Administering User Accounts

Objective:

Explain and perform Solaris 10 OS user administration, and manage user accounts and initialization files.

Access to a system is allowed only through user login accounts that are set up by the system administrator. A user account includes information that a user needs to log in and use a systema user login name, a password, the user's home directory, and login initialization files. Each of these items is described later in this chapter.

The following methods and tools are available in Solaris for adding new user accounts to a system:

• User and Group Manager A graphical user interface (GUI) that is available in the Solaris Management Console.

• The /usr/sadm/bin/smuser command A command that can be executed from the command line.

• The useradd command A command that can be executed from the command line.

As with many Unix commands, the command-line method of adding user accounts can be difficult for inexperienced administrators. For this reason, Sun has added user account administration to the Solaris Management Console (SMC).

Managing User and Group Accounts with the SMC

The SMC is a GUI that is designed to ease several routine system administration tasks. When you use the SMC, you are presented with a menu-like interface that is much easier to use than the ASCII interface supplied at the command prompt. This chapter describes how to use the SMC and the command line to administer user accounts on a system.

Adding User Accounts with the SMC

To perform administrative tasks such as adding user accounts, SMC will prompt you for the root password or an authorized RBAC account before allowing permission to add, create, and modify user accounts. Chapter 11, "Controlling Access and Configuring System Messaging," provides more information on RBAC.

The first step in setting up a new user account is to have the user provide the information you need in order to administer the account. You also need to set up proper permissions so that the user can share information with other members of his or her department. You need to know the user's full name, department, and any groups with which the user will be working. It's a good idea for the system administrator to sit down with the user and compile an information sheet (like the one shown in Table 4.1) so that you have all the information you need when you set up the account.

Table 4.1. User Information Data Sheet

Item
User name:
UID:
Primary group:
Secondary groups:
Comment:
Default shell:
Password status and aging:
Home directory server name:
Home directory path name:
Mail server:
Department name:
Department administrator:
Manager:
Employee name:
Employee title:
Employee status:
Employee number:
Start date:
Desktop system name:

To use the SMC to add a new user login account, you should follow the procedure described in Step by Step 4.1.

