SMBADM(1M)                   Maintenance Commands                   SMBADM(1M)

NAME
       smbadm - configure and manage CIFS local groups and users, and manage
       domain membership

SYNOPSIS
       smbadm add-member -m member [[-m member] ...] group

       smbadm create [-d description] group

       smbadm delete group

       smbadm disable-user username

       smbadm enable-user username

       smbadm get [[-p property] ...] group

       smbadm join [-y] -u username domain

       smbadm join [-y] -w workgroup

       smbadm list

       smbadm lookup account-name [account-name [...]]

       smbadm remove-member -m member [[-m member] ...] group

       smbadm rename group new-group

       smbadm set -p property=value [[-p property=value] ...] group

       smbadm show [-m] [-p] [group]

DESCRIPTION
       The smbadm command is used to configure CIFS local groups and to manage
       domain membership. You can also use the smbadm command to enable or
       disable SMB password generation for individual local users.

       CIFS local groups can be used when Windows accounts must be members of
       some local groups and when Windows style privileges must be granted.
       Solaris local groups cannot provide these functions.

       There are two types of local groups: user defined and built-in.
       Built-in local groups are predefined local groups to support common
       administration tasks.

       In order to provide proper identity mapping between CIFS local groups
       and Solaris groups, a CIFS local group must have a corresponding
       Solaris group. This requirement has two consequences: first, the group
       name must conform to the intersection of the Windows and Solaris group
       name rules. Thus, a CIFS local group name can be up to eight (8)
       characters long and contain only lowercase characters and numbers.
       Second, a Solaris local group has to be created before a CIFS local
       group can be created.

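       The naming rule and creation order described above, as an added
       example that is not part of the original man page. The function
       names, the DRY_RUN variable and the sample group names are
       hypothetical; groupadd(1M) and smbadm create are used as documented.

```shell
#!/bin/sh
# Added example, not part of the smbadm man page.
LC_ALL=C; export LC_ALL    # make [a-z] mean ASCII lowercase only

# valid_cifs_group NAME: 1-8 characters, lowercase letters and digits.
valid_cifs_group() {
    case $1 in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# run CMD...: print the command when DRY_RUN=1 (the default), else run it.
# The printed form is for display only and does not preserve quoting.
run() {
    if [ "${DRY_RUN:-1}" = 1 ]; then printf '%s\n' "$*"; else "$@"; fi
}

# create_cifs_group NAME [DESCRIPTION]
# Creates the Solaris group first if it is missing, then the CIFS group.
# Returns 2 for a name that breaks the naming rule.
create_cifs_group() {
    name=$1; desc=${2:-}
    if ! valid_cifs_group "$name"; then
        echo "invalid CIFS local group name: $name" >&2
        return 2
    fi
    getent group "$name" >/dev/null 2>&1 || run groupadd "$name" || return 1
    if [ -n "$desc" ]; then
        run smbadm create -d "$desc" "$name"
    else
        run smbadm create "$name"
    fi
}

# Constructed sample names; "smbeng01" is hypothetical.
for n in smbeng01 Sales salesteam sales-1; do
    if valid_cifs_group "$n"; then echo "ok       $n"; else echo "rejected $n"; fi
done
create_cifs_group smbeng01 'SMB engineers'
```
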
       Built-in groups are standard Windows groups and are predefined by the
       CIFS service. The built-in groups cannot be added, removed, or renamed,
       and these groups do not follow the CIFS local group naming conventions.

       When the CIFS server is started, the following built-in groups are
       available:

       Administrators

           Group members can administer the system.

       Backup Operators

           Group members can bypass file access controls to back up and
           restore files.

       Power Users

           Group members can share directories.

       Solaris local users must have an SMB password for authentication and to
       gain access to CIFS resources. This password is created by using the
       passwd(1) command when the pam_smb_passwd module is added to the
       system's PAM configuration. See the pam_smb_passwd(5) man page.

       The disable-user and enable-user subcommands control SMB
       password-generation for a specified local user. When disabled, the user
       is prevented from connecting to the Solaris CIFS service. By default,
       SMB password-generation is enabled for all local users.

       To reenable a disabled user, you must use the enable-user subcommand
       and then reset the user's password by using the passwd command. The
       pam_smb_passwd.so.1 module must be added to the system's PAM
       configuration to generate an SMB password.

   Escaping Backslash Character
       For the add-member, remove-member, and join (with -u) subcommands, the
       backslash character (\) is a valid separator between member or user
       names and domain names. The backslash character is a shell special
       character and must be quoted. For example, you might escape the
       backslash character with another backslash character: domain\\username.
       For more information about handling shell special characters, see the
       man page for your shell.

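       What the shell actually hands to smbadm for each spelling of a
       domain\username member name, with a check that catches a name whose
       separator was lost. This is an added example, not part of the
       original man page; first_arg and split_member are hypothetical
       helper names, and sales\terry is the page's own sample name.

```shell
#!/bin/sh
# Added example, not part of the smbadm man page.

# first_arg prints its first argument exactly as a command receives it.
# printf is used because some echo implementations expand "\t" themselves.
first_arg() { printf '%s\n' "$1"; }

# split_member NAME
# Accepts [domain\]username or [domain/]username and prints "domain user",
# with "-" for a missing domain. Returns 1 when a part is empty or a second
# separator is present, which usually means the name was mistyped.
split_member() {
    case $1 in
        *\\*) dom=${1%%\\*}; user=${1#*\\} ;;
        */*)  dom=${1%%/*};  user=${1#*/}  ;;
        *)    dom=-;         user=$1       ;;
    esac
    case $dom$user in *\\*|*/*) return 1 ;; esac
    [ -n "$dom" ] && [ -n "$user" ] || return 1
    printf '%s %s\n' "$dom" "$user"
}

unquoted=$(first_arg sales\terry)     # the shell removes the backslash
doubled=$(first_arg sales\\terry)     # escaped with a second backslash
single=$(first_arg 'sales\terry')     # single quotes keep it literally

printf 'unquoted: %s\ndoubled:  %s\nsingle:   %s\n' \
    "$unquoted" "$doubled" "$single"

# The unquoted form no longer names a domain account at all: it parses as
# a user called "salesterry" with no domain.
split_member "$unquoted"
split_member "$single"
```

       Running split_member on each -m value before calling add-member or
       remove-member shows whether the domain part survived quoting.
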
OPERANDS
       The smbadm command uses the following operands:

       domain

           Specifies the name of an existing Windows domain to join.

       group

           Specifies the name of the CIFS local group.

       username

           Specifies the name of a Solaris local user.

SUBCOMMANDS
       The smbadm command includes these subcommands:

       add-member -m member [[-m member] ...] group

           Adds the specified member to the specified CIFS local group. The -m
           member option specifies the name of a CIFS local group member. The
           member name must include an existing user name and an optional
           domain name.

           Specify the member name in either of the following formats:

             [domain\]username
             [domain/]username

           For example, a valid member name might be sales\terry or
           sales/terry, where sales is the Windows domain name and terry is
           the name of a user in the sales domain.

       create [-d description] group

           Creates a CIFS local group with the specified name. You can
           optionally specify a description of the group by using the -d
           option.

       delete group

           Deletes the specified CIFS local group. The built-in groups cannot
           be deleted.

       disable-user username

           Disables SMB password-generation capabilities for the specified
           local user. A disabled local user is prevented from accessing the
           system by means of the CIFS service. When a local user account is
           disabled, you cannot use the passwd command to modify the user's
           SMB password until the user account is reenabled.

       enable-user username

           Enables SMB password-generation capabilities for the specified
           local user. After the password-generation capabilities are
           reenabled, you must use the passwd command to generate the SMB
           password for the local user before the user can connect to the
           CIFS service.

           The passwd command manages both the Solaris password and SMB
           password for this user if the pam_smb_passwd module has been added
           to the system's PAM configuration.

       get [[-p property] ...] group

           Retrieves property values for the specified group. If no property
           is specified, all property values are shown.

       join [-y] -u username domain

           Joins a Windows domain or a workgroup.

           The default mode for the CIFS service is workgroup mode, which uses
           the default workgroup name, WORKGROUP.

           An authenticated user account is required to join a domain, so you
           must specify the Windows administrative user name with the -u
           option. If the password is not specified on the command line, the
           user is prompted for it. This user should be the domain
           administrator or any user who has administrative privileges for the
           target domain.

           username and domain can be entered in any of the following formats:

             username[+password] domain
             domain\username[+password]
             domain/username[+password]
             username@domain

           ...where domain can be the NetBIOS or DNS domain name.

           If a machine trust account for the system already exists on a
           domain controller, any authenticated user account can be used when
           joining the domain. However, if the machine trust account does not
           already exist, an account that has administrative privileges on the
           domain is required to join the domain. Specifying -y will bypass
           the smb service restart prompt.

       join [-y] -w workgroup

           Joins a Windows domain or a workgroup.

           The -w workgroup option specifies the name of the workgroup to join
           when using the join subcommand. Specifying -y will bypass the smb
           service restart prompt.

       list

           Shows information about the current workgroup or domain. The
           information typically includes the workgroup name or the primary
           domain name. When in domain mode, the information includes domain
           controller names and trusted domain names.

           Each entry in the output is identified by one of the following
           tags:

           - [*] -
                      Primary domain

           - [.] -
                      Local domain

           - [-] -
                      Other domains

           - [+] -
                      Selected domain controller

       lookup account-name [account-name [...]]

           Looks up the SID for the given account-name, or looks up the
           account-name for the given SID. This subcommand is primarily for
           diagnostic use, to confirm whether the server can look up domain
           accounts and/or SIDs.

       remove-member -m member [[-m member] ...] group

           Removes the specified member from the specified CIFS local group.
           The -m member option specifies the name of a CIFS local group
           member. The member name must include an existing user name and an
           optional domain name.

           Specify the member name in either of the following formats:

             [domain\]username
             [domain/]username

           For example, a valid member name might be sales\terry or
           sales/terry, where sales is the Windows domain name and terry is
           the name of a user in the sales domain.

       rename group new-group

           Renames the specified CIFS local group. The group must already
           exist. The built-in groups cannot be renamed.

       set -p property=value [[-p property=value] ...] group

           Sets configuration properties for a CIFS local group. The
           description and the privileges for the built-in groups cannot be
           changed.

           The -p property=value option specifies the list of properties to be
           set on the specified group.

           The group-related properties are as follows:

           backup=[on|off]

               Specifies whether members of the CIFS local group can bypass
               file access controls to back up file system objects.

           description=description-text

               Specifies a text description for the CIFS local group.

           restore=[on|off]

               Specifies whether members of the CIFS local group can bypass
               file access controls to restore file system objects.

           take-ownership=[on|off]

               Specifies whether members of the CIFS local group can take
               ownership of file system objects.

       show [-m] [-p] [group]

           Shows information about the specified CIFS local group or groups.
           If no group is specified, information is shown for all groups. If
           the -m option is specified, the group members are also shown. If
           the -p option is specified, the group privileges are also shown.

EXIT STATUS
       The following exit values are returned:

       0
                    Successful completion.

       >0
                    An error occurred.

ATTRIBUTES
       See the attributes(5) man page for descriptions of the following
       attributes:

       +-------------------------+------------------+
       |     ATTRIBUTE TYPE      | ATTRIBUTE VALUE  |
       +-------------------------+------------------+
       |Utility Name and Options | Uncommitted      |
       +-------------------------+------------------+
       |Utility Output Format    | Not-An-Interface |
       +-------------------------+------------------+
       |smbadm join              | Obsolete         |
       +-------------------------+------------------+

SEE ALSO
       passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
       sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4),
       smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)

                                 April 9, 2016                      SMBADM(1M)