System Administration Commands smuser(1M)
NAME
smuser - manage user entries
SYNOPSIS
/usr/sadm/bin/smuser subcommand [ auth_args] --
[subcommand_args]
DESCRIPTION
The smuser command manages one or more user entries in the
local /etc filesystem or an NIS target name service. subcommandssmuser subcommands are:
add Adds a new user entry to the appropriate files. You can use a template and input file instead of supplying the additional command line options. If you use a template and command line options, the command line options take precedence and override any conflicting template values. To add an entry, the administrator must have the solaris.admin.usermgr.write authorization. delete Deletes one or more user entries from the appropriate files. To delete an entry, the administrator must have the solaris.admin.usermgr.write authorization. Note: You cannot delete the system accounts with IDs less than 100, or 60001, 60002, or 65534. list Lists one more user entries from the appropriate files. To list entries, the administrator must have the solaris.admin.usermgr.read authorization. modify Modifies a user entry in the appropriate files. To modify an entry, the administrator must have the solaris.admin.usermgr.write authorization. OPTIONSThe smuser authentication arguments, auth_args, are derived
from the smc(1M) arg set and are the same regardless ofSunOS 5.11 Last change: 11 Dec 2009 1
System Administration Commands smuser(1M)
which subcommand you use. The smuser command requires the
Solaris Management Console to be initialized for the command to succeed (see smc(1M)). After rebooting the SolarisManagement Console server, the first Solaris Management Con-
sole connection might time out, so you might need to retry the command.The subcommand-specific options, subcommand_args, must come
after the auth_args and must be separated from them by the
-- option.
auth_args
The valid auth_args are -D, -H, -l, -p, -r, and -u are
described below. They are all optional. These options are a subset of the full complement of supported options described in smc(1M).If no auth_args are specified, certain defaults will be
assumed and the user may be prompted for additional informa-
tion, such as a password for authentication purposes. These letter options can also be specified by their equivalent option words preceded by a double dash. For example, you canuse either -D or --domain with the domain argument.
-D | --domain 13;domain
Specifies the default domain that you want to manage.The syntax of domain is type:/host_name/domain_name,
where type is nis, dns, ldap, or file; host_name is the
name of the machine that serves the domain; anddomain_name is the name of the domain you want to
manage.If you do not specify this option, the Solaris Manage-
ment Console assumes the file default domain on whatever server you choose to manage, meaning that changes are local to the server. Toolboxes can change the domain ona tool-by-tool basis; this option specifies the domain
for all other tools.-H | --hostname 13;host_name:port
Specifies the host_name and port to which you want to
connect. If you do not specify a port, the system con-
nects to the default port, 898. If you do not specifyhost_name:port, the Solaris Management Console connects
to the local host on port 898. You may still have to choose a toolbox to load into the console. To overridethis behavior, use the smc(1M) -B option, or set your
SunOS 5.11 Last change: 11 Dec 2009 2
System Administration Commands smuser(1M)
console preferences to load a "home toolbox" by default.-l | --rolepassword 13;role_password
Specifies the password for the role_name. If you specify
a role_name but do not specify a role_password, the sys-
tem prompts you to supply a role_password. Passwords
specified on the command line can be seen by any user on the system, hence this option is considered insecure.-p | --password 13;password
Specifies the password for the user_name. If you do not
specify a password, the system prompts you for one. Passwords specified on the command line can be seen by any user on the system, hence this option is considered insecure.-r | --rolename 13;role_name
Specifies a role name for authentication. If you do not specify this option, no role is assumed.-u | --username 13;user_name
Specifies the user name for authentication. If you do not specify this option, the user identity running the console process is assumed.--
This option is required and must always follow the preceding options. If you do not enter the precedingoptions, you must still enter the -- option.
