SMBADM(1M) Maintenance Commands SMBADM(1M)

NAME

smbadm - configure and manage CIFS local groups and users, and manage domain membership

SYNOPSIS


smbadm add-member -m member [[-m member] ...] group
 

smbadm create [-d description] group
 

smbadm delete group
 

smbadm disable-user username
 

smbadm enable-user username
 

smbadm get [[-p property] ...] group
 

smbadm join [-y] -u username domain
 

smbadm join [-y] -w workgroup
 

smbadm list
 

smbadm lookup account-name [account-name [...]]
 

smbadm remove-member -m member [[-m member] ...] group
 

smbadm rename group new-group
 

smbadm set -p property=value [[-p property=value] ...] group
 

smbadm show [-m] [-p] [group]
 

DESCRIPTION

The smbadm command is used to configure CIFS local groups and to manage domain membership. You can also use the smbadm command to enable or disable SMB password generation for individual local users.
 
CIFS local groups can be used when Windows accounts must be members of some local groups and when Windows style privileges must be granted. Solaris local groups cannot provide these functions.
 
There are two types of local groups: user defined and built-in. Built-in local groups are predefined local groups to support common administration tasks.
 
In order to provide proper identity mapping between CIFS local groups and Solaris groups, a CIFS local group must have a corresponding Solaris group. This requirement has two consequences: first, the group name must conform to the intersection of the Windows and Solaris group name rules. Thus, a CIFS local group name can be up to eight (8) characters long and contain only lowercase characters and numbers. Second, a Solaris local group has to be created before a CIFS local group can be created.
 
Built-in groups are standard Windows groups and are predefined by the CIFS service. The built-in groups cannot be added, removed, or renamed, and these groups do not follow the CIFS local group naming conventions.
 
When the CIFS server is started, the following built-in groups are available:
 
Administrators
 
Group members can administer the system.
 
 
Backup Operators
 
Group members can bypass file access controls to back up and restore files.
 
 
Power Users
 
Group members can share directories.
 
 
Solaris local users must have an SMB password for authentication and to gain access to CIFS resources. This password is created by using the passwd(1) command when the pam_smb_password module is added to the system's PAM configuration. See the pam_smb_passwd(5) man page.
 
The disable-user and enable-user subcommands control SMB password-generation for a specified local user. When disabled, the user is prevented from connecting to the Solaris CIFS service. By default, SMB password-generation is enabled for all local users.
 
To reenable a disabled user, you must use the enable-user subcommand and then reset the user's password by using the passwd command. The pam_smb_passwd.so.1 module must be added to the system's PAM configuration to generate an SMB password.

Escaping Backslash Character

For the add-member, remove-member, and join (with -u) subcommands, the backslash character ( \) is a valid separator between member or user names and domain names. The backslash character is a shell special character and must be quoted. For example, you might escape the backslash character with another backslash character: domain\\username. For more information about handling shell special characters, see the man page for your shell.

OPERANDS

The smbadm command uses the following operands:
 
domain
 
Specifies the name of an existing Windows domain to join.
 
 
group
 
Specifies the name of the CIFS local group.
 
 
username
 
Specifies the name of a Solaris local user.
 

SUBCOMMANDS

The smbadm command includes these subcommands:
 
add-member -m member [[-m member] ...] group
 
Adds the specified member to the specified CIFS local group. The -m member option specifies the name of a CIFS local group member. The member name must include an existing user name and an optional domain name.
 
Specify the member name in either of the following formats:
 


[domain\]username
[domain/]username

 
 
For example, a valid member name might be sales\terry or sales/terry, where sales is the Windows domain name and terry is the name of a user in the sales domain.
 
 
create [-d description] group
 
Creates a CIFS local group with the specified name. You can optionally specify a description of the group by using the -d option.
 
 
delete group
 
Deletes the specified CIFS local group. The built-in groups cannot be deleted.
 
 
disable username
 
Disables SMB password-generation capabilities for the specified local user. A disabled local user is prevented from accessing the system by means of the CIFS service. When a local user account is disabled, you cannot use the passwd command to modify the user's SMB password until the user account is reenabled.
 
 
enable username
 
Enables SMB password-generation capabilities for the specified local user. After the password-generation capabilities are reenabled, you must use the passwd command to generate the SMB password for the local user before he can connect to the CIFS service.
 
