- administer a new user login on the system
useradd [-A authorization [,authorization...]] [-b base_dir] [-c comment] [-d dir] [-e expire] [-f inactive] [-g group] [-G group [,group]...] [-K key=value] [-m [-k skel_dir]] [-p projname] [-P profile [,profile...]] [-R role [,role...]] [-s shell] [-S repository] [-u uid [-o]] login
useradd -D [-A authorization [,authorization...]] [-b base_dir] [-s shell [-k skel_dir]] [-e expire] [-f inactive] [-g group] [-K key=value] [-p projname] [-P profile [,profile...]] [-R role [,role...]]
useradd adds a new user to the passwd, shadow, and user_attr databases in the files and ldap repositories. The -A and -P options respectively assign authorizations and profiles to the user. The -R option assigns roles to a user. The -p option associates a project with a user. The -K option adds a key=value pair to user_attr entry for the user. Multiple key=value pairs may be added with multiple -K options.
useradd also creates supplementary group memberships for the user (-G option) and creates the home directory (-m option) for the user if requested. The new login remains locked until the passwd(1) command is executed.
Specifying useradd -D with the -s, -k,-g, -b, -f, -e, -A, -P, -p, -R, or -K option (or any combination of these options) sets the default values for the respective fields. See the -D option, below. Subsequent useradd commands without the -D option use these arguments.
The system file entries created with this command have a limit of 2048 characters per line. Specifying long arguments to several options can exceed this limit.
An administrator must be granted the User Management Profile to be able to create a new user. The authorizations required to set the various fields in passwd, shadow and user_attr can be found in passwd(4), shadow(4), and user_attr(4). The authorizations required to assign groups and projects can be found in group(4) and project(4).
The following options are supported:
One or more comma-separated authorizations defined in auth_attr(4). Only a user or role who has grant rights to the authorization can assign it to an account.
The base directory for new login home directories (see the -d option below. When a new user account is being created, base_dir must already exist unless the -m option or the -d option is also specified.
Any text string. It is generally a short description of the login, and is currently used as the field for the user's full name. This information is stored in the user's passwd entry.
Specifies the auto_home entry for the new user. The path /home/username is entered in /etc/passwd. When the user subsequently references /home/username, the automounter will mount the directory specified here on /home/username.
The argument to the -d option can be specified as server:dir where server is the hostname of the machine on which the home directory resides and dir is the path to the user's home directory. If the server is a remote host, then the home directory needs to be created on the remote host for the system to mount it, when the user logs in. If no server name is specified then the home directory will be created on the host where the command is executed, when the -m option is used.
Display the default values for group, base_dir, skel_dir, shell, inactive, expire, proj, projname and key=value pairs. When used with the -g, -b, -f, -e, -A, -P, -p, -R, or -K options, the -D option sets the default values for the specified fields. The default values are:
other (GID of 1)
Specify the expiration date for a login. After this date, no user will be able to access this login. The expire option argument is a date entered using one of the date formats included in the template file /etc/datemsk. See getdate(3C).
If the date format that you choose includes spaces, it must be quoted. For example, you can enter 10/6/90 or October 6, 1990. A null value (" ") defeats the status of the expired date. This option is useful for creating temporary logins.
The maximum number of days allowed between uses of a login ID before that ID is declared invalid. Normal values are positive integers. A value of 0 defeats the status.
An existing group's integer ID or character-string name. Without the -D option, it defines the new user's primary group membership and defaults to the default group. You can reset this default value by invoking useradd -D -g group. GIDs 0-99 are reserved for allocation by the Solaris Operating System.
An existing group's integer ID or character-string name. It defines the new user's supplementary group membership. Duplicates between group with the -g and -G options are ignored. No more than NGROUPS_MAX groups can be specified. GIDs 0-99 are reserved for allocation by the Solaris Operating System.
