SMBADM(1M)                   Maintenance Commands                   SMBADM(1M)

NAME
       smbadm - configure and manage CIFS local groups and users, and manage
       domain membership

SYNOPSIS
       smbadm add-member -m member [[-m member] ...] group

       smbadm create [-d description] group

       smbadm delete group

       smbadm disable-user username

       smbadm enable-user username

       smbadm get [[-p property] ...] group

       smbadm join [-y] -u username domain

       smbadm join [-y] -w workgroup

       smbadm list

       smbadm lookup account-name [account-name [...]]

       smbadm remove-member -m member [[-m member] ...] group

       smbadm rename group new-group

       smbadm set -p property=value [[-p property=value] ...] group

       smbadm show [-m] [-p] [group]

DESCRIPTION
       The smbadm command is used to configure CIFS local groups and to manage
       domain membership. You can also use the smbadm command to enable or
       disable SMB password generation for individual local users.

       CIFS local groups can be used when Windows accounts must be members of
       some local groups and when Windows style privileges must be granted.
       Solaris local groups cannot provide these functions.

       There are two types of local groups: user defined and built-in.
       Built-in local groups are predefined local groups to support common
       administration tasks.

       In order to provide proper identity mapping between CIFS local groups
       and Solaris groups, a CIFS local group must have a corresponding
       Solaris group. This requirement has two consequences: first, the group
       name must conform to the intersection of the Windows and Solaris group
       name rules. Thus, a CIFS local group name can be up to eight (8)
       characters long and contain only lowercase characters and numbers.
       Second, a Solaris local group has to be created before a CIFS local
       group can be created.
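
       The naming rule and the creation order described above can be checked
       before anything is changed on the system. This is an added example,
       not part of the original man page; valid_cifs_group_name,
       create_cifs_group and the RUN dry-run variable are hypothetical names.

```shell
#!/bin/sh
# Added example, not part of the man page. valid_cifs_group_name and
# create_cifs_group are hypothetical helpers; RUN=echo gives a dry run.
RUN=${RUN:-}

# Naming rule from the DESCRIPTION: at most eight characters, lowercase
# letters and digits only. The class is spelled out to avoid locale ranges.
valid_cifs_group_name() {
    case $1 in
        ''|*[!abcdefghijklmnopqrstuvwxyz0123456789]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Create the Solaris group first when it is missing, then the CIFS group.
create_cifs_group() {   # usage: create_cifs_group name [description]
    name=$1
    desc=${2:-}
    if ! valid_cifs_group_name "$name"; then
        echo "invalid CIFS local group name: $name" >&2
        return 2
    fi
    # getent(1M) reports whether the Solaris group already exists.
    if ! getent group "$name" >/dev/null 2>&1; then
        $RUN groupadd "$name" || return 1
    fi
    if [ -n "$desc" ]; then
        $RUN smbadm create -d "$desc" "$name"
    else
        $RUN smbadm create "$name"
    fi
}
```

       Running it with RUN=echo prints the groupadd and smbadm commands
       instead of executing them.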

       Built-in groups are standard Windows groups and are predefined by the
       CIFS service. The built-in groups cannot be added, removed, or renamed,
       and these groups do not follow the CIFS local group naming conventions.

       When the CIFS server is started, the following built-in groups are
       available:

       Administrators

           Group members can administer the system.

       Backup Operators

           Group members can bypass file access controls to back up and
           restore files.

       Power Users

           Group members can share directories.

       Solaris local users must have an SMB password for authentication and to
       gain access to CIFS resources. This password is created by using the
       passwd(1) command when the pam_smb_passwd module is added to the
       system's PAM configuration. See the pam_smb_passwd(5) man page.

       The disable-user and enable-user subcommands control SMB
       password-generation for a specified local user. When disabled, the
       user is prevented from connecting to the Solaris CIFS service. By
       default, SMB password-generation is enabled for all local users.

       To reenable a disabled user, you must use the enable-user subcommand
       and then reset the user's password by using the passwd command. The
       pam_smb_passwd.so.1 module must be added to the system's PAM
       configuration to generate an SMB password.

   Escaping Backslash Character
       For the add-member, remove-member, and join (with -u) subcommands, the
       backslash character (\) is a valid separator between member or user
       names and domain names. The backslash character is a shell special
       character and must be quoted. For example, you might escape the
       backslash character with another backslash character: domain\\username.
       For more information about handling shell special characters, see the
       man page for your shell.
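
       The effect of quoting on the account name that smbadm receives, shown
       with the account forms this page lists under add-member and join.
       This is an added example, not part of the original man page;
       split_account and join_user_arg are hypothetical helpers and the
       names sales, terry and admin are sample values. An inline +password
       stays in shell history and in the process argument list, so the
       helper refuses it and leaves smbadm to prompt.

```shell
#!/bin/sh
# Added example, not part of the man page. split_account and join_user_arg
# are hypothetical helpers; "sales", "terry" and "admin" are sample names.

# Split an account argument into "domain|user". Accepts domain\user and
# domain/user (add-member, remove-member, join), user@domain (join only),
# or a bare user name.
split_account() {
    a=$1
    case $a in
        *\\*) d=${a%%\\*}; u=${a#*\\} ;;
        */*)  d=${a%%/*};  u=${a#*/} ;;
        *@*)  u=${a%%@*};  d=${a#*@} ;;
        *)    d=;          u=$a ;;
    esac
    printf '%s|%s\n' "$d" "$u"
}

# Return the value to pass to "smbadm join -u", refusing an inline
# +password so that smbadm prompts for it instead.
join_user_arg() {
    case $1 in
        *+*) echo "refusing inline +password; let smbadm prompt" >&2
             return 1 ;;
    esac
    printf '%s\n' "$1"
}

# What smbadm would receive for each spelling typed at the shell prompt.
unquoted=$(split_account sales\terry)     # backslash consumed by the shell
escaped=$(split_account sales\\terry)     # the form the page recommends
quoted=$(split_account 'sales\terry')     # single quotes keep it literal
slashed=$(split_account sales/terry)      # nothing for the shell to consume

printf '%-10s %s\n' unquoted "$unquoted" escaped "$escaped" \
    quoted "$quoted" slashed "$slashed"
```

       Only the unquoted spelling loses its domain part: the shell removes
       the backslash and smbadm is handed the single name salesterry.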

OPERANDS
       The smbadm command uses the following operands:

       domain

           Specifies the name of an existing Windows domain to join.

       group

           Specifies the name of the CIFS local group.

       username

           Specifies the name of a Solaris local user.

SUBCOMMANDS
       The smbadm command includes these subcommands:

       add-member -m member [[-m member] ...] group

           Adds the specified member to the specified CIFS local group. The
           -m member option specifies the name of a CIFS local group member.
           The member name must include an existing user name and an optional
           domain name.

           Specify the member name in either of the following formats:

               [domain\]username
               [domain/]username

           For example, a valid member name might be sales\terry or
           sales/terry, where sales is the Windows domain name and terry is
           the name of a user in the sales domain.

       create [-d description] group

           Creates a CIFS local group with the specified name. You can
           optionally specify a description of the group by using the -d
           option.

       delete group

           Deletes the specified CIFS local group. The built-in groups cannot
           be deleted.

       disable-user username

           Disables SMB password-generation capabilities for the specified
           local user. A disabled local user is prevented from accessing the
           system by means of the CIFS service. When a local user account is
           disabled, you cannot use the passwd command to modify the user's
           SMB password until the user account is reenabled.

       enable-user username

           Enables SMB password-generation capabilities for the specified
           local user. After the password-generation capabilities are
           reenabled, you must use the passwd command to generate the SMB
           password for the local user before the user can connect to the
           CIFS service.

           The passwd command manages both the Solaris password and SMB
           password for this user if the pam_smb_passwd module has been added
           to the system's PAM configuration.

       get [[-p property] ...] group

           Retrieves property values for the specified group. If no property
           is specified, all property values are shown.

       join [-y] -u username domain

           Joins a Windows domain or a workgroup.

           The default mode for the CIFS service is workgroup mode, which uses
           the default workgroup name, WORKGROUP.

           An authenticated user account is required to join a domain, so you
           must specify the Windows administrative user name with the -u
           option. If the password is not specified on the command line, the
           user is prompted for it. This user should be the domain
           administrator or any user who has administrative privileges for the
           target domain.

           username and domain can be entered in any of the following formats:

               username[+password] domain
               domain\username[+password]
               domain/username[+password]
               username@domain

           ...where domain can be the NetBIOS or DNS domain name.

           If a machine trust account for the system already exists on a
           domain controller, any authenticated user account can be used when
           joining the domain. However, if the machine trust account does not
           already exist, an account that has administrative privileges on the
           domain is required to join the domain. Specifying -y will bypass
           the smb service restart prompt.

       join [-y] -w workgroup

           Joins a Windows domain or a workgroup.

           The -w workgroup option specifies the name of the workgroup to join
           when using the join subcommand. Specifying -y will bypass the smb
           service restart prompt.

       list

           Shows information about the current workgroup or domain. The
           information typically includes the workgroup name or the primary
           domain name.
           When in domain mode, the information includes domain controller
           names and trusted domain names.

           Each entry in the output is identified by one of the following
           tags:

           - [*] -
               Primary domain

           - [.] -
               Local domain

           - [-] -
               Other domains

           - [+] -
               Selected domain controller

       lookup account-name [account-name [...]]

           Looks up the SID for the given account-name, or looks up the
           account-name for the given SID. This subcommand is primarily for
           diagnostic use, to confirm whether the server can look up domain
           accounts and/or SIDs.

       remove-member -m member [[-m member] ...] group

           Removes the specified member from the specified CIFS local group.
           The -m member option specifies the name of a CIFS local group
           member. The member name must include an existing user name and an
           optional domain name.

           Specify the member name in either of the following formats:

               [domain\]username
               [domain/]username

           For example, a valid member name might be sales\terry or
           sales/terry, where sales is the Windows domain name and terry is
           the name of a user in the sales domain.

       rename group new-group

           Renames the specified CIFS local group. The group must already
           exist. The built-in groups cannot be renamed.

       set -p property=value [[-p property=value] ...] group

           Sets configuration properties for a CIFS local group. The
           description and the privileges for the built-in groups cannot be
           changed.

           The -p property=value option specifies the list of properties to be
           set on the specified group.

           The group-related properties are as follows:

           backup=[on|off]

               Specifies whether members of the CIFS local group can bypass
               file access controls to back up file system objects.

           description=description-text

               Specifies a text description for the CIFS local group.

           restore=[on|off]

               Specifies whether members of the CIFS local group can bypass
               file access controls to restore file system objects.

           take-ownership=[on|off]

               Specifies whether members of the CIFS local group can take
               ownership of file system objects.

       show [-m] [-p] [group]

           Shows information about the specified CIFS local group or groups.
           If no group is specified, information is shown for all groups. If
           the -m option is specified, the group members are also shown. If
           the -p option is specified, the group privileges are also shown.

EXIT STATUS
       The following exit values are returned:

       0
           Successful completion.

       >0
           An error occurred.

ATTRIBUTES
       See the attributes(5) man page for descriptions of the following
       attributes:

       +-------------------------+------------------+
       | ATTRIBUTE TYPE          | ATTRIBUTE VALUE  |
       +-------------------------+------------------+
       |Utility Name and Options | Uncommitted      |
       +-------------------------+------------------+
       |Utility Output Format    | Not-An-Interface |
       +-------------------------+------------------+
       |smbadm join              | Obsolete         |
       +-------------------------+------------------+

SEE ALSO
       passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
       sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4),
       smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)

                                 April 9, 2016                      SMBADM(1M)