Step By Step 4.1: Adding a New Login Account 1. Start the SMC by typing smc at the command prompt. The SMC Welcome window appears, as shown in Figure 4.1. Figure 4.1. The SMC Welcome window. [View full size image] 2. In the left pane of the Welcome window, click the This Computer icon. The icon expands, displaying five additional icons, as shown in Figure 4.2. Figure 4.2. SMC tools. [View full size image] 3. Click the System Configuration icon, and the system configuration icons appear in the main pane of the window, as shown in Figure 4.3. One of these icons is Users. Figure 4.3. System configuration tools. [View full size image] 4. Click the Users icon. You are prompted to enter a username and password. You can either enter the root password or enter your roll name and password if you have an RBAC account. After you enter the correct name and password, the User Accounts tool is loaded and displayed in the main pane of the window, as shown in Figure 4.4. Figure 4.4. The Users Accounts tool. [View full size image] 5. Click the User Accounts icon. Current user accounts are displayed, then choose the Action menu and Add User, as shown in Figure 4.5. Figure 4.5. Displaying current user accounts. [View full size image] 6. From the top toolbar, select Action, Add User. Slide the mouse to the right, and you see two options for adding users, as shown in Figure 4.6. Select the With Wizard option. Figure 4.6. Adding a new user. [View full size image] The Add User Wizard appears, as shown in Figure 4.7. Figure 4.7. The Add User Wizard. [View full size image] 7. In the first wizard window that appears, all the fields are blank. Table 4.2 describes the information needed in this screen. If you aren't sure how to complete a field, read the Help screen in the left pane after you click on that field. After you enter the information in the first wizard window, click the Next button. Table 4.2. Add User Fields Field Description User Name A unique login name that is entered at the Solaris login prompt. You should choose a name that is unique to the organization. The name can contain two to eight uppercase characters (AZ), lowercase characters (az), or digits (09), but no underscores or spaces. The first character must be a letter, and at least one character must be a lowercase letter. The system allows you to use more than eight characters for the login name, but only the first eight characters are recognized. User ID The unique UID. The SMC automatically assigns the next available UID; however, in a networked environment, you need to make sure this number is not duplicated by another user on another system. All UIDs must be consistent across the network. A UID is typically a number between 100 and 60,002, but it can be as high as 2,147,483,647. Note that Solaris releases prior to Solaris 9 use 32-bit data types to contain the UIDs, but UIDs in those versions are constrained to a maximum useful value of 60,000. Starting with the Solaris 2.5.1 release and compatible versions, the limit on UID values has been raised to the maximum value of a signed integer, or 2,147,483,647. UIDs over 60,000 do not have full functionality and are incompatible with many Solaris features, so you should avoid using UIDs over 60,000. Primary Group The primary group name for the group to which the user will belong. This is the group that the operating system will assign to files created by the user. Group 10 (staff) is a predefined group that is sufficient for most users. Full Name and Description Optional comment fields. You can enter in these fields any comments, such as the full username, employee number, or phone number. Password The password status. You can select the following options: User Account is Locked This is the default. If you choose this option, the user account is created and the account locked. User Must Use This Password at First Login The account will have a password that you set in advance. Home Directory A field that points to an existing directory or specifies a new directory to create. This will be the location of the user's home directory and where the user's personal files will be stored. You should not include the username in this field. The username will automatically be added to the end of the path when the directory is created. Refer to the section "The Home Directory," later in this chapter. 8. Another window appears, asking you to enter a user ID (UID). Enter a UID and click Next. 9. In the third window of the wizard, you can either select to have the account locked or specify the password that the user will use the first time he or she logs in, as shown in Figure 4.8. Then click the Next button at the bottom of the window. Figure 4.8. The Enter the User's Password window. [View full size image] Note Changing a Password from the Command Line A user can type the Unix command passwd at any time from the command prompt to change his or her password. 10. After you enter the user password information, a fourth window opens, asking you to select the primary group for that user. Select a group from the pull-down menu, as shown in Figure 4.9, and click the Next button. Figure 4.9. Selecting the user's primary group. [View full size image] 11. The fifth wizard window asks you to set the user's home directory, as shown in Figure 4.10. Fill in the information for the user's home directory and click the Next button. Figure 4.10. Selecting the user's home directory. [View full size image] 12. The sixth window displays the user's mail server and mailbox information, as shown in Figure 4.11. Click the Next button to continue. Figure 4.11. The user's mailbox and mail server information. [View full size image] 13. The next window displays a summary of the new user information, as shown in Figure 4.12. If the information is correct, click the Finish button, and you are returned to the main SMC window. Otherwise, click Back to go back and re-enter the information. Figure 4.12. New user summary information. [View full size image]

When you use the Add User Wizard to create an account, the following defaults are assigned to the account:

• The default shell is the Bourne shell (/bin/sh).

• No secondary groups are set up.

To modify these settings, refer to the section "Modifying User Accounts with the SMC," later in this chapter.

Refer to the man pages for a description of this command.

Deleting User Accounts with the SMC

When a user account is no longer needed on a system, you need to delete it. Step by Step 4.2 describes how to perform this task.

Step By Step 4.2: Using the SMC to Delete Existing User Accounts 1. Follow the steps in Step by Step 4.1 for adding a new login account through the SMC. When you get to the User Accounts tool (refer to Figure 4.5), right-click the user you want to delete. A pop-up menu appears, as shown in Figure 4.13. Figure 4.13. Deleting a user account. [View full size image] 2. Select Delete from the pop-up menu. A confirmation window appears, as shown in Figure 4.14. Figure 4.14. The Delete User confirmation window. [View full size image] Select whether you want to delete the user's home directory and/or mailbox. Then click the Delete button at the bottom of the window to delete the account.

Modifying User Accounts with the SMC

If a login needs to be modifiedto change a password or disable an account, for exampleyou can use the SMC to modify the user account settings, as described in Step by Step 4.3.

Step By Step 4.3: Modifying User Accounts with the SMC 1. Follow the steps described in Step by Step 4.1 for adding a new login account through the SMC. When you get to the User Accounts tool (refer to Figure 4.5), double-click the user you want to modify. The window shown in Figure 4.15 appears. Figure 4.15. The User Properties window. [View full size image] 2. Modify any of the following items in the User Properties window: Change the username. Change the full name. Change the description of the account. Change the login shell. By default the user is assigned to the Bourne shell (/bin/sh). Change the account availability. This option allows you to specify a date on which the account is locked. Lock an account to prevent logins using this user name. Assign additional groups. Make the user a member of a project. Projects are described later in this chapter. Change the home directory. Share the home directory with other users or groups. Assign roles and grant rights to the account (see Chapter 11). Change the password or set password options, such as how often passwords should be changed, or expire passwords after a specified period of inactivity.