The passwd command manages both the Solaris password and SMB password for this user if the pam_smb_passwd module has been added to the system's PAM configuration.
 
 
get [[-p property=value] ...] group
 
Retrieves property values for the specified group. If no property is specified, all property values are shown.
 
 
join [-y] -u username domain
 
Joins a Windows domain or a workgroup.
 
The default mode for the CIFS service is workgroup mode, which uses the default workgroup name, WORKGROUP.
 
An authenticated user account is required to join a domain, so you must specify the Windows administrative user name with the -u option. If the password is not specified on the command line, the user is prompted for it. This user should be the domain administrator or any user who has administrative privileges for the target domain.
 
username and domain can be entered in any of the following formats:
 


username[+password] domain
domain\username[+password]
domain/username[+password]
username@domain

 
 
...where domain can be the NetBIOS or DNS domain name.
 
If a machine trust account for the system already exists on a domain controller, any authenticated user account can be used when joining the domain. However, if the machine trust account does not already exist, an account that has administrative privileges on the domain is required to join the domain. Specifying -y will bypass the smb service restart prompt.
 
 
join [-y] -w workgroup
 
Joins a Windows domain or a workgroup.
 
The -w workgroup option specifies the name of the workgroup to join when using the join subcommand. Specifying -y will bypass the smb service restart prompt.
 
 
list
 
Shows information about the current workgroup or domain. The information typically includes the workgroup name or the primary domain name. When in domain mode, the information includes domain controller names and trusted domain names.
 
Each entry in the output is identified by one of the following tags:
 
- [*] -
Primary domain
 
 
- [.] -
Local domain
 
 
- [-] -
Other domains
 
 
- [+] -
Selected domain controller
 
 
 
lookup account-name [account-name [...]]
 
 
Lookup the SID for the given account-name, or lookup the account-name for the given SID. This subcommand is primarily for diagnostic use, to confirm whether the server can lookup domain accounts and/or SIDs.
 
 
remove-member -m member [[-m member] ...] group
 
Removes the specified member from the specified CIFS local group. The -m member option specifies the name of a CIFS local group member. The member name must include an existing user name and an optional domain name.
 
Specify the member name in either of the following formats:
 


[domain\]username
[domain/]username

 
 
For example, a valid member name might be sales\terry or sales/terry, where sales is the Windows domain name and terry is the name of a user in the sales domain.
 
 
rename group new-group
 
Renames the specified CIFS local group. The group must already exist. The built-in groups cannot be renamed.
 
 
set -p property=value [[-p property=value] ...] group
 
Sets configuration properties for a CIFS local group. The description and the privileges for the built-in groups cannot be changed.
 
The -p property=value option specifies the list of properties to be set on the specified group.
 
The group-related properties are as follows:
 
backup=[on|off]
 
Specifies whether members of the CIFS local group can bypass file access controls to back up file system objects.
 
 
description=description-text
 
Specifies a text description for the CIFS local group.
 
 
restore=[on|off]
 
Specifies whether members of the CIFS local group can bypass file access controls to restore file system objects.
 
 
take-ownership=[on|off]
 
Specifies whether members of the CIFS local group can take ownership of file system objects.
 
 
 
show [-m] [-p] [group]
 
Shows information about the specified CIFS local group or groups. If no group is specified, information is shown for all groups. If the -m option is specified, the group members are also shown. If the -p option is specified, the group privileges are also shown.
 

EXIT STATUS

The following exit values are returned:
 
0
Successful completion.
 
 
>0
An error occurred.
 

ATTRIBUTES

See the attributes(5) man page for descriptions of the following attributes:
 
 
 
ATTRIBUTE TYPE ATTRIBUTE VALUE
Utility Name and Options Uncommitted
Utility Output Format Not-An-Interface
smbadm join Obsolete
 

SEE ALSO

passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M), sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4), smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)
April 9, 2016