subcommand_args
Note: Descriptions and other arg options that contain whi-
tespace must be enclosed in double quotes. To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5). o For subcommand add:SunOS 5.11 Last change: 11 Dec 2009 3
System Administration Commands smuser(1M)
-c comment
(Optional) Includes a short description of thelogin, which is typically the user's name. Con-
sists of a string of up to 256 printable char-
acters, excluding the colon (:).-d dir
(Optional) Specifies the home directory of the new user, limited to 1024 characters.-e ddmmyyyy
(Optional) Specifies the expiration date for a login. After this date, no user can access thislogin. This option is useful for creating tem-
porary logins. Specify a null value (" ") to indicate that the login is always valid. The administrator must have the solaris.admin.usermgr.pswd authorization.-f inactive
(Optional) Specifies the maximum number of days allowed between uses of a login ID before thatID is declared invalid. Normal values are posi-
tive integers. Enter zero to indicate that the login account is always active.-F full_name
(Optional) Specifies the full, descriptive nameof the user. The full_name must be unique
within a domain and can contain alphanumeric characters and spaces. If you use spaces, youmust enclose the full_name in double quotes.
-g group
(Optional) Specifies the new user's primary group membership in the system group database with an existing group's integer ID.-G group1 -G group2 . . .
SunOS 5.11 Last change: 11 Dec 2009 4
System Administration Commands smuser(1M)
(Optional) Specifies the new user's supplemen-
tary group membership in the system group data-
base with the character string names of one or more existing groups. Duplicates of groupsspecified with the -g and -G options are
ignored.-h
(Optional) Displays the command's usage state-
ment.-n login
Specifies the new user's login name. The login name must be unique within a domain, contain2-32 alphanumeric characters, begin with a
letter, and contain at least one lowercase letter.-P password
(Optional) Specifies up to an eight-character
password assigned to the user account. Note:When you specify a password, you type the pass-
word in plain text. Specifying a password using this method introduces a security gap while the command is running. To set the password, the administrator must have the solaris.admin.usermgr.pswd authorization.-s shell
(Optional) Specifies the full pathname (limited to 1024 characters) of the program used as the user's shell on login. Valid entries are auser-defined shell, /bin/csh (C shell), bin/ksh
(Korn shell), and the default, /bin/sh (Bourne shell).-t template
(Optional) Specifies a template, created using the User Manager tool, that contains a set ofpre-defined user attributes. You may have
entered a name service server in the template. However, when a user is actually added withSunOS 5.11 Last change: 11 Dec 2009 5
System Administration Commands smuser(1M)
this template, if a name service is unavail-
able, the user's local server will be used for both the Home Directory Server and Mail Server.-u uid
(Optional) Specifies the user ID of the user you want to add. If you do not specify this option, the system assigns the next available unique user ID greater than 100.-x autohome=Y|N
(Optional) Sets the home directory to automount if set to Y. The user's home directory path in the password entry is set to /home/login name.-x mail=mail_server
(Optional) Specifies the host name of the user's mail server, and creates a mail file on the server. Users created in a local scope must have a mail server created on their local machines.-x perm=home_perm
(Optional) Sets the permissions on the user's home directory. perm is interpreted as an octal number, and the default is 0775.-x pwmax=days
(Optional) Specifies the maximum number of daysthat the user's password is valid. The adminis-
trator must have the solaris.admin.usermgr.pswd authorization.-x pwmin=days
(Optional) Specifies the minimum number of daysbetween user password changes. The administra-
tor must have the solaris.admin.usermgr.pswd authorization.SunOS 5.11 Last change: 11 Dec 2009 6
System Administration Commands smuser(1M)
-x pwwarn=days
(Optional) Specifies the number of days rela-
tive to pwmax that the user is warned about password expiration prior to the password expiring. The administrator must have the solaris.admin.usermgr.pswd authorization.-x serv=homedir_server
(Optional) Specifies the name of the server where the user's home directory resides. Users created in a local scope must have their home directory server created on their local machines.-M limit_privs
Specifies the privilege name(s) to add to thenew user_attr(4) entry. The default is all for
limit privilege. To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).-D default_privs
Specifies the default privilege name(s) to addto the new user_attr(4) entry.