Adding Groups with the SMC

As a system administrator, you might need to add a group that does not already exist on the system. Perhaps a new group of users called engrg (from the Engineering Department) needs to be added. Step by Step 4.4 shows how to add this group to the system by using the SMC.

Step By Step 4.4: Adding Groups with the SMC 1. Follow the steps described in Step by Step 4.1 for adding a new login account through the SMC. When you get to the Users tool (refer to Figure 4.4), double-click the Groups icon. The list of groups appears in the Groups tool, as shown in Figure 4.16. Figure 4.16. The Groups tool. [View full size image] 2. From the top toolbar, select Action, Add Group, as shown in Figure 4.17. Figure 4.17. Adding a group. [View full size image] The Add Group window appears, as shown in Figure 4.18. Figure 4.18. The Add Group window. [View full size image] 3. Enter the group name engrg and then enter the unique GID number 200, then click on the OK button, as shown in Figure 4.19. Figure 4.19. Adding the engrg group. [View full size image] 4. Click OK when you're finished, and you are returned to the main SMC window. The list of groups displayed in the Groups window is updated to include the new group. You can modify the group by double-clicking the icon that represents the group that you want to change.

The /usr/sadm/bin/smgroup add command is the command-line equivalent of the SMC tool for adding a new group. For example, to add a group named development with a GID of 300, you enter this:

/usr/sadm/bin/smgroup add  -g 300 -n development

The system responds with this:

Authenticating as user: root
Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <Enter the Root Password>
Loading Tool: com.sun.admin.usermgr.cli.group.UserMgrGroupCli from ultra5

Refer to the man pages for a complete description of the smgroup command.

Managing User and Group Accounts from the Command Line

You can manage user accounts from the command line as well as through the SMC. Although using the command line is more complex than using the SMC GUI interface, the command line allows more options and provides a little more flexibility.

Solaris supplies the user administration commands described in Table 4.3 for setting up and managing user accounts.

Table 4.3. Account Administration Commands

Command	Description
useradd	Adds a new user account
userdel	Deletes a user account
usermod	Modifies a user account
groupadd	Adds a new group
groupmod	Modifies a group (for example, changes the GID or name)
groupdel	Deletes a group

Adding User Accounts from the Command Line

You can add new user accounts on the local system by using the useradd command. This command adds an entry for the new user into the /etc/passwd and /etc/shadow files, which are described later in this chapter, in the section "Where User Account Information Is Stored." Just like the SMC, the -m option to the useradd command copies all the user initialization files found in the /etc/skel directory into the new user's home directory. User initialization files are covered in the section "Setting Up Shell Initialization Files," later in this chapter.

The syntax for the useradd command is as follows:

useradd [-c comment] [-d dir] [-e expire]  [-f inactive]  [-g group] \
 [  -G group  [  , group...]] [ -m [-k skel_dir]] [-u uid  [-o]] \
 [-s shell]  [-A  authorization   [,authorization...]]
 [-P profile  [,profile...]] \
[-R role  [,role...]] [-p projname] [-K key=value] <loginname>

Table 4.4 describes these options.

Table 4.4. useradd Command Options

Option	Description
-A <authorization>	One or more comma-separated authorizations.
-b <base-dir>	The default base directory for the system if -d is not specified.
-u <uid>	Sets the unique UID for the user.
-o	Allows a UID to be duplicated. The default is not to let you choose a UID that is already in use.
-g <gid>	Specifies a predefined GID or name for the user that will be the user's primary group.
-G <gid>	Defines the new user's secondary group memberships. You can enter multiple groups, but they must be separated by commas. A user can belong to up to 15 additional groups. The number of groups can be increased to 32 by changing the kernel parameter ngroups_max.
-m	Creates a new home directory if one does not already exist.
-s <shell>	Defines the full pathname for the shell program to be used as the user's login shell. The default is /bin/sh if a shell is not specified.
-c <comment>	Specifies the user's full name, location, and phone number, in a comment.
-d <dir>	Specifies the home directory of the new user. It defaults to <base-dir>/<account-name>, where <base-dir> is the base directory for new login home directories and <account-name> is the new login name.
-D <dir>	Display the default values for group, basedir, skel-dir, and so on.
	When used with the -g, -b, -f, -e, -A, -P, -p, -R, or -K options, the -D option sets the default values for the specified fields.
-e <expiration>	Sets an expiration date on the user account. Specifies the date on which the user can no longer log in and access the account. After the specified date, the account is locked. Use the following format to specify the date: mm/dd/yy.
-f <inactive>	Sets the number of inactive days allowed on a user account. If the account is not logged in to during the specified number of days, the account is locked.
-k <skeldir>	Specifies an alternate location for the user initialization template files. Files from this directory are copied into the user's home directory when the -m option is specified. The default location is /etc/skel.
-p <project-name>	Specifies the name of the project that the user is associated with.
-P <profile>	Specifies an execution profile for the account. See Chapter 11 for information on execution profiles.
-R <role>	Specifies a role for the account. See Chapter 11 for information on roles.
<login-name>	Specifies the user login name to be assigned to this account.

