|
Hopefully, this page is exactly what you are looking for, but if not, you can always find further assistance on Unix/Linux Forum!
System Administration Commands smrole(1M)
NAME
smrole - manage roles and users in role accounts
SYNOPSIS
/usr/sadm/bin/smrole subcommand [ auth_args] --
[subcommand_args]
DESCRIPTION
The smrole command manages roles and adds or deletes users
in role accounts.
subcommands
smrole subcommands are:
add Adds a new role entry. To add an entry, the
administrator must have the
solaris.role.write authorization.
delete Deletes one or more roles. To delete an
entry, the administrator must have the
solaris.role.write authorization.
list Lists one or more roles. If you do not
specify a role name, all roles are listed.
To list an entry, the administrator must
have the solaris.admin.usermgr.read authori-
zation.
modify Adds or deletes users from a role account.
To modify an entry, the administrator must
have the solaris.role.write authorization.
OPTIONS
The smrole authentication arguments, auth_args, are derived
from the smc(1M) arg set and are the same regardless of
which subcommand you use. The smrole command requires the
Solaris Management Console to be initialized for the command
to succeed (see smc(1M)). After rebooting the Solaris
Management Console server, the first Solaris Management Con-
sole connection might time out, so you might need to retry
the command.
The subcommand-specific options, subcommand_args, must come
after the auth_args and must be separated from them by the
SunOS 5.10 Last change: 17 Mar 2006 1
System Administration Commands smrole(1M)
-- option.
auth_args
The auth_args are -D, -H, -l, -p, -r, and -u are described
below. They are all optional. These options are a subset of
the full complement of supported options described in
smc(1M).
If no auth_args are specified, certain defaults will be
assumed and the user may be prompted for additional informa-
tion, such as a password for authentication purposes. These
letter options can also be specified by their equivalent
option words preceded by a double dash. For example, you
can use either -D or --domain with the domain argument.
-D | --domain domain
Specifies the default domain that you want to manage.
The syntax of domain is type:/host_name/domain_name,
where type is nis, nisplus, dns, ldap, or file;
host_name is the name of the machine that serves the
domain; and domain_name is the name of the domain you
want to manage. (Note: Do not use nis+ for nisplus.)
If you do not specify this option, the Solaris Manage-
ment Console assumes the file default domain on whatever
server you choose to manage, meaning that changes are
local to the server. Toolboxes can change the domain on
a tool-by-tool basis; this option specifies the domain
for all other tools.
-H | --hostname host_name:port
Specifies the host_name and port to which you want to
connect. If you do not specify a port, the system con-
nects to the default port, 898. If you do not specify
host_name:port, the Solaris Management Console connects
to the local host on port 898. You may still have to
choose a toolbox to load into the console. To override
this behavior, use the smc(1M) -B option, or set your
console preferences to load a "home toolbox" by default.
-l | --rolepassword role_password
Specifies the password for the role_name. If you specify
a role_name but do not specify a role_password, the sys-
tem prompts you to supply a role_password. Passwords
specified on the command line can be seen by any user on
SunOS 5.10 Last change: 17 Mar 2006 2
System Administration Commands smrole(1M)
the system, hence this option is considered insecure.
-p | --password password
Specifies the password for the user_name. If you do not
specify a password, the system prompts you for one.
Passwords specified on the command line can be seen by
any user on the system, hence this option is considered
insecure.
-r | --rolename role_name
Specifies a role name for authentication. If you do not
specify this option, no role is assumed.
-u | --username user_name
Specifies the user name for authentication. If you do
not specify this option, the user identity running the
console process is assumed.
--
This option is required and must always follow the
preceding options. If you do not enter the preceding
options, you must still enter the -- option.
subcommand_args
Note: Descriptions and other arg options that contain white
spaces must be enclosed in double quotes.
To add or change privileges, the administrator must have the
solaris.admin.privilege.write authorization. See
privileges(5).
o For subcommand add:
-a adduser1 -a adduser2 . . .
(Optional) Specifies the user name(s) to add to the
new role. The administrator must have the
solaris.role.assign authorization.
SunOS 5.10 Last change: 17 Mar 2006 3
System Administration Commands smrole(1M)
-c comment
(Optional) Includes a short description of the
role. Consists of a string of up to 256 printable
characters, excluding the colon (:).
-d dir
(Optional) Specifies the home directory of the new
role, limited to 1024 characters.
