
smuser


NAME
     smuser - manage user entries

SYNOPSIS
     /usr/sadm/bin/smuser subcommand [auth_args] -- [subcommand_args]

DESCRIPTION
     The smuser command manages one or more user entries  in  the
     local /etc filesystem or a NIS or NIS+ target name service.

  subcommands
     smuser subcommands are:

     add             Adds a new user  entry  to  the  appropriate
                     files. You can use a template and input file
                     instead of supplying the additional  command
                     line options. If you use a template and com-
                     mand line options, the command line  options
                     take precedence and override any conflicting
                     template  values.  To  add  an  entry,   the
                     administrator       must       have      the
                     solaris.admin.usermgr.write authorization.



     delete          Deletes one or more user  entries  from  the
                     appropriate  files.  To delete an entry, the
                     administrator      must       have       the
                     solaris.admin.usermgr.write   authorization.
                     Note: You cannot delete the system  accounts
                     with  IDs less than 100, or 60001, 60002, or
                     65534.



     list            Lists one or more user entries from the
                     appropriate  files.  To  list  entries,  the
                     administrator      must       have       the
                     solaris.admin.usermgr.read authorization.



     modify          Modifies a user  entry  in  the  appropriate
                     files. To modify an entry, the administrator
                     must  have  the  solaris.admin.usermgr.write
                     authorization.



OPTIONS

     The smuser authentication arguments, auth_args, are  derived
     from  the  smc(1M)  arg  set  and are the same regardless of
     which subcommand you use.  The smuser command  requires  the
     Solaris Management Console to be initialized for the command
     to  succeed  (see  smc(1M)).  After  rebooting  the  Solaris
     Management Console server, the first Solaris Management Con-
     sole connection might time out, so you might need  to  retry
     the command.

     The subcommand-specific options, subcommand_args, must  come
     after  the  auth_args and must be separated from them by the
     -- option.

  auth_args
     The valid auth_args, -D, -H, -l, -p, -r, and -u, are described
     below. They are all optional. These options are a subset of the
     full complement of supported options described in smc(1M).

     If no auth_args are  specified,  certain  defaults  will  be
     assumed and the user may be prompted for additional informa-
     tion, such as a password for authentication purposes.  These
     letter  options  can  also  be specified by their equivalent
     option words preceded by a double dash.   For  example,  you
     can use either -D or --domain with the domain argument.

     -D | --domain  domain

         Specifies the default domain that you  want  to  manage.
         The  syntax  of  domain  is type:/host_name/domain_name,
         where  type  is  nis,  nisplus,  dns,  ldap,  or   file;
         host_name  is  the  name  of the machine that serves the
         domain; and domain_name is the name of  the  domain  you
         want to manage. (Note: Do not use nis+ for nisplus.)

         If you do not specify this option, the  Solaris  Manage-
         ment Console assumes the file default domain on whatever
         server you choose to manage, meaning  that  changes  are
         local  to the server. Toolboxes can change the domain on
         a tool-by-tool basis; this option specifies  the  domain
         for all other tools.



     -H | --hostname  host_name:port

         Specifies the host_name and port to which  you  want  to
         connect.  If  you do not specify a port, the system con-
         nects to the default port, 898. If you  do  not  specify
         host_name:port,  the Solaris Management Console connects
         to the local host on port 898. You  may  still  have  to
         choose  a toolbox to load into the console.  To override
         this behavior, use the smc(1M) -B option,  or  set  your
         console preferences to load a "home toolbox" by default.



     -l | --rolepassword  role_password

         Specifies the password for the role_name. If you specify
         a role_name but do not specify a role_password, the sys-
         tem prompts you to  supply  a  role_password.  Passwords
         specified on the command line can be seen by any user on
         the system, hence this option is considered insecure.



     -p | --password  password

         Specifies the password for the user_name. If you do  not
         specify  a  password,  the  system  prompts you for one.
         Passwords specified on the command line can be  seen  by
         any  user on the system, hence this option is considered
         insecure.



     -r | --rolename  role_name

         Specifies a role name for authentication. If you do  not
         specify this option, no role is assumed.



     -u | --username  user_name

         Specifies the user name for authentication.  If  you  do
         not  specify  this option, the user identity running the
         console process is assumed.



     --

         This option is  required  and  must  always  follow  the
         preceding  options.  If  you  do not enter the preceding
         options, you must still enter the -- option.



  subcommand_args
     Note: Descriptions and other arg options that contain
     whitespace must be enclosed in double quotes.

     To add or change privileges, the administrator must have the
     solaris.admin.privilege.write       authorization.       See
     privileges(5).

       o  For subcommand add:

          -c comment

              (Optional) Includes  a  short  description  of  the
              login, which is typically the user's name. Consists
              of a string of  up  to  256  printable  characters,
              excluding the colon (:).



          -d dir

              (Optional) Specifies the home directory of the  new
              user, limited to 1024 characters.



          -e ddmmyyyy

              (Optional) Specifies  the  expiration  date  for  a
              login.  After  this  date,  no user can access this
              login. This option is useful for creating temporary
              logins. Specify a null value (" ") to indicate that
              the login is always valid. The  administrator  must
              have the solaris.admin.usermgr.pswd authorization.



          -f inactive

              (Optional) Specifies the  maximum  number  of  days
              allowed  between  uses of a login ID before that ID
              is declared invalid.  Normal  values  are  positive
              integers.  Enter  zero  to  indicate that the login
              account is always active.



          -F full_name

              (Optional) Specifies the full, descriptive name  of
              the  user.  The  full_name  must be unique within a
              domain and can contain alphanumeric characters  and
              spaces.  If  you  use  spaces, you must enclose the
              full_name in double quotes.


          -g group

              (Optional) Specifies the new user's  primary  group
              membership  in  the  system  group database with an
              existing group's integer ID.



          -G group1 -G group2 . . .

              (Optional) Specifies the new  user's  supplementary
              group  membership in the system group database with
              the character string names of one or more  existing
              groups.  Duplicates of groups specified with the -g
              and -G options are ignored.



          -h

              (Optional) Displays the command's usage statement.



          -n login

              Specifies the new user's login name. The login name
              must  be  unique  within  a  domain,  contain  2-32
              alphanumeric characters, begin with a  letter,  and
              contain at least one lowercase letter.



          -P password

              (Optional) Specifies up to an eight-character pass-
              word  assigned  to the user account. Note: When you
              specify a password, you type the password in  plain
              text.  Specifying  a  password  using  this  method
              introduces a security gap while the command is run-
              ning.  To  set the password, the administrator must
              have the solaris.admin.usermgr.pswd authorization.



          -s shell

              (Optional) Specifies the full pathname (limited  to
              1024  characters) of the program used as the user's
              shell on login. Valid entries  are  a  user-defined
              shell, /bin/csh (C shell), /bin/ksh (Korn shell),
              and the default, /bin/sh (Bourne shell).

          -t template

              (Optional) Specifies a template, created using  the
              User  Manager  tool,  that  contains  a set of pre-
              defined user attributes. You  may  have  entered  a
              name  service server in the template. However, when
              a user is actually added with this template,  if  a
              name  service  is  unavailable,  the  user's  local
              server will be used for  both  the  Home  Directory
              Server and Mail Server.



          -u uid

              (Optional) Specifies the user ID of  the  user  you
              want to add. If you do not specify this option, the
              system assigns the next available  unique  user  ID
              greater than 100.



          -x autohome=Y|N

              (Optional) Sets the home directory to automount  if
              set  to  Y.  The  user's home directory path in the
              password entry is set to /home/login name.



          -x mail=mail_server

              (Optional) Specifies the host name  of  the  user's
              mail server, and creates a mail file on the server.
              Users created in a local scope  must  have  a  mail
              server created on their local machines.



          -x perm=home_perm

              (Optional) Sets the permissions on the user's  home
              directory.  perm is interpreted as an octal number,
              and the default is 0775.



          -x pwmax=days

              (Optional) Specifies the  maximum  number  of  days
              that  the user's password is valid. The administra-
              tor  must   have   the   solaris.admin.usermgr.pswd
              authorization.



          -x pwmin=days

              (Optional) Specifies the  minimum  number  of  days
              between  user  password  changes. The administrator
              must have the solaris.admin.usermgr.pswd authoriza-
              tion.



          -x pwwarn=days

              (Optional) Specifies the number of days relative to
              pwmax  that  the  user  is  warned  about  password
              expiration prior  to  the  password  expiring.  The
              administrator         must         have         the
              solaris.admin.usermgr.pswd authorization.



          -x serv=homedir_server

              (Optional) Specifies the name of the  server  where
              the user's home directory resides. Users created in
              a local scope must have their home directory server
              created on their local machines.



          -M limit_privs

              Specifies the privilege name(s) to add to  the  new
              user_attr(4)  entry.  The  default is all for limit
              privilege.

              To add or change privileges, the administrator must
              have  the  solaris.admin.privilege.write authoriza-
              tion. See privileges(5).



          -D default_privs

              Specifies the default privilege name(s) to  add  to
              the new user_attr(4) entry.




          The following options to the add subcommand are  avail-
          able  only  if  a  system  is  configured  with Solaris
          Trusted Extensions. See  "Using  Options  that  Require
          Solaris Trusted Extensions," below.


          -x clear=clearanceval

              (Optional) Specifies the role's clearance.
              clearanceval can be a string value or a hex value. If this
              option is not specified, the default is the  user's
              system default clearance. To set the clearance, the
              administrator         must         have         the
              solaris.admin.usermgr.labels authorization.



          -x idlecmd=LOGOUT|LOCK

              Specifies the command to execute if the system  has
              been  idled. If LOGOUT is specified, idlecmd=logout
              will be recorded in user_attr. If  LOCK  is  speci-
              fied,  idlecmd=lock  will be recorded in user_attr.
              If this option is not specified, the default is the
              IDLECMD in the /etc/security/policy.conf file.



          -x idletime=minutes

              (Optional) Specifies the number of  minutes  before
              the  specified  idle  command  gets  executed.  Any
              integer value in the range from 1 to 120 is  valid.
              This    value   is   recorded   in   user_attr   as
              idletime=val. If this option is not specified,  the
              default      is     the     IDLETIME     in     the
              /etc/security/policy.conf file.



          -x label=labelval

              (Optional)  Specifies  the  user's  minimum  label.
              labelval  can  be a string label or a hex label. If
              this option is not specified, the  default  is  the
              user's  system  default  minimum  label. To set the
              minimum label,  the  administrator  must  have  the
              solaris.admin.usermgr.labels authorization.




          -x labelview=HIDE|SHOW

              (Optional) Specifies the second part of the
              labelview key-value pair. If SHOW is specified,
              labelview=*showsl will  be  recorded.  If  HIDE  is
              specified,  labelview=*hidesl will be recorded. The
              asterisk portion can be  replaced  by  "internal,",
              "external,",  or  ""(null).  If  this option is not
              specified, the default  is  the  LABELVIEW  in  the
              /etc/security/policy.conf file.



          -x lock=Y|N

              (Optional) Specifies if an account is locked  after
              a  specified number of failed logins. This value is
              recorded in  user_attr  as  lock_after_retries.  If
              this  option  is  not specified, the default is the
              LOCK_AFTER_RETRIES in the /etc/security/policy.conf
              file.



          -x view=INTERNAL|EXTERNAL|DEFAULT

              (Optional) Specifies the label view  type  for  the
              labelview  in  user_attr. If INTERNAL is specified,
              labelview=internal will be recorded; if EXTERNAL is
              specified,  labelview=external will be recorded; if
              DEFAULT is specified, nothing will be  recorded  in
              user_attr.  If  this  option  is not specified, the
              default  action,  that  nothing  gets  recorded  in
              user_attr, is in effect.


       o  For subcommand delete:

          -h

              (Optional) Displays the command's usage statement.



          -n login1

              Specifies the login name of the user  you  want  to
              delete.




          -n login2 . . .

              (Optional) Specifies the additional  login  name(s)
              of the user(s) you want to delete.




       o  For subcommand list:

          -h

              (Optional) Displays the command's usage statement.



          -l

              Displays the output for each user  in  a  block  of
              key:value  pairs (for example, user name:root) fol-
              lowed by a blank line to delimit each  user  block.
              Each  key:value  pair  is  displayed  on a separate
              line. The keys are: autohome setup,  comment,  days
              to  warn,  full name,home directory, home directory
              permissions, login shell,  mail  server,  max  days
              change,  max  days inactive, min days change, pass-
              word expires, password type, primary group, rights,
              roles, secondary groups, server, user ID (UID), and
              user name.



          -n login1

              Specifies the login name of the user  you  want  to
              list.



          -n login2 . . .

              (Optional) Specifies the additional  login  name(s)
              of the user(s) you want to list.




       o  For subcommand modify:

          -a addrole1 -a addrole2 . . .

              (Optional) Specifies the role(s) to add to the user
              account.  To  assign a role to a user, the adminis-
              trator must have the solaris.role.assign authoriza-
              tion or must have the solaris.role.delegate author-
              ization and be a member of each of the roles speci-
              fied.



          -c comment

              (Optional) Describes the changes you  made  to  the
              user  account.  Consists  of  a string of up to 256
              printable characters, excluding the colon (:).



          -d description

              (Optional) Specifies  the  user's  home  directory,
              limited to 1024 characters.



          -e ddmmyyyy

              (Optional) Specifies  the  expiration  date  for  a
              login  in a format appropriate to the locale. After
              this date, no user  can  access  this  login.  This
              option  is  useful  for  creating temporary logins.
              Specify a null value (" ")  to  indicate  that  the
              login is always valid.



          -f inactive

              (Optional) Specifies the  maximum  number  of  days
              allowed between uses of a login ID before the ID is
              declared  invalid.  Normal  values   are   positive
              integers.  Specify  zero to indicate that the login
              account is always active.



          -F full_name

              (Optional) Specifies the full, descriptive name  of
              the  user.  The  full_name  must be unique within a
              domain and can contain alphanumeric characters  and
              spaces.  If  you  use  spaces, you must enclose the
              full_name in double quotes.

          -g group

              (Optional) Specifies the new user's  primary  group
              membership  in  the  system  group database with an
              existing group's integer ID.



          -G group1 -G group2 . . .

              (Optional) Specifies the new  user's  supplementary
              group  membership in the system group database with
              the character string names of one or more  existing
              groups.  Duplicates of groups specified with the -g
              and -G options are ignored.



          -h

              (Optional) Displays the command's usage statement.



          -n name

              Specifies the user's current login name.



          -N new_name

              (Optional) Specifies the user's new login name. The
              login  name must be unique within a domain, contain
              2-32 alphanumeric characters, begin with a  letter,
              and contain at least one lowercase letter.



          -p addprof1 -p addprof2 . . .

              (Optional) Specifies the profile(s) to add  to  the
              user  account.  To  assign a profile to a user, the
              administrator must have the  solaris.profmgr.assign
              or solaris.profmgr.delegate authorization.



          -P password

              (Optional) Specifies up to an eight-character pass-
              word assigned to the user account.
              When you specify a password, you type the  password
              in  plain  text.  Specifying  a password using this
              method introduces a security gap while the  command
              is running.



          -q delprof1 -q delprof2 . . .

              (Optional) Specifies the profile(s) to delete  from
              the user account.



          -r delrole1 -r delrole2 . . .

              (Optional) Specifies the role(s) to delete from the
              user account.



          -s shell

              (Optional) Specifies the full pathname (limited  to
              1024  characters) of the program used as the user's
              shell on login. Valid entries  are  a  user-defined
              shell, /bin/csh (C shell), /bin/ksh (Korn shell),
              and the default, /bin/sh (Bourne shell).



          -x autohome=Y|N

              (Optional) Sets up the home directory to  automount
              if  set to Y. The user's home directory path in the
              password entry is set to /home/login name.



          -x pwmax=days

              (Optional) Specifies the  maximum  number  of  days
              that the user's password is valid.



          -x pwmin=days

              (Optional) Specifies the  minimum  number  of  days
              between password changes.


          -x pwwarn=days

              (Optional) Specifies the number of days relative to
              pwmax  that  the  user  is  warned  about  password
              expiration before the password expires.



          -M limit_privs

              Specifies the privilege name(s) to  modify  in  the
              user_attr(4)  entry.  The  default is all for limit
              privilege.

              To add or change privileges, the administrator must
              have  the  solaris.admin.privilege.write authoriza-
              tion. See privileges(5).



          -D default_privs

              Specifies the default privilege name(s)  to  modify
              in the user_attr(4) entry.




          The following options  to  the  modify  subcommand  are
          available  only  if a system is configured with Solaris
          Trusted Extensions. See  "Using  Options  that  Require
          Solaris Trusted Extensions," below.


          -x clear=clearanceval

              (Optional) Specifies the role's clearance.
              clearanceval can be a string value or a hex value. If this
              option is not specified, the default is the  user's
              system default clearance. To set the clearance, the
              administrator         must         have         the
              solaris.admin.usermgr.labels authorization.



          -x idlecmd=LOGOUT|LOCK

              Specifies the command to execute if the system  has
              been  idled. If LOGOUT is specified, idlecmd=logout
              will be recorded in user_attr. If  LOCK  is  speci-
              fied,  idlecmd=lock  will be recorded in user_attr.
              If this option is not specified, the default is the
              IDLECMD in the /etc/security/policy.conf file.



          -x idletime=minutes

              (Optional) Specifies the number of  minutes  before
              the  specified  idle  command  gets  executed.  Any
              integer value in the range from 1 to 120 is  valid.
              This    value   is   recorded   in   user_attr   as
              idletime=val. If this option is not specified,  the
              default      is     the     IDLETIME     in     the
              /etc/security/policy.conf file.



          -x label=labelval

              (Optional)  Specifies  the  user's  minimum  label.
              labelval  can  be a string label or a hex label. If
              this option is not specified, the  default  is  the
              user's  system  default  minimum  label. To set the
              minimum label,  the  administrator  must  have  the
              solaris.admin.usermgr.labels authorization.



          -x labelview=HIDE|SHOW

              (Optional) Specifies the second part of the
              labelview key-value pair. If SHOW is specified,
              labelview=*showsl will  be  recorded.  If  HIDE  is
              specified,  labelview=*hidesl will be recorded. The
              asterisk portion can be  replaced  by  "internal,",
              "external,",  or  ""(null).  If  this option is not
              specified, the default  is  the  LABELVIEW  in  the
              /etc/security/policy.conf file.



          -x lock=Y|N

              (Optional) Specifies if an account is locked  after
              a  specified number of failed logins. This value is
              recorded in  user_attr  as  lock_after_retries.  If
              this  option  is  not specified, the default is the
              LOCK_AFTER_RETRIES in the /etc/security/policy.conf
              file.




          -x view=INTERNAL|EXTERNAL|DEFAULT

              (Optional) Specifies the label view  type  for  the
              labelview  in  user_attr. If INTERNAL is specified,
              labelview=internal will be recorded; if EXTERNAL is
              specified,  labelview=external will be recorded; if
              DEFAULT is specified, nothing will be  recorded  in
              user_attr.  If  this  option  is not specified, the
              default  action,  that  nothing  gets  recorded  in
              user_attr, is in effect.



  Using Options that Require Solaris Trusted Extensions
     To use an option that requires the  Solaris  Trusted  Exten-
     sions feature, you must use the -B toolbox option to specify
     a toolbox that contains support for Trusted Extensions.  For
     example:

     # smuser add -H myhost -p mypasswd -x idlecmd=LOGOUT \
     -B http://<server>/toolboxes/tsol_files.tbx


     In the command above, <server> is the name  of  the  machine
     running  the  Solaris  Management Console. See smc(1M) for a
     description of the -B option.

EXAMPLES
     Example 1: Creating a New User Account

     The following creates a new user account on the  local  file
     system.  The account name is user1, and the full name is Joe
     Smith. The comment field verifies that the  account  is  for
     Joe Smith. The system will assign the next available user ID
     greater than 100 to this account. There is no  password  set
     for  this  account,  so when Joe Smith logs in for the first
     time, he will be prompted to enter a password.


     ./smuser add -H myhost -p mypasswd -u root -- -F "Joe Smith" \
                  -n user1 -c "Joe's account"


     Example 2: Deleting a User Account

     The following deletes the user1 account from the local  file
     system:


     ./smuser delete -H myhost -p mypasswd -u root -- -n user1


     Example 3: Listing All User Accounts

     The following lists all user accounts on the local file sys-
     tem in summary form:


     ./smuser list -H myhost -p mypasswd -u root --


     Example 4: Modifying a User Account

     The following modifies the user1 account  to  default  to  a
     Korn  shell,  and assigns the account to the qa_group secon-
     dary group.


     ./smuser modify -H myhost -p mypasswd -u root -- -n user1 \
                  -s /bin/ksh -G qa_group
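
     The four examples above all pass -p mypasswd, which the OPTIONS
     section describes as insecure because any user on the system can
     see it. The following added example (not part of the original man
     page; the function names are hypothetical) is a POSIX sh helper
     that walks an smuser argument list, tells the auth_args -p and -l
     apart from the subcommand -p, -l and -P by tracking the --
     separator, and either reports or masks passwords before a command
     line is written to a log.

```shell
#!/bin/sh
# Added example, not part of the man page. Function names are hypothetical.
# Only options named on this page are recognised; -B is assumed to take a
# value because the page passes it a toolbox URL.

# _smuser_walk MODE SUBCOMMAND [auth_args] -- [subcommand_args]
#   MODE=find   : print "<section>:<option>" for each password found in argv
#   MODE=redact : print the command line with password values masked
# Returns 2 when the mandatory "--" separator is missing.
_smuser_walk() {
    [ $# -ge 2 ] || return 2
    mode=$1 sub=$2; shift 2
    section=auth hits=0 line="smuser $sub"
    while [ $# -gt 0 ]; do
        opt=$1; shift
        secret=no takes_value=no
        if [ "$section" = auth ]; then
            case $opt in
                --) section=sub ;;
                -p|--password|-l|--rolepassword) secret=yes takes_value=yes ;;
                -D|--domain|-H|--hostname|-r|--rolename|-u|--username|-B)
                    takes_value=yes ;;
            esac
        else
            # After "--" the same letters mean different things:
            # -P is the account password, modify -p adds a profile,
            # list -l selects the key:value output format.
            case $sub:$opt in
                add:-P|modify:-P) secret=yes takes_value=yes ;;
                *:-h|list:-l) ;;
                *:-*) takes_value=yes ;;
            esac
        fi
        line="$line $opt"
        if [ "$takes_value" = yes ] && [ $# -gt 0 ]; then
            if [ "$secret" = yes ]; then
                hits=$((hits + 1))
                if [ "$mode" = find ]; then echo "$section:$opt"; fi
                line="$line ********"
            else
                line="$line $1"
            fi
            shift
        fi
    done
    if [ "$section" = auth ]; then
        echo "smuser: missing required -- separator" >&2
        return 2
    fi
    if [ "$mode" = redact ]; then
        # Quoting of the original arguments is not preserved; the output
        # is meant for logs, not for re-execution.
        echo "$line"
        return 0
    fi
    [ "$hits" -eq 0 ]   # find mode: status 1 when a password was in argv
}

smuser_find_secrets() { _smuser_walk find "$@"; }
smuser_redact()       { _smuser_walk redact "$@"; }

# Constructed command lines modelled on the EXAMPLES section above.
smuser_redact modify -H myhost -p mypasswd -u root -- \
    -n user1 -s /bin/ksh -G qa_group
smuser_find_secrets add -u root -- -n user1 -P newpass1 \
    || echo "password present on the command line"
```

     Omitting -p, -l and -P makes smuser prompt for the value instead,
     which is the behaviour the option descriptions give for a missing
     password.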


ENVIRONMENT VARIABLES
     See environ(5) for a description of the  JAVA_HOME  environ-
     ment  variable,  which  affects  the execution of the smuser
     command.  If this environment variable is not specified, the
     /usr/java location is used. See smc(1M).

EXIT STATUS
     The following exit values are returned:

     0        Successful completion.



     1        Invalid command syntax. A usage message displays.



     2        An error occurred while executing the  command.  An
              error message displays.



FILES
     The following files are used by the smuser command:

     /etc/aliases                    Mail      aliases.       See
                                     aliases(4).



     /etc/auto_home                  Automatic mount points.  See
                                     automount(1M).

     /etc/group                      Group file. See group(4).



     /etc/passwd                     Password      file.      See
                                     passwd(4).



     /etc/security/policy.conf       Configuration file for secu-
                                     rity       policy.       See
                                     policy.conf(4).



     /etc/shadow                     Shadow  password  file.  See
                                     shadow(4).



     /etc/user_attr                  Extended   user    attribute
                                     database. See user_attr(4).



ATTRIBUTES
     See attributes(5) for descriptions of the  following  attri-
     butes:

     ____________________________________________________________
    |       ATTRIBUTE TYPE        |       ATTRIBUTE VALUE       |
    |_____________________________|_____________________________|
    | Availability                | SUNWmga                     |
    |_____________________________|_____________________________|
    | Interface Stability         | Evolving                    |
    |_____________________________|_____________________________|


SEE ALSO
     automount(1M),  smc(1M),  aliases(4),  group(4),  passwd(4),
     policy.conf(4),   shadow(4),   user_attr(4),  attributes(5),
     environ(5)










Man pages from Solaris 10 Update 8. See docs.sun.com and www.oracle.com for further documentation and Solaris information.