smuser man page on SunOS


smuser(1M)		System Administration Commands		    smuser(1M)

NAME
       smuser - manage user entries

SYNOPSIS
       /usr/sadm/bin/smuser subcommand [auth_args] -- [subcommand_args]

DESCRIPTION
       The  smuser  command manages one or more user entries in the local /etc
       filesystem or a NIS or NIS+ target name service.

   subcommands
       smuser subcommands are:

       add	       Adds a new user entry to the appropriate files. You can
		       use  a template and input file instead of supplying the
		       additional command line options. If you use a  template
		       and command line options, the command line options take
		       precedence and override any conflicting	template  val‐
		       ues.  To	 add an entry, the administrator must have the
		       solaris.admin.usermgr.write authorization.

       delete	       Deletes one or more user entries from  the  appropriate
		       files.  To delete an entry, the administrator must have
		       the  solaris.admin.usermgr.write	 authorization.	 Note:
		       You  cannot  delete  the	 system accounts with IDs less
		       than 100, or 60001, 60002, or 65534.

       list	       Lists one or more user entries from the appropriate files.
		       To  list	 entries,  the	administrator  must  have  the
		       solaris.admin.usermgr.read authorization.

       modify	       Modifies a user entry in the appropriate files. To mod‐
		       ify   an	  entry,   the	administrator  must  have  the
		       solaris.admin.usermgr.write authorization.

OPTIONS
       The smuser authentication arguments, auth_args, are  derived  from  the
       smc(1M)	arg  set  and  are the same regardless of which subcommand you
       use.  The smuser command requires the Solaris Management Console to  be
       initialized  for	 the command to succeed (see smc(1M)). After rebooting
       the Solaris Management Console server,  the  first  Solaris  Management
       Console	connection might time out, so you might need to retry the com‐
       mand.

       The subcommand-specific options, subcommand_args, must come  after  the
       auth_args and must be separated from them by the -- option.

   auth_args
       The valid auth_args, -D, -H, -l, -p, -r, and -u, are described below.
       They are all optional. These options are a subset of the full
       complement of supported options described in smc(1M).

       If no auth_args are specified, certain defaults will be assumed and the
       user may be prompted for additional information, such as a password for
       authentication  purposes. These letter options can also be specified by
       their equivalent option words preceded by a double dash.	 For  example,
       you can use either -D or --domain with the domain argument.

       -D | --domain  domain

	   Specifies the default domain that you want to manage. The syntax of
	   domain is type:/host_name/domain_name, where type is nis,  nisplus,
	   dns,	 ldap,	or  file;  host_name  is  the name of the machine that
	   serves the domain; and domain_name is the name of  the  domain  you
	   want to manage. (Note: Do not use nis+ for nisplus.)

	   If  you  do not specify this option, the Solaris Management Console
	   assumes the file default domain on whatever server  you  choose  to
	   manage, meaning that changes are local to the server. Toolboxes can
	   change the domain on a tool-by-tool basis;  this  option  specifies
	   the domain for all other tools.

       -H | --hostname  host_name:port

	   Specifies  the  host_name and port to which you want to connect. If
	   you do not specify a port, the system connects to the default port,
	   898.	 If  you do not specify host_name:port, the Solaris Management
	   Console connects to the local host on port 898. You may still  have
	   to  choose  a  toolbox  to load into the console.  To override this
	   behavior, use the smc(1M) -B option, or set	your  console  prefer‐
	   ences to load a "home toolbox" by default.

       -l | --rolepassword  role_password

	   Specifies  the  password  for  the  role_name.  If  you  specify  a
	   role_name but do not specify a role_password,  the  system  prompts
	   you	to  supply a role_password. Passwords specified on the command
	   line can be seen by any user on the system, hence  this  option  is
	   considered insecure.

       -p | --password  password

	   Specifies  the  password for the user_name. If you do not specify a
	   password, the system prompts you for one.  Passwords	 specified  on
	   the	command line can be seen by any user on the system, hence this
	   option is considered insecure.

       -r | --rolename  role_name

	   Specifies a role name for authentication. If	 you  do  not  specify
	   this option, no role is assumed.

       -u | --username  user_name

	   Specifies  the  user name for authentication. If you do not specify
	   this option, the user  identity  running  the  console  process  is
	   assumed.

       --

	   This option is required and must always follow the preceding
	   options. If you do not enter the preceding options, you must still
	   enter the -- option.

   subcommand_args
       Note:  Descriptions  and other arg options that contain whitespace must
       be enclosed in double quotes.

       To  add	or  change  privileges,	 the  administrator  must   have   the
       solaris.admin.privilege.write authorization. See privileges(5).

	 ·  For subcommand add:

	    -c comment

		(Optional) Includes a short description of the login, which is
		typically the user's name. Consists of a string of up  to  256
		printable characters, excluding the colon (:).

	    -d dir

		(Optional)  Specifies the home directory of the new user, lim‐
		ited to 1024 characters.

	    -e ddmmyyyy

		(Optional) Specifies the expiration date for  a	 login.	 After
		this  date, no user can access this login. This option is use‐
		ful for creating temporary logins. Specify a null value ("  ")
		to  indicate that the login is always valid. The administrator
		must have the solaris.admin.usermgr.pswd authorization.

	    -f inactive

		(Optional)  Specifies  the  maximum  number  of	 days  allowed
		between uses of a login ID before that ID is declared invalid.
		Normal values are positive integers. Enter  zero  to  indicate
		that the login account is always active.

	    -F full_name

		(Optional)  Specifies  the full, descriptive name of the user.
		The full_name must be unique within a domain and  can  contain
		alphanumeric  characters  and  spaces.	If you use spaces, you
		must enclose the full_name in double quotes.

	    -g group

		(Optional) Specifies the new user's primary  group  membership
		in  the system group database with an existing group's integer
		ID.

	    -G group1 -G group2 . . .

		(Optional) Specifies the new user's supplementary  group  mem‐
		bership in the system group database with the character string
		names of one or more existing  groups.	Duplicates  of	groups
		specified with the -g and -G options are ignored.

	    -h

		(Optional) Displays the command's usage statement.

	    -n login

		Specifies  the	new  user's login name. The login name must be
		unique within a domain, contain 2-32 alphanumeric  characters,
		begin  with  a letter, and contain at least one lowercase let‐
		ter.

	    -P password

		(Optional)  Specifies  up  to  an   eight-character   password
		assigned  to  the user account. Note: When you specify a pass‐
		word, you type the password in plain text. Specifying a	 pass‐
		word  using  this  method  introduces a security gap while the
		command is running. To set  the	 password,  the	 administrator
		must have the solaris.admin.usermgr.pswd authorization.

	    -s shell

		(Optional)  Specifies the full pathname (limited to 1024 char‐
		acters) of the program used as	the  user's  shell  on	login.
		Valid  entries	are  a user-defined shell, /bin/csh (C shell),
		/bin/ksh (Korn shell), and the default, /bin/sh (Bourne shell).

	    -t template

		(Optional) Specifies a template, created using the  User  Man‐
		ager tool, that contains a set of pre-defined user attributes.
		You may have entered a name service server  in	the  template.
		However,  when a user is actually added with this template, if
		a name service is unavailable, the user's local server will be
		used for both the Home Directory Server and Mail Server.

	    -u uid

		(Optional)  Specifies the user ID of the user you want to add.
		If you do not specify this option, the system assigns the next
		available unique user ID greater than 100.

	    -x autohome=Y|N

		(Optional)  Sets  the home directory to automount if set to Y.
		The user's home directory path in the password entry is set to
		/home/login name.

	    -x mail=mail_server

		(Optional)  Specifies the host name of the user's mail server,
		and creates a mail file on the	server.	 Users	created	 in  a
		local  scope  must  have  a mail server created on their local
		machines.

	    -x perm=home_perm

		(Optional) Sets the permissions on the user's home  directory.
		perm  is  interpreted  as  an octal number, and the default is
		0775.

	    -x pwmax=days

		(Optional) Specifies the  maximum  number  of  days  that  the
		user's	password  is  valid.  The  administrator must have the
		solaris.admin.usermgr.pswd authorization.

	    -x pwmin=days

		(Optional) Specifies the minimum number of days	 between  user
		password    changes.   The   administrator   must   have   the
		solaris.admin.usermgr.pswd authorization.

	    -x pwwarn=days

		(Optional) Specifies the number of days relative to pwmax that
		the  user  is  warned  about  password expiration prior to the
		password   expiring.   The   administrator   must   have   the
		solaris.admin.usermgr.pswd authorization.

	    -x serv=homedir_server

		(Optional)  Specifies  the name of the server where the user's
		home directory resides. Users created in a  local  scope  must
		have  their  home  directory  server  created  on  their local
		machines.

	    -M limit_privs

		Specifies the privilege name(s) to add to the new user_attr(4)
		entry. The default is all for limit privilege.

		To  add	 or change privileges, the administrator must have the
		solaris.admin.privilege.write authorization. See privileges(5).

	    -D default_privs

		Specifies  the	default	 privilege  name(s)  to add to the new
		user_attr(4) entry.

	    The following options to the add subcommand are available only  if
	    a system is configured with Solaris Trusted Extensions. See "Using
	    Options that Require Solaris Trusted Extensions," below.

	    -x clear=clearanceval

		(Optional) Specifies the role's clearance. clearanceval can be
		a  string  value  or a hex value. If this option is not speci‐
		fied, the default is the user's system default	clearance.  To
		set   the   clearance,	 the   administrator   must  have  the
		solaris.admin.usermgr.labels authorization.

	    -x idlecmd=LOGOUT|LOCK

		Specifies the command to execute if the system has been idled.
		If  LOGOUT  is	specified,  idlecmd=logout will be recorded in
		user_attr. If LOCK is specified, idlecmd=lock will be recorded
		in  user_attr. If this option is not specified, the default is
		the IDLECMD in the /etc/security/policy.conf file.

	    -x idletime=minutes

		(Optional) Specifies the number of minutes before  the	speci‐
		fied  idle  command  gets  executed.  Any integer value in the
		range from 1 to 120  is	 valid.	 This  value  is  recorded  in
		user_attr  as  idletime=val.  If this option is not specified,
		the default is the IDLETIME in	the  /etc/security/policy.conf
		file.

	    -x label=labelval

		(Optional) Specifies the user's minimum label. labelval can be
		a string label or a hex label. If this option  is  not	speci‐
		fied,  the default is the user's system default minimum label.
		To set the minimum label,  the	administrator  must  have  the
		solaris.admin.usermgr.labels authorization.

	    -x labelview=HIDE|SHOW

		(Optional)  Specifies  the  second  part of the labelview key-
		value pair. If SHOW is specified,  labelview=*showsl  will  be
		recorded.  If  HIDE  is	 specified,  labelview=*hidesl will be
		recorded. The asterisk portion can be replaced by "internal,",
		"external,", or ""(null). If this option is not specified, the
		default is  the	 LABELVIEW  in	the  /etc/security/policy.conf
		file.

	    -x lock=Y|N

		(Optional) Specifies if an account is locked after a specified
		number of failed logins. This value is recorded	 in  user_attr
		as  lock_after_retries.	 If  this option is not specified, the
		default is the LOCK_AFTER_RETRIES in the
		/etc/security/policy.conf file.

	    -x view=INTERNAL|EXTERNAL|DEFAULT

		(Optional)  Specifies the label view type for the labelview in
		user_attr. If INTERNAL is specified,  labelview=internal  will
		be recorded; if EXTERNAL is specified, labelview=external will
		be recorded; if DEFAULT is specified, nothing will be recorded
		in  user_attr.	If  this  option is not specified, the default
		action, that nothing gets recorded in user_attr, is in effect.

	 ·  For subcommand delete:

	    -h

		(Optional) Displays the command's usage statement.

	    -n login1

		Specifies the login name of the user you want to delete.

	    -n login2 . . .

		(Optional) Specifies  the  additional  login  name(s)  of  the
		user(s) you want to delete.

	 ·  For subcommand list:

	    -h

		(Optional) Displays the command's usage statement.

	    -l

		Displays  the  output  for  each  user in a block of key:value
		pairs (for example, user name:root) followed by a  blank  line
		to  delimit  each user block. Each key:value pair is displayed
		on a separate line. The keys  are:  autohome  setup,  comment,
		days to warn, full name,home directory, home directory permis‐
		sions, login shell, mail server, max  days  change,  max  days
		inactive,  min	days  change, password expires, password type,
		primary group, rights, roles, secondary groups,	 server,  user
		ID (UID), and user name.

	    -n login1

		Specifies the login name of the user you want to list.

	    -n login2 . . .

		(Optional)  Specifies  the  additional	login  name(s)	of the
		user(s) you want to list.

	 ·  For subcommand modify:

	    -a addrole1 -a addrole2 . . .

		(Optional) Specifies the role(s) to add to the	user  account.
		To  assign  a  role to a user, the administrator must have the
		solaris.role.assign   authorization   or   must	   have	   the
		solaris.role.delegate authorization and be a member of each of
		the roles specified.

	    -c comment

		(Optional) Describes the changes you made to the user account.
		Consists  of  a	 string	 of  up	 to  256 printable characters,
		excluding the colon (:).

	    -d description

		(Optional) Specifies the user's	 home  directory,  limited  to
		1024 characters.

	    -e ddmmyyyy

		(Optional) Specifies the expiration date for a login in a for‐
		mat appropriate to the locale. After this date,	 no  user  can
		access	this  login. This option is useful for creating tempo‐
		rary logins. Specify a null value (" ") to indicate  that  the
		login is always valid.

	    -f inactive

		(Optional)  Specifies  the  maximum  number  of	 days  allowed
		between uses of a login ID before the ID is declared  invalid.
		Normal	values are positive integers. Specify zero to indicate
		that the login account is always active.

	    -F full_name

		(Optional) Specifies the full, descriptive name of  the	 user.
		The  full_name	must be unique within a domain and can contain
		alphanumeric characters and spaces. If	you  use  spaces,  you
		must enclose the full_name in double quotes.

	    -g group

		(Optional)  Specifies  the new user's primary group membership
		in the system group database with an existing group's  integer
		ID.

	    -G group1 -G group2 . . .

		(Optional)  Specifies  the new user's supplementary group mem‐
		bership in the system group database with the character string
		names  of  one	or  more existing groups. Duplicates of groups
		specified with the -g and -G options are ignored.

	    -h

		(Optional) Displays the command's usage statement.

	    -n name

		Specifies the user's current login name.

	    -N new_name

		(Optional) Specifies the user's new login name. The login name
		must  be  unique  within  a  domain, contain 2-32 alphanumeric
		characters, begin with a letter, and contain at least one low‐
		ercase letter.

	    -p addprof1 -p addprof2 . . .

		(Optional)  Specifies  the  profile(s)	to  add	 to  the  user
		account. To assign a profile to a user, the administrator must
		have  the  solaris.profmgr.assign  or solaris.profmgr.delegate
		authorization.

	    -P password

		(Optional)  Specifies  up  to  an   eight-character   password
		assigned to the user account.

		When  you  specify  a password, you type the password in plain
		text. Specifying a password using  this	 method	 introduces  a
		security gap while the command is running.

	    -q delprof1 -q delprof2 . . .

		(Optional)  Specifies  the  profile(s) to delete from the user
		account.

	    -r delrole1 -r delrole2 . . .

		(Optional) Specifies the  role(s)  to  delete  from  the  user
		account.

	    -s shell

		(Optional)  Specifies the full pathname (limited to 1024 char‐
		acters) of the program used as	the  user's  shell  on	login.
		Valid  entries	are  a user-defined shell, /bin/csh (C shell),
		/bin/ksh (Korn shell), and the default, /bin/sh (Bourne
		shell).

	    -x autohome=Y|N

		(Optional)  Sets  up the home directory to automount if set to
		Y. The user's home directory path in the password entry is set
		to /home/login name.

	    -x pwmax=days

		(Optional)  Specifies  the  maximum  number  of	 days that the
		user's password is valid.

	    -x pwmin=days

		(Optional) Specifies the minimum number of days between	 pass‐
		word changes.

	    -x pwwarn=days

		(Optional) Specifies the number of days relative to pwmax that
		the user is warned about password expiration before the	 pass‐
		word expires.

	    -M limit_privs

		Specifies  the privilege name(s) to modify in the user_attr(4)
		entry. The default is all for limit privilege.

		To add or change privileges, the administrator must  have  the
		solaris.admin.privilege.write authorization. See privileges(5).

	    -D default_privs

		Specifies the default  privilege  name(s)  to  modify  in  the
		user_attr(4) entry.

	    The	 following options to the modify subcommand are available only
	    if a system is configured with  Solaris  Trusted  Extensions.  See
	    "Using Options that Require Solaris Trusted Extensions," below.

	    -x clear=clearanceval

		(Optional) Specifies the role's clearance. clearanceval can be
		a string value or a hex value. If this option  is  not	speci‐
		fied,  the  default is the user's system default clearance. To
		set  the  clearance,   the   administrator   must   have   the
		solaris.admin.usermgr.labels authorization.

	    -x idlecmd=LOGOUT|LOCK

		Specifies the command to execute if the system has been idled.
		If LOGOUT is specified, idlecmd=logout	will  be  recorded  in
		user_attr. If LOCK is specified, idlecmd=lock will be recorded
		in user_attr. If this option is not specified, the default  is
		the IDLECMD in the /etc/security/policy.conf file.

	    -x idletime=minutes

		(Optional)  Specifies  the number of minutes before the speci‐
		fied idle command gets executed.  Any  integer	value  in  the
		range  from  1	to  120	 is  valid.  This value is recorded in
		user_attr as idletime=val. If this option  is  not  specified,
		the  default  is the IDLETIME in the /etc/security/policy.conf
		file.

	    -x label=labelval

		(Optional) Specifies the user's minimum label. labelval can be
		a  string  label  or a hex label. If this option is not speci‐
		fied, the default is the user's system default minimum	label.
		To  set	 the  minimum  label,  the administrator must have the
		solaris.admin.usermgr.labels authorization.

	    -x labelview=HIDE|SHOW

		(Optional) Specifies the second part  of  the  labelview  key-
		value  pair.  If  SHOW is specified, labelview=*showsl will be
		recorded. If HIDE  is  specified,  labelview=*hidesl  will  be
		recorded. The asterisk portion can be replaced by "internal,",
		"external,", or ""(null). If this option is not specified, the
		default	 is  the  LABELVIEW  in	 the /etc/security/policy.conf
		file.

	    -x lock=Y|N

		(Optional) Specifies if an account is locked after a specified
		number	of  failed logins. This value is recorded in user_attr
		as lock_after_retries. If this option is  not  specified,  the
		default is the LOCK_AFTER_RETRIES in the
		/etc/security/policy.conf file.

	    -x view=INTERNAL|EXTERNAL|DEFAULT

		(Optional) Specifies the label view type for the labelview  in
		user_attr.  If	INTERNAL is specified, labelview=internal will
		be recorded; if EXTERNAL is specified, labelview=external will
		be recorded; if DEFAULT is specified, nothing will be recorded
		in user_attr. If this option is	 not  specified,  the  default
		action, that nothing gets recorded in user_attr, is in effect.

   Using Options that Require Solaris Trusted Extensions
       To  use an option that requires the Solaris Trusted Extensions feature,
       you must use the -B toolbox option to specify a toolbox	that  contains
       support for Trusted Extensions. For example:

       # smuser add -H myhost -p mypasswd -x idlecmd=LOGOUT \
       -B http://<server>/toolboxes/tsol_files.tbx

       In  the	command above, <server> is the name of the machine running the
       Solaris Management Console. See smc(1M) for a  description  of  the  -B
       option.

EXAMPLES
       Example 1: Creating a New User Account

       The  following creates a new user account on the local file system. The
       account name is user1, and the full name	 is  Joe  Smith.  The  comment
       field  verifies	that  the  account  is	for Joe Smith. The system will
       assign the next available user ID greater than  100  to	this  account.
       There  is  no  password set for this account, so when Joe Smith logs in
       for the first time, he will be prompted to enter a password.

       ./smuser add -H myhost -p mypasswd -u root -- -F "Joe Smith" \
		    -n user1 -c "Joe's account"

       Example 2: Deleting a User Account

       The following deletes the user1 account from the local file system:

       ./smuser delete -H myhost -p mypasswd -u root -- -n user1

       Example 3: Listing All User Accounts

       The following lists all user accounts on the local file system in  sum‐
       mary form:

       ./smuser list -H myhost -p mypasswd -u root --

       Example 4: Modifying a User Account

       The  following  modifies	 the user1 account to default to a Korn shell,
       and assigns the account to the qa_group secondary group.

       ./smuser modify -H myhost -p mypasswd -u root -- -n user1 \
		    -s /bin/ksh -G qa_group
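
       The examples above pass -p mypasswd on the command line, which the
       OPTIONS section describes as visible to any user on the system. The
       following is an added example, not part of the original man page: a
       hypothetical smuser_audit shell function that inspects an argument
       vector without running smuser and reports password options on either
       side of the -- separator, where the same letters carry different
       meanings.

```shell
#!/bin/sh
# Added example (not from the man page): flag passwords in an smuser argument
# vector. smuser_audit is a hypothetical helper; it never invokes smuser.
# Usage: smuser_audit <subcommand> [auth_args] -- [subcommand_args]
# Exit status: 0 = clean, 1 = password on the command line,
#              2 = no password found but the required "--" is missing.
smuser_audit() (
    sub=$1
    [ $# -gt 0 ] && shift
    side=auth          # we are in auth_args until "--" is seen
    hits=0
    while [ $# -gt 0 ]; do
        opt=$1
        shift
        takes_value=1
        if [ "$side" = auth ]; then
            case $opt in
                --) side=sub; takes_value=0 ;;
                -p|--password)
                    echo "auth_args: $opt exposes the login password to any user on the system"
                    hits=$((hits + 1)) ;;
                -l|--rolepassword)
                    echo "auth_args: $opt exposes the role password to any user on the system"
                    hits=$((hits + 1)) ;;
                # Remaining auth_args from this page, plus the smc(1M) -B toolbox option.
                -D|--domain|-H|--hostname|-r|--rolename|-u|--username|-B) ;;
                *) takes_value=0 ;;
            esac
        else
            case $sub:$opt in
                add:-P|modify:-P)
                    echo "subcommand_args: -P exposes the new account password while the command runs"
                    hits=$((hits + 1)) ;;
                *:-h|list:-l) takes_value=0 ;;   # usage flag and long listing take no value
                *:-*) ;;                         # e.g. modify -p is a profile, not a password
                *) takes_value=0 ;;
            esac
        fi
        # Skip the option's value so a value such as "-p" or "--" is not misread as an option.
        if [ "$takes_value" -eq 1 ] && [ $# -gt 0 ]; then shift; fi
    done
    [ "$side" = sub ] || echo "missing required -- separator"
    [ "$hits" -eq 0 ] || exit 1
    [ "$side" = sub ] || exit 2
    exit 0
)

# Constructed sample input: Example 1 from this page, then the same call
# without -p so that the console prompts for the password instead.
smuser_audit add -H myhost -p mypasswd -u root -- -F "Joe Smith" -n user1 \
    || echo "exit status $?"
smuser_audit add -H myhost -u root -- -F "Joe Smith" -n user1 && echo "clean"
```

       Run over the argument vectors found in administration scripts, a
       nonzero status marks the invocations to convert to prompted
       passwords.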

ENVIRONMENT VARIABLES
       See environ(5) for a description of the JAVA_HOME environment variable,
       which affects the execution of the smuser command.  If this environment
       variable is not specified, the /usr/java location is used. See smc(1M).

EXIT STATUS
       The following exit values are returned:

       0	Successful completion.

       1	Invalid command syntax. A usage message displays.

       2	An error occurred while executing the command. An  error  mes‐
		sage displays.

FILES
       The following files are used by the smuser command:

       /etc/aliases		       Mail aliases. See aliases(4).

       /etc/auto_home		       Automatic mount points. See automount(1M).

       /etc/group		       Group file. See group(4).

       /etc/passwd		       Password file. See passwd(4).

       /etc/security/policy.conf       Configuration file for security policy.
				       See policy.conf(4).

       /etc/shadow		       Shadow password file. See shadow(4).

       /etc/user_attr		       Extended	 user  attribute database. See
				       user_attr(4).

ATTRIBUTES
       See attributes(5) for descriptions of the following attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE	     │	    ATTRIBUTE VALUE	   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability		     │SUNWmga			   │
       ├─────────────────────────────┼─────────────────────────────┤
       │Interface Stability	     │Evolving			   │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO
       automount(1M), smc(1M), aliases(4), group(4), passwd(4), policy.conf(4),
       shadow(4), user_attr(4), attributes(5), environ(5)

SunOS 5.10			  17 Mar 2006			    smuser(1M)