The following options to the add subcommand are avail-
able only if a system is configured with Solaris TrustedExtensions. smuser automatically detects when a system
is running these extensions.-x clear=clearanceval
(Optional) Specifies the role's clearance. clearanceval can be a string value or a hex value. If this option is not specified, the default is the user's system default clearance. To set the clearance, the administrator musthave the solaris.admin.usermgr.labels authori-
zation.SunOS 5.11 Last change: 11 Dec 2009 7
System Administration Commands smuser(1M)
-x idlecmd=LOGOUT|LOCK
Specifies the command to execute if the system has been idled. If LOGOUT is specified,idlecmd=logout will be recorded in user_attr.
If LOCK is specified, idlecmd=lock will berecorded in user_attr. If this option is not
specified, the default is the IDLECMD in the /etc/security/policy.conf file.-x idletime=minutes
(Optional) Specifies the number of minutesbefore the specified idle command gets exe-
cuted. Any integer value in the range from 1 to 120 is valid. This value is recorded inuser_attr as idletime=val. If this option is
not specified, the default is the IDLETIME in the /etc/security/policy.conf file.-x label=labelval
(Optional) Specifies the user's minimum label. labelval can be a string label or a hex label. If this option is not specified, the default is the user's system default minimum label. To set the minimum label, the administrator must have the solaris.admin.usermgr.labels authorization.-x labelview=HIDE|SHOW
(Optional) Specifies the second part of thelabelview key-value pair. If SHOW is specified,
labelview=*showsl will be recorded. If HIDE is specified, labelview=*hidesl will be recorded.The asterisk portion can be replaced by "inter-
nal,", "external,", or ""(null). If this option is not specified, the default is the LABELVIEW in the /etc/security/policy.conf file.-x lock=Y|N
(Optional) Specifies if an account is locked after a specified number of failed logins. Thisvalue is recorded in user_attr as
lock_after_retries. If this option is not
specified, the default is theLOCK_AFTER_RETRIES in the
SunOS 5.11 Last change: 11 Dec 2009 8
System Administration Commands smuser(1M)
/etc/security/policy.conf file.-x view=INTERNAL|EXTERNAL|DEFAULT
(Optional) Specifies the label view type forthe labelview in user_attr. If INTERNAL is
specified, labelview=internal will be recorded; if EXTERNAL is specified, labelview=external will be recorded; if DEFAULT is specified,nothing will be recorded in user_attr. If this
option is not specified, the default action,that nothing gets recorded in user_attr, is in
effect. o For subcommand delete:-h
(Optional) Displays the command's usage state-
ment.-n login1
Specifies the login name of the user you want to delete.-n login2 . . .
(Optional) Specifies the additional login name(s) of the user(s) you want to delete. o For subcommand list:-h
(Optional) Displays the command's usage state-
ment.-l
Displays the output for each user in a block of key:value pairs (for example, user name:root)SunOS 5.11 Last change: 11 Dec 2009 9
System Administration Commands smuser(1M)
followed by a blank line to delimit each user block. Each key:value pair is displayed on a separate line. The keys are: autohome setup,comment, days to warn, full name,home direc-
tory, home directory permissions, login shell,mail server, max days change, max days inac-
tive, min days change, password expires, pass-
word type, primary group, rights, roles, secon-
dary groups, server, user ID (UID), and user name.-n login1
Specifies the login name of the user you want to list.-n login2 . . .
(Optional) Specifies the additional login name(s) of the user(s) you want to list. o For subcommand modify:-a addrole1 -a addrole2 . . .