Many additional options are available, although most of them are not used as often as the ones in Table 4.4. Additional options to the useradd command apply specifically to RBAC accounts and are described in Chapter 11. You can also refer to the man pages to find a listing of all the options to the useradd command.

The following example creates a new login account for Bill Calkins:

useradd -u 3000 -g other -d /export/home/bcalkins -m -s /bin/sh \
 -c "Bill Calkins, ext. 2345" bcalkins

The login name is bcalkins, the UID is 3000, and the group is other. In this example, you instruct the system to create a home directory named /export/home/bcalkins. The default shell is /bin/sh, and the initialization files are to be copied from the /etc/skel directory.

The /usr/sadm/bin/smuser add command is the command-line equivalent of the SMC tool for adding a new user. The advantage of using smuser over the useradd command is that smuser interacts with naming services, can use autohome functionality, and is well suited for remote management.

The smuser command has several subcommands and options. The syntax to add a user using smuser is

smuser add  [ auth args ] - [subcommand args]

A few of the more common arguments that can be used with the add subcommand are described in Table 4.5.

Table 4.5. add Subcommand Arguments

Argument	Description
-c <comment>	A short description of the login, typically the user's name and phone extension. This string can be up to 256 characters.
-d <directory>	Specifies the home directory of the new user. This string is limited to 1,024 characters.
-g <group>	Specifies the user's primary group membership.
-G <group>	Specifies the user's secondary group membership.
-n <login>	Specifies the user's login name.
-s <shell>	Specifies the user's login shell.
-u <uid>	Specifies the user ID of the user you want to add. If you do not specify this option, the system assigns the next available unique UID greater than 100.
-x autohome=Y|N	Sets the home directory to automount if set to Y.

The following example adds a new user named "bcalkins" and a comment field of "Bill Calkins ext. 100":

# /usr/sadm/bin/smuser add  -n bcalkins -c "Bill Calkins Ext 100"
Authenticating as user: root

Type /? for help, pressing <enter> accepts the default denoted by [ ]
Please enter a string value for: password :: <ENTER ROOT PASSWORD>
Loading Tool: com.sun.admin.usermgr.cli.user.UserMgrCli from smokey
Login to smokey as user root was successful.
Download of com.sun.admin.usermgr.cli.user.UserMgrCli from smokey
was successful.

After you press Enter, the system asks for the root password to authenticate Bill Calkins before adding the new login account. The next step would be to set a password for the account using the passwd command as follows:

# passwd bcalkins
passwd: Changing password for bcalkins
New Password: <ENTER PASSWORD>
Re-enter new Password: <RE_ENTER PASSWD>
passwd: password successfully changed for bcalkins

Options that can be used with the passwd command are described in Table 4.6.

Table 4.6. passwd Options

Option	Description
-s <name>	Shows password attributes for a particular user. When used with the -a option, attributes for all user accounts are displayed.
-d <name>	Deletes password for name and unlocks the account. The login name is not prompted for a password.
-e <name>	Changes the login shell, in the /etc/passwd file, for a user.
-f <name>	Forces the user to change passwords at the next login by expiring the password.
-h <name>	Changes the home directory, in the /etc/passwd file, for a user.
-l <name>	Lock a user's account. Use the -d or -u option to unlock the account.
-N <name>	Makes the password entry for <name> a value that cannot be used for login but does not lock the account.
-u <name>	Unlocks a locked account.

