel(1M) man page.
Next Steps
Additional cleanup might be required if the user that you deleted had administrative responsibilities, for example creating cron jobs, or if the user had additional accounts in non-global zones.
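The "Next Steps" cleanup above can be checked rather than remembered. The following is an added example, not part of the Oracle documentation: after userdel, it reports artifacts that commonly survive a deletion. It assumes the conventional Solaris locations for per-user crontab files (/var/spool/cron/crontabs/username) and mail spools (/var/mail/username) plus the /export/home home-directory base described on this page; the directory tree it inspects is constructed under a temporary root so the script runs anywhere, and on a live system ROOT would simply be empty (the real filesystem). Non-global zones, which the text also mentions, are outside what a single-zone script can inspect.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): report leftover
# artifacts for a deleted user. Assumed Solaris paths: /var/spool/cron/crontabs
# for crontabs, /var/mail for mail spools, /export/home for home directories.
set -u

# leftovers USER [ROOT]: print one line per leftover artifact found for USER
# beneath ROOT (empty ROOT means the live filesystem); return 0 if nothing
# remains, 1 if any cleanup is still required.
leftovers() {
    user="$1"; root="${2:-}"
    found=0
    for path in \
        "$root/var/spool/cron/crontabs/$user" \
        "$root/var/mail/$user" \
        "$root/export/home/$user"
    do
        if [ -e "$path" ]; then
            echo "leftover: $path"
            found=1
        fi
    done
    # A passwd entry that still resolves means the account itself is not gone.
    if command -v getent >/dev/null 2>&1 && getent passwd "$user" >/dev/null 2>&1; then
        echo "leftover: passwd entry for $user"
        found=1
    fi
    return $found
}

# demo_root: build a constructed tree in which user "jdoe" was deleted
# without -r, leaving a crontab file and a home directory behind. Prints
# the temporary root so callers can pass it to leftovers.
demo_root() {
    r=$(mktemp -d)
    mkdir -p "$r/var/spool/cron/crontabs" "$r/var/mail" "$r/export/home/jdoe"
    echo '0 2 * * * /export/home/jdoe/backup.sh' > "$r/var/spool/cron/crontabs/jdoe"
    echo "$r"
}

# Stand-alone run against the constructed tree.
ROOT=$(demo_root)
leftovers jdoe "$ROOT" || echo "cleanup still required for jdoe"
```

A leftover crontab is the item most worth catching: cron jobs belonging to a removed administrator keep running under whatever UID is later assigned that name, so remove them with crontab -r as that user before deletion, or delete the spool file afterwards.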
When an administrator creates a group, the system assigns the solaris.group.assign/groupname authorization to that administrator, giving the administrator complete control over that group. If another administrator who has the same authorization creates a group, that administrator has control over that group. An administrator who has control of one group cannot administer the group of the other administrator. For more information, see the groupadd(1M) and groupmod(1M) man pages.
# cat /etc/group
$ groupadd -g 18 exadata
groupadd
    Creates a new group definition on the system by adding the appropriate entry to the /etc/group file.
-g
    Assigns the group ID for the new group.
For more information, see the groupadd(1M) man page.
Example 2-2 Setting Up a Group and User With the groupadd and useradd Commands
The following example shows how to use the groupadd and useradd commands to add the group scutters and the user scutter1 to files on the local system.
# groupadd -g 102 scutters
# useradd -u 1003 -g 102 -d /export/home/scutter1 -s /bin/csh \
    -c "Scutter 1" -m -k /etc/skel scutter1
64 blocks
For more information, see the groupadd(1M) and useradd(1M) man pages.
In this Oracle Solaris release, you can share a ZFS file system by setting the share.nfs property or the share.smb property. Or, you can create a file system share by using the zfs share command. By default, all file systems are unshared.
By default, the pool/export/home dataset is already mounted on /export/home. The useradd command automatically creates per-user datasets as children of this dataset. As an administrator, you can choose to create a new pool for user home directories. The following procedure describes these steps.
For more information about sharing and unsharing file systems, see Sharing and Unsharing ZFS File Systems in Oracle Solaris 11.1 Administration: ZFS File Systems.
# zpool create users mirror c1t1d0 c1t2d0 mirror c2t1d0 c2t2d0
# zfs create users/home
# zfs set share.nfs=on users/home
When using this new syntax, each file system contains an "auto share" that is created as soon as the share.nfs property (or the share.smb property) is set to on for that file system. The previous command shares a file system named users/home and all of its children.
# zfs get -r share.nfs users/home
The -r option displays all of the descendent file systems.
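Because share.nfs is inherited, the zfs get -r output above is the place to confirm that no child home directory has a local override that quietly leaves it unshared (or shared when the parent is not). The following is an added example, not part of the Oracle documentation: it parses the NAME/PROPERTY/VALUE/SOURCE columns that zfs get prints. The output it reads is a constructed sample embedded in the script so it runs without ZFS; on a live system it would be fed the real output of zfs get -r share.nfs users/home.

```shell
#!/bin/sh
# Added example (not from the Oracle Solaris documentation): check
# "zfs get -r share.nfs" output for datasets that are not shared and for
# children that override the parent's setting locally. The sample output
# below is constructed; the dataset names follow the page's users/home layout.
set -u

ZFS_GET_SAMPLE='NAME              PROPERTY   VALUE  SOURCE
users/home        share.nfs  on     local
users/home/alice  share.nfs  on     inherited from users/home
users/home/bob    share.nfs  off    local
users/home/carol  share.nfs  on     inherited from users/home'

# unshared_datasets OUTPUT: print the NAME of every dataset whose share.nfs
# VALUE is not "on". The header line is skipped.
unshared_datasets() {
    printf '%s\n' "$1" | awk 'NR > 1 && $2 == "share.nfs" && $3 != "on" { print $1 }'
}

# local_overrides OUTPUT PARENT: print descendants of PARENT whose share.nfs
# SOURCE is "local" rather than inherited; these are the datasets where the
# setting made on PARENT no longer applies.
local_overrides() {
    printf '%s\n' "$1" | awk -v parent="$2" '
        NR > 1 && $2 == "share.nfs" && $1 != parent \
            && index($1, parent "/") == 1 && $4 == "local" { print $1 }'
}

# Stand-alone run against the constructed sample. On a live system replace
# "$ZFS_GET_SAMPLE" with "$(zfs get -r share.nfs users/home)".
echo "Not shared:"
unshared_datasets "$ZFS_GET_SAMPLE"
echo "Local overrides under users/home:"
local_overrides "$ZFS_GET_SAMPLE" users/home
```

A dataset listed by local_overrides can be returned to the parent's setting with zfs inherit share.nfs dataset, after which zfs get -r should show it as inherited again.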
User accounts that are created as ZFS file systems do not typically need to be manually mounted. With ZFS, file systems are automounted when they are created and then mounted at boot time from the SMF local file system service.
When creating user accounts, make sure home directories are set up as they are in the name service, at /home/username. Then, make sure that the auto_home map indicates the NFS path to the user's home directory. For task-related information, see Task Overview for Autofs Administration in Managing Network File Systems in Oracle Solaris 11.1.
If you need to manually mount a user's home directory, use the zfs mount command. For example:
# zfs mount users/home/alice
Note - Make sure that the user's home directory is shared. For more information, see How to Share Home Directories That Are Created as ZFS File Systems.