(Optional) Specifies the role(s) to add to the user account. To assign a role to a user, the administrator must have the solaris.role.assign authorization or must have the solaris.role.delegate authorization and be a member of each of the roles specified.-c comment
(Optional) Describes the changes you made to the user account. Consists of a string of up to 256 printable characters, excluding the colon (:).-d description
(Optional) Specifies the user's home directory, limited to 1024 characters.SunOS 5.11 Last change: 11 Dec 2009 10
System Administration Commands smuser(1M)
-e ddmmyyyy
(Optional) Specifies the expiration date for a login in a format appropriate to the locale. After this date, no user can access this login. This option is useful for creating temporary logins. Specify a null value (" ") to indicate that the login is always valid.-f inactive
(Optional) Specifies the maximum number of days allowed between uses of a login ID before theID is declared invalid. Normal values are posi-
tive integers. Specify zero to indicate that the login account is always active.-F full_name
(Optional) Specifies the full, descriptive nameof the user. The full_name must be unique
within a domain and can contain alphanumeric characters and spaces. If you use spaces, youmust enclose the full_name in double quotes.
-g group
(Optional) Specifies the new user's primary group membership in the system group database with an existing group's integer ID.-G group1 -G group2 . . .
(Optional) Specifies the new user's supplemen-
tary group membership in the system group data-
base with the character string names of one or more existing groups. Duplicates of groupsspecified with the -g and -G options are
ignored.-h
(Optional) Displays the command's usage state-
ment.SunOS 5.11 Last change: 11 Dec 2009 11
System Administration Commands smuser(1M)
-n name
Specifies the user's current login name.-N new_name
(Optional) Specifies the user's new login name. The login name must be unique within a domain,contain 2-32 alphanumeric characters, begin
with a letter, and contain at least one lower-
case letter.-p addprof1 -p addprof2 . . .
(Optional) Specifies the profile(s) to add to the user account. To assign a profile to a user, the administrator must have the solaris.profmgr.assign or solaris.profmgr.delegate authorization.-P password
(Optional) Specifies up to an eight-character
password assigned to the user account.When you specify a password, you type the pass-
word in plain text. Specifying a password using this method introduces a security gap while the command is running.-q delprof1 -q delprof2 . . .
(Optional) Specifies the profile(s) to delete from the user account.-r delrole1 -r delrole2 . . .
(Optional) Specifies the role(s) to delete from the user account.-s shell
(Optional) Specifies the full pathname (limited to 1024 characters) of the program used as the user's shell on login. Valid entries are auser-defined shell, /bin/csh (C shell), bin/ksh
SunOS 5.11 Last change: 11 Dec 2009 12
System Administration Commands smuser(1M)
(Korn shell), and the default, /bin/sh (Bourne shell).l)-x autohome=Y|N
(Optional) Sets up the home directory to auto-
mount if set to Y. The user's home directory path in the password entry is set to /home/login name.-x pwmax=days
(Optional) Specifies the maximum number of days that the user's password is valid.-x pwmin=days
(Optional) Specifies the minimum number of days between password changes.-x pwwarn=days
(Optional) Specifies the number of days rela-
tive to pwmax that the user is warned about password expiration before the password expires.-M limit_privs
Specifies the privilege name(s) to modify inthe user_attr(4) entry. The default is all for
limit privilege. To add or change privileges, the administrator must have the solaris.admin.privilege.write authorization. See privileges(5).-D default_privs
Specifies the default privilege name(s) tomodify in the user_attr(4) entry.
The following options to the modify subcommand are available only if a system is configured with SolarisTrusted Extensions. smuser automatically detects when a
SunOS 5.11 Last change: 11 Dec 2009 13
System Administration Commands smuser(1M)
system is running these extensions.-x clear=clearanceval
(Optional) Specifies the role's clearance. clearanceval can be a string value or a hex value. If this option is not specified, the default is the user's system default clearance. To set the clearance, the administrator musthave the solaris.admin.usermgr.labels authori-
zation.-x idlecmd=LOGOUT|LOCK
Specifies the command to execute if the system has been idled. If LOGOUT is specified,idlecmd=logout will be recorded in user_attr.