-F full_name
(Optional) Specifies the full, descriptive name of
the role. The full_name must be unique within a
domain, and can contain alphanumeric characters and
spaces. If you use spaces, you must enclose the
full_name in double quotes.
-G group1 -G group2 . . .
(Optional) Specifies the new role's supplementary
group membership in the system group database with
the character string names of one or more existing
groups. Note: You cannot assign a primary group to
a role. A role's primary group is always sysadmin
(group 14).
-h
(Optional) Displays the command's usage statement.
-n rolename
Specifies the name of the role you want to create.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the profile(s) to add to the
role. To assign a profile to a role, the
SunOS 5.10 Last change: 17 Mar 2006 4
System Administration Commands smrole(1M)
administrator must have the solaris.profmgr.assign
or solaris.profmgr.delegate authorization.
-P password
(Optional) Specifies the role's password. The pass-
word can contain up to eight characters. If you do
not specify a password, the system prompts you for
one. To set the password, the administrator must
have the solaris.admin.usermgr.pswd authorization.
Note: When you specify a password using the -P
option, you type the password in plain text. Speci-
fying a password using this method introduces a
security gap while the command is running. However,
if you do not specify a password (and the system
prompts you for one), the echo is turned off when
you type in the password.
-s shell
(Optional) Specifies the full pathname of the pro-
gram used as the role's shell on login. Valid
entries are /bin/pfcsh (C shell), /bin/pfksh (Korn
shell), and /bin/pfsh (Bourne shell), the default.
-u uid
(Optional) Specifies the ID of the role you want to
add. If you do not specify this option, the system
assigns the next available unique ID greater than
100.
-x autohome=Y|N
(Optional) Sets the role's home directory. The home
directory path in the password entry is set to
/home/login name.
-x perm=home_perm
(Optional) Sets the permissions on the role's home
directory. perm is interpreted as an octal number,
SunOS 5.10 Last change: 17 Mar 2006 5
System Administration Commands smrole(1M)
and the default is 0775.
-x serv=homedir_server
(Optional) If -D is nis, nisplus, or ldap, use this
option to specify the name of the server where the
user's home directory resides. Users created in a
local scope must have their home directory server
created on their local machines.
-M limit_privs
Specifies the privilege name(s) to add to the new
user_attr(4) entry. The default is all for limit
privilege.
To add or change privileges, the administrator must
have the solaris.admin.privilege.write authoriza-
tion. See privileges(5).
-D default_privs
Specifies the default privilege name(s) to add to
the new user_attr(4) entry.
The options to the add subcommand listed below are
available only if a system is configured with Solaris
Trusted Extensions. See "Using Options that Require
Solaris Trusted Extensions," below.
-x clear=clearanceval
(Optional) Specifies the role's clearance. clearan-
ceval can be a string value or a hex value. If this
option is not specified, the default, admin_high,
is in effect. To set the clearance, the administra-
tor must have the solaris.admin.usermgr.labels
authorization.
SunOS 5.10 Last change: 17 Mar 2006 6
System Administration Commands smrole(1M)
-x label=labelval
(Optional) Specifies the role's minimum label.
labelval can be a string label or a hex label. If
this option is not specified, the default,
admin_low, is in effect. To set the minimum label,
the administrator must have the
solaris.admin.usermgr.labels authorization.
-x labelview=HIDE|SHOW
(Optional) Specifies the second part of the label-
view key-value pair. If SHOW is specified,
labelview=*showsl will be recorded. If HIDE is
specified, labelview=*hidesl will be recorded. The
asterisk portion can be replaced by "internal,",
"external,", or ""(null). If this option is not
specified, the default, SHOW, is in effect.
-x view=INTERNAL|EXTERNAL|DEFAULT
(Optional) Specifies the label view type for the
labelview in user_attr. If INTERNAL is specified,
labelview=internal will be recorded; if EXTERNAL is
specified, labelview=external will be recorded; if
DEFAULT is specified, nothing will be recorded in
user_attr. If this option is not specified, the
default, INTERNAL, is in effect.
o For subcommand delete:
-h
(Optional) Displays the command's usage statement.
-n rolename1 -n rolename2 . . .
Specifies the name of the role(s) you want to
delete.
o For subcommand list:
SunOS 5.10 Last change: 17 Mar 2006 7
System Administration Commands smrole(1M)
-h
(Optional) Displays the command's usage statement.
-l
(Optional) Displays the output for each user in a
block of key:value pairs (for example, user
name:root), followed by a blank line that delimits
each user block. Each key:value pair is displayed
on a separate line. The keys are: autohome setup,
comment, home directory, login shell, primary
group, secondary groups, server, user ID (UID), and
user name.
