This chapter describes how to set up and maintain user accounts and groups.For information on the procedures associated with setting up and maintaining user accounts and groups, see the following:Setting Up User Accounts (Task Map) Maintaining User Accounts (Task Map) For background information about managing user accounts and groups, see Chapter 4, Managing User Accounts and Groups (Overview). Task Description For Instructions Gather user information. Use a standard form to gather user information to help you keep user information organized. Gathering User Information Customize user initialization files. You can set up user initialization files (.cshrc, .profile, .login), so that you can provide new users with consistent environments. How to Customize User Initialization Files Add a group. You can add a group with the following tools:Solaris Management Console's Groups toolSolaris command-line interface tools How to Add a Group With the Solaris Management Console's Groups ToolAdding Groups and Users With Command-Line Tools Add a user. You can add a user with the following tools:Solaris Management Console's Users toolSolaris command-line interface tools How to Add a User With the Solaris Management Console's Users ToolAdding Groups and Users With Command-Line Tools Set up a user template. You can create a user template so that you don't have to manually add all similar user properties. See Solaris Management Console online help Add rights or a role to a user. You can add rights or a role to a user so that the user can perform a specific command or task. See Solaris Management Console online help Share the user's home directory. You must share the user's home directory so that the directory can be remotely mounted from the user's system. How to Share a User's Home Directory Mount the user's home directory. You must mount the user's home directory on the user's system. How to Mount a User's Home Directory user accountssetting upinformation sheetYou can create a form such as the following to gather information about users before adding their accounts. Item Description User Name: Role Name: Profiles or Authorizations: UID: Primary Group: Secondary Groups: Comment: Default Shell: Password Status and Aging: Home Directory Path Name: Mounting Method: Permissions on Home Directory: Mail Server: Department Name: Department Administrator: Manager: Employee Name: Employee Title: Employee Status: Employee Number: Start Date: Add to These Mail Aliases: Desktop System Name: &rolestep.sgm;Create a skeleton directory for each type of user.# mkdir /shared-dir/skel/user-typeshared-dirThe name of a directory that is available to other systems on the network. user-typeThe name of a directory to store initialization files for a type of user. Copy the default user initialization files into the directories that you created for different types of users. # cp /etc/skel/local.cshrc /shared-dir/skel/user-type/.cshrc # cp /etc/skel/local.login /shared-dir/skel/user-type/.login # cp /etc/skel/local.profile /shared-dir/skel/user-type/.profileIf the account has profiles assigned to it, then the user has to launch a special version of the shell called a profile shell to use commands (with any security attributes) that are assigned to the profile. There are three profile shells corresponding to the types of shells: pfsh (Bourne shell), pfcsh (C shell), and pfksh (Korn shell). For information about profile shells, see Role-Based Access Control (Overview) in System Administration Guide: Security Services. Edit the user initialization files for each user type and customize them based on your site's needs.For a detailed description on the ways to customize the user initialization files, see Customizing a User's Work Environment. Set the permissions for the user initialization files.# chmod 744 /shared-dir/skel/user-type/.* Verify that the permissions for the user initialization files are correct.# ls -la /shared-dir/skel/* The following example shows how to customize the C-shell user initialization file in the /export/skel/enduser directory designated for a particular type of user. For an example of a .cshrc file, see Example 4–3.# mkdir /export/skel/enduser # cp /etc/skel/local.cshrc /export/skel/enduser/.cshrc (Edit .cshrc file) # chmod 744 /export/skel/enduser/.* You can add existing users to the group when you add the group. Or, you can just add the group and then add the user to the group when you add the user. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon and provide the superuser password or the role password. Click the Groups icon. Select Add Group from the Action menu.Use the Context help to add a group to the system. Identify the group name at the Group Name prompt under Group Identification.For example, mechanoids. Identify the group number at the Group ID number prompt.For example, GID 101. Click OK. Use the following procedure to add a user with the Solaris Management Console's Users tool. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon and provide the superuser password or the role password. Click the User Accounts icon.Use the Context help to add a user to the system. Select Add User⇒With Wizard from the Action menu.Click Next between the steps below.Identify the user name or login name at the User Name prompt.For example, kryten (Optional) Identify the user's full name at the Full Name prompt.For example, kryten series 3000. (Optional) Provide a further description of this user at the Description prompt. Provide the user ID at the User ID Number prompt.For example, 1001. Select the User Must Use This Password At First Login option.Provide a password for the user at the Password prompt and then confirm the password at the Confirm Password prompt. Select the user's primary group.For example, mechanoids. Create the user's home directory by accepting the defaults at the Server and Path prompts. Specify the mail server. Review the information you provided and go back to correct the information, if necessary. Otherwise, click Finish. This section provides examples of adding users and groups with command-line tools.The following example shows how to use the groupadd and useradd commands to add the group scutters and the user scutter1 to files on the local system. These commands cannot be used to manage users in a name service environment.# groupadd -g 102 scutters # useradd -u 1003 -g 102 -d /export/home/scutter1 -s /bin/csh \ -c "Scutter 1" -m -k /etc/skel scutter1 64 blocksFor more information, see the groupadd1M and useradd1M man pages. The following example shows how to use the smgroup and smuser commands to add the group gelfs and the user camille to the NIS domain solar.com on the host starlite.# /usr/sadm/bin/smgroup add -D nis:/starlitesolar.com -- -g 103 -n gelfs # /usr/sadm/bin/smuser add -D nis:/starlite/solar.com -- -u 1004 -n camille -c "Camille G." -d /export/home/camille -s /bin/csh -g gelfsFor more information, see the smgroup1M and smuser1M man pages. Keep the following in mind when using the Solaris Management Console tools to manage user home directories:If you use the Users tool's Add User Wizard to add a user account and you specify the user's home directory as /export/home/username, the home directory is automatically set up to automount. Also, the following entry is added to the passwd file./home/username There is only way you can use Users tool to set up a user account that does not automount the home directory. First, set up a user account template that disables this feature. Then, add users with this template. You cannot disable this feature with the Add User Wizard. You can use the smuser add command with the x autohome=N option to add a user without automounting the user's home directory. However, there is no option to the smuser delete command to remove the home directory after the user is added. You would have to remove the user and the user's home directory with the Users tool. Use the following procedure to share a user's home directory. user home directoriessharing (how to)sharinguser home directories (how to)Become superuser or assume an equivalent role on the system that contains the home directory. Verify that the mountd daemon is running.In this release, mountd is now started as part of the NFS server service. To see if the mountd daemon is running, type the following command:# svcs network/nfs/server STATE STIME FMRI online Aug_26 svc:/network/nfs/server:default If the mountd daemon is not running, start it.# svcadm network/nfs/server List the file systems that are shared on the system.# share Select one of the following based on whether the file system that contains the user's home directory is already shared.If the user's home directory is already shared, go to the step 8. If the user's home directory is not shared, go to Step 6. /etc/dfs/dfstab fileuser home directory sharing anddfstab fileuser home directory sharing andEdit the /etc/dfs/dfstab file and add the following line: share -F nfs /file-system/file-system is the file system that contains the user's home directory that you need to share. By convention, the file system is /export/home. Share the file systems listed in the /etc/dfs/dfstab file.# shareall -F nfsThis command executes all the share commands in the /etc/dfs/dfstab file so that you do not have to wait to reboot the system. Verify that a user's home directory is shared.# share The following example shows how to share the /export/home directory.