Chapter 3 Setting Up and Maintaining User Accounts and Groups (Tasks)
This chapter describes the procedures for setting up and maintaining
user accounts and groups.
This is a list of the step-by-step instructions in this chapter.
For overview information about Managing User Accounts and Groups, see Chapter 2, Managing User Accounts and Groups (Overview).
Becoming Superuser (root)
Most administrative tasks such as adding users require that you log
in as root (UID=0) first. The root account is also known as the superuser account because it's used to make system changes and
can override user file protection in emergency situations.
The superuser account should be used only to perform administrative
tasks to prevent indiscriminate changes to the system.
You can either log into the system as superuser or use the su(1M) command to change to the
superuser account.
If you are using role-based access control, you must assume a role (either
superuser or some other role) to perform administrative tasks. Roles are assumed
by using the su command; you cannot log in to a role directly.
See "Role-Based Access Control" in System Administration Guide,
Volume 2 for more information.
How to Become Superuser (root)
Become superuser by one of the following methods. Both methods require
that you know the root password.
-
Change to the superuser account by using the su
command.
% su
Password: root_password
#
The pound sign (#) is the Bourne shell prompt for the superuser account.
-
Log in as superuser on the system console.
hostname console: root
Password: root_password
#
This method is not enabled by default. You must modify the /etc/default/login file to log in as superuser on the system console.
See "Securing Systems (Tasks)" in System Administration Guide,
Volume 2 for information on modifying this file.
Setting Up User Accounts Task Map
Table 3-1 Setting Up User Accounts Task Map
User Information Data Sheet
You might find it useful to create a form like the one below to gather
information about users before adding their accounts.
If you are using role-based access control, you will also need to list
any roles, profiles, or authorizations intended for the user account. See "Role-Based
Access Control" in System Administration Guide, Volume 2 for more information.
| Item | Description |
|---|---|
| User Name: | |
| UID: | |
| Primary Group: | |
| Secondary Groups: | |
| Comment: | |
| Default Shell: | |
| Password Status and Aging: | |
| Home Directory Server Name: | |
| Home Directory Path Name: | |
| Mounting Method: | |
| Permissions on Home Directory: | |
| Mail Server: | |
| Department Name: | |
| Department Administrator: | |
| Manager: | |
| Employee Name: | |
| Employee Title: | |
| Employee Status: | |
| Employee Number: | |
| Start Date: | |
| Add to These Mail Aliases: | |
| Desktop System Name: | |
How to Customize User Initialization Files
-
Become superuser on the system where the users' home directories are
created and shared.
-
Create a skeleton directory for each type of user.
# mkdir /shared-dir/skel/user-type
| shared-dir | The name of a directory that is available to other systems on the network. |
| user-type | The name of a directory to store initialization files for a type of user. |
-
Copy the default user initialization files into the directories you
created for different types of users.
# cp /etc/skel/local.cshrc /shared-dir/skel/user-type/.cshrc
# cp /etc/skel/local.login /shared-dir/skel/user-type/.login
# cp /etc/skel/local.profile /shared-dir/skel/user-type/.profile
Note -
If the account has profiles assigned to it, then the user has to launch
a special version of the shell called a profile shell to use commands (with
any security attributes) that are assigned to the profile. There are three
profile shells corresponding to the types of shells: pfsh
(Bourne shell), pfcsh (C shell), and pfksh
(Korn shell).
-
Edit the user initialization files for each user type and customize
them based on your site's needs.
See "Customizing a User's Work Environment" for a detailed description of
the ways to customize the user initialization files.
-
Set the permissions for the user initialization files.
# chmod 744 /shared-dir/skel/user-type/.*
-
Verify the permissions for the user initialization files are correct
with the ls -la command.
Example--Customizing User Initialization Files
The following example customizes the C-shell user initialization file
in the /export/skel/enduser directory designated for
a particular type of user.
# mkdir /export/skel/enduser
# cp /etc/skel/local.cshrc /export/skel/enduser/.cshrc
(Edit the .cshrc file--see "Example--.cshrc File")
# chmod 744 /export/skel/enduser/.*
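An added example, not part of the original guide: a Bourne-shell check that a skeleton directory and its initialization files are not writable by group or other, and that the directory itself is still searchable. It selects files with the pattern .[!.]* because in the Bourne shell .* also matches . and .., so a chmod 744 over .* also changes the mode of the skeleton directory and its parent; the function names and the scratch paths are assumptions.

```sh
#!/bin/sh
# Added example (not from the original guide): audit a skeleton directory.
# audit_skel DIR prints one finding per line and returns 1 if any were found.
audit_skel() {
    dir=$1
    rc=0
    mode=$(ls -ld "$dir" | cut -c1-10)
    case $mode in
        d?????[xs]??[xt]) ;;   # group and other can still search the directory
        *) echo "NOSEARCH $mode $dir"; rc=1 ;;
    esac
    case $mode in
        d????w????|d???????w?) echo "WRITABLE $mode $dir"; rc=1 ;;
    esac
    # .[!.]* matches names such as .cshrc but, unlike .*, never "." or ".."
    for f in "$dir"/.[!.]*; do
        [ -e "$f" ] || [ -h "$f" ] || continue   # pattern matched nothing
        mode=$(ls -ld "$f" | cut -c1-10)
        case $mode in
            l*) echo "SYMLINK $mode $f"; rc=1 ;;                    # may point anywhere
            ?????w????|????????w?) echo "WRITABLE $mode $f"; rc=1 ;;  # group/other write
        esac
    done
    return $rc
}

# Constructed demonstration in a scratch directory (hypothetical paths).
demo_skel() {
    d=${TMPDIR:-/tmp}/skel-demo.$$
    mkdir -p "$d/enduser" || return 1
    chmod 755 "$d/enduser"
    : > "$d/enduser/.cshrc";   chmod 744 "$d/enduser/.cshrc"
    : > "$d/enduser/.profile"; chmod 766 "$d/enduser/.profile"   # writable by all
    echo "--- as created:"
    audit_skel "$d/enduser" || :
    # The mode that "chmod 744 dir/.*" gives "." when the glob matches it
    chmod 744 "$d/enduser"
    echo "--- after chmod 744 on the directory itself:"
    audit_skel "$d/enduser" || :
    rm -rf "$d"
}
demo_skel
```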
How to Start Admintool
-
Verify that the following prerequisites are met. To use Admintool, you
must:
-
Have a bit-mapped display monitor. The Admintool software
can be used only on a system with a console that has a bit-mapped screen such
as a standard display monitor that comes with a Sun workstation.
-
Be running an X Window environment such as CDE.
-
Be a member of the sysadmin group (group 14).
If you want to perform administration tasks on a system with an ASCII
terminal as the console, use Solaris commands instead. See useradd(1M) for more
information.
-
Start Admintool.
The Users main window appears.
Example--Starting Admintool
The Users main window enables you to manage user account information.
How to Add a Group
-
Start Admintool, if it's not already running.
See "How to Start Admintool" for more information on starting
Admintool.
-
Choose Groups from the Browse menu.
The Groups window appears.
-
Select Add from the Edit menu.
The Add window has several fields. If you need information to complete
a field, click the Help button to see field definitions for this window.
-
Type the name of the new group in the Group Name text box.
-
Type the group ID for the new group in the Group ID text box.
The group ID should be unique.
-
(Optional) Type user names in the Members List text box.
The list of users will be added to the group. User names must be separated
by commas.
-
Click OK.
The list of groups displayed in the Groups window is updated to include
the new group.
Example--Adding a Group
The following example adds a group named users that
has a group ID of 101.
How to Add a New User Account
-
(Optional) Fill out the user information data sheet on "User Information Data Sheet".
-
Start Admintool, if it's not already running.
See "How to Start Admintool" for more information.
-
Choose Add from the Edit menu.
The Add User window is displayed.
-
Fill in the Add User window.
If you need information to complete a field, click the Help button to
see field definitions for this window.
-
Click OK.
The list of user accounts displayed in the Users main window is updated
to include the new user account.
Where to Go From Here
If you created a user's home directory, you must share the directory
so the user's system can remotely mount it. See "How to Share a User's Home Directory"
for detailed instructions.
If disk space is limited, you can set up a disk quota for the user in
the file system containing the user's home directory. See "Managing Quotas (Tasks)" in System Administration Guide, Volume 2
for information on setting disk quotas.
Example--Adding a New User Account
The following example adds the user kryten to the
system.
How to Share a User's Home Directory
-
Become superuser on the system that contains the home directory.
-
Verify that the mountd daemon is running.
# ps -ef | grep mountd
root 176 1 0 May 02 ? 0:19 /usr/lib/nfs/mountd
The /usr/lib/nfs/mountd line shows whether the mountd daemon is running.
-
If the mountd daemon is not running, start it.
# /etc/init.d/nfs.server start
-
List the file systems that are shared on the system.
-
Determine your next step based on whether the file system containing
the user's home directory is already shared.
| If the File System Containing the User's Home Directory Is ... | Then ... |
|---|---|
| Already shared | Go to the verification step below. |
| Not shared | Go to Step 6 |
-
Edit the /etc/dfs/dfstab file and add the following
line.
share -F nfs /file-system
| file-system | Is the file system containing the user's home directory that you need to share. By convention, the file system is /export/home. |
-
Share the file systems listed in the /etc/dfs/dfstab
file.
This command executes all the share commands in the /etc/dfs/dfstab file, so you do not have to wait to reboot the system.
-
Verify that a user's home directory is shared, as follows:
Where to Go From Here
If the user's home directory is not located on the user's system, you
have to mount the user's home directory from the system where it is located.
See "How to Mount a User's Home Directory" for detailed instructions.
Example--Sharing a User's Home Directory
# ps -ef | grep mountd
# /etc/init.d/nfs.server start
# share
# vi /etc/dfs/dfstab
(The line share -F nfs /export/home is added.)
# shareall -F nfs
# share
- /usr/dist ro ""
- /export/home/user-name rw ""
How to Mount a User's Home Directory
-
Make sure that the user's home directory is shared. See "How to Share a User's Home Directory"
for more information.
-
Log in as superuser on the user's system.
-
Edit the /etc/vfstab file and create an entry for
the user's home directory.
system-name:/export/home/user-name - /export/home/user-name nfs - yes rw
| system-name | The name of the system where the home directory is located. |
| /export/home/user-name | The name of the user's home directory that will be shared. By convention, /export/home contains users' home directories; however, this could be a different file system. |
| - | Required placeholders in the entry. |
| /export/home/user-name | The name of the directory where the user's home directory will be mounted. |
See Chapter 36, Mounting and Unmounting File Systems (Tasks) for more information about adding
an entry to the /etc/vfstab file.
-
Create the mount point for the user's home directory.
# mkdir -p /export/home/user-name
-
Mount the user's home directory.
All entries in the current vfstab file (whose mount at boot fields are set to yes) are mounted.
-
Use the mount command to verify that the home directory
is mounted.
Example--Mounting a User's Home Directory
# vi /etc/vfstab
(The line venus:/export/home/ripley - /export/home/ripley nfs - yes rw is added.)
# mkdir -p /export/home/ripley
# mountall
# mount
/ on /dev/dsk/c0t0d0s0 read/write/setuid/intr/largefiles/onerror=panic on Fri ...
/usr on /dev/dsk/c0t0d0s6 read/write/setuid/intr/largefiles/onerror=panic on Fri ...
/proc on /proc read/write/setuid on Fri Sep 10 16:09:48 1999
/dev/fd on fd read/write/setuid on Fri Sep 10 16:09:51 1999
/etc/mnttab on mnttab read/write/setuid on Fri Sep 10 16:10:06 1999
/var/run on swap read/write/setuid on Fri Sep 10 16:10:06 1999
/tmp on swap read/write/setuid on Fri Sep 10 16:10:09 1999
/export/home/ripley on venus:/export/home/ripley /read/write/remote on ...
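An added example, not part of the original guide, covering both the dfstab entry from "How to Share a User's Home Directory" and the vfstab entry above: the share line as written carries no access list, so it is read-write for every host that can reach the server, and neither the share nor the mount sets nosuid. The two functions below report such entries; the function names, the extra sample lines and the /export/home2 and /export/admin paths are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original guide. Sample data is constructed.

# audit_dfstab [FILE]: report NFS shares that any host can use, that accept
# setuid files from clients (no nosuid), or that grant root access (root=).
audit_dfstab() {
    awk '
    $1 != "share" { next }              # also skips comments and blank lines
    {
        opts = ""
        for (i = 2; i < NF; i++) if ($i == "-o") opts = $(i + 1)
        list = 0; rw = 0; ro = 0; nosuid = 0; root = 0
        n = split(opts, o, ",")
        for (j = 1; j <= n; j++) {
            if (o[j] ~ /^(rw|ro)=/) list = 1    # access list names the clients
            if (o[j] == "rw")     rw = 1
            if (o[j] == "ro")     ro = 1
            if (o[j] == "nosuid") nosuid = 1
            if (o[j] ~ /^root=/)  root = 1
        }
        # With no rw/ro option at all, share_nfs defaults to read-write for all
        if (rw || (!list && !ro)) print "ANYHOST-RW " $NF
        if (ro)                   print "ANYHOST-RO " $NF
        if (!nosuid)              print "SETUID " $NF
        if (root)                 print "ROOT " $NF
    }' "$@"
}

# audit_vfstab [FILE]: report NFS mounts whose options (field 7) lack nosuid,
# so setuid programs found on the server are honoured on this client.
audit_vfstab() {
    awk '
    /^[ \t]*#/ || NF < 7 { next }
    $4 == "nfs" && ("," $7 ",") !~ /,nosuid,/ { print "SETUID-MOUNT " $3 }
    ' "$@"
}

sample_dfstab() {   # constructed; the first share line is the one this chapter adds
    cat <<'EOF'
# place share commands here
share -F nfs /export/home
share -F nfs -o ro -d "dist" /usr/dist
share -F nfs -o rw=ripley:kryten,nosuid /export/home2
share -F nfs -o rw=venus,root=venus /export/admin
EOF
}

sample_vfstab() {   # constructed; the first line is the entry from the example
    cat <<'EOF'
venus:/export/home/ripley - /export/home/ripley nfs - yes rw
venus:/export/home/kryten - /export/home/kryten nfs - yes rw,nosuid
/dev/dsk/c0t0d0s0 /dev/rdsk/c0t0d0s0 / ufs 1 no -
EOF
}

sample_dfstab | audit_dfstab
sample_vfstab | audit_vfstab
```

Pass a file name to either function to check a real file, for example audit_dfstab /etc/dfs/dfstab.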
Maintaining User Accounts Task Map
Table 3-2 Task Map: Maintaining User Accounts
| Task | Description | For Instructions, Go To |
|---|---|---|
| Modify a Group | Modify a group's name or the users in a group by choosing Modify from the Edit menu in the Groups window. | "How to Modify a Group" |
| Delete a Group | Delete a group by choosing Delete from the Edit menu in the Groups window. | "How to Delete a Group" |
| Modify a User Account | Disable a User Account: If you want to temporarily disable a user account, lock the user account from the Password menu in the Modify window. | "How to Disable a User Account" |
| | Change a User's Password: If you want to change a user's password, use the Password menu in the Modify window. | "How to Change a User's Password" |
| | Change Password Aging: If you want to force users to change their passwords periodically, change the Password Aging fields in the Modify window (Account Security category). | "How to Change Password Aging for a User Account" |
| Delete a User Account | Delete a user account by choosing Delete from the Edit menu in the Users window. | "How to Delete a User Account" |
How to Modify a Group
-
Start Admintool, if it is not already running. Select Groups from the
Browse menu.
See "How to Start Admintool" for more information.
-
Select the group entry you want to modify from the Groups window.
-
Choose Modify from the Edit menu.
The Modify Group window contains the selected group entry.
-
Modify either the group's name or the users in the group.
User names must be separated by commas. If you need information to complete
a field, click the Help button to see field definitions for this window.
-
Click OK.
The group information displayed in the Groups window is updated.
Example--Modifying a Group
The following example adds the users r2d2, holly, and kryten to the staff
group.
How to Delete a Group
-
Start Admintool, if it's not already running. Select Groups from the
Browse menu.
See "How to Start Admintool" for more information.
-
Select the group entry you want to delete from the Groups window.
-
Choose Delete from the Edit menu.
A window asks you to confirm the deletion.
-
Click OK.
The group entry is deleted from the Groups window.
How to Modify a User Account
-
Start Admintool, if it's not already running. Select Users from the
Browse menu.
See "How to Start Admintool" for more information.
-
Select the user account entry to modify from the Users window.
-
Choose Modify from the Edit menu.
The Modify window contains the selected user account entry.
-
Modify the user account.
If you need information to complete a field, click the Help button
to see field definitions for this window. You can change any of the Account
Security fields, which includes changing a password or changing password aging.
See the following tasks for detailed step-by-step instructions:
-
Click OK.
-
To verify that the modifications were made, double-click the modified
user account entry in the Users window, then click Cancel to close the window
without making any modifications.
Example--Modifying a User Account
The following example adds the secondary group membership lp to the rimmer user account.
How to Disable a User Account
Note -
You can enable the user account by changing the password status to Normal
Password or Cleared Until First Login.
-
Start Admintool, if it's not already running. Select Users from the
Browse menu, if necessary.
See "How to Start Admintool" for more information.
-
Select the user account entry to be disabled.
-
Choose Modify from the Edit menu.
The Modify Users window contains the selected user account entry.
-
Choose Account Is Locked from the Password menu.
This selects the locked password status, which disables the user account.
-
Click OK.
-
Verify that you have disabled the user account by attempting to log
in with the disabled user account.
Example--Disabling a User Account
The following example disables the rimmer user account.
How to Change a User's Password
-
Start Admintool, if it's not already running. Select Users from the
Browse menu.
See "How to Start Admintool" for more information.
-
Select the user account entry that needs the password changed.
-
Choose Modify from the Edit menu.
The Modify User window is displayed containing the selected user account
entry.
-
Choose Normal Password from the Password menu.
-
Click OK.
Example--Changing a User's Password
This is the pop-up window used to change users' passwords, which is available
from the Add User or Modify User windows.

How to Change Password Aging for a User Account
-
Start Admintool, if it is not already running. Select Users from the
Browse menu.
See "How to Start Admintool" for more information.
-
Select the user account entry that needs its password aging changed.
-
Choose Modify from the Edit menu.
The Modify window contains the selected user account entry.
-
Change the following fields that affect password aging:
-
Min Change
-
Max Change
-
Max Inactive
-
Expiration Date
-
Warning
If you need information about the password aging fields that are part
of the Account Security category, click the Help button.
-
Click OK.
Example--Changing Password Aging for a User Account
In the following example, the user must keep a new password for at least
one day (Min Change), and must change the password every
60 days (Max Change). The user must change the password
if the account is inactive for more than 10 days (Max Inactive).
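An added example, not part of the original guide, that checks the result of "How to Disable a User Account" and of the password aging procedure above from the command line. It assumes that Admintool's password status and aging fields end up in the standard shadow(4) fields (name:password:lastchg:min:max:warn:inactive:expire:flag) and that a locked account carries *LK* in the password field; the function names, the user lister and the hash strings are constructed.

```sh
#!/bin/sh
# Added example, not from the original guide. Sample data is constructed.

# audit_shadow MIN MAX INACTIVE [FILE]
# Reports accounts that are locked, have an empty password field, or whose
# aging fields are unset or weaker than the given policy (values in days).
audit_shadow() {
    min=$1 max=$2 inact=$3
    shift 3
    awk -F: -v min="$min" -v max="$max" -v inact="$inact" '
    /^#/ || NF < 8                 { next }
    $2 ~ /^\*LK\*/                 { print "LOCKED " $1; next }  # disabled account
    $2 == "NP"                     { next }                      # no-login system account
    $2 == ""                       { print "EMPTY " $1 }         # no password set
    $4 == "" || $4 + 0 < min + 0   { print "MINAGE " $1 }        # Min Change
    $5 == "" || $5 + 0 > max + 0   { print "MAXAGE " $1 }        # Max Change
    $7 == "" || $7 + 0 > inact + 0 { print "INACTIVE " $1 }      # Max Inactive
    ' "$@"
}

sample_shadow() {   # constructed entries; hashes are placeholders
    cat <<'EOF'
kryten:CONSTRUCTEDHASH01:11000:1:60:7:10::
holly:CONSTRUCTEDHASH02:11000::::::
rimmer:*LK*:11000:1:60:7:10::
lister::11000:0:90:7:::
daemon:NP:6445::::::
EOF
}

# Policy from the example above: Min Change 1, Max Change 60, Max Inactive 10.
sample_shadow | audit_shadow 1 60 10
```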
How to Delete a User Account
-
Start Admintool, if it's not already running. Select Users from the
Browse menu, if necessary.
See "How to Start Admintool" for more information.
-
Select the user account entry to remove from the Users window.
-
Choose Delete from the Edit menu.
The Delete window is displayed to confirm the removal of the user account.
-
(Optional) Click the check box to delete the user's home directory
and its contents.
-
Click OK when you are ready to delete the user account. The user account
entry is deleted from the Users main window.
Example--Deleting a User Account
The account for user kryten and the /export/home/kryten directory are removed.
Solaris User Registration
Solaris User Registration is a tool for getting information about new
Solaris releases, upgrade offers, and promotions. This graphical user interface
(GUI) starts automatically when you first log into your desktop. The GUI
lets you register now, later, or never. The registration process also provides
Sun with the user's Solaris version, survey type, platform, hardware, and
locale.
Accessing Solaris Solve(SM)
Completing the Solaris User Registration process provides access to
Solaris Solve, an exclusive web site that offers valuable Solaris product
information and solutions--all in one convenient location. It provides
a quick and easy method for getting the most recent information on what's
happening around the latest Solaris release. Solaris Solve also provides a
preview to additional Sun contract and service opportunities.
Basically, the steps for completing Solaris User Registration and accessing
Solaris Solve are:
-
Fill in the electronic Solaris User Registration profile.
-
Submit the profile by email or print the profile
to fax or mail.
-
Create your login ID and password to access the
Solaris Solve site.
Even if you do not access the Solaris Solve site immediately, we recommend
that you create your Solaris Solve login ID and password during the Solaris
User Registration process. A Solaris Solve login ID and password should contain
six to eight alphanumeric characters without spaces and colons.
-
Access the Solaris Solve site.
Note -
Solaris User Registration is not invoked if the system administrator
or user is logged in as superuser.
If you choose to register, a copy of the completed form is stored in $HOME/.solregis/uprops. If you choose to never register and change
your mind later, you can start User Registration by:
See solregis(1)
for more information.
Troubleshooting Solaris User Registration Problems
This section provides troubleshooting tips for solving Solaris User
Registration problems.
The following table describes problems that might occur when you try
to register, and actions required to resolve these conflicts.
Table 3-3 Registration Problem Descriptions and Suggested Resolutions
| Problem Description | How to Resolve the Problem |
|---|---|
| The registration form failed to initialize: Web page window displays and requests that user see system administrator to resolve problem preventing registration setup. | Check for missing registration files. |
| The form could not be emailed: Dialog box displays and requests that user see system administrator to resolve problem. | Check to see if email is configured correctly. Also check if CDE is on user's system since it must be present to email completed registration form. Alternatively, users can print the form and fax or mail it. |
| The form could not be printed: Dialog box displays and requests that user see system administrator to resolve problem. | Check to see if the printer is configured correctly. Alternatively, the user can email the form. |
| The form could not be saved: Dialog box displays and verifies that registration succeeded; however, the registration information cannot be recalled when updating registration in the future. | Check the user's home directory. Required action depends on the system's configuration. |
| You forgot your Solaris Solve login ID and password. | Send a mail message describing the problem to SolarisSolve@sun.com or see "How to Restart Solaris User Registration" |
| You want to restart the registration process. | "How to Restart Solaris User Registration" |
How to Restart Solaris User Registration
Use the following procedure to restart the Solaris User Registration
process.
-
Change to the $HOME/.solregis directory.
-
Remove the uprops file.
-
Restart the registration process.
How to Disable User Registration
The table below shows how to disable User Registration before and after
installing Solaris software. Before disabling Solaris User Registration, system
administrators should register for their organization.
Table 3-4 Ways to Disable User Registration