smbadm — configure and manage SMB local groups and users, and manage domain membership

smbadm create [-d description] group
smbadm rename group new-group
smbadm show [-mp] [group]
smbadm get [-p property]... group
smbadm set -p property=value [-p property=value]... group
smbadm add-member -m member [-m member]... group
smbadm remove-member -m member [-m member]... group
smbadm delete-user username
smbadm disable-user username
smbadm enable-user username
smbadm join [-y] -u username domain
smbadm join [-y] -w workgroup
smbadm lookup account-name [account-name]...

The smbadm command is used to configure SMB local groups and users, and to
manage domain membership. You can also use the smbadm command to enable or
disable SMB password generation for individual local users.

SMB local groups can be used when Windows accounts must be members of some local
groups and when Windows style privileges must be granted. System local groups
cannot provide these functions.

There are two types of local groups: user defined and built-in. Built-in local
groups are predefined local groups to support common administration tasks.

In order to provide proper identity mapping between SMB local groups and system
groups, a SMB local group must have a corresponding system group. This
requirement has two consequences: first, the group name must conform to the
intersection of the Windows and system group name rules. Thus, a SMB local
group name can be up to eight (8) characters long and contain only lowercase
characters and numbers. Second, a system local group has to be created before
a SMB local group can be created.

Built-in groups are standard Windows groups and are predefined by the SMB
service. The built-in groups cannot be added, removed, or renamed, and these
groups do not follow the SMB local group naming conventions.

When the SMB server is started, the following built-in groups are available:

Administrators
    Group members can administer the system.
Backup Operators
    Group members can bypass file access controls to back up and restore files.
Power Users
    Group members can share directories.

System local users must have an SMB password for authentication and to gain
access to SMB resources. This password is created by using the passwd(1)
command when the pam_smb_passwd module is added to the system's PAM
configuration. See the pam_smb_passwd(5) man page.

The disable-user and enable-user subcommands control SMB password-generation
for a specified local user. When disabled, the user is prevented from
connecting to the SMB service. By default, SMB password-generation is enabled
for all local users.

To reenable a disabled user, you must use the enable-user subcommand and then
reset the user's password by using the passwd command. The pam_smb_passwd.so.1
module must be added to the system's PAM configuration to generate an SMB
password.

For the add-member, remove-member, and join (with -u) subcommands, the
backslash character (“\”) is a valid separator between member or user names and
domain names. The backslash character is a shell special character and must be
quoted. For example, you might escape the backslash character with another
backslash character: domain\\username. For more information about handling
shell special characters, see the man page for your shell.

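The group naming rule and the backslash quoting requirement can both be checked before any command is run. The following shell code is an added example, not part of the man page: it validates a group name, normalizes the member forms accepted by add-member and remove-member ([domain\]username or [domain/]username), and prints the commands with single-quoted arguments instead of running them. The function names and the sample group and user names are made up for illustration, and groupadd is used in its simplest form.

```sh
#!/bin/sh
LC_ALL=C; export LC_ALL    # make [a-z] mean ASCII lowercase only

# SMB local group name rule: 1-8 characters, lowercase letters and digits.
valid_group() {
    case $1 in ''|*[!a-z0-9]*) return 1 ;; esac
    [ "${#1}" -le 8 ]
}

# Single-quote a word for the shell; an embedded quote becomes '\''.
shquote() {
    printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"
}

# Accept [domain\]username or [domain/]username and print domain\username.
# Reject empty parts and names that contain more than one separator.
norm_member() {
    case $1 in
        *\\*\\*|*/*/*|*\\*/*|*/*\\*) return 1 ;;
        *\\*) dom=${1%%\\*} usr=${1#*\\} ;;
        */*)  dom=${1%%/*}  usr=${1#*/} ;;
        *)    [ -n "$1" ] && printf '%s\n' "$1"; return ;;
    esac
    [ -n "$dom" ] && [ -n "$usr" ] || return 1
    printf '%s\\%s\n' "$dom" "$usr"
}

# The system group has to exist first, so print both steps in order.
create_cmds() {    # usage: create_cmds group description
    valid_group "$1" || { printf 'bad group name: %s\n' "$1" >&2; return 1; }
    printf 'groupadd %s\n' "$1"
    printf 'smbadm create -d %s %s\n' "$(shquote "$2")" "$1"
}

# The target may be a built-in group such as "Power Users", which does not
# follow the naming rule, so it is quoted here rather than validated.
add_member_cmd() {    # usage: add_member_cmd group member
    m=$(norm_member "$2") || { printf 'bad member: %s\n' "$2" >&2; return 1; }
    printf 'smbadm add-member -m %s %s\n' "$(shquote "$m")" "$(shquote "$1")"
}

# Dry run on constructed names: commands are printed, never executed.
create_cmds staff "Sales team's share admins"
add_member_cmd staff 'sales/terry'
add_member_cmd 'Power Users' 'sales\terry'
```
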
The smbadm command uses the following operands:

domain
    Specifies the name of an existing Windows domain to join.
group
    Specifies the name of the SMB local group.
username
    Specifies the name of a system local user.

The smbadm command includes these subcommands:

create [-d description] group
    Creates a SMB local group with the specified name. You can optionally
    specify a description of the group by using the -d option.

delete group
    Deletes the specified SMB local group. The built-in groups cannot be
    deleted.

rename group new-group
    Renames the specified SMB local group. The group must already exist. The
    built-in groups cannot be renamed.

show [-mp] [group]
    Shows information about the specified SMB local group or groups. If no
    group is specified, information is shown for all groups. If the -m option
    is specified, the group members are also shown. If the -p option is
    specified, the group privileges are also shown.

get [-p property=value]... group
    Retrieves property values for the specified group. If no property is
    specified, all property values are shown.

set -p property=value [-p property=value]... group
    Sets configuration properties for a SMB local group. The description and
    the privileges for the built-in groups cannot be changed.

    The -p property=value option specifies the list of properties to be set on
    the specified group.

    The group-related properties are as follows:

    backup=on|off
        Specifies whether members of the SMB local group can bypass file
        access controls to back up file system objects.
    description=description-text
        Specifies a text description for the SMB local group.
    restore=on|off
        Specifies whether members of the SMB local group can bypass file
        access controls to restore file system objects.
    take-ownership=on|off
        Specifies whether members of the SMB local group can take ownership of
        file system objects.

add-member -m member [-m member]... group
    Adds the specified member to the specified SMB local group. The -m member
    option specifies the name of a SMB local group member. The member name
    must include an existing user name and an optional domain name.

    Specify the member name in either of the following formats:

        [domain\]username
        [domain/]username

    For example, a valid member name might be sales\terry or sales/terry,
    where sales is the Windows domain name and terry is the name of a user in
    the sales domain.

remove-member -m member [-m member]... group
    Removes the specified member from the specified SMB local group. The
    -m member option specifies the name of a SMB local group member. The
    member name must include an existing user name and an optional domain
    name.

    Specify the member name in either of the following formats:

        [domain\]username
        [domain/]username

    For example, a valid member name might be sales\terry or sales/terry,
    where sales is the Windows domain name and terry is the name of a user in
    the sales domain.

delete-user username
    Deletes the SMB password for the specified local user, effectively
    preventing access by means of the SMB service. Use the passwd command to
    create the SMB password and re-enable access.

disable-user username
    Disables SMB password-generation capabilities for the specified local
    user, effectively preventing access by means of the SMB service. When a
    local user account is disabled, you cannot use the passwd command to
    modify the user's SMB password until the user account is re-enabled.

enable-user username
    Enables SMB password-generation capabilities for the specified local user
    and re-enables access. After the password-generation capabilities are
    re-enabled, use the passwd command to generate the SMB password for the
    local user.

    The passwd command manages both the system password and SMB password for
    this user if the pam_smb_passwd module has been added to the system's PAM
    configuration.

join [-y] -u username domain
    Joins a Windows domain.

    An authenticated user account is required to join a domain, so you must
    specify the Windows administrative user name with the -u option. If the
    password is not specified on the command line, the user is prompted for
    it. This user should be the domain administrator or any user who has
    administrative privileges for the target domain.

    username and domain can be entered in any of the following formats:

        username[+password] domain
        domain\username[+password]
        domain/username[+password]
        username@domain

    where domain can be the NetBIOS or DNS domain name.

    If a machine trust account for the system already exists on a domain
    controller, any authenticated user account can be used when joining the
    domain. However, if the machine trust account does not already exist, an
    account that has administrative privileges on the domain is required to
    join the domain.

    Specifying -y will bypass the SMB service restart prompt.

join [-y] -w workgroup
    Joins a Windows workgroup.

    The default mode for the SMB service is workgroup mode, which uses the
    default workgroup name, “WORKGROUP”.

    The -w workgroup option specifies the name of the workgroup to join when
    using the join subcommand. Specifying -y will bypass the SMB service
    restart prompt.

list
    Shows information about the current workgroup or domain. The information
    typically includes the workgroup name or the primary domain name. When in
    domain mode, the information includes domain controller names and trusted
    domain names.

    Each entry in the output is identified by one of the following tags:

    [*]
        Primary domain
    [.]
        Local domain
    [-]
        Other domains
    [+]
        Selected domain controller

lookup account-name [account-name]...
    Looks up the SID for the given account-name, or looks up the account-name
    for the given SID. This subcommand is primarily for diagnostic use, to
    confirm whether the server can look up domain accounts and/or SIDs.

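The join formats listed above accept username+password inside the -u argument, which leaves the password in scripts and shell history, whereas omitting it makes smbadm prompt for it. As an added example (not part of the man page), the following scans script or history text for join invocations that use the inline form and reports them with the password redacted; the function names and the sample lines are constructed.

```sh
#!/bin/sh
# Flag "smbadm join" command lines whose -u argument uses the
# username+password form. The password itself is never printed.

scan_join_passwords() {     # reads the files named as arguments, or stdin
    awk '
    /(^|[ \t;|&])smbadm[ \t]+join([ \t]|$)/ {
        for (i = 1; i < NF; i++)
            if ($i == "-u" && $(i + 1) ~ /\+./) {
                # Cut everything after the "+" before reporting the line.
                sub(/\+.*/, "+<redacted>", $(i + 1))
                printf "%d: %s\n", NR, $0
                break
            }
    }' "$@"
}

# Constructed sample lines, as they might appear in a provisioning script.
sample_lines() {
    cat <<'EOF'
smbadm join -u administrator example.com
smbadm join -y -u sales\\admin+Passw0rd sales
smbadm join -w WORKGROUP
sudo smbadm join -u admin+hunter2 example.com
EOF
}

# Prints the line number and redacted text of each finding (lines 2 and 4).
sample_lines | scan_join_passwords
```

Only the separate "-u argument" spelling is matched; a finding means the exposed password should be changed and the script switched to the prompt.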
The smbadm utility exits 0 on success, and >0 if an error occurs.

Utility name and options are Uncommitted. Utility output format is
Not-An-Interface.

passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4), smbautohome(4),
attributes(5), pam_smb_passwd(5), smf(5)