-n role1 -n role2 . . .
(Optional) Specifies the role(s) that you want to
list. If you do not specify a role name, all roles
are listed.
o For subcommand modify:
-a adduser1 -a adduser2 . . .
(Optional) Specifies the user name(s) to add to the
new role. The administrator must have the
solaris.role.assign authorization, or must have the
solaris.role.delegate authorization and be a member
of the role being modified.
-c comment
(Optional) Includes a short description of the
role. Consists of a string of up to 256 printable
characters, excluding the colon (:).
-d dir
(Optional) Specifies the home directory of the new
role, limited to 1024 characters.
SunOS 5.10 Last change: 17 Mar 2006 8
System Administration Commands smrole(1M)
-F full_name
(Optional) Specifies the full, descriptive name of
the role. The full_name must be unique within a
domain, and can contain alphanumeric characters and
spaces. If you use spaces, you must enclose the
full_name in double quotes.
-G group1 -G group2 . . .
(Optional) Specifies the new role's secondary group
membership in the system group database with the
character string names of one or more existing
groups. Note: You cannot assign a primary group to
a role. A role's primary group is always sysadmin
(group 14).
-h
(Optional) Displays the command's usage statement.
-n rolename
Specifies the name of the role you want to modify.
-N new_rolename
(Optional) Specifies the new name of the role.
-p addprof1 -p addprof2 . . .
(Optional) Specifies the profile(s) to add to the
role. To assign a profile to a role, the adminis-
trator must have the solaris.profmgr.assign or
solaris.profmgr.delegate authorization.
-P password
(Optional) Specifies the role's password. The pass-
word can contain up to eight characters. To set the
SunOS 5.10 Last change: 17 Mar 2006 9
System Administration Commands smrole(1M)
password, the administrator must have the
solaris.admin.usermgr.pswd authorization. Note:
When you specify a password, you type the password
in plain text. Specifying a password using this
method introduces a security gap while the command
is running.
-q delprof1 -q delprof2 . . .
(Optional) Specifies the profile(s) to delete from
the role.
-r deluser1 -r deluser2 . . .
(Optional) Specifies the user name(s) to delete
from the role.
-s shell
(Optional) Specifies the full pathname of the pro-
gram used as the role's shell on login. Valid
entries are /bin/pfcsh (C shell), /bin/pfksh (Korn
shell), and /bin/pfsh (Bourne shell), the default.
-x autohome=Y|N
(Optional) Sets the role's home directory. The home
directory path in the password entry is set to
/home/login_name.
-x perm=home_perm
(Optional) Sets the permissions on the role's home
directory. perm is interpreted as an octal number,
and the default is 0775.
-M limit_privs
Specifies the privilege name(s) to modify in a
user_attr(4) entry.
SunOS 5.10 Last change: 17 Mar 2006 10
System Administration Commands smrole(1M)
To add or change privileges, the administrator must
have the solaris.admin.privilege.write authoriza-
tion. See privileges(5).
-D default_privs
Specifies the default privilege name(s) to modify
in a user_attr(4) entry.
The options to the modify subcommand listed below are
available only if a system is configured with Solaris
Trusted Extensions. See "Using Options that Require
Solaris Trusted Extensions," below.
-x clear=clearanceval
(Optional) Specifies the role's clearance. clearan-
ceval can be a string value or a hex value. If this
option is not specified, the default, admin_high,
is in effect. To set the clearance, the administra-
tor must have the solaris.admin.usermgr.labels
authorization.
-x label=labelval
(Optional) Specifies the role's minimum label.
labelval can be a string label or a hex label. If
this option is not specified, the default,
admin_low, is in effect. To set the minimum label,
the administrator must have the
solaris.admin.usermgr.labels authorization.
-x labelview=HIDE|SHOW
(Optional) Specifies the second part of the label-
view key-value pair. If SHOW is specified,
labelview=*showsl will be recorded. If HIDE is
specified, labelview=*hidesl will be recorded. The
asterisk portion can be replaced by "internal,",
"external,", or ""(null). If this option is not
specified, the default, SHOW, is in effect.
SunOS 5.10 Last change: 17 Mar 2006 11
System Administration Commands smrole(1M)
-x view=INTERNAL|EXTERNAL|DEFAULT
(Optional) Specifies the label view type for the
labelview in user_attr. If INTERNAL is specified,
labelview=internal will be recorded; if EXTERNAL is
specified, labelview=external will be recorded; if
DEFAULT is specified, nothing will be recorded in
user_attr. If this option is not specified, the
default, INTERNAL, is in effect.
