Download this book in PDF (9905 KB)

smbadm(1M)

Name | Synopsis | Description | Operands | Sub-commands | Exit Status | Attributes | See Also

Name

smbadm– configure and manage CIFS local groups and users, and manage domain membership

Synopsis

smbadm add-member -m member [[-m member] …] group

smbadm create [-d description] group

smbadm delete group

smbadm disable-user username

smbadm enable-user username

smbadm get [[-p property] …] group

smbadm join -u username domain

smbadm join -w workgroup

smbadm list

smbadm remove-member -m member [[-m member] …] group

smbadm rename group new-group

smbadm set -p property=value [[-p property=value] …] group

smbadm show [-m] [-p] [group]

Description

The smbadm command is used to configure CIFS local groups and to manage domain membership. You can also use the smbadm command to enable or disable SMB password generation for individual local users.

CIFS local groups can be used when Windows accounts must be members of some local groups and when Windows style privileges must be granted. Solaris local groups cannot provide these functions.

There are two types of local groups: user defined and built-in. Built-in local groups are predefined local groups to support common administration tasks.

In order to provide proper identity mapping between CIFS local groups and Solaris groups, a CIFS local group must have a corresponding Solaris group. This requirement has two consequences: first, the group name must conform to the intersection of the Windows and Solaris group name rules. Thus, a CIFS local group name can be up to eight (8) characters long and contain only lowercase characters and numbers. Second, a Solaris local group has to be created before a CIFS local group can be created.

Built-in groups are standard Windows groups and are predefined by the CIFS service. The built-in groups cannot be added, removed, or renamed, and these groups do not follow the CIFS local group naming conventions.

When the CIFS server is started, the following built-in groups are available:

Administrators

Group members can administer the system.

Backup Operators

Group members can bypass file access controls to back up and restore files.

Power Users

Group members can share directories.

Solaris local users must have an SMB password for authentication and to gain access to CIFS resources. This password is created by using the passwd(1) command when the pam_smb_password module is added to the system's PAM configuration. See the pam_smb_passwd(5) man page.

The disable-user and enable-user subcommands control SMB password-generation for a specified local user. When disabled, the user is prevented from connecting to the Solaris CIFS service. By default, SMB password-generation is enabled for all local users.

To reenable a disabled user, you must use the enable-user subcommand and then reset the user's password by using the passwd command. The pam_smb_passwd.so.1 module must be added to the system's PAM configuration to generate an SMB password.

Escaping Backslash Character

For the add-member, remove-member, and join (with -u) subcommands, the backslash character (\) is a valid separator between member or user names and domain names. The backslash character is a shell special character and must be quoted. For example, you might escape the backslash character with another backslash character: domain\\username. For more information about handling shell special characters, see the man page for your shell.

Operands

The smbadm command uses the following operands:

domain

Specifies the name of an existing Windows domain to join.

group

Specifies the name of the CIFS local group.

username

Specifies the name of a Solaris local user.

Sub-commands

The smbadm command includes these subcommands:

add-member -m member [[-m member] …] group

Adds the specified member to the specified CIFS local group. The -m member option specifies the name of a CIFS local group member. The member name must include an existing user name and an optional domain name.

Specify the member name in either of the following formats:

[domain\]username [domain/]username

For example, a valid member name might be sales\terry or sales/terry, where sales is the Windows domain name and terry is the name of a user in the sales domain.

create [-d description] group

Creates a CIFS local group with the specified name. You can optionally specify a description of the group by using the -d option.

delete group

Deletes the specified CIFS local group. The built-in groups cannot be deleted.

disable username

Disables SMB password-generation capabilities for the specified local user. A disabled local user is prevented from accessing the system by means of the CIFS service. When a local user account is disabled, you cannot use the passwd command to modify the user's SMB password until the user account is reenabled.

enable username

Enables SMB password-generation capabilities for the specified local user. After the password-generation capabilities are reenabled, you must use the passwd command to generate the SMB password for the local user before he can connect to the CIFS service.

The passwd command manages both the Solaris password and SMB password for this user if the pam_smb_passwd module has been added to the system's PAM configuration.

get [[-p property=value] …] group

Retrieves property values for the specified group. If no property is specified, all property values are shown.

join -u username domain

Joins a Windows domain or a workgroup.

The default mode for the CIFS service is workgroup mode, which uses the default workgroup name, WORKGROUP.

An authenticated user account is required to join a domain, so you must specify the Windows administrative user name with the -u option. If the password is not specified on the command line, the user is prompted for it. This user should be the domain administrator or any user who has administrative privileges for the target domain.

username and domain can be entered in any of the following formats:

username[+password] domain domain\username[+password] domain/username[+password] username@domain

...where domain can be the NetBIOS or DNS domain name.

If a machine trust account for the system already exists on a domain controller, any authenticated user account can be used when joining the domain. However, if the machine trust account does not already exist, an account that has administrative privileges on the domain is required to join the domain.

join -w workgroup

Joins a Windows domain or a workgroup.

The -w workgroup option specifies the name of the workgroup to join when using the join subcommand.

list

Shows information about the current workgroup or domain. The information typically includes the workgroup name or the primary domain name. When in domain mode, the information includes domain controller names and trusted domain names.

Each entry in the ouput is identified by one of the following tags:

- [*] -

Primary domain

- [.] -

Local domain

- [-] -

Other domains

- [+] -

Selected domain controller

remove-member -m member [[-m member] …] group

Removes the specified member from the specified CIFS local group. The -m member option specifies the name of a CIFS local group member. The member name must include an existing user name and an optional domain name.

Specify the member name in either of the following formats:

[domain\]username [domain/]username

For example, a valid member name might be sales\terry or sales/terry, where sales is the Windows domain name and terry is the name of a user in the sales domain.

rename group new-group

Renames the specified CIFS local group. The group must already exist. The built-in groups cannot be renamed.

set -p property=value [[-p property=value] …] group

Sets configuration properties for a CIFS local group. The description and the privileges for the built-in groups cannot be changed.

The -p property=value option specifies the list of properties to be set on the specified group.

The group-related properties are as follows:

backup=[on|off]

Specifies whether members of the CIFS local group can bypass file access controls to back up file system objects.

description=description-text

Specifies a text description for the CIFS local group.

restore=[on|off]

Specifies whether members of the CIFS local group can bypass file access controls to restore file system objects.

take-ownership=[on|off]

Specifies whether members of the CIFS local group can take ownership of file system objects.

show [-m] [-p] [group]

Shows information about the specified CIFS local group or groups. If no group is specified, information is shown for all groups. If the -m option is specified, the group members are also shown. If the -p option is specified, the group privileges are also shown.

Exit Status

The following exit values are returned:

0

Successful completion.

>0

An error occurred.

Attributes

See the attributes(5) man page for descriptions of the following attributes:

ATTRIBUTE TYPE	ATTRIBUTE VALUE
Availability	SUNWsmbsu
Utility Name and Options	Uncommitted
Utility Output Format	Not-An-Interface
smbadm join	Obsolete

See Also

passwd(1), groupadd(1M), idmap(1M), idmapd(1M), kclient(1M), share(1M), sharectl(1M), sharemgr(1M), smbd(1M), smbstat(1M), smb(4), smbautohome(4), attributes(5), pam_smb_passwd(5), smf(5)

Name | Synopsis | Description | Operands | Sub-commands | Exit Status | Attributes | See Also