1 '\" te
2 .\" Copyright 2014 Nexenta Systems, Inc. All rights reserved.
3 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
4 .\" The contents of this file are subject to the terms of the Common Development and Distribution License (the "License"). You may not use this file except in compliance with the License.
5 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE or http://www.opensolaris.org/os/licensing. See the License for the specific language governing permissions and limitations under the License.
6 .\" When distributing Covered Code, include this CDDL HEADER in each file and include the License file at usr/src/OPENSOLARIS.LICENSE. If applicable, add the following below this CDDL HEADER, with the fields enclosed by brackets "[]" replaced with your own identifying information: Portions Copyright [yyyy] [name of copyright owner]
7 .TH SMBADM 1M "April 9, 2016"
8 .SH NAME
9 smbadm \- configure and manage CIFS local groups and users, and manage domain
10 membership
11 .SH SYNOPSIS
12 .LP
13 .nf
14 \fBsmbadm add-member\fR -m \fImember\fR [[-m \fImember\fR] \&.\|.\|.] \fIgroup\fR
15 .fi
16
17 .LP
18 .nf
19 \fBsmbadm create\fR [-d \fIdescription\fR] \fIgroup\fR
20 .fi
21
22 .LP
23 .nf
24 \fBsmbadm delete\fR \fIgroup\fR
25 .fi
26
27 .LP
28 .nf
29 \fBsmbadm disable-user\fR \fIusername\fR
30 .fi
31
32 .LP
33 .nf
34 \fBsmbadm enable-user\fR \fIusername\fR
35 .fi
36
37 .LP
38 .nf
39 \fBsmbadm get\fR [[-p \fIproperty\fR] \&.\|.\|.] \fIgroup\fR
40 .fi
41
42 .LP
43 .nf
44 \fBsmbadm join\fR [-y] -u \fIusername\fR \fIdomain\fR
45 .fi
46
47 .LP
48 .nf
49 \fBsmbadm join\fR [-y] -w \fIworkgroup\fR
50 .fi
51
52 .LP
53 .nf
54 \fBsmbadm list\fR
55 .fi
56
57 .LP
58 .nf
59 \fBsmbadm lookup\fR \fIaccount-name\fR [\fIaccount-name\fR [\&.\|.\|.]]
60 .fi
61
62 .LP
63 .nf
64 \fBsmbadm remove-member\fR -m \fImember\fR [[-m \fImember\fR] \&.\|.\|.] \fIgroup\fR
65 .fi
66
67 .LP
68 .nf
69 \fBsmbadm rename\fR \fIgroup\fR \fInew-group\fR
70 .fi
71
72 .LP
73 .nf
74 \fBsmbadm set\fR -p \fIproperty\fR=\fIvalue\fR [[-p \fIproperty\fR=\fIvalue\fR] \&.\|.\|.] \fIgroup\fR
75 .fi
76
77 .LP
78 .nf
79 \fBsmbadm show\fR [-m] [-p] [\fIgroup\fR]
80 .fi
81
82 .SH DESCRIPTION
83 .LP
84 The \fBsmbadm\fR command is used to configure \fBCIFS\fR local groups and to
85 manage domain membership. You can also use the \fBsmbadm\fR command to enable
86 or disable SMB password generation for individual local users.
87 .sp
88 .LP
89 \fBCIFS\fR local groups can be used when Windows accounts must be members of
90 some local groups and when Windows style privileges must be granted. Solaris
91 local groups cannot provide these functions.
92 .sp
93 .LP
94 There are two types of local groups: user defined and built-in. Built-in local
95 groups are predefined local groups to support common administration tasks.
96 .sp
97 .LP
98 In order to provide proper identity mapping between \fBCIFS\fR local groups and
99 Solaris groups, a \fBCIFS\fR local group must have a corresponding Solaris
100 group. This requirement has two consequences: first, the group name must
101 conform to the intersection of the Windows and Solaris group name rules. Thus,
102 a \fBCIFS\fR local group name can be up to eight (8) characters long and
103 contain only lowercase characters and numbers. Second, a Solaris local group
104 has to be created before a \fBCIFS\fR local group can be created.
105 .sp
106 .LP
107 Built-in groups are standard Windows groups and are predefined by the
108 \fBCIFS\fR service. The built-in groups cannot be added, removed, or renamed,
109 and these groups do not follow the \fBCIFS\fR local group naming conventions.
110 .sp
111 .LP
112 When the \fBCIFS\fR server is started, the following built-in groups are
113 available:
114 .sp
115 .ne 2
116 .na
117 \fBAdministrators\fR
118 .ad
119 .sp .6
120 .RS 4n
121 Group members can administer the system.
122 .RE
123
124 .sp
125 .ne 2
126 .na
127 \fBBackup Operators\fR
128 .ad
129 .sp .6
130 .RS 4n
131 Group members can bypass file access controls to back up and restore files.
132 .RE
133
134 .sp
135 .ne 2
136 .na
137 \fBPower Users\fR
138 .ad
139 .sp .6
140 .RS 4n
141 Group members can share directories.
142 .RE
143
144 .sp
145 .LP
146 Solaris local users must have an SMB password for authentication and to gain
147 access to CIFS resources. This password is created by using the \fBpasswd\fR(1)
148 command when the \fBpam_smb_passwd\fR module is added to the system's PAM
149 configuration. See the \fBpam_smb_passwd\fR(5) man page.
150 .sp
151 .LP
152 The \fBdisable-user\fR and \fBenable-user\fR subcommands control SMB
153 password-generation for a specified local user. When disabled, the user is
154 prevented from connecting to the Solaris CIFS service. By default, SMB
155 password-generation is enabled for all local users.
156 .sp
157 .LP
158 To reenable a disabled user, you must use the \fBenable-user\fR subcommand and
159 then reset the user's password by using the \fBpasswd\fR command. The
160 \fBpam_smb_passwd.so.1\fR module must be added to the system's PAM
161 configuration to generate an SMB password.
162 .SS "Escaping Backslash Character"
163 .LP
164 For the \fBadd-member\fR, \fBremove-member\fR, and \fBjoin\fR (with \fB-u\fR)
165 subcommands, the backslash character (\fB\e\fR) is a valid separator between
166 member or user names and domain names. The backslash character is a shell
167 special character and must be quoted. For example, you might escape the
168 backslash character with another backslash character:
169 \fIdomain\fR\fB\e\e\fR\fIusername\fR. For more information about handling shell
170 special characters, see the man page for your shell.
171 .SH OPERANDS
172 .LP
173 The \fBsmbadm\fR command uses the following operands:
174 .sp
175 .ne 2
176 .na
177 \fB\fIdomain\fR\fR
178 .ad
179 .sp .6
180 .RS 4n
181 Specifies the name of an existing Windows domain to join.
182 .RE
183
184 .sp
185 .ne 2
186 .na
187 \fB\fIgroup\fR\fR
188 .ad
189 .sp .6
190 .RS 4n
191 Specifies the name of the \fBCIFS\fR local group.
192 .RE
193
194 .sp
195 .ne 2
196 .na
197 \fB\fIusername\fR\fR
198 .ad
199 .sp .6
200 .RS 4n
201 Specifies the name of a Solaris local user.
202 .RE
203
204 .SH SUBCOMMANDS
205 .LP
206 The \fBsmbadm\fR command includes these subcommands:
207 .sp
208 .ne 2
209 .na
210 \fB\fBadd-member\fR -m \fImember\fR [[-m \fImember\fR] \&.\|.\|.]
211 \fIgroup\fR\fR
212 .ad
213 .sp .6
214 .RS 4n
215 Adds the specified member to the specified \fBCIFS\fR local group. The \fB-m\fR
216 \fImember\fR option specifies the name of a \fBCIFS\fR local group member. The
217 member name must include an existing user name and an optional domain name.
218 .sp
219 Specify the member name in either of the following formats:
220 .sp
221 .in +2
222 .nf
223 [\fIdomain\fR\e]\fIusername\fR
224 [\fIdomain\fR/]\fIusername\fR
225 .fi
226 .in -2
227 .sp
228
229 For example, a valid member name might be \fBsales\eterry\fR or
230 \fBsales/terry\fR, where \fBsales\fR is the Windows domain name and \fBterry\fR
231 is the name of a user in the \fBsales\fR domain.
232 .RE
233
234 .sp
235 .ne 2
236 .na
237 \fB\fBcreate\fR [\fB-d\fR \fIdescription\fR] \fIgroup\fR\fR
238 .ad
239 .sp .6
240 .RS 4n
241 Creates a \fBCIFS\fR local group with the specified name. You can optionally
242 specify a description of the group by using the \fB-d\fR option.
243 .RE
244
245 .sp
246 .ne 2
247 .na
248 \fB\fBdelete\fR \fIgroup\fR\fR
249 .ad
250 .sp .6
251 .RS 4n
252 Deletes the specified \fBCIFS\fR local group. The built-in groups cannot be
253 deleted.
254 .RE
255
256 .sp
257 .ne 2
258 .na
259 \fB\fBdisable\fR \fIusername\fR\fR
260 .ad
261 .sp .6
262 .RS 4n
263 Disables SMB password-generation capabilities for the specified local user. A
264 disabled local user is prevented from accessing the system by means of the CIFS
265 service. When a local user account is disabled, you cannot use the \fBpasswd\fR
266 command to modify the user's SMB password until the user account is reenabled.
267 .RE
268
269 .sp
270 .ne 2
271 .na
272 \fB\fBenable\fR \fIusername\fR\fR
273 .ad
274 .sp .6
275 .RS 4n
276 Enables SMB password-generation capabilities for the specified local user.
277 After the password-generation capabilities are reenabled, you must use the
278 \fBpasswd\fR command to generate the SMB password for the local user before he
279 can connect to the CIFS service.
280 .sp
281 The \fBpasswd\fR command manages both the Solaris password and SMB password for
282 this user if the \fBpam_smb_passwd\fR module has been added to the system's PAM
283 configuration.
284 .RE
285
286 .sp
287 .ne 2
288 .na
289 \fB\fBget\fR [[\fB-p\fR \fIproperty\fR] \&.\|.\|.] \fIgroup\fR\fR
290 .ad
291 .sp .6
292 .RS 4n
293 Retrieves property values for the specified group. If no property is specified,
294 all property values are shown.
295 .RE
296
297 .sp
298 .ne 2
299 .na
300 \fB\fBjoin\fR \fB[-y] -u\fR \fIusername\fR \fIdomain\fR\fR
301 .ad
302 .sp .6
303 .RS 4n
304 Joins a Windows domain or a workgroup.
305 .sp
306 The default mode for the \fBCIFS\fR service is workgroup mode, which uses the
307 default workgroup name, \fBWORKGROUP\fR.
308 .sp
309 An authenticated user account is required to join a domain, so you must specify
310 the Windows administrative user name with the \fB-u\fR option. If the password
311 is not specified on the command line, the user is prompted for it. This user
312 should be the domain administrator or any user who has administrative
313 privileges for the target domain.
314 .sp
315 \fIusername\fR and \fIdomain\fR can be entered in any of the following formats:
316 .sp
317 .in +2
318 .nf
319 \fIusername\fR[+\fIpassword\fR] \fIdomain\fR
320 \fIdomain\fR\e\fIusername\fR[+\fIpassword\fR]
321 \fIdomain\fR/\fIusername\fR[+\fIpassword\fR]
322 \fIusername\fR@\fIdomain\fR
323 .fi
324 .in -2
325 .sp
326
327 \&...where \fIdomain\fR can be the NetBIOS or DNS domain name.
328 .sp
329 If a machine trust account for the system already exists on a domain
330 controller, any authenticated user account can be used when joining the domain.
331 However, if the machine trust account does \fBnot\fR already exist, an account
332 that has administrative privileges on the domain is required to join the
333 domain.
334 Specifying \fB-y\fR will bypass the smb service restart prompt.
335 .RE
336
337 .sp
338 .ne 2
339 .na
340 \fB\fBjoin\fR \fB[-y] -w\fR \fIworkgroup\fR\fR
341 .ad
342 .sp .6
343 .RS 4n
344 Joins a Windows domain or a workgroup.
345 .sp
346 The \fB-w\fR \fIworkgroup\fR option specifies the name of the workgroup to join
347 when using the \fBjoin\fR subcommand.
348 Specifying \fB-y\fR will bypass the smb service restart prompt.
349 .RE
350
351 .sp
352 .ne 2
353 .na
354 \fB\fBlist\fR\fR
355 .ad
356 .sp .6
357 .RS 4n
358 Shows information about the current workgroup or domain. The information
359 typically includes the workgroup name or the primary domain name. When in
360 domain mode, the information includes domain controller names and trusted
361 domain names.
362 .sp
363 Each entry in the output is identified by one of the following tags:
364 .sp
365 .ne 2
366 .na
367 \fB\fB- [*] -\fR\fR
368 .ad
369 .RS 11n
370 Primary domain
371 .RE
372
373 .sp
374 .ne 2
375 .na
376 \fB\fB- [.] -\fR\fR
377 .ad
378 .RS 11n
379 Local domain
380 .RE
381
382 .sp
383 .ne 2
384 .na
385 \fB\fB- [-] -\fR\fR
386 .ad
387 .RS 11n
388 Other domains
389 .RE
390
391 .sp
392 .ne 2
393 .na
394 \fB\fB- [+] -\fR\fR
395 .ad
396 .RS 11n
397 Selected domain controller
398 .RE
399
400 .RE
401
402 .sp
403 .ne 2
404 .na
405 \fB\fBlookup\fR\fR \fIaccount-name\fR [\fIaccount-name\fR [\&.\|.\|.]]
406
407 .ad
408 .sp .6
409 .RS 4n
410 Looks up the SID for the given \fIaccount-name\fR, or looks up the
411 \fIaccount-name\fR for the given SID. This subcommand is
412 primarily for diagnostic use, to confirm whether the server
413 can look up domain accounts and/or SIDs.
414 .RE
415
416 .sp
417 .ne 2
418 .na
419 \fB\fBremove-member\fR -m \fImember\fR [[-m \fImember\fR] \&.\|.\|.]
420 \fIgroup\fR\fR
421 .ad
422 .sp .6
423 .RS 4n
424 Removes the specified member from the specified \fBCIFS\fR local group. The
425 \fB-m\fR \fImember\fR option specifies the name of a \fBCIFS\fR local group
426 member. The member name must include an existing user name and an optional
427 domain name.
428 .sp
429 Specify the member name in either of the following formats:
430 .sp
431 .in +2
432 .nf
433 [\fIdomain\fR\e]\fIusername\fR
434 [\fIdomain\fR/]\fIusername\fR
435 .fi
436 .in -2
437 .sp
438
439 For example, a valid member name might be \fBsales\eterry\fR or
440 \fBsales/terry\fR, where \fBsales\fR is the Windows domain name and \fBterry\fR
441 is the name of a user in the \fBsales\fR domain.
442 .RE
443
444 .sp
445 .ne 2
446 .na
447 \fB\fBrename\fR \fIgroup\fR \fInew-group\fR\fR
448 .ad
449 .sp .6
450 .RS 4n
451 Renames the specified \fBCIFS\fR local group. The group must already exist. The
452 built-in groups cannot be renamed.
453 .RE
454
455 .sp
456 .ne 2
457 .na
458 \fB\fBset\fR \fB-p\fR \fIproperty\fR=\fIvalue\fR [[\fB-p\fR
459 \fIproperty\fR=\fIvalue\fR] \&.\|.\|.] \fIgroup\fR\fR
460 .ad
461 .sp .6
462 .RS 4n
463 Sets configuration properties for a \fBCIFS\fR local group. The description and
464 the privileges for the built-in groups cannot be changed.
465 .sp
466 The \fB-p\fR \fIproperty\fR\fB=\fR\fIvalue\fR option specifies the list of
467 properties to be set on the specified group.
468 .sp
469 The group-related properties are as follows:
470 .sp
471 .ne 2
472 .na
473 \fB\fBbackup=[on|off]\fR\fR
474 .ad
475 .sp .6
476 .RS 4n
477 Specifies whether members of the \fBCIFS\fR local group can bypass file access
478 controls to back up file system objects.
479 .RE
480
481 .sp
482 .ne 2
483 .na
484 \fB\fBdescription=\fR\fIdescription-text\fR\fR
485 .ad
486 .sp .6
487 .RS 4n
488 Specifies a text description for the \fBCIFS\fR local group.
489 .RE
490
491 .sp
492 .ne 2
493 .na
494 \fB\fBrestore=[on|off]\fR\fR
495 .ad
496 .sp .6
497 .RS 4n
498 Specifies whether members of the \fBCIFS\fR local group can bypass file access
499 controls to restore file system objects.
500 .RE
501
502 .sp
503 .ne 2
504 .na
505 \fB\fBtake-ownership=[on|off]\fR\fR
506 .ad
507 .sp .6
508 .RS 4n
509 Specifies whether members of the \fBCIFS\fR local group can take ownership of
510 file system objects.
511 .RE
512
513 .RE
514
515 .sp
516 .ne 2
517 .na
518 \fB\fBshow\fR [\fB-m\fR] [\fB-p\fR] [\fIgroup\fR]\fR
519 .ad
520 .sp .6
521 .RS 4n
522 Shows information about the specified \fBCIFS\fR local group or groups. If no
523 group is specified, information is shown for all groups. If the \fB-m\fR option
524 is specified, the group members are also shown. If the \fB-p\fR option is
525 specified, the group privileges are also shown.
526 .RE
527
528 .SH EXIT STATUS
529 .LP
530 The following exit values are returned:
531 .sp
532 .ne 2
533 .na
534 \fB0\fR
535 .ad
536 .RS 13n
537 Successful completion.
538 .RE
539
540 .sp
541 .ne 2
542 .na
543 \fB>0\fR
544 .ad
545 .RS 13n
546 An error occurred.
547 .RE
548
549 .SH ATTRIBUTES
550 .LP
551 See the \fBattributes\fR(5) man page for descriptions of the following
552 attributes:
553 .sp
554
555 .sp
556 .TS
557 box;
558 c | c
559 l | l .
560 ATTRIBUTE TYPE	ATTRIBUTE VALUE
561 _
562 Utility Name and Options	Uncommitted
563 _
564 Utility Output Format	Not-An-Interface
565 _
566 \fBsmbadm join\fR	Obsolete
567 .TE
568
569 .SH SEE ALSO
570 .LP
571 \fBpasswd\fR(1), \fBgroupadd\fR(1M), \fBidmap\fR(1M), \fBidmapd\fR(1M),
572 \fBkclient\fR(1M), \fBshare\fR(1M), \fBsharectl\fR(1M), \fBsharemgr\fR(1M),
573 \fBsmbd\fR(1M), \fBsmbstat\fR(1M), \fBsmb\fR(4), \fBsmbautohome\fR(4),
574 \fBattributes\fR(5), \fBpam_smb_passwd\fR(5), \fBsmf\fR(5)
|
1 .\"
2 .\" The contents of this file are subject to the terms of the
3 .\" Common Development and Distribution License (the "License").
4 .\" You may not use this file except in compliance with the License.
5 .\"
6 .\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
7 .\" or http://www.opensolaris.org/os/licensing.
8 .\" See the License for the specific language governing permissions
9 .\" and limitations under the License.
10 .\"
11 .\" When distributing Covered Code, include this CDDL HEADER in each
12 .\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
13 .\" If applicable, add the following below this CDDL HEADER, with the
14 .\" fields enclosed by brackets "[]" replaced with your own identifying
15 .\" information: Portions Copyright [yyyy] [name of copyright owner]
16 .\"
17 .\"
18 .\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
19 .\" Copyright 2017 Nexenta Systems, Inc.
20 .\"
21 .Dd November 18, 2017
22 .Dt SMBADM 1M
23 .Os
24 .Sh NAME
25 .Nm smbadm
26 .Nd configure and manage SMB local groups and users, and manage domain
27 membership
28 .Sh SYNOPSIS
29 .Nm
30 .Cm create
31 .Op Fl d Ar description
32 .Ar group
33 .Nm
34 .Cm delete
35 .Ar group
36 .Nm
37 .Cm rename
38 .Ar group new-group
39 .Nm
40 .Cm show
41 .Op Fl mp
42 .Op Ar group
43 .Nm
44 .Cm get
45 .Oo Fl p Ar property Oc Ns ...
46 .Ar group
47 .Nm
48 .Cm set
49 .Fl p Ar property Ns = Ns Ar value
50 .Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
51 .Ar group
52 .Nm
53 .Cm add-member
54 .Fl m Ar member Oo Fl m Ar member Oc Ns ...
55 .Ar group
56 .Nm
57 .Cm remove-member
58 .Fl m Ar member Oo Fl m Ar member Oc Ns ...
59 .Ar group
60 .Nm
61 .Cm delete-user
62 .Ar username
63 .Nm
64 .Cm disable-user
65 .Ar username
66 .Nm
67 .Cm enable-user
68 .Ar username
69 .Nm
70 .Cm join
71 .Op Fl y
72 .Fl u Ar username
73 .Ar domain
74 .Nm
75 .Cm join
76 .Op Fl y
77 .Fl w Ar workgroup
78 .Nm
79 .Cm list
80 .Nm
81 .Cm lookup
82 .Ar account-name Oo Ar account-name Oc Ns ...
83 .Sh DESCRIPTION
84 The
85 .Nm
86 command is used to configure SMB local groups and users, and to manage domain
87 membership.
88 You can also use the
89 .Nm
90 command to enable or disable SMB password generation for individual local users.
91 .Pp
92 SMB local groups can be used when Windows accounts must be members of some local
93 groups and when Windows style privileges must be granted.
94 System local groups cannot provide these functions.
95 .Pp
96 There are two types of local groups: user defined and built-in.
97 Built-in local groups are predefined local groups to support common
98 administration tasks.
99 .Pp
100 In order to provide proper identity mapping between SMB local groups and
101 system groups, an SMB local group must have a corresponding system group.
102 This requirement has two consequences: first, the group name must conform to the
103 intersection of the Windows and system group name rules.
104 Thus, an SMB local group name can be up to eight (8) characters long and contain
105 only lowercase characters and numbers.
106 Second, a system local group has to be created before an SMB local group can
107 be created.
108 .Pp
109 Built-in groups are standard Windows groups and are predefined by the SMB
110 service.
111 The built-in groups cannot be added, removed, or renamed, and these groups do
112 not follow the SMB local group naming conventions.
113 .Pp
114 When the SMB server is started, the following built-in groups are available:
115 .Bl -tag -width "Backup Operators"
116 .It Sy Administrators
117 Group members can administer the system.
118 .It Sy Backup Operators
119 Group members can bypass file access controls to back up and restore files.
120 .It Sy Power Users
121 Group members can share directories.
122 .El
123 .Pp
124 System local users must have an SMB password for authentication and to gain
125 access to SMB resources.
126 This password is created by using the
127 .Xr passwd 1
128 command when the
129 .Sy pam_smb_passwd
130 module is added to the system's PAM configuration.
131 See the
132 .Xr pam_smb_passwd 5
133 man page.
134 .Pp
135 The
136 .Cm disable-user
137 and
138 .Cm enable-user
139 subcommands control SMB password-generation for a specified local user.
140 When disabled, the user is prevented from connecting to the SMB service.
141 By default, SMB password-generation is enabled for all local users.
142 .Pp
143 To reenable a disabled user, you must use the
144 .Cm enable-user
145 subcommand and then reset the user's password by using the
146 .Nm passwd
147 command.
148 The
149 .Pa pam_smb_passwd.so.1
150 module must be added to the system's PAM configuration to generate an SMB
151 password.
152 .Ss Escaping Backslash Character
153 For the
154 .Cm add-member ,
155 .Cm remove-member ,
156 and
157 .Cm join
158 .Po with
159 .Fl u
160 .Pc
161 subcommands, the backslash character
162 .Pq Qq \e
163 is a valid separator between member or user names and domain names.
164 The backslash character is a shell special character and must be quoted.
165 For example, you might escape the backslash character with another backslash
166 character:
167 .Ar domain Ns \e\e Ns Ar username .
168 For more information about handling shell special characters, see the man page
169 for your shell.
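The group-name rule and the backslash quoting described above, as an added example that is not part of the smbadm manual or source: a POSIX sh pre-flight check that validates names and prints, without running, the commands to create a group and add members. The function names and the sample group webops are hypothetical.

```shell
#!/bin/sh
# Added example, not smbadm source. Checks the naming and quoting rules
# from this page and prints a dry-run command plan.

# SMB local group name rule: up to 8 characters, lowercase letters and
# digits only (characters spelled out to avoid locale-dependent ranges).
valid_group_name() {
    case $1 in
        ''|*[!abcdefghijklmnopqrstuvwxyz0123456789]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Split [domain\]username or [domain/]username.
# Prints "domain|username" (domain empty when omitted); fails when a
# separator is present but either side is empty, or on a second separator.
split_member() {
    case $1 in
        *\\*) dom=${1%%\\*}; usr=${1#*\\}; [ -n "$dom" ] || return 1 ;;
        */*)  dom=${1%%/*};  usr=${1#*/};  [ -n "$dom" ] || return 1 ;;
        *)    dom=; usr=$1 ;;
    esac
    case $usr in
        ''|*\\*|*/*) return 1 ;;
    esac
    printf '%s|%s\n' "$dom" "$usr"
}

# Returns its first argument exactly as the program received it.
# printf '%s' is used because some echo implementations expand "\t".
arg_as_received() { printf '%s' "$1"; }

# Single-quote a string so it can be pasted back into a shell unchanged.
sq() { printf "'%s'" "$(printf '%s' "$1" | sed "s/'/'\\\\''/g")"; }

# Print the commands for: system group first, then the SMB local group,
# then its members. Usage: plan_group group description member...
plan_group() {
    [ "$#" -ge 3 ] || { echo 'usage: plan_group group desc member...' >&2; return 1; }
    grp=$1 desc=$2
    shift 2
    valid_group_name "$grp" || { printf 'invalid group name: %s\n' "$grp" >&2; return 1; }
    members=
    for m in "$@"; do
        split_member "$m" >/dev/null || { printf 'invalid member: %s\n' "$m" >&2; return 1; }
        members="$members -m $(sq "$m")"
    done
    printf 'groupadd %s\n' "$grp"
    printf 'smbadm create -d %s %s\n' "$(sq "$desc")" "$grp"
    printf 'smbadm add-member%s %s\n' "$members" "$grp"
}

# Constructed sample input: the page's own sales\terry member name.
plan_group webops 'Web team' 'sales\terry' terry
```

Written unquoted as sales\terry, the shell consumes the backslash and the program receives salesterry, which split_member would then treat as a bare user name with no domain.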
170 .Sh OPERANDS
171 The
172 .Nm
173 command uses the following operands:
174 .Bl -tag -width "username"
175 .It Ar domain
176 Specifies the name of an existing Windows domain to join.
177 .It Ar group
178 Specifies the name of the SMB local group.
179 .It Ar username
180 Specifies the name of a system local user.
181 .El
182 .Sh SUBCOMMANDS
183 The
184 .Nm
185 command includes these subcommands:
186 .Bl -tag -width Ds
187 .It Xo
188 .Cm create
189 .Op Fl d Ar description
190 .Ar group
191 .Xc
192 Creates an SMB local group with the specified name.
193 You can optionally specify a description of the group by using the
194 .Fl d
195 option.
196 .It Xo
197 .Cm delete
198 .Ar group
199 .Xc
200 Deletes the specified SMB local group.
201 The built-in groups cannot be deleted.
202 .It Xo
203 .Cm rename
204 .Ar group new-group
205 .Xc
206 Renames the specified SMB local group.
207 The group must already exist.
208 The built-in groups cannot be renamed.
209 .It Xo
210 .Cm show
211 .Op Fl mp
212 .Op Ar group
213 .Xc
214 Shows information about the specified SMB local group or groups.
215 If no group is specified, information is shown for all groups.
216 If the
217 .Fl m
218 option is specified, the group members are also shown.
219 If the
220 .Fl p
221 option is specified, the group privileges are also shown.
222 .It Xo
223 .Cm get
224 .Oo Fl p Ar property Oc Ns ...
225 .Ar group
226 .Xc
227 Retrieves property values for the specified group.
228 If no property is specified, all property values are shown.
229 .It Xo
230 .Cm set
231 .Fl p Ar property Ns = Ns Ar value
232 .Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
233 .Ar group
234 .Xc
235 Sets configuration properties for an SMB local group.
236 The description and the privileges for the built-in groups cannot be changed.
237 .Pp
238 The
239 .Fl p Ar property Ns = Ns Ar value
240 option specifies the list of properties to be set on the specified group.
241 .Pp
242 The group-related properties are as follows:
243 .Bl -tag -width Ds
244 .It Cm backup Ns = Ns Cm on Ns | Ns Cm off
245 Specifies whether members of the SMB local group can bypass file access controls
246 to back up file system objects.
247 .It Cm description Ns = Ns Ar description-text
248 Specifies a text description for the SMB local group.
249 .It Cm restore Ns = Ns Cm on Ns | Ns Cm off
250 Specifies whether members of the SMB local group can bypass file access controls
251 to restore file system objects.
252 .It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
253 Specifies whether members of the SMB local group can take ownership of file
254 system objects.
255 .El
256 .It Xo
257 .Cm add-member
258 .Fl m Ar member Oo Fl m Ar member Oc Ns ...
259 .Ar group
260 .Xc
261 Adds the specified member to the specified SMB local group.
262 The
263 .Fl m Ar member
264 option specifies the name of an SMB local group member.
265 The member name must include an existing user name and an optional domain name.
266 .Pp
267 Specify the member name in either of the following formats:
268 .Bd -literal -offset indent
269 [domain\e]username
270 [domain/]username
271 .Ed
272 .Pp
273 For example, a valid member name might be
274 .Sy sales\eterry
275 or
276 .Sy sales/terry ,
277 where
278 .Sy sales
279 is the Windows domain name and
280 .Sy terry
281 is the name of a user in the
282 .Sy sales
283 domain.
284 .It Xo
285 .Cm remove-member
286 .Fl m Ar member Oo Fl m Ar member Oc Ns ...
287 .Ar group
288 .Xc
289 Removes the specified member from the specified SMB local group.
290 The
291 .Fl m Ar member
292 option specifies the name of an SMB local group member.
293 The member name must include an existing user name and an optional domain name.
294 .Pp
295 Specify the member name in either of the following formats:
296 .Bd -literal -offset indent
297 [domain\e]username
298 [domain/]username
299 .Ed
300 .Pp
301 For example, a valid member name might be
302 .Sy sales\eterry
303 or
304 .Sy sales/terry ,
305 where
306 .Sy sales
307 is the Windows domain name and
308 .Sy terry
309 is the name of a user in the
310 .Sy sales
311 domain.
312 .It Xo
313 .Cm delete-user
314 .Ar username
315 .Xc
316 Deletes the SMB password for the specified local user, effectively preventing
317 access by means of the SMB service.
318 Use the
319 .Nm passwd
320 command to create the SMB password and re-enable access.
321 .It Xo
322 .Cm disable-user
323 .Ar username
324 .Xc
325 Disables SMB password-generation capabilities for the specified local user,
326 effectively preventing access by means of the SMB service.
327 When a local user account is disabled, you cannot use the
328 .Nm passwd
329 command to modify the user's SMB password until the user account is re-enabled.
330 .It Xo
331 .Cm enable-user
332 .Ar username
333 .Xc
334 Enables SMB password-generation capabilities for the specified local user and
335 re-enables access.
336 After the password-generation capabilities are re-enabled, use the
337 .Nm passwd
338 command to generate the SMB password for the local user.
339 .Pp
340 The
341 .Nm passwd
342 command manages both the system password and SMB password for this user if the
343 .Pa pam_smb_passwd
344 module has been added to the system's PAM configuration.
345 .It Xo
346 .Cm join
347 .Op Fl y
348 .Fl u Ar username
349 .Ar domain
350 .Xc
351 Joins a Windows domain.
352 .Pp
353 An authenticated user account is required to join a domain, so you must specify
354 the Windows administrative user name with the
355 .Fl u
356 option.
357 If the password is not specified on the command line, the user is prompted for
358 it.
359 This user should be the domain administrator or any user who has administrative
360 privileges for the target domain.
361 .Pp
362 .Ar username
363 and
364 .Ar domain
365 can be entered in any of the following formats:
366 .Bd -literal -offset indent
367 username[+password] domain
368 domain\eusername[+password]
369 domain/username[+password]
370 username@domain
371 .Ed
372 .Pp
373 \&...where
374 .Ar domain
375 can be the NetBIOS or DNS domain name.
376 .Pp
377 If a machine trust account for the system already exists on a domain controller,
378 any authenticated user account can be used when joining the domain.
379 However, if the machine trust account does
380 .Em not
381 already exist, an account that has administrative privileges on the domain is
382 required to join the domain.
383 Specifying
384 .Fl y
385 will bypass the SMB service restart prompt.
386 .It Xo
387 .Cm join
388 .Op Fl y
389 .Fl w Ar workgroup
390 .Xc
391 Joins a Windows workgroup.
392 .Pp
393 The default mode for the SMB service is workgroup mode, which uses the default
394 workgroup name,
395 .Qq WORKGROUP .
396 .Pp
397 The
398 .Fl w Ar workgroup
399 option specifies the name of the workgroup to join when using the
400 .Cm join
401 subcommand.
402 Specifying
403 .Fl y
404 will bypass the SMB service restart prompt.
405 .It Cm list
406 Shows information about the current workgroup or domain.
407 The information typically includes the workgroup name or the primary domain
408 name.
409 When in domain mode, the information includes domain controller names and
410 trusted domain names.
411 .Pp
412 Each entry in the output is identified by one of the following tags:
413 .Bl -tag -width "[*]"
414 .It Sy [*]
415 Primary domain
416 .It Sy [.]
417 Local domain
418 .It Sy [-]
419 Other domains
420 .It Sy [+]
421 Selected domain controller
422 .El
423 .It Xo
424 .Cm lookup
425 .Ar account-name Oo Ar account-name Oc Ns ...
426 .Xc
427 Looks up the SID for the given
428 .Ar account-name ,
429 or looks up the
430 .Ar account-name
431 for the given SID.
432 This subcommand is primarily for diagnostic use, to confirm whether the server
433 can look up domain accounts and/or SIDs.
434 .El
435 .Sh EXIT STATUS
436 .Ex -std
437 .Sh INTERFACE STABILITY
438 Utility name and options are
439 .Sy Uncommitted .
440 Utility output format is
441 .Sy Not-An-Interface .
442 .Sh SEE ALSO
443 .Xr passwd 1 ,
444 .Xr groupadd 1M ,
445 .Xr idmap 1M ,
446 .Xr idmapd 1M ,
447 .Xr kclient 1M ,
448 .Xr share 1M ,
449 .Xr sharectl 1M ,
450 .Xr sharemgr 1M ,
451 .Xr smbd 1M ,
452 .Xr smbstat 1M ,
453 .Xr smb 4 ,
454 .Xr smbautohome 4 ,
455 .Xr attributes 5 ,
456 .Xr pam_smb_passwd 5 ,
457 .Xr smf 5