Managing Solaris user accounts and groups
Note: this page covers local accounts only (no NIS, etc.).
So new employees are coming on board!
First you need to know what to enter for them. You'll get some information from HR; the rest (username, password, UID, etc.) you'll determine yourself.
But let's start with some explanations.
The files that store user and group information are:
/etc/passwd
Fields are: user-name:x:uid:gid:comment:home-directory:login-shell
username | Consists of 2-8 letters and numerals. The first character must be a letter, and at least one character must be a lowercase letter. No underscores.
password | This is x. The encrypted password is in the shadow file.
UID | UIDs for regular users are 100 - 60000. All UID numbers should be unique.
GID | The user's primary group. GID must be between 0 and 60000 (60001 = nobody, 60002 = noaccess). FYI: a user can belong to up to 16 secondary groups.
comment | Only for information, such as the full name. It is called the GCOS field (General Electric Computer Operating System).
Home dir | Pathname of the user's home directory.
login shell | The user's default login shell.
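As an added example (not from the original page), here is a Bourne-shell check that applies the /etc/passwd rules above to passwd-style lines read from stdin; the sample entries are constructed, and the script only enforces what the table states (it does not know about your site's reserved UIDs).

```shell
# Added example, not from the original page: check /etc/passwd-style lines read
# from stdin against the rules in the table above. Prints one problem per line
# and returns 1 if anything is wrong, 0 if every entry passes.
check_passwd_lines() {
    bad=0
    seen=" "
    while IFS=: read -r name pw uid gid gcos home shell extra || [ -n "$name" ]; do
        [ -z "$extra" ] || { echo "$name: more than 7 fields"; bad=1; }
        case "$name" in                    # 2-8 characters
            ??|???|????|?????|??????|???????|????????) ;;
            *) echo "$name: username must be 2-8 characters"; bad=1 ;;
        esac
        case "$name" in                    # first character must be a letter
            [A-Za-z]*) ;;
            *) echo "$name: username must start with a letter"; bad=1 ;;
        esac
        case "$name" in                    # letters and digits only, so no underscore
            *[!A-Za-z0-9]*) echo "$name: only letters and digits allowed"; bad=1 ;;
        esac
        case "$name" in                    # at least one lowercase letter
            *[a-z]*) ;;
            *) echo "$name: needs at least one lowercase letter"; bad=1 ;;
        esac
        [ "$pw" = "x" ] || { echo "$name: password field must be x"; bad=1; }
        case "$uid" in                     # numeric UID, at most 60000
            ''|*[!0-9]*) echo "$name: UID '$uid' is not a number"; bad=1 ;;
            *) [ "$uid" -le 60000 ] || { echo "$name: UID $uid above 60000"; bad=1; } ;;
        esac
        case "$seen" in                    # UIDs must be unique
            *" $uid "*) echo "$name: UID $uid already used"; bad=1 ;;
        esac
        seen="$seen$uid "
        case "$gid" in                     # numeric GID 0-60000
            ''|*[!0-9]*) echo "$name: GID '$gid' is not a number"; bad=1 ;;
            *) [ "$gid" -le 60000 ] || { echo "$name: GID $gid above 60000"; bad=1; } ;;
        esac
    done
    return $bad
}
# Constructed sample: the first two lines are fine, each of the rest breaks one rule.
sample_passwd() {
    printf '%s\n' \
        'root:x:0:1:Super-User:/:/sbin/sh' \
        'jdoe:x:1001:100:John Doe:/home/jdoe:/sbin/sh' \
        'a:x:1002:100:too short:/home/a:/sbin/sh' \
        'Bob_1:x:1003:100:underscore:/home/Bob_1:/sbin/sh' \
        'ALICE:x:1004:100:no lowercase:/home/ALICE:/sbin/sh' \
        'mark:x:1001:100:duplicate UID:/home/mark:/sbin/sh'
}
```

Run it against the real file with `check_passwd_lines < /etc/passwd`; the sample above reports four problems (a, Bob_1, ALICE, mark).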
/etc/shadow
Fields are: user-name:password:lastchg:min:max:warn:inactive:expire
username | Same as the /etc/passwd username.
password | Three options: a 13-character encrypted password; the string *LK*, meaning the account is locked; or the string NP, meaning no password is set up for this account.
lastchg | Number of days between January 1, 1970 and the last password modification date.
min | Minimum number of days required between password changes.
max | Maximum number of days the password is valid before the user has to change it.
warn | Number of days before the password expires that the user is warned.
inactive | Number of days of inactivity allowed before the account is locked.
expire | Absolute date on which the user account expires. After this date the user cannot log in to the system.
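As an added example (not from the original page), this Bourne-shell function classifies shadow-style lines using the fields above: locked, no password, password expired or about to expire (lastchg + max compared with today), and account expired. The day number for "today" is passed in so the result is reproducible; the sample lines are constructed and the hash values are placeholders.

```shell
# Added example, not from the original page: classify /etc/shadow-style lines
# read from stdin using the field meanings in the table above. TODAY is passed
# in as a day number (days since January 1, 1970) so results are reproducible.
audit_shadow_lines() {              # usage: audit_shadow_lines TODAY < shadow-lines
    today=$1
    while IFS=: read -r name pw lastchg min max warn inactive expire rest || [ -n "$name" ]; do
        status=ok
        case "$pw" in
            \*LK\**) status=locked ;;        # *LK* marks a locked account
            NP)      status=no-password ;;   # no password set up at all
        esac
        # password ageing: compare days since last change with the max field
        if [ "$status" = ok ] && [ -n "$lastchg" ] && [ -n "$max" ]; then
            age=$((today - lastchg))
            left=$((max - age))
            if [ "$left" -lt 0 ]; then
                status=password-expired
            elif [ -n "$warn" ] && [ "$left" -le "$warn" ]; then
                status="password-expires-in-$left-days"
            fi
        fi
        # an absolute expiry date in the past overrides everything else
        if [ -n "$expire" ] && [ "$expire" -le "$today" ]; then
            status=account-expired
        fi
        echo "$name: $status"
    done
}
# Constructed sample (hash values are placeholders, not real password hashes)
sample_shadow() {
    printf '%s\n' \
        'jdoe:aBcDeFgHiJkLm:14000:7:84:14::' \
        'mark:aBcDeFgHiJkLm:14050:7:84:14::' \
        'alice:*LK*:14000:7:84:14::' \
        'guest:NP:14000:::::' \
        'olduser:aBcDeFgHiJkLm:14000:7:84:14::13990'
}
```

With today = 14100 the sample yields jdoe password-expired, mark ok, alice locked, guest no-password and olduser account-expired.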
/etc/group
Fields are: group-name:group-password:gid:user-list
groupname | Group name.
group password | Usually empty.
GID | User groups range from 100 to 60000; 60001 = nobody, 60002 = noaccess; below 100 = system default groups.
user list | Comma-separated list of user names for which this group is a secondary group (a user can have at most 16 secondary groups).
/etc/default/passwd
In the /etc/default/passwd file you set up password properties.
Here are some settings you may want to consider:
PASSREQ=yes # a password is required
PASSLENGTH=8 # minimum number of characters
MAXWEEKS=12 # maximum number of weeks a password is valid
MINWEEKS=0 # minimum number of weeks before the user can change the password
WARNWEEKS=2 # warn the user this many weeks before the password expires
MAXRETRY=5 # maximum number of failed logins allowed
HISTORY=7 # number of previous passwords kept per user so they cannot be reused
User initialization files
The working environment can be adjusted by modifying environment variables in the shell initialization files.
When a user logs in, the shell reads these files and uses the environment variables to configure the session.
Each shell has its own initialization files. The Bourne shell is the default Solaris shell, so let's stick with it in this document.
# echo $SHELL
/sbin/sh (the path may be different on your system)
JFYI, other popular shells are:
/bin/bash - Bourne Again shell
/bin/csh - C shell
/bin/ksh - Korn shell
/bin/tcsh - TC shell
/bin/zsh - Z shell
Here is what happens when a user logs in.
1. The system runs the system profile file, which is /etc/profile.
System profile files for other shells:
/etc/profile (for the Bourne and Korn shells)
/etc/.login (for the C shell)
What does it do?
It defines and exports some environment variables, shows the MOTD, and sets default permissions with 'umask'.
2. The system runs the user's profile file, which is /home/user/.profile.
User profile files for other popular shells (located in the user's home directory):
.profile (for the Bourne and Korn shells)
.bash_profile (for the Bourne Again shell)
.login and .cshrc (for the C shell)
.tcshrc and .cshrc (for the TC shell)
.zlogin and .zshrc (for the Z shell)
3. Use the env command to see the environment variables currently set in your session.
4. Check the templates for user initialization files in the /etc/skel directory.
The useradd command copies files from /etc/skel/ to the user's $HOME and renames them appropriately (the local.* templates lose the "local" prefix and become dot files, e.g. local.profile becomes .profile).
# /etc/skel> ls
total 18
drwxr-xr-x 2 root sys 512 Jul 2 18:12 .
drwxr-xr-x 60 root sys 4096 Aug 20 15:41 ..
-rw-r--r-- 1 root other 144 Mar 17 10:40 .profile
-rw-r--r-- 1 root sys 136 Mar 17 10:40 local.cshrc
-rw-r--r-- 1 root sys 157 Mar 17 10:40 local.login
-rw-r--r-- 1 root sys 174 Mar 17 10:40 local.profile
Users' home directories
I assume the home directories will be placed on a central server (probably with attached storage, say a StorEdge 6120).
You may have several home file systems under /export, such as home1, home2, etc.; each should be a separate file system.
Users should access their home directory through the mounted /home/username.
You could mount them manually via the /etc/vfstab file, but forget that for now: use the automounter service.
# svcs -xv autofs
svc:/system/filesystem/autofs:default (automounter)
State: online since August 13, 2009 12:59:13 PM PDT
See: man -M /usr/share/man -s 1M automount
See: /var/svc/log/system-filesystem-autofs:default.log
Impact: None.
The /etc/auto_master file will have a line:
And the /etc/auto_home file will have lines such as:
username1 servername:/export/home/username1
username2 servername:/export/home/&
Note: the ampersand (&) expands to the value of the key field of the entry in which it occurs; in this case it expands to the username.
So when the user logs in, the automounter mounts /export/home/username1 from server "servername" onto /home/username1 on the machine where the user logged in.
Note: when the automounter is used to mount home directories, you are not permitted to manually create anything under the /home mount point.
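As an added example (not from the original page), these Bourne-shell functions resolve a user's home mount from an auto_home-style map the way the automounter does (including the & expansion described above) and then report any passwd entry whose /home/<user> has no map entry. The map file path and the passwd lines are arguments and stdin, so it can be run against constructed samples; "servername" and the /export/home paths are the ones used above.

```shell
# Added example, not from the original page: resolve home mounts from an
# /etc/auto_home-style map (& expands to the key), then report passwd entries
# whose /home/<user> has no map entry. MAPFILE is the map to read; in
# production that would be /etc/auto_home.
resolve_auto_home() {      # usage: resolve_auto_home MAPFILE KEY -> prints NFS source
    while read -r mapkey location || [ -n "$mapkey" ]; do
        case "$mapkey" in ''|'#'*) continue ;; esac   # skip blanks and comments
        [ "$mapkey" = "$2" ] || continue
        printf '%s\n' "$location" | sed "s/&/$2/g"  # & stands for the key itself
        return 0
    done < "$1"
    return 1                                          # no entry for this key
}
# usage: check_homes MAPFILE < passwd-lines
# Prints "user: source -> /home/user" for mapped homes, flags unmapped ones,
# returns 1 if any user with a /home/<user> home directory has no map entry.
check_homes() {
    missing=0
    while IFS=: read -r name pw uid gid gcos home shell || [ -n "$name" ]; do
        [ "$home" = "/home/$name" ] || continue        # only automounted homes
        if src=$(resolve_auto_home "$1" "$name"); then
            echo "$name: $src -> $home"
        else
            echo "$name: no auto_home entry"
            missing=1
        fi
    done
    return $missing
}
```

For a real check, run `check_homes /etc/auto_home < /etc/passwd`; users listed as unmapped would get no home directory at login.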