To force a user to change his or her password at the next login, type

# passwd -f bcalkins
passwd: password information changed for bcalkins
#

To change a user's home directory, type

# passwd -h bcalkins

The system responds with

Default values are printed inside of '[]'.
To accept the default, type <return>.
To have a blank entry, type the word 'none'.

Enter the new home directory when prompted:

Home Directory [/home/wcalkins]: /home/bcalkins
passwd: password information changed for bcalkins

Modifying User Accounts from the Command Line

You use the usermod command to modify existing user accounts from the command line. You can use usermod to modify most of the options that were used when the account was originally created.

The following is the syntax for the usermod command:

usermod [ -u uid [-o]] [-g group] [ -G group [ ,  group...]]
[  -d dir  [-m]]  [-s shell]  [-c comment]  [-l new_name] [-f inactive]
[-e expire]  [-A  authorization2   [,  authorization]]  [-P  profile
[,  profile]] [-R role  [, role]] [-K key=value] <loginname>

The options used with the usermod command are the same as those described for the useradd command, except for those listed in Table 4.7.

Table 4.7. usermod Command Options

Option	Description
-l <new-login-name>	Changes a user's login name on a specified account
-m	Moves the user's home directory to the new location specified with the -d option

Additional options to the usermod command apply specifically to RBAC accounts and are described in Chapter 11.

The following example changes the login name for user bcalkins to wcalkins:

usermod -d /export/home/wcalkins -m -s /bin/ksh -l wcalkins bcalkins

This example also changes the home directory to /export/home/wcalkins and default shell to /bin/ksh.

To set a user's account expiration date, you enter this:

usermod -e 10/15/2006 wcalkins

The account is now set to expire October 15, 2006. Notice the entry made to the /etc/shadow file:

wcalkins:1luzXWgmH3LeA:13005::::::

The syntax of the /etc/shadow file is described later in this chapter, in the section "Where User Account Information Is Stored."

The /usr/sadm/bin/smuser modify command is the command-line equivalent of the SMC tool for modifying an existing user account.

Deleting User Accounts from the Command Line

You use the userdel command to delete a user's login account from the system. You can specify options to save or remove the user's home directory. The syntax for the userdel command is as follows:

userdel [-r] <login-name>

-r removes the user's home directory from the local file system. If this option is not specified, only the login is removed; the home directory remains intact.

The following example removes the login account for bcalkins but does not remove the home directory:

userdel bcalkins

The /usr/sadm/bin/smuser delete command is the command-line equivalent of the SMC tool for deleting an existing user account.

Adding Group Accounts from the Command Line

You use the groupadd command to add new group accounts on the local system. This command adds an entry to the /etc/group file. The syntax for the groupadd command is as follows:

groupadd [-g <gid>] -o <group-name>

Table 4.8 describes the groupadd command options.

Table 4.8. groupadd Command Options

Option	Description
-g <gid>	Assigns the GID <gid> for the new group.
-o	Allows the GID to be duplicated. In other words, more than one group with group-name can share the same GID.

The following example adds to the system a new group named acct with a GID of 1000:

groupadd -g 1000 acct

The /usr/sadm/bin/smgroup add command is the command-line equivalent of the SMC tool for creating a new group.

Modifying Group Accounts from the Command Line

You use the groupmod command to modify the definitions of a specified group. The syntax for the groupmod command is as follows:

groupmod [-g <gid>] -o [-n <name>] <group-name>

Table 4.9 describes the groupmod command options.

Table 4.9. groupmod Command Options

Option	Description
-g <gid>	Assigns the new GID <gid> for the group.
-o	Allows the GID to be duplicated. In other words, more than one group with group-name can share the same GID.
-n <name>	Specifies a new name for the group.

The following example changes the engrg group GID from 200 to 2000:

groupmod -g 2000 engrg

Any files that had the group ownership of "engrg" are now without a group name. A long listing would show a group ownership of 200 on these files, the previous GID for the engrg group. The group 200 no longer exists on the system, so only the GID is displayed in a long listing.

The /usr/sadm/bin/smgroup modify command is the command-line equivalent of the SMC tool for modifying an existing group.

Deleting Group Accounts from the Command Line

You use the groupdel command to delete a group account from the local system. The syntax for the groupdel command is as follows:

groupdel <group-name>

The following example deletes the group named acct from the local system:

groupdel acct

The /usr/sadm/bin/smgroup delete command is the command-line equivalent of the SMC tool for deleting an existing group.