A key=value pair to add to the user's attributes. Multiple -K options may be used to add multiple key=value pairs. The generic -K option with the appropriate key may be used instead of the specific implied key options (-A, -P, -R, -p). See user_attr(4) for a list of valid key=value pairs. The “type” key is not a valid key for this option. Keys may not be repeated.
A directory that contains skeleton information (such as .profile) that can be copied into a new user's home directory. This directory must already exist. The system provides the /etc/skel directory that can be used for this purpose.
Create the new user's home directory if it does not already exist. If the directory already exists, it must have read, write, and execute permissions by group, where group is the user's primary group. If the server name specified to the -d option is a remote host then the system will not attempt to create the home directory.
If the directory does not already exist, a new ZFS dataset will be created. In the global zone, the dataset is created as rpool/export/home/username. For non-global zones, the dataset will be created as ROOT-dataset/export/home/username. The mountpoint for the ZFS dataset is /export/home/username by default. If -d path is specified and it is a path on the local machine, the dataset will be mounted at the specified location. The user is delegated permissions to create ZFS snapshots and promote them. The newly created dataset will inherit the encryption setting from its parent. If it is encrypted, the user is granted permission to change its wrapping key.
This option allows a UID to be duplicated (non-unique).
One or more comma-separated execution profiles defined in prof_attr(4).
Name of the project with which the added user is associated. See the projname field as defined in project(4).
One or more comma-separated execution profiles defined in user_attr(4). Roles cannot be assigned to other roles.
Full pathname of the program used as the user's shell on login. If unspecified, it will default to any value previously configured with the -D -s option. If no default has been set with -D -s, then /usr/bin/bash will be used. The value of shell must be a valid executable file.
The valid repositories are files, ldap. The repository specifies which name service will be updated. The default repository is files. When the repository is files, the authorizations, profiles, and roles can be present in other name service repositories and can be assigned to a user in the files repository. When the repository is ldap, all the assignable attributes must be present in the ldap repository.
The UID of the new user. This UID must be a non-negative decimal integer below MAXUID as defined in <sys/param.h>. The UID defaults to the next available (unique) number above the highest number currently assigned. For example, if UIDs 100, 105, and 200 are assigned, the next default UID number will be 201. UIDs 0-99 are reserved for allocation by the Solaris Operating System.
See attributes(5) for descriptions of the following attributes:
passwd(1), profiles(1), roles(1), users(1B), groupadd(1M), groupdel(1M), groupmod(1M), grpck(1M), logins(1M), pwck(1M), userdel(1M), usermod(1M), getdate(3C), auth_attr(4), group(4), passwd(4), prof_attr(4), project(4), user_attr(4), attributes(5)
In case of an error, useradd displays an error message and exits with a non-zero status.
The following indicates that login specified is already in use:
UX: useradd: ERROR: login is already in use. Choose another.
The following indicates that the uid specified with the -u option is not unique:
UX: useradd: ERROR: uid uid is already in use. Choose another.
The following indicates that the group specified with the -g option has not yet been created:
UX: useradd: ERROR: group group does not exist. Choose another.
The following indicates that the uid specified with the -u option is in the range of reserved UIDs (from 0-99):
UX: useradd: WARNING: uid uid is reserved.
The following indicates that the uid specified with the -u option exceeds MAXUID as defined in <sys/param.h>:
UX: useradd: ERROR: uid uid is too big. Choose another.
The following indicates that the /etc/passwd or /etc/shadow files do not exist:
UX: useradd: ERROR: Cannot update system files - login cannot be created.
The following indicates that the user executing the command does not have sufficient authorization to perform the operation:
UX: roleadd: ERROR: Permission denied.
The following indicates that an invalid directory was specified in a useradd command:
UX: invalid_directory is not a valid directory. Choose another.
The useradd utility adds definitions to the passwd, shadow, group, project, and user_attr databases in the scope (default or specified). It will verify the uniqueness of the user name (or role) and user id and the existence of any group names specified against the external name service.