1 SMBADM(1M) Maintenance Commands SMBADM(1M)
2
3
4
5 NAME
6 smbadm - configure and manage CIFS local groups and users, and manage
7 domain membership
8
9 SYNOPSIS
10 smbadm add-member -m member [[-m member] ...] group
11
12
13 smbadm create [-d description] group
14
15
16 smbadm delete group
17
18
19 smbadm disable-user username
20
21
22 smbadm enable-user username
23
24
25 smbadm get [[-p property] ...] group
26
27
28 smbadm join [-y] -u username domain
29
30
31 smbadm join [-y] -w workgroup
32
33
34 smbadm list
35
36
37 smbadm lookup account-name [account-name [...]]
38
39
40 smbadm remove-member -m member [[-m member] ...] group
41
42
43 smbadm rename group new-group
44
45
46 smbadm set -p property=value [[-p property=value] ...] group
47
48
49 smbadm show [-m] [-p] [group]
50
51
52 DESCRIPTION
53 The smbadm command is used to configure CIFS local groups and to manage
54 domain membership. You can also use the smbadm command to enable or
55 disable SMB password generation for individual local users.
56
57
58 CIFS local groups can be used when Windows accounts must be members of
59 some local groups and when Windows style privileges must be granted.
60 Solaris local groups cannot provide these functions.
61
62
63 There are two types of local groups: user defined and built-in. Built-
64 in local groups are predefined local groups to support common
65 administration tasks.
66
67
68 In order to provide proper identity mapping between CIFS local groups
69 and Solaris groups, a CIFS local group must have a corresponding
70 Solaris group. This requirement has two consequences: first, the group
71 name must conform to the intersection of the Windows and Solaris group
72 name rules. Thus, a CIFS local group name can be up to eight (8)
73 characters long and contain only lowercase characters and numbers.
74 Second, a Solaris local group has to be created before a CIFS local
75 group can be created.
76
77
78 Built-in groups are standard Windows groups and are predefined by the
79 CIFS service. The built-in groups cannot be added, removed, or renamed,
80 and these groups do not follow the CIFS local group naming conventions.
81
82
83 When the CIFS server is started, the following built-in groups are
84 available:
85
86 Administrators
87
88 Group members can administer the system.
89
90
91 Backup Operators
92
93 Group members can bypass file access controls to back up and
94 restore files.
95
96
97 Power Users
98
99 Group members can share directories.
100
101
102
103 Solaris local users must have an SMB password for authentication and to
104 gain access to CIFS resources. This password is created by using the
105 passwd(1) command when the pam_smb_password module is added to the
106 system's PAM configuration. See the pam_smb_passwd(5) man page.
107
108
109 The disable-user and enable-user subcommands control SMB password-
110 generation for a specified local user. When disabled, the user is
111 prevented from connecting to the Solaris CIFS service. By default, SMB
112 password-generation is enabled for all local users.
113
114
115 To reenable a disabled user, you must use the enable-user subcommand
116 and then reset the user's password by using the passwd command. The
117 pam_smb_passwd.so.1 module must be added to the system's PAM
118 configuration to generate an SMB password.
119
120 Escaping Backslash Character
121 For the add-member, remove-member, and join (with -u) subcommands, the
122 backslash character (\) is a valid separator between member or user
123 names and domain names. The backslash character is a shell special
124 character and must be quoted. For example, you might escape the
125 backslash character with another backslash character: domain\\username.
126 For more information about handling shell special characters, see the
127 man page for your shell.
128
129 OPERANDS
130 The smbadm command uses the following operands:
131
132 domain
133
134 Specifies the name of an existing Windows domain to join.
135
136
137 group
138
139 Specifies the name of the CIFS local group.
140
141
142 username
143
144 Specifies the name of a Solaris local user.
145
146
147 SUBCOMMANDS
148 The smbadm command includes these subcommands:
149
150 add-member -m member [[-m member] ...] group
151
152 Adds the specified member to the specified CIFS local group. The -m
153 member option specifies the name of a CIFS local group member. The
154 member name must include an existing user name and an optional
155 domain name.
156
157 Specify the member name in either of the following formats:
158
159 [domain\]username
160 [domain/]username
161
162
163 For example, a valid member name might be sales\terry or
164 sales/terry, where sales is the Windows domain name and terry is
165 the name of a user in the sales domain.
166
167
168 create [-d description] group
169
170 Creates a CIFS local group with the specified name. You can
171 optionally specify a description of the group by using the -d
172 option.
173
174
175 delete group
176
177 Deletes the specified CIFS local group. The built-in groups cannot
178 be deleted.
179
180
181 disable username
182
183 Disables SMB password-generation capabilities for the specified
184 local user. A disabled local user is prevented from accessing the
185 system by means of the CIFS service. When a local user account is
186 disabled, you cannot use the passwd command to modify the user's
187 SMB password until the user account is reenabled.
188
189
190 enable username
191
192 Enables SMB password-generation capabilities for the specified
193 local user. After the password-generation capabilities are
194 reenabled, you must use the passwd command to generate the SMB
195 password for the local user before he can connect to the CIFS
196 service.
197
198 The passwd command manages both the Solaris password and SMB
199 password for this user if the pam_smb_passwd module has been added
200 to the system's PAM configuration.
201
202
203 get [[-p property=value] ...] group
204
205 Retrieves property values for the specified group. If no property
206 is specified, all property values are shown.
207
208
209 join [-y] -u username domain
210
211 Joins a Windows domain or a workgroup.
212
213 The default mode for the CIFS service is workgroup mode, which uses
214 the default workgroup name, WORKGROUP.
215
216 An authenticated user account is required to join a domain, so you
217 must specify the Windows administrative user name with the -u
218 option. If the password is not specified on the command line, the
219 user is prompted for it. This user should be the domain
220 administrator or any user who has administrative privileges for the
221 target domain.
222
223 username and domain can be entered in any of the following formats:
224
225 username[+password] domain
226 domain\username[+password]
227 domain/username[+password]
228 username@domain
229
230
231 ...where domain can be the NetBIOS or DNS domain name.
232
233 If a machine trust account for the system already exists on a
234 domain controller, any authenticated user account can be used when
235 joining the domain. However, if the machine trust account does not
236 already exist, an account that has administrative privileges on the
237 domain is required to join the domain. Specifying -y will bypass
238 the smb service restart prompt.
239
240
241 join [-y] -w workgroup
242
243 Joins a Windows domain or a workgroup.
244
245 The -w workgroup option specifies the name of the workgroup to join
246 when using the join subcommand. Specifying -y will bypass the smb
247 service restart prompt.
248
249
250 list
251
252 Shows information about the current workgroup or domain. The
253 information typically includes the workgroup name or the primary
254 domain name. When in domain mode, the information includes domain
255 controller names and trusted domain names.
256
257 Each entry in the ouput is identified by one of the following tags:
258
259 - [*] -
260 Primary domain
261
262
263 - [.] -
264 Local domain
265
266
267 - [-] -
268 Other domains
269
270
271 - [+] -
272 Selected domain controller
273
274
275
276 lookup account-name [account-name [...]]
277
278
279 Lookup the SID for the given account-name, or lookup the account-
280 name for the given SID. This subcommand is primarily for
281 diagnostic use, to confirm whether the server can lookup domain
282 accounts and/or SIDs.
283
284
285 remove-member -m member [[-m member] ...] group
286
287 Removes the specified member from the specified CIFS local group.
288 The -m member option specifies the name of a CIFS local group
289 member. The member name must include an existing user name and an
290 optional domain name.
291
292 Specify the member name in either of the following formats:
293
294 [domain\]username
295 [domain/]username
296
297
298 For example, a valid member name might be sales\terry or
299 sales/terry, where sales is the Windows domain name and terry is
300 the name of a user in the sales domain.
301
302
303 rename group new-group
304
305 Renames the specified CIFS local group. The group must already
306 exist. The built-in groups cannot be renamed.
307
308
309 set -p property=value [[-p property=value] ...] group
310
311 Sets configuration properties for a CIFS local group. The
312 description and the privileges for the built-in groups cannot be
313 changed.
314
315 The -p property=value option specifies the list of properties to be
316 set on the specified group.
317
318 The group-related properties are as follows:
319
320 backup=[on|off]
321
322 Specifies whether members of the CIFS local group can bypass
323 file access controls to back up file system objects.
324
325
326 description=description-text
327
328 Specifies a text description for the CIFS local group.
329
330
331 restore=[on|off]
332
333 Specifies whether members of the CIFS local group can bypass
334 file access controls to restore file system objects.
335
336
337 take-ownership=[on|off]
338
339 Specifies whether members of the CIFS local group can take
340 ownership of file system objects.
341
342
343
344 show [-m] [-p] [group]
345
346 Shows information about the specified CIFS local group or groups.
347 If no group is specified, information is shown for all groups. If
348 the -m option is specified, the group members are also shown. If
349 the -p option is specified, the group privileges are also shown.
350
351
352 EXIT STATUS
353 The following exit values are returned:
354
355 0
356 Successful completion.
357
358
359 >0
360 An error occurred.
361
362
363 ATTRIBUTES
364 See the attributes(5) man page for descriptions of the following
365 attributes:
366
367
368
369
370 +-------------------------+------------------+
371 | ATTRIBUTE TYPE | ATTRIBUTE VALUE |
372 +-------------------------+------------------+
373 |Utility Name and Options | Uncommitted |
374 +-------------------------+------------------+
375 |Utility Output Format | Not-An-Interface |
376 +-------------------------+------------------+
377 |smbadm join | Obsolete |
378 +-------------------------+------------------+
379
380 SEE ALSO
381 passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
382 sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4),
383 smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)
384
385
386
387 April 9, 2016 SMBADM(1M)
1 SMBADM(1M) Maintenance Commands SMBADM(1M)
2
3 NAME
4 smbadm - configure and manage SMB local groups and users, and manage
5 domain membership
6
7 SYNOPSIS
8 smbadm create [-d description] group
9 smbadm delete group
10 smbadm rename group new-group
11 smbadm show [-mp] [group]
12 smbadm get [-p property]... group
13 smbadm set -p property=value [-p property=value]... group
14 smbadm add-member -m member [-m member]... group
15 smbadm remove-member -m member [-m member]... group
16 smbadm delete-user username
17 smbadm disable-user username
18 smbadm enable-user username
19 smbadm join [-y] -u username domain
20 smbadm join [-y] -w workgroup
21 smbadm list
22 smbadm lookup account-name [account-name]...
23
24 DESCRIPTION
25 The smbadm command is used to configure SMB local groups and users, and
26 to manage domain membership. You can also use the smbadm command to
27 enable or disable SMB password generation for individual local users.
28
29 SMB local groups can be used when Windows accounts must be members of
30 some local groups and when Windows style privileges must be granted.
31 System local groups cannot provide these functions.
32
33 There are two types of local groups: user defined and built-in. Built-in
34 local groups are predefined local groups to support common administration
35 tasks.
36
37 In order to provide proper identity mapping between SMB local groups and
38 system groups, a SMB local group must have a corresponding system group.
39 This requirement has two consequences: first, the group name must conform
40 to the intersection of the Windows and system group name rules. Thus, a
41 SMB local group name can be up to eight (8) characters long and contain
42 only lowercase characters and numbers. Second, a system local group has
43 to be created before a SMB local group can be created.
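Review bot: the rewritten naming paragraph (new lines 37-43) says "a SMB local group" three times, while new lines 59 and 72 keep "an SMB password". Pick one article, preferably "an SMB", and apply it in the create, set, add-member and remove-member entries too, which also read "a SMB".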
44
45 Built-in groups are standard Windows groups and are predefined by the SMB
46 service. The built-in groups cannot be added, removed, or renamed, and
47 these groups do not follow the SMB local group naming conventions.
48
49 When the SMB server is started, the following built-in groups are
50 available:
51
52 Administrators Group members can administer the system.
53
54 Backup Operators Group members can bypass file access controls to back
55 up and restore files.
56
57 Power Users Group members can share directories.
58
59 System local users must have an SMB password for authentication and to
60 gain access to SMB resources. This password is created by using the
61 passwd(1) command when the pam_smb_password module is added to the
62 system's PAM configuration. See the pam_smb_passwd(5) man page.
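Review bot: new line 61 names the module "pam_smb_password", which does not match pam_smb_passwd(5) on line 62 or pam_smb_passwd.so.1 on line 71. The same spelling is in the old text, so it was carried over by the CIFS-to-SMB rewording. Suggest changing it to pam_smb_passwd here so an administrator editing the PAM configuration is pointed at the module name the rest of the page uses.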
63
64 The disable-user and enable-user subcommands control SMB password-
65 generation for a specified local user. When disabled, the user is
66 prevented from connecting to the SMB service. By default, SMB password-
67 generation is enabled for all local users.
68
69 To reenable a disabled user, you must use the enable-user subcommand and
70 then reset the user's password by using the passwd command. The
71 pam_smb_passwd.so.1 module must be added to the system's PAM
72 configuration to generate an SMB password.
73
74 Escaping Backslash Character
75 For the add-member, remove-member, and join (with -u) subcommands, the
76 backslash character ("\") is a valid separator between member or user
77 names and domain names. The backslash character is a shell special
78 character and must be quoted. For example, you might escape the
79 backslash character with another backslash character: domain\\username.
80 For more information about handling shell special characters, see the man
81 page for your shell.
82
83 OPERANDS
84 The smbadm command uses the following operands:
85
86 domain Specifies the name of an existing Windows domain to join.
87
88 group Specifies the name of the SMB local group.
89
90 username Specifies the name of a system local user.
91
92 SUBCOMMANDS
93 The smbadm command includes these subcommands:
94
95 create [-d description] group
96 Creates a SMB local group with the specified name. You can
97 optionally specify a description of the group by using the -d
98 option.
99
100 delete group
101 Deletes the specified SMB local group. The built-in groups
102 cannot be deleted.
103
104 rename group new-group
105 Renames the specified SMB local group. The group must already
106 exist. The built-in groups cannot be renamed.
107
108 show [-mp] [group]
109 Shows information about the specified SMB local group or groups.
110 If no group is specified, information is shown for all groups.
111 If the -m option is specified, the group members are also shown.
112 If the -p option is specified, the group privileges are also
113 shown.
114
115 get [-p property=value]... group
116 Retrieves property values for the specified group. If no
117 property is specified, all property values are shown.
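Review bot: the get entry heading on new line 115 still reads "get [-p property=value]... group", which disagrees with the SYNOPSIS on new line 12 ("smbadm get [-p property]... group") and with the description, which says the subcommand retrieves values. Suggest dropping "=value" from the heading so the two usages match.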
118
119 set -p property=value [-p property=value]... group
120 Sets configuration properties for a SMB local group. The
121 description and the privileges for the built-in groups cannot be
122 changed.
123
124 The -p property=value option specifies the list of properties to
125 be set on the specified group.
126
127 The group-related properties are as follows:
128
129 backup=on|off
130 Specifies whether members of the SMB local group can
131 bypass file access controls to back up file system
132 objects.
133
134 description=description-text
135 Specifies a text description for the SMB local group.
136
137 restore=on|off
138 Specifies whether members of the SMB local group can
139 bypass file access controls to restore file system
140 objects.
141
142 take-ownership=on|off
143 Specifies whether members of the SMB local group can take
144 ownership of file system objects.
145
146 add-member -m member [-m member]... group
147 Adds the specified member to the specified SMB local group. The
148 -m member option specifies the name of a SMB local group member.
149 The member name must include an existing user name and an
150 optional domain name.
151
152 Specify the member name in either of the following formats:
153
154 [domain\]username
155 [domain/]username
156
157 For example, a valid member name might be sales\terry or
158 sales/terry, where sales is the Windows domain name and terry is
159 the name of a user in the sales domain.
160
161 remove-member -m member [-m member]... group
162 Removes the specified member from the specified SMB local group.
163 The -m member option specifies the name of a SMB local group
164 member. The member name must include an existing user name and
165 an optional domain name.
166
167 Specify the member name in either of the following formats:
168
169 [domain\]username
170 [domain/]username
171
172 For example, a valid member name might be sales\terry or
173 sales/terry, where sales is the Windows domain name and terry is
174 the name of a user in the sales domain.
175
176 delete-user username
177 Deletes SMB password for the specified local user effectively
178 preventing the access by means of the SMB service. Use passwd
179 command to create the SMB password and re-enable access.
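Review bot: the new delete-user entry (new lines 176-179) does not say how it differs from disable-user, and the DESCRIPTION paragraph on new lines 64-67 still mentions only disable-user and enable-user. From the text, delete-user removes the SMB password and passwd alone restores access, whereas disable-user blocks passwd until enable-user is run; stating that contrast in the entry would help an administrator choose the right one when revoking access. The wording also needs articles, for example "Deletes the SMB password for the specified local user, which prevents access by means of the SMB service. Use the passwd command to ...".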
180
181 disable-user username
182 Disables SMB password-generation capabilities for the specified
183 local user effectively preventing access by means of the SMB
184 service. When a local user account is disabled, you cannot use
185 the passwd command to modify the user's SMB password until the
186 user account is re-enabled.
187
188 enable-user username
189 Enables SMB password-generation capabilities for the specified
190 local user and re-enables access. After the password-generation
191 capabilities are re-enabled, use the passwd command to generate
192 the SMB password for the local user.
193
194 The passwd command manages both the system password and SMB
195 password for this user if the pam_smb_passwd module has been
196 added to the system's PAM configuration.
197
198 join [-y] -u username domain
199 Joins a Windows domain.
200
201 An authenticated user account is required to join a domain, so
202 you must specify the Windows administrative user name with the -u
203 option. If the password is not specified on the command line,
204 the user is prompted for it. This user should be the domain
205 administrator or any user who has administrative privileges for
206 the target domain.
207
208 username and domain can be entered in any of the following
209 formats:
210
211 username[+password] domain
212 domain\username[+password]
213 domain/username[+password]
214 username@domain
215
216 ...where domain can be the NetBIOS or DNS domain name.
217
218 If a machine trust account for the system already exists on a
219 domain controller, any authenticated user account can be used
220 when joining the domain. However, if the machine trust account
221 does not already exist, an account that has administrative
222 privileges on the domain is required to join the domain.
223 Specifying -y will bypass the SMB service restart prompt.
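Review bot: the join -u entry (new lines 201-214) documents passing the administrative password in the argument itself, as "username[+password]", and mentions the prompt only as the fallback. Since this section is being reworded anyway, suggest adding a sentence that recommends omitting the password and using the prompt, because a password given as a command argument can end up in shell history and is visible in process listings while the command runs.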
224
225 join [-y] -w workgroup
226 Joins a Windows workgroup.
227
228 The default mode for the SMB service is workgroup mode, which
229 uses the default workgroup name, "WORKGROUP".
230
231 The -w workgroup option specifies the name of the workgroup to
232 join when using the join subcommand. Specifying -y will bypass
233 the SMB service restart prompt.
234
235 list Shows information about the current workgroup or domain. The
236 information typically includes the workgroup name or the primary
237 domain name. When in domain mode, the information includes
238 domain controller names and trusted domain names.
239
240 Each entry in the ouput is identified by one of the following
241 tags:
242
243 [*] Primary domain
244
245 [.] Local domain
246
247 [-] Other domains
248
249 [+] Selected domain controller
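Review bot: "ouput" on new line 240 is a typo for "output" that was carried over unchanged from the old page. Worth fixing in the same change, since the list entry was reformatted anyway.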
250
251 lookup account-name [account-name]...
252 Lookup the SID for the given account-name, or lookup the
253 account-name for the given SID. This subcommand is primarily for
254 diagnostic use, to confirm whether the server can lookup domain
255 accounts and/or SIDs.
256
257 EXIT STATUS
258 The smbadm utility exits 0 on success, and >0 if an error occurs.
259
260 INTERFACE STABILITY
261 Utility name and options are Uncommitted. Utility output format is
262 Not-An-Interface.
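Review bot: the old ATTRIBUTES table had a third row marking "smbadm join" as Obsolete, and the new INTERFACE STABILITY text (new lines 261-262) keeps only the Uncommitted and Not-An-Interface statements. If the Obsolete classification of join is being withdrawn on purpose, say so in the change description; otherwise add a sentence here that carries it over.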
263
264 SEE ALSO
265 passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M),
266 sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4),
267 smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)
268
269 illumos November 18, 2017 illumos