Using Options that Require Solaris Trusted Extensions
To use an option that requires the Solaris Trusted Exten-
sions feature, you must use the -B toolbox option to specify
a toolbox that contains support for Trusted Extensions. For
example:
# smrole add -H myhost -p mypasswd -u root -- -n role1 \
-F "Engineering Admin" -P abc123 -x clear=clearanceval \
-B http://<server>/toolboxes/tsol_files.tbx
In the command above, <server> is the name of the machine
running the Solaris Management Console. See smc(1M) for a
description of the -B option.
EXAMPLES
Example 1: Creating a Role Account
The following creates the role1 account with a full name of
Engineering Admin and a password of abc123 on the local file
system, and assigns user1 and user2 to the role. This role
has Name Service Security and Audit Review rights. The sys-
tem assigns the next available unique UID greater than 100.
./smrole add -H myhost -p mypasswd -u root -- -n role1 \
-F "Engineering Admin" -P abc123 -a user1 -a user2 \
-p "Name Service Security" -p "Audit Review"
Example 2: Deleting Role Accounts
The following deletes the role1 and role2 accounts from the
local file system.
./smrole delete -H myhost -p mypasswd -u root -- -n role1 -n role2
SunOS 5.10 Last change: 17 Mar 2006 12
System Administration Commands smrole(1M)
Example 3: Listing Role Accounts
The following lists all role accounts on the local file sys-
tem in summary form.
./smrole list -H myhost -p mypasswd -u root --
Example 4: Modifying a Role Account
The following modifies the role1 account so the role
defaults to the Korn shell, includes the user3 account, and
does not include the user2 account.
./smrole modify -H myhost -p mypasswd -u root -- -n role1 \
-s /bin/pfksh -a user3 -r user2
ENVIRONMENT VARIABLES
See environ(5) for a description of the JAVA_HOME environ-
ment variable, which affects the execution of the smrole
command. If this environment variable is not specified, the
/usr/java location is used. See smc(1M).
EXIT STATUS
The following exit values are returned:
0 Successful completion.
1 Invalid command syntax. A usage message displays.
2 An error occurred while executing the command. An
error message displays.
FILES
The following files are used by the smrole command:
/etc/aliases Mail aliases. See
aliases(4).
/etc/auto_home Automatic mount points. See
automount(1M).
SunOS 5.10 Last change: 17 Mar 2006 13
System Administration Commands smrole(1M)
/etc/group Group file. See group(4).
/etc/passwd Password file. See
passwd(4).
/etc/security/policy.conf Configuration file for secu-
rity policy. See
policy.conf(4).
/etc/shadow Shadow password file. See
shadow(4).
/etc/user_attr Extended user attribute
database. See user_attr(4).
ATTRIBUTES
See attributes(5) for descriptions of the following attri-
butes:
____________________________________________________________
| ATTRIBUTE TYPE | ATTRIBUTE VALUE |
|_____________________________|_____________________________|
| Availability | SUNWmga |
|_____________________________|_____________________________|
| Interface Stability | Evolving |
|_____________________________|_____________________________|
SEE ALSO
automount(1M), smc(1M), aliases(4), group(4), passwd(4),
policy.conf(4), shadow(4), user_attr(4), attributes(5),
environ(5)
SunOS 5.10 Last change: 17 Mar 2006 14
Man(1) output converted with
man2html and wrapped by fishsponge
This page was generated on Wed Sep 12 11:26:37 GMT 2007
|
Your favourite pages:
No pages logged yet.
Trying to save cookie... Top 10 most popular pages:
sqlite3 man page (5334 hits)
(openSUSE 10.2)
svn man page (5209 hits)
(FreeBSD 6.2)
adv_cap_autoneg man page (4870 hits)
(Solaris 10 11_06)
CPAN man page (4607 hits)
(Suse Linux 10.1)
ssh man page (4342 hits)
(Suse Linux 10.1)
ssh-socks5-proxy-connect man page (2885 hits)
(Solaris 10 11_06)
netcat man page (2717 hits)
(Suse Linux 10.1)
pprosetup man page (2492 hits)
(Solaris 10 11_06)
startproc man page (2471 hits)
(Suse Linux 10.1)
signal man page (2408 hits)
(Suse Linux 10.1)
|
Man Pages 
