SMBADM(1M)                   Maintenance Commands                   SMBADM(1M)

NAME
     smbadm - configure and manage SMB local groups and users, and manage
     domain membership

SYNOPSIS
     smbadm create [-d description] group
     smbadm delete group
     smbadm rename group new-group
     smbadm show [-mp] [group]
     smbadm get [-p property]... group
     smbadm set -p property=value [-p property=value]... group
     smbadm add-member -m member [-m member]... group
     smbadm remove-member -m member [-m member]... group
     smbadm delete-user username
     smbadm disable-user username
     smbadm enable-user username
     smbadm join [-y] -u username domain
     smbadm join [-y] -w workgroup
     smbadm list
     smbadm lookup account-name [account-name]...

DESCRIPTION
     The smbadm command is used to configure SMB local groups and users, and
     to manage domain membership.  You can also use the smbadm command to
     enable or disable SMB password generation for individual local users.

     SMB local groups can be used when Windows accounts must be members of
     some local groups and when Windows style privileges must be granted.
     System local groups cannot provide these functions.

     There are two types of local groups: user defined and built-in.  Built-in
     local groups are predefined local groups to support common administration
     tasks.

     In order to provide proper identity mapping between SMB local groups and
     system groups, an SMB local group must have a corresponding system group.
     This requirement has two consequences: first, the group name must conform
     to the intersection of the Windows and system group name rules.  Thus, an
     SMB local group name can be up to eight (8) characters long and contain
     only lowercase characters and numbers.  Second, a system local group has
     to be created before an SMB local group can be created.

     Built-in groups are standard Windows groups and are predefined by the SMB
     service.  The built-in groups cannot be added, removed, or renamed, and
     these groups do not follow the SMB local group naming conventions.

     When the SMB server is started, the following built-in groups are
     available:

     Administrators    Group members can administer the system.

     Backup Operators  Group members can bypass file access controls to back
                       up and restore files.

     Power Users       Group members can share directories.

     System local users must have an SMB password for authentication and to
     gain access to SMB resources.  This password is created by using the
     passwd(1) command when the pam_smb_passwd module is added to the
     system's PAM configuration.  See the pam_smb_passwd(5) man page.

     The disable-user and enable-user subcommands control SMB password-
     generation for a specified local user.  When disabled, the user is
     prevented from connecting to the SMB service.  By default, SMB password-
     generation is enabled for all local users.

     To re-enable a disabled user, you must use the enable-user subcommand and
     then reset the user's password by using the passwd command.  The
     pam_smb_passwd.so.1 module must be added to the system's PAM
     configuration to generate an SMB password.

   Escaping Backslash Character
     For the add-member, remove-member, and join (with -u) subcommands, the
     backslash character ("\") is a valid separator between member or user
     names and domain names.  The backslash character is a shell special
     character and must be quoted.  For example, you might escape the
     backslash character with another backslash character: domain\\username.
     For more information about handling shell special characters, see the man
     page for your shell.

OPERANDS
     The smbadm command uses the following operands:

     domain    Specifies the name of an existing Windows domain to join.

     group     Specifies the name of the SMB local group.

     username  Specifies the name of a system local user.

SUBCOMMANDS
     The smbadm command includes these subcommands:

     create [-d description] group
             Creates an SMB local group with the specified name.  You can
             optionally specify a description of the group by using the -d
             option.

     delete group
             Deletes the specified SMB local group.  The built-in groups
             cannot be deleted.

     rename group new-group
             Renames the specified SMB local group.  The group must already
             exist.  The built-in groups cannot be renamed.

     show [-mp] [group]
             Shows information about the specified SMB local group or groups.
             If no group is specified, information is shown for all groups.
             If the -m option is specified, the group members are also shown.
             If the -p option is specified, the group privileges are also
             shown.

     get [-p property]... group
             Retrieves property values for the specified group.  If no
             property is specified, all property values are shown.

     set -p property=value [-p property=value]... group
             Sets configuration properties for an SMB local group.  The
             description and the privileges for the built-in groups cannot be
             changed.

             The -p property=value option specifies the list of properties to
             be set on the specified group.

             The group-related properties are as follows:

             backup=on|off
                     Specifies whether members of the SMB local group can
                     bypass file access controls to back up file system
                     objects.

             description=description-text
                     Specifies a text description for the SMB local group.

             restore=on|off
                     Specifies whether members of the SMB local group can
                     bypass file access controls to restore file system
                     objects.

             take-ownership=on|off
                     Specifies whether members of the SMB local group can take
                     ownership of file system objects.

     add-member -m member [-m member]... group
             Adds the specified member to the specified SMB local group.  The
             -m member option specifies the name of an SMB local group member.
             The member name must include an existing user name and an
             optional domain name.

             Specify the member name in either of the following formats:

             [domain\]username
             [domain/]username

             For example, a valid member name might be sales\terry or
             sales/terry, where sales is the Windows domain name and terry is
             the name of a user in the sales domain.

     remove-member -m member [-m member]... group
             Removes the specified member from the specified SMB local group.
             The -m member option specifies the name of an SMB local group
             member.  The member name must include an existing user name and
             an optional domain name.

             Specify the member name in either of the following formats:

             [domain\]username
             [domain/]username

             For example, a valid member name might be sales\terry or
             sales/terry, where sales is the Windows domain name and terry is
             the name of a user in the sales domain.

     delete-user username
             Deletes the SMB password for the specified local user,
             effectively preventing access by means of the SMB service.  Use
             the passwd command to create the SMB password and re-enable
             access.

     disable-user username
             Disables SMB password-generation capabilities for the specified
             local user, effectively preventing access by means of the SMB
             service.  When a local user account is disabled, you cannot use
             the passwd command to modify the user's SMB password until the
             user account is re-enabled.

     enable-user username
             Enables SMB password-generation capabilities for the specified
             local user and re-enables access.  After the password-generation
             capabilities are re-enabled, use the passwd command to generate
             the SMB password for the local user.

             The passwd command manages both the system password and SMB
             password for this user if the pam_smb_passwd module has been
             added to the system's PAM configuration.

     join [-y] -u username domain
             Joins a Windows domain.

             An authenticated user account is required to join a domain, so
             you must specify the Windows administrative user name with the -u
             option.  If the password is not specified on the command line,
             the user is prompted for it.  This user should be the domain
             administrator or any user who has administrative privileges for
             the target domain.

             username and domain can be entered in any of the following
             formats:

             username[+password] domain
             domain\username[+password]
             domain/username[+password]
             username@domain

             ...where domain can be the NetBIOS or DNS domain name.

             If a machine trust account for the system already exists on a
             domain controller, any authenticated user account can be used
             when joining the domain.  However, if the machine trust account
             does not already exist, an account that has administrative
             privileges on the domain is required to join the domain.
             Specifying -y will bypass the SMB service restart prompt.

     join [-y] -w workgroup
             Joins a Windows workgroup.

             The default mode for the SMB service is workgroup mode, which
             uses the default workgroup name, "WORKGROUP".

             The -w workgroup option specifies the name of the workgroup to
             join when using the join subcommand.  Specifying -y will bypass
             the SMB service restart prompt.

     list    Shows information about the current workgroup or domain.  The
             information typically includes the workgroup name or the primary
             domain name.  When in domain mode, the information includes
             domain controller names and trusted domain names.

             Each entry in the output is identified by one of the following
             tags:

             [*]  Primary domain

             [.]  Local domain

             [-]  Other domains

             [+]  Selected domain controller

     lookup account-name [account-name]...
             Looks up the SID for the given account-name, or looks up the
             account-name for the given SID.  This subcommand is primarily for
             diagnostic use, to confirm whether the server can look up domain
             accounts and/or SIDs.
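
The following script is an added example, not part of the illumos manual page or source: it checks the group-name rule from DESCRIPTION, splits the member formats accepted by add-member and remove-member, flags a join user spec that embeds +password, and prints (without running) the commands for a new group. The function names, the group sales01 and the description text are assumptions; groupadd(1M) is taken from SEE ALSO as the way to create the system group first.

```shell
#!/bin/sh
# Added example (not from the illumos source). Pre-flight checks for smbadm
# arguments; commands are printed, never executed.
LC_ALL=C; export LC_ALL   # keep [a-z] from matching uppercase in other locales

# Group-name rule from DESCRIPTION: 1-8 chars, lowercase letters and digits.
smb_group_name_ok() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Split [domain\]username or [domain/]username into "domain user".
# Prints "-" as the domain when none is given; fails on an empty part.
member_parts() {
    case "$1" in
        *\\*) dom=${1%%\\*}; usr=${1#*\\} ;;
        */*)  dom=${1%%/*};  usr=${1#*/} ;;
        *)    dom=-; usr=$1 ;;
    esac
    [ -n "$dom" ] && [ -n "$usr" ] || return 1
    printf '%s %s\n' "$dom" "$usr"
}

# True when a join user spec carries the optional +password suffix, which
# would put the password in shell history and the process argument list.
join_spec_has_password() {
    case "$1" in *+*) return 0 ;; *) return 1 ;; esac
}

# Print the commands for: system group, matching SMB group, one member.
# The member is single-quoted so its backslash reaches smbadm unchanged.
plan_smb_group() {
    smb_group_name_ok "$1" || { echo "bad group name: $1" >&2; return 1; }
    case "$2" in *\'*) echo "bad member: $2" >&2; return 1 ;; esac
    member_parts "$2" >/dev/null || { echo "bad member: $2" >&2; return 1; }
    printf 'groupadd %s\n' "$1"
    printf 'smbadm create -d "%s" %s\n' "added example group" "$1"
    printf "smbadm add-member -m '%s' %s\n" "$2" "$1"
}

# Constructed sample input, using the page's sales\terry member name.
plan_smb_group sales01 'sales\terry'
```

An unquoted sales\terry reaches the command as salesterry, which member_parts reports as a user with no domain.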

EXIT STATUS
     The smbadm utility exits 0 on success, and >0 if an error occurs.

INTERFACE STABILITY
     Utility name and options are Uncommitted.  Utility output format is
     Not-An-Interface.

SEE ALSO
     passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
     sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4),
     smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)

illumos                        November 18, 2017                       illumos