If LOCK is specified, idlecmd=lock will berecorded in user_attr. If this option is not
specified, the default is the IDLECMD in the /etc/security/policy.conf file.-x idletime=minutes
(Optional) Specifies the number of minutesbefore the specified idle command gets exe-
cuted. Any integer value in the range from 1 to 120 is valid. This value is recorded inuser_attr as idletime=val. If this option is
not specified, the default is the IDLETIME in the /etc/security/policy.conf file.-x label=labelval
(Optional) Specifies the user's minimum label. labelval can be a string label or a hex label. If this option is not specified, the default is the user's system default minimum label. To set the minimum label, the administrator must have the solaris.admin.usermgr.labels authorization.-x labelview=HIDE|SHOW
(Optional) Specifies the second part of thelabelview key-value pair. If SHOW is specified,
labelview=*showsl will be recorded. If HIDE is specified, labelview=*hidesl will be recorded.SunOS 5.11 Last change: 11 Dec 2009 14
System Administration Commands smuser(1M)
The asterisk portion can be replaced by "inter-
nal,", "external,", or ""(null). If this option is not specified, the default is the LABELVIEW in the /etc/security/policy.conf file.-x lock=Y|N
(Optional) Specifies if an account is locked after a specified number of failed logins. Thisvalue is recorded in user_attr as
lock_after_retries. If this option is not
specified, the default is theLOCK_AFTER_RETRIES in the
/etc/security/policy.conf file.-x view=INTERNAL|EXTERNAL|DEFAULT
(Optional) Specifies the label view type forthe labelview in user_attr. If INTERNAL is
specified, labelview=internal will be recorded; if EXTERNAL is specified, labelview=external will be recorded; if DEFAULT is specified,nothing will be recorded in user_attr. If this
option is not specified, the default action,that nothing gets recorded in user_attr, is in
effect.EXAMPLES
Example 1 Creating a New User Account The following creates a new user account on the local file system. The account name is user1, and the full name is Joe Smith. The comment field verifies that the account is for Joe Smith. The system will assign the next available user ID greater than 100 to this account. There is no password set for this account, so when Joe Smith logs in for the first time, he will be prompted to enter a password../smuser add -H myhost -p mypasswd -u root -- -F "Joe Smith" \
-n user1 -c "Joe's account"
Example 2 Deleting a User AccountSunOS 5.11 Last change: 11 Dec 2009 15
System Administration Commands smuser(1M)
The following deletes the user1 account from the local file system:./smuser delete -H myhost -p mypasswd -u root -- -n user1
Example 3 Listing All User AccountsThe following lists all user accounts on the local file sys-
tem in summary form:./smuser list -H myhost -p mypasswd -u root --
Example 4 Modifying a User Account The following modifies the user1 account to default to aKorn shell, and assigns the account to the qa_group secon-
dary group../smuser modify -H myhost -p mypasswd -u root -- -n user1 \
-s /bin/ksh -G qa_group
ENVIRONMENT VARIABLESSee environ(5) for a description of the JAVA_HOME environ-
ment variable, which affects the execution of the smuser
command. If this environment variable is not specified, the /usr/java location is used. See smc(1M). EXIT STATUS The following exit values are returned: 0 Successful completion. 1 Invalid command syntax. A usage message displays.SunOS 5.11 Last change: 11 Dec 2009 16
System Administration Commands smuser(1M)
2 An error occurred while executing the command. An error message displays. FILESThe following files are used by the smuser command:
/etc/aliases Mail aliases. See aliases(4)./etc/auto_home
Automatic mount points. See automount(1M). /etc/group Group file. See group(4). /etc/passwd Password file. See passwd(4). /etc/security/policy.conf Configuration file for security policy. See policy.conf(4). /etc/shadow Shadow password file. See shadow(4)./etc/user_attr
Extended user attribute database. See user_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:SunOS 5.11 Last change: 11 Dec 2009 17
System Administration Commands smuser(1M)
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmga ||_____________________________|_____________________________|
| Interface Stability | Committed ||_____________________________|_____________________________|
SEE ALSO
automount(1M), smc(1M), aliases(4), group(4), passwd(4),policy.conf(4), shadow(4), user_attr(4), attributes(5),
environ(5)SunOS 5.11 Last change: 11 Dec 2009 18