# svcs network/nfs/server # svcadm network/nfs/server # share # vi /etc/dfs/dfstab (The line share -F nfs /export/home is added.) # shareall -F nfs # share - /usr/dist ro "" - /export/home/user-name rw "" If the user's home directory is not located on the user's system, you have to mount the user's home directory from the system where it is located. For detailed instructions, see How to Mount a User's Home Directory. For information on automounting a home directory, see Task Overview for Autofs Administration in System Administration Guide: Network Services. Make sure that the user's home directory is shared.user home directoriesmounting (how to)mountinguser home directories (how to)For more information, see How to Share a User's Home Directory. Log in as superuser on the user's system. /etc/vfstab fileEdit the /etc/vfstab file and create an entry for the user's home directory.system-name:/export/home/user-name - /export/home/username nfs - yes rwsystem-nameThe name of the system where the home directory is located. /export/home/usernameThe name of the user's home directory that will be shared. By convention, /export/home/username contains user home directories. However, you can use a different file system. -Required placeholders in the entry. /export/home/usernameThe name of the directory where the user's home directory will be mounted. For more information about adding an entry to the /etc/vfstab file, see Mounting File Systems in System Administration Guide: Devices and File Systems. Create the mount point for the user's home directory.# mkdir -p /export/home/username Mount the user's home directory.# mountallAll entries in the current vfstab file (whose mount at boot fields are set to yes) are mounted. Verify that the home directory is mounted.# mount | grep username The following example shows how to mount user ripley's home directory.# vi /etc/vfstab (The line venus:/export/home/ripley - /export/home/ripley nfs - yes rw is added.) # mkdir -p /export/home/ripley # mountall # mount / on /dev/dsk/c0t0d0s0 read/write/setuid/intr/largefiles/xattr/onerror=panic/dev=... /devices on /devices read/write/setuid/dev=46c0000 on Thu Jan 8 09:38:19 2004 /usr on /dev/dsk/c0t0d0s6 read/write/setuid/intr/largefiles/xattr/onerror=panic/dev=... /proc on /proc read/write/setuid/dev=4700000 on Thu Jan 8 09:38:27 2004 /etc/mnttab on mnttab read/write/setuid/dev=47c0000 on Thu Jan 8 09:38:27 2004 /dev/fd on fd read/write/setuid/dev=4800000 on Thu Jan 8 09:38:30 2004 /var/run on swap read/write/setuid/xattr/dev=1 on Thu Jan 8 09:38:30 2004 /tmp on swap read/write/setuid/xattr/dev=2 on Thu Jan 8 09:38:30 2004 /export/home on /dev/dsk/c0t0d0s7 read/write/setuid/intr/largefiles/xattr/onerror=... /export/home/ripley on venus:/export/home/ripley remote/read/write/setuid/xattr/dev=... Task Description Instructions Modify a group. You can modify a group's name or the users in a group by using the Groups tool. How to Modify a Group Delete a group. You can delete a group if it is no longer needed. How to Delete a Group Modify a user account. Disable a user account You can temporarily disable a user account if it will be needed in the future.Change a user's passwordYou might need to change a user's password if the user forgets it.Set password agingYou can force users to change their passwords periodically with User Account tool's Password Options menu. How to Disable a User AccountHow to Change a User's PasswordHow to Set Password Aging on a User Account Delete a user account. You can delete a user account if it is no longer needed. How to Delete a User Account user login nameschanginguser accountsID numbersuser accountslogin namesuser ID numbersnamesuser loginchangingUIDslogin names (user)changingID numbersuserchanginguser login nameschanginguser ID numbersUnless you define a user name or UID number that conflicts with an existing one, you should never need to modify a user account's user name or UID number. Use the following steps if two user accounts have duplicate user names or UID numbers:If two user accounts have duplicate UID numbers, use the Users tool to remove one account and add it again with a different UID number. You cannot use the Users tool to modify a UID number of an existing user account. If two user accounts have duplicate user names, use the Users tool to modify one of the accounts and change the user name. fileschanging ownership for user accountsdirectorieschanging ownership for user accountschangingfile ownership for user accountschangingdirectory ownership for user accountsuser home directorieschanging ownership ofIf you do use the Users tool to change a user name, the home directory's ownership is changed, if a home directory exists for the user.One part of a user account that you can change is a user's group memberships. Select the Properties option from Users tool's Action menu to add or delete a user's secondary groups. Alternatively, you can use the Groups tool to directly modify a group's member list. You can also modify the following parts of a user account:Description (comment) Login shell Passwords and password options Home directory and home directory access Rights and roles disablinguser accountsUsers toolpasswords (user)disabling/locking user accounts and*LK* passworddisablinguser accountspasswords andpasswords (user)*LK* passwordUsers Tooldisabling accountsuser accountsdisabling/lockingpasswords anduser accountsdisabling/lockingUsers ToolOccasionally, you might need to temporarily or permanently disable a user account. Disabling or locking a user account means that an invalid password, *LK*, is assigned to the user account, preventing future logins.The easiest way to disable a user account is to lock the password for an account with Users tool.NIS+user accounts andYou can also enter an expiration date in the account availability section of the User Properties screen. An expiration date enables you to set a limit on how long the account is active.Other ways to disable a user account: set up password aging or change the user's password. deletinguser mailboxes/etc/passwd filedeleting user accounts andgroup filedeleting user accounts andpasswd filedeleting user accounts anduser home directoriesdeletingdeletinguser home directoriesWhen you delete a user account with the Users tool, the software deletes the entries in the passwd and group files. In addition, the files in the user's home directory and mail directory are deleted also. Use the following procedure to modify a group. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon. Provide the superuser password or the role password. Click the Groups icon. Select the group to modify.For example, select scutters. Modify the selected group in the Group Name: text box. Click OK when you are finished.For example, change scutters to scutter.All the users that were in the scutters group are now in the scutter group. Use the following procedure to delete a group. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon. Provide the superuser password or the role password. Click the Groups icon. Select the group to delete.For example, select scutter. Click OK in the popup window.The group is removed from all the users who were a member of this group. Users Toolpassword administrationpasswords (user)Users Toolpasswords (user)settingpasswords (user)changingUsers Toolchanginguser passwordsUsers ToolYou can use the Users tool for password administration. This tool includes the following capabilities:Specifying a normal password for a user account Enabling users to create their own passwords during their first login Disabling or locking a user account Specifying expiration dates and password aging information passwords (user)agingaging user passwordsPassword aging is not supported by the NIS name service. If you are using NIS+ or the /etc files to store user account information, you can set up password aging on a user's password. Starting in the Solaris 9 12/02 release, password aging is also supported in the LDAP directory service.passwords (user)agingaging user passwordspasswords (user)descriptionPassword aging enables you to force users to change their passwords periodically or to prevent a user from changing a password before a specified interval. If you want to prevent an intruder from gaining undetected access to the system by using an old and inactive account, you can also set a password expiration date when the account becomes disabled. You can set password aging attributes with the passwd command or the Solaris Management Console's Users tool. For information about starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role. Use the following procedure if you need to disable a user account. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon and provide the superuser password or the role password. Click the User Accounts icon. Double–click the user.For example, select scutter2. Select the Account is Locked option in the Account Availability section of the General tab features. Click OK. Use the following procedure when a user forgets her password. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon. Provide the superuser password or the role password. Click the User Accounts icon, then double–click the user who needs a new password.For example, select scutter1. Select the Password tab, then select the User Must Use This Password at Next Login option. . Enter the user's new password and click OK. Use the following procedure to set password aging on a user account. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User Accounts icon and provide the superuser password or the role password. Click the User Accounts icon. Double–click the user, then select the Password Options tab.For example, select scutter2. Select the Password Options tab. Select the appropriate Password Options in Days option and click OK.For example, select Users Must Change Within to set a date when the user must change his or her password. Use the following procedure to remove a user account. &rolestep.sgm;Start the Solaris Management Console.# /usr/sadm/bin/smc &For more information on starting the Solaris Management Console, see How to Start the Console as Superuser or as a Role or How to Start the Solaris Management Console in a Name Service Environment. Click the This Computer icon under the Management Tools icon in the Navigation pane.A list of categories is displayed. (Optional) Select the appropriate toolbox for your name service environment. Click the System Configuration icon. Click the User icon. Provide the superuser password or the role password. Click the User Accounts icon. Double–click the user account to be removed.For example, select scutter4. Click Delete in the popup window if you are sure you want to remove the user account.You are prompted to remove the user's home directory and mailbox contents.