Managing User Accounts by Using CLI

This section describes different procedures for managing user accounts.

How to Add a User

  1. Become an administrator or a user with the User Management rights profile.
  2. Create a local user.
    # useradd -d dir -m [-S ldap] username -z no|yes|nodelegation
    -d dir
    Specifies the location of the home directory of the user. An optional server name can be added to the directory path, such as system1:/home/export/jdoe. The host information is written to auto_home and used by the automounter to mount the home directory.
    -m
    Creates a local home directory on the system for the user if the directory does not yet exist. However, if the -d option specifies a host that is remote, then the home directory is not created.
    If the directory does not yet exist, the home directory is created under the parent directory, which is assumed to be the mount point of a ZFS dataset, such as export/home. The newly created directory is created as a multilevel dataset.
    -S ldap
    This option indicates that you are using LDAP and its repository for the account information. If you use LDAP, you can also assign default attributes to the default@ user name, which are applied to all users. For example:
    $ useradd -S ldap -K user-attributes default@
    Multiple values can be specified for user-attributes, in the format key=value. These attributes are detailed in the user_attr(5) man page.

    For more information, see How to Assign Default User Attributes for LDAP Accounts.

    -z yes|no|nodelegation
    Specifies whether the home directory of a new user account is created as a plain directory or as a ZFS file system, and with which delegations:
    no
    Specifies that a new user account has a home directory that is a directory rather than a ZFS file system.
    yes
    Specifies that a new user account has a home directory that is a ZFS file system with the delegations specified by the zfs allow snapshot,mount,create command.
    nodelegation
    Specifies that a new user account has a home directory that is a ZFS file system with no delegations.

    Note:

    After creating a user, you might need to perform some additional tasks, including adding and assigning roles to a user, and displaying or changing the rights profiles of a user. For more information, see “Creating a Role” in Securing Users and Processes in Oracle Solaris 11.4.

How to Modify a User Account

The usermod command is used to change the definition of a user's login and make appropriate login-related file system changes for the user.
  1. Become an administrator or a user with the User Management rights profile.
  2. Modify the user account, as required.
    For example, to add a role to a user, you would type:

    # usermod -R role username

    See the usermod(8) man page for details about the arguments and options that you can specify with the usermod command.

Example 1 Setting Per-User PAM Policy by Modifying a User's Account

This example shows how to modify a user to set PAM policy. This particular modification specifies that user jdoe should only be authenticated with the Kerberos V5 protocol for all PAM services. For more information, see the pam_user_policy(7) man page.

# usermod -K pam_policy=krb5_only jdoe

For additional information, see “Creating a Role” in Securing Users and Processes in Oracle Solaris 11.4.

How to Unlock a User Account

  1. Become an administrator or a user with the User Security rights profile.
  2. Check the status of the user account that you need to unlock.
    $ passwd -s username
    username LK
  3. Unlock the user account.
    $ passwd -u username
    passwd: password information changed for username
  4. Check if the desired user account has been unlocked.
    $ passwd -s username
    username PS

Note:

For more information about unlocking a user account, see Guidelines for Assigning User Names, UIDs, and GIDs and the passwd(1) man page.

How to Delete a User

  1. Become an administrator.
    $ su -
    Password:
    #

    Note:

    This method works whether root is a user account or a role.
  2. Archive the home directory of the user.
  3. Delete the user.

    Use one of the following commands:

    • Use the useradm command.
      $ useradm delete [-S [files | ldap]] username
    • Use the userdel command.
      $ userdel -r username

      The -r option removes the user's home directory along with the account.

      The preferred method for removing a local home directory for a deleted user is to specify the -r option with the userdel command. This method is preferred because user home directories are now ZFS datasets. If the user's home directory is on a remote server, delete the account without the -r option and remove the home directory manually on that server:

      $ userdel username

      For a full list of command options, see the userdel(8) man page.

  4. Confirm the user account has been deleted.
    $ useradm list [-S [files | ldap]] username

Next Steps: Additional cleanup might be required if the user that you deleted had administrative responsibilities, for example, creating cron jobs, or if the user had additional accounts in nonglobal zones.
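As an added example (not part of the Oracle documentation), the following POSIX shell script carries out steps 2 and 3 above in the safe order: it archives and verifies the home directory before any account removal, and calls userdel -r only if that command is present on the host. The function names and the archive path are assumptions.

```shell
#!/bin/sh
# Added example (not from the Oracle documentation): archive a user's home
# directory and verify the archive before the account is removed, which is
# the order of steps 2 and 3 above. Assumes a POSIX shell with tar available.

# archive_home HOMEDIR ARCHIVE
# Writes a tar archive of HOMEDIR to ARCHIVE, confirms that the archive lists
# the directory, restricts it to the owner, and prints the archive path.
archive_home() {
    home=$1
    archive=$2
    [ -d "$home" ] || { echo "archive_home: $home is not a directory" >&2; return 1; }
    name=$(basename "$home")
    # -C keeps the paths relative, so the archive restores under any parent.
    tar -cf "$archive" -C "$(dirname "$home")" "$name" || return 1
    # Verify the archive is readable and contains the directory before relying on it.
    if ! tar -tf "$archive" | grep -q "^$name/"; then
        echo "archive_home: verification of $archive failed" >&2
        return 1
    fi
    chmod 600 "$archive" || return 1
    echo "$archive"
}

# delete_user USERNAME HOMEDIR ARCHIVE
# Removes the account with userdel -r only after archive_home has succeeded.
delete_user() {
    archive=$(archive_home "$2" "$3") || return 1
    echo "archived $2 to $archive"
    if command -v userdel >/dev/null 2>&1; then
        userdel -r "$1"
    else
        echo "delete_user: userdel is not available on this host" >&2
        return 1
    fi
}
```

Usage: delete_user jdoe /export/home/jdoe /var/tmp/jdoe-home.tar; the account is left untouched if the archive cannot be written or verified.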

How to Add a Group

When an administrator creates a group, the system assigns the solaris.group.assign/groupname authorization to that administrator, giving the administrator complete control over that group. If another administrator who has the same authorization creates a group, that administrator has control over that group. An administrator who has control of one group cannot administer the group of the other administrator. For more information, see the groupadd(8) and groupmod(8) man pages.
  1. Become an administrator with the root role or an administrator who has the solaris.group.manage authorization.
  2. List the existing groups.
    # cat /etc/group
  3. Create a new group.
    $ groupadd -g group-ID group-name

    -g assigns the group ID for the new group. For more information, see the groupadd(8) man page.

Example: Setting Up a Group and User With the groupadd and useradd Commands

This example shows how to use the groupadd and useradd commands to add the group scutters and the user scutter1 to files on the local system.

# groupadd -g 102 scutters
# useradd -u 1003 -g 102 -d /export/home/scutter1 -s /bin/csh \
-c "Scutter 1" -m -k /etc/skel scutter1
64 blocks

For more information, see the groupadd(8) and useradd(8) man pages.

How to Create the Home Directory for a User Without Creating a ZFS Dataset

  1. Become an administrator.
  2. Add a new user account and create its home directory as a plain directory.
    # useradd -z no -m username
    80 blocks
  3. Assign a password to the new user account.
    # passwd username
    New Password:
    Re-enter new Password:
    passwd: password successfully changed for username

    Note:

    Make sure you have the User Security rights profile assigned in order to assign passwords.
  4. Confirm that the home directory of the user account has been created in the /export/home directory.
    # cat /etc/passwd
    root:x:0:0:Super-User:/root:/usr/bin/bash
    daemon:x:1:1::/:/bin/sh
    bin:x:2:2::/:/bin/sh
    sys:x:3:3::/:/bin/sh
    adm:x:4:4:Admin:/var/adm:/bin/sh
    dladm:x:15:65:Datalink Admin:/:
    netadm:x:16:65:Network Admin:/:
    netcfg:x:17:65:Network Configuration Admin:/:
    sshd:x:22:22:sshd privsep:/var/empty:/bin/false
    smmsp:x:25:25:SendMail Message Submission Program:/:
    username:x:167:10::/export/home/username:/usr/bin/bash
Example: Creating a User Account With a Home Directory That Is a Directory

Use the following command to set the useradd default so that new user accounts are created with a home directory that is a directory rather than a ZFS file system:

# useradd -D -z no

Example: Creating a User Account With a Home Directory That Is a ZFS File System With Delegations

Use the following command to set the useradd default so that new user accounts are created with a home directory that is a ZFS file system with the mount, create, and snapshot delegations:

# useradd -D -z yes

Example: Creating a User Account With a Home Directory That Is a ZFS File System Without Delegations

Use the following command to set the useradd default so that new user accounts are created with a home directory that is a ZFS file system without delegations:

# useradd -D -z nodelegation

How to Assign Default User Attributes for LDAP Accounts

For LDAP accounts, an administrator can assign qualified user attributes to users by using the default account name default@. The useradd, usermod, and userdel commands have been modified to support this account name. The following example shows how to create a default account and assign default user attributes to users based on their netgroup membership.
  1. Become an administrator.
  2. Create the default and test accounts in the LDAP name service.
    # useradd -S ldap default@
    # useradd -S ldap -m admin1
    # useradd -S ldap -m admin2
    # useradd -S ldap -m admin3
  3. Create two netgroups.
    # cat netgroups
    dba (,admin1,) (,admin2,)
    web (,admin3,)
    
    # ldapaddent -D cn=admin,ou=profile,dc=gfaden,dc=com -f netgroups netgroup
  4. Assign the netgroups as qualifiers to the default account.
    # usermod -q @dba -K profiles="Oracle DBA" default@
    # usermod -q @web -K profiles="Web Admin" default@
  5. Display the user_attr entries that were created for the default account.
    # ldapaddent -d user_attr | grep ^default@
    default@:@dba:::profiles=Oracle DBA
    default@:@web:::profiles=Web Admin
  6. List the effective user_attr for each user.
    # getent user_attr admin1
    default@:@dba:::profiles=Oracle DBA
    
    # getent user_attr admin2
    default@:@dba:::profiles=Oracle DBA
    
    # getent user_attr admin3
    default@:@web:::profiles=Web Admin

Sharing ZFS File Systems

You can share a ZFS file system by setting the share.nfs property or the share.smb property. Or, you can create a file system share by using the zfs share command. By default, all file systems are unshared.

You can assign a clearance label to each user, which restricts users' access to confidential process information. You set the value for clearance label in the encodings file. When you assign a specific clearance to a user you should also assign the user a multilevel home directory as shown in the next procedure.

For more information about sharing and unsharing file systems, see Autofs Administration in Managing Network File Systems in Oracle Solaris 11.4.

How to Share Home Directories That Are Created as ZFS File Systems

  1. Become an administrator.
  2. Create a separate pool for the user home directories.
    # zpool create pool mirror disk1 disk2 mirror disk3 disk4
    For example:
    # zpool create users mirror c1t1d0 c1t2d0 mirror c2t1d0 c2t2d0
  3. Create a container for the home directories.
    # zfs create filesystem
    For example:
    # zfs create users/home
  4. (Optional) Assign a multilevel home directory to users who have been assigned a specific clearance.
    # zfs create -o multilevel=on filesystem

    For more information, see the clearance(7) man page.

  5. Set the share properties for the home directory.
    For example, to create an NFS share and set the share.nfs property for users/home, you would type:
    # zfs set share.nfs=on users/home

    When using this new syntax, each file system contains an "auto share" that is created as soon as the share.nfs property (or the share.smb property) is set to on for that file system. The previous command shares a file system named users/home and all of its children.

  6. (Optional) Enable labeled sharing when sharing the file system.
    If you assign a multilevel home directory to a user, then you must enable labeled sharing while sharing file systems.
    # zfs set share.nfs=on share.nfs.labeled=on filesystem
  7. Confirm that the descendant file system shares are also published.
    For example:
    # zfs get -r share.nfs users/home

    The -r option displays all of the descendant file systems.

Manually Mounting a User's Home Directory

With ZFS, file systems that are newly created are automatically mounted at boot time from the SMF local file system service.

When creating user accounts, make sure home directories are set up as they are in the name service, at /home/username. Then, make sure that the auto_home map indicates the NFS path to the user's home directory. For task-related information, see Autofs Administration in Managing Network File Systems in Oracle Solaris 11.4.

If you need to manually mount a user's home directory, use the zfs mount command. For example:

# zfs mount users/home/jdoe

Note:

Make sure that the user's home directory is shared. For more information, see How to Share Home Directories That Are Created as ZFS File Systems.