smbadm(1M)              System Administration Commands              smbadm(1M)

NAME

       smbadm - configure and manage CIFS local groups and users, and manage
       domain membership

SYNOPSIS

       smbadm add-member -m member [[-m member] ...] group

       smbadm create [-d description] group

       smbadm delete group

       smbadm disable-user username

       smbadm enable-user username

       smbadm get [[-p property] ...] group

       smbadm join -u username domain

       smbadm join -w workgroup

       smbadm list

       smbadm remove-member -m member [[-m member] ...] group

       smbadm rename group new-group

       smbadm set -p property=value [[-p property=value] ...] group

       smbadm show [-m] [-p] [group]

DESCRIPTION

       The smbadm command is used to configure CIFS local groups and to manage
       domain membership. You can also use the smbadm command to enable or
       disable SMB password generation for individual local users.

       CIFS local groups can be used when Windows accounts must be members of
       some local groups and when Windows style privileges must be granted.
       Solaris local groups cannot provide these functions.

       There are two types of local groups: user defined and built-in.
       Built-in local groups are predefined local groups to support common
       administration tasks.

       In order to provide proper identity mapping between CIFS local groups
       and Solaris groups, a CIFS local group must have a corresponding
       Solaris group. This requirement has two consequences: first, the group
       name must conform to the intersection of the Windows and Solaris group
       name rules. Thus, a CIFS local group name can be up to eight (8)
       characters long and contain only lowercase characters and numbers.
       Second, a Solaris local group has to be created before a CIFS local
       group can be created.

       Built-in groups are standard Windows groups and are predefined by the
       CIFS service. The built-in groups cannot be added, removed, or renamed,
       and these groups do not follow the CIFS local group naming conventions.

       When the CIFS server is started, the following built-in groups are
       available:

       Administrators

           Group members can administer the system.

       Backup Operators

           Group members can bypass file access controls to back up and
           restore files.

       Power Users

           Group members can share directories.

       Solaris local users must have an SMB password for authentication and to
       gain access to CIFS resources. This password is created by using the
       passwd(1) command when the pam_smb_passwd module is added to the
       system's PAM configuration. See the pam_smb_passwd(5) man page.

       The disable-user and enable-user subcommands control SMB
       password-generation for a specified local user. When disabled, the user
       is prevented from connecting to the Solaris CIFS service. By default,
       SMB password-generation is enabled for all local users.

       To reenable a disabled user, you must use the enable-user subcommand
       and then reset the user's password by using the passwd command. The
       pam_smb_passwd.so.1 module must be added to the system's PAM
       configuration to generate an SMB password.

   Escaping Backslash Character
       For the add-member, remove-member, and join (with -u) subcommands, the
       backslash character (\) is a valid separator between member or user
       names and domain names. The backslash character is a shell special
       character and must be quoted. For example, you might escape the
       backslash character with another backslash character: domain\\username.
       For more information about handling shell special characters, see the
       man page for your shell.
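
       The quoting rule above, together with the group-name rule and the
       member-name formats from this page, as an added example that is not
       part of the original man page. The helper names (valid_group_name,
       split_member, smb_add_members, show_arg), the SMBADM override
       variable, and the sample names are assumptions made for illustration.

```shell
#!/bin/sh
# Added example; helper names and the SMBADM override are hypothetical.
LC_ALL=C; export LC_ALL        # make [a-z] mean ASCII lowercase only

# CIFS local group name rule from DESCRIPTION: at most eight characters,
# lowercase letters and digits only.
valid_group_name() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Accept [domain\]username or [domain/]username; print "domain username"
# ("-" when no domain is given). Reject empty parts or repeated separators.
split_member() {
    case "$1" in
        *\\*\\*|*/*/*|*\\*/*|*/*\\*) return 1 ;;
        *\\*) d=${1%%\\*}; u=${1#*\\} ;;
        */*)  d=${1%%/*};  u=${1#*/} ;;
        *)    d=-; u=$1 ;;
    esac
    [ -n "$d" ] && [ -n "$u" ] || return 1
    printf '%s %s\n' "$d" "$u"
}

# Validate everything first, then call smbadm once with each member passed
# as a single, double-quoted argument so the backslash survives.
smb_add_members() {
    group=$1; shift
    valid_group_name "$group" || { printf 'bad group name: %s\n' "$group" >&2; return 2; }
    [ "$#" -gt 0 ] || { printf 'no members given\n' >&2; return 2; }
    for m in "$@"; do
        split_member "$m" >/dev/null || { printf 'bad member: %s\n' "$m" >&2; return 2; }
    done
    for m in "$@"; do            # rewrite "$@" as: -m member -m member ...
        set -- "$@" -m "$m"
        shift
    done
    "${SMBADM:-smbadm}" add-member "$@" "$group"
}

# What the command actually receives for each way of typing the name:
show_arg() { printf '%s' "$1"; }
show_arg sales\terry;   echo     # salesterry  (shell consumed the backslash)
show_arg sales\\terry;  echo     # sales\terry
show_arg 'sales\terry'; echo     # sales\terry
```

       Setting SMBADM to a stub command lets the wrapper be exercised on a
       system without the CIFS service installed.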

OPERANDS

       The smbadm command uses the following operands:

       domain

           Specifies the name of an existing Windows domain to join.

       group

           Specifies the name of the CIFS local group.

       username

           Specifies the name of a Solaris local user.

SUB-COMMANDS

       The smbadm command includes these subcommands:

       add-member -m member [[-m member] ...] group

           Adds the specified member to the specified CIFS local group. The -m
           member option specifies the name of a CIFS local group member. The
           member name must include an existing user name and an optional
           domain name.

           Specify the member name in either of the following formats:

             [domain\]username
             [domain/]username

           For example, a valid member name might be sales\terry or
           sales/terry, where sales is the Windows domain name and terry is
           the name of a user in the sales domain.

       create [-d description] group

           Creates a CIFS local group with the specified name. You can
           optionally specify a description of the group by using the -d
           option.

       delete group

           Deletes the specified CIFS local group. The built-in groups cannot
           be deleted.

       disable-user username

           Disables SMB password-generation capabilities for the specified
           local user. A disabled local user is prevented from accessing the
           system by means of the CIFS service. When a local user account is
           disabled, you cannot use the passwd command to modify the user's
           SMB password until the user account is reenabled.

       enable-user username

           Enables SMB password-generation capabilities for the specified
           local user. After the password-generation capabilities are
           reenabled, you must use the passwd command to generate the SMB
           password for the local user before the user can connect to the CIFS
           service.

           The passwd command manages both the Solaris password and SMB
           password for this user if the pam_smb_passwd module has been added
           to the system's PAM configuration.

       get [[-p property] ...] group

           Retrieves property values for the specified group. If no property
           is specified, all property values are shown.

       join -u username domain

           Joins a Windows domain or a workgroup.

           The default mode for the CIFS service is workgroup mode, which uses
           the default workgroup name, WORKGROUP.

           An authenticated user account is required to join a domain, so you
           must specify the Windows administrative user name with the -u
           option. If the password is not specified on the command line, the
           user is prompted for it. This user should be the domain
           administrator or any user who has administrative privileges for the
           target domain.

           username and domain can be entered in any of the following formats:

             username[+password] domain
             domain\username[+password]
             domain/username[+password]
             username@domain

           ...where domain can be the NetBIOS or DNS domain name.

           If a machine trust account for the system already exists on a
           domain controller, any authenticated user account can be used when
           joining the domain. However, if the machine trust account does not
           already exist, an account that has administrative privileges on the
           domain is required to join the domain.

       join -w workgroup

           Joins a Windows domain or a workgroup.

           The -w workgroup option specifies the name of the workgroup to join
           when using the join subcommand.

       list

           Shows information about the current workgroup or domain. The
           information typically includes the workgroup name or the primary
           domain name. When in domain mode, the information includes domain
           controller names and trusted domain names.

           Each entry in the output is identified by one of the following
           tags:

           - [*] -    Primary domain
           - [.] -    Local domain
           - [-] -    Other domains
           - [+] -    Selected domain controller

       remove-member -m member [[-m member] ...] group

           Removes the specified member from the specified CIFS local group.
           The -m member option specifies the name of a CIFS local group
           member. The member name must include an existing user name and an
           optional domain name.

           Specify the member name in either of the following formats:

             [domain\]username
             [domain/]username

           For example, a valid member name might be sales\terry or
           sales/terry, where sales is the Windows domain name and terry is
           the name of a user in the sales domain.

       rename group new-group

           Renames the specified CIFS local group. The group must already
           exist. The built-in groups cannot be renamed.

       set -p property=value [[-p property=value] ...] group

           Sets configuration properties for a CIFS local group. The
           description and the privileges for the built-in groups cannot be
           changed.

           The -p property=value option specifies the list of properties to be
           set on the specified group.

           The group-related properties are as follows:

           backup=[on|off]

               Specifies whether members of the CIFS local group can bypass
               file access controls to back up file system objects.

           description=description-text

               Specifies a text description for the CIFS local group.

           restore=[on|off]

               Specifies whether members of the CIFS local group can bypass
               file access controls to restore file system objects.

           take-ownership=[on|off]

               Specifies whether members of the CIFS local group can take
               ownership of file system objects.

       show [-m] [-p] [group]

           Shows information about the specified CIFS local group or groups.
           If no group is specified, information is shown for all groups. If
           the -m option is specified, the group members are also shown. If
           the -p option is specified, the group privileges are also shown.

EXIT STATUS

       The following exit values are returned:

       0            Successful completion.

       >0           An error occurred.

ATTRIBUTES

       See the attributes(5) man page for descriptions of the following
       attributes:

       ┌─────────────────────────────┬─────────────────────────────┐
       │      ATTRIBUTE TYPE         │      ATTRIBUTE VALUE        │
       ├─────────────────────────────┼─────────────────────────────┤
       │Availability                 │SUNWsmbsu                    │
       ├─────────────────────────────┼─────────────────────────────┤
       │Utility Name and Options     │Uncommitted                  │
       ├─────────────────────────────┼─────────────────────────────┤
       │Utility Output Format        │Not-An-Interface             │
       ├─────────────────────────────┼─────────────────────────────┤
       │smbadm join                  │Obsolete                     │
       └─────────────────────────────┴─────────────────────────────┘

SEE ALSO

       passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
       sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4),
       smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)

SunOS 5.11                        8 Jan 2009                        smbadm(1M)