.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\"
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
.\" Copyright 2021-2023 RackTop Systems, Inc.
.\"
.Dd Aug 29, 2025
.Dt SMBADM 8
.Os
.Sh NAME
.Nm smbadm
.Nd configure and manage SMB local groups and users, and manage domain
membership
.Sh SYNOPSIS
.Nm
.Cm create
.Op Fl d Ar description
.Ar group
.Nm
.Cm delete
.Ar group
.Nm
.Cm rename
.Ar group new-group
.Nm
.Cm show
.Op Fl mps
.Op Ar group
.Nm
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Nm
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Nm
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Nm
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Nm
.Cm delete-user
.Ar username
.Nm
.Cm disable-user
.Ar username
.Nm
.Cm enable-user
.Ar username
.Nm
.Cm join
.Op Fl y
.Op Fl c Ar container
.Fl u Ar username
.Ar domain
.Nm
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Nm
.Cm lookup
.Op Fl p
.Ar account-name Oo Ar account-name Oc Ns ...
.Nm
.Cm list
.Nm
.Cm list-domains
.Nm
.Cm list-sessions
.Op Fl p
.Op Fl o Ar field,...
.Nm
.Cm list-trees
.Op Fl p
.Op Fl o Ar field,...
.Nm
.Cm list-ofiles
.Op Fl p
.Op Fl o Ar field,...
.Nm
.Cm close-session
.Ar client_name
.Op Ar user_name
.Nm
.Cm close-ofile
.Ar file_ID
.Sh DESCRIPTION
The
.Nm
command is used to configure SMB local groups and users, and to manage domain
membership.
You can also use the
.Nm
command to enable or disable SMB password generation for individual local users.
.Pp
SMB local groups can be used when Windows accounts must be members of some local
groups and when Windows style privileges must be granted.
System local groups cannot provide these functions.
.Pp
There are two types of local groups: user defined and built-in.
Built-in local groups are predefined local groups to support common
administration tasks.
.Pp
In order to provide proper identity mapping between SMB local groups and
system groups, an SMB local group must have a corresponding system group.
This requirement has two consequences: first, the group name must conform to the
intersection of the Windows and system group name rules.
Thus, an SMB local group name can be up to eight (8) characters long and contain
only lowercase characters and numbers.
Second, a system local group has to be created before an SMB local group can
be created.
.Pp
Built-in groups are standard Windows groups and are predefined by the SMB
service.
The built-in groups cannot be added, removed, or renamed, and these groups do
not follow the SMB local group naming conventions.
.Pp
When the SMB server is started, the following built-in groups are available:
.Bl -tag -width "Backup Operators"
.It Sy Administrators
Group members can administer the system.
.It Sy Backup Operators
Group members can bypass file access controls to back up and restore files.
.It Sy Power Users
Group members can share directories.
.El
.Pp
System local users must have an SMB password for authentication and to gain
access to SMB resources.
This password is created by using the
.Xr passwd 1
command when the
.Sy pam_smb_passwd
module is added to the system's PAM configuration.
See the
.Xr pam_smb_passwd 7
man page.
.Pp
The
.Cm disable-user
and
.Cm enable-user
subcommands control SMB password-generation for a specified local user.
When disabled, the user is prevented from connecting to the SMB service.
By default, SMB password-generation is enabled for all local users.
.Pp
To reenable a disabled user, you must use the
.Cm enable-user
subcommand and then reset the user's password by using the
.Nm passwd
command.
The
.Pa pam_smb_passwd.so.1
module must be added to the system's PAM configuration to generate an SMB
password.
.Ss Escaping Backslash Character
For the
.Cm add-member ,
.Cm remove-member ,
and
.Cm join
.Po with
.Fl u
.Pc
subcommands, the backslash character
.Pq Qq \e
is a valid separator between member or user names and domain names.
The backslash character is a shell special character and must be quoted.
For example, you might escape the backslash character with another backslash
character:
.Ar domain Ns \e\e Ns Ar username .
For more information about handling shell special characters, see the man page
for your shell.
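.Pp
The following is an added example, not part of the original manual page or of the smbadm sources: a shell pre-flight check for the quoting rule above and for the group naming rule given in DESCRIPTION.
The helper names and the sample names wsales, sales and terry are assumptions made for illustration, and the script only prints a command line.
```shell
#!/bin/sh
# Added example: pre-flight checks for smbadm arguments. Helper names are
# hypothetical; nothing here runs smbadm, it only prints a command line.
LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII lowercase only

# received ARG: print ARG exactly as a command would receive it from the shell.
received() { printf '%s' "$1"; }

# valid_group NAME: the DESCRIPTION rule for SMB local group names:
# at most eight characters, lowercase letters and digits only.
valid_group() {
    case $1 in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# split_member MEMBER: print "domain user" for domain\user or domain/user,
# "- user" when no domain is given; fail on an empty part or extra separator.
split_member() {
    m=$1
    case $m in
        *\\*) dom=${m%%\\*}; usr=${m#*\\} ;;
        */*)  dom=${m%%/*};  usr=${m#*/} ;;
        *)    dom=-;         usr=$m ;;
    esac
    case $usr in
        ''|*\\*|*/*) return 1 ;;
    esac
    [ -n "$dom" ] || return 1
    printf '%s %s\n' "$dom" "$usr"
}

# add_member_cmd GROUP MEMBER: print a command line with MEMBER single-quoted,
# so the backslash reaches smbadm without needing to be doubled.
add_member_cmd() {
    valid_group "$1" || { printf 'bad group name: %s\n' "$1" >&2; return 1; }
    split_member "$2" >/dev/null ||
        { printf 'bad member name: %s\n' "$2" >&2; return 1; }
    case $2 in
        *\'*) printf 'member name contains a quote\n' >&2; return 1 ;;
    esac
    printf "smbadm add-member -m '%s' %s\n" "$2" "$1"
}

# Constructed sample names (wsales, sales, terry are illustrative only).
add_member_cmd wsales 'sales\terry'
printf 'unquoted sales\\terry arrives as: %s\n' "$(received sales\terry)"
```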
.Sh OPERANDS
The
.Nm
command uses the following operands:
.Bl -tag -width "username"
.It Ar domain
Specifies the name of an existing Windows domain to join.
.It Ar group
Specifies the name of the SMB local group.
.It Ar username
Specifies the name of a system local user.
.El
.Sh SUBCOMMANDS
The
.Nm
command includes these subcommands:
.Bl -tag -width Ds
.It Xo
.Cm create
.Op Fl d Ar description
.Ar group
.Xc
Creates an SMB local group with the specified name.
You can optionally specify a description of the group by using the
.Fl d
option.
.It Xo
.Cm delete
.Ar group
.Xc
Deletes the specified SMB local group.
The built-in groups cannot be deleted.
.It Xo
.Cm rename
.Ar group new-group
.Xc
Renames the specified SMB local group.
The group must already exist.
The built-in groups cannot be renamed.
.It Xo
.Cm show
.Op Fl mps
.Op Ar group
.Xc
Shows information about the specified SMB local group or groups.
If no group is specified, information is shown for all groups.
If the
.Fl m
option is specified, the group members are also shown.
If the
.Fl p
option is specified, the group privileges are also shown.
If the
.Fl s
option is specified, group members are listed as SIDs instead of names.
.It Xo
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Xc
Retrieves property values for the specified group.
If no property is specified, all property values are shown.
.It Xo
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Xc
Sets configuration properties for an SMB local group.
The description and the privileges for the built-in groups cannot be changed.
.Pp
The
.Fl p Ar property Ns = Ns Ar value
option specifies the list of properties to be set on the specified group.
.Pp
The group-related properties are as follows:
.Bl -tag -width Ds
.It Cm backup Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to back up file system objects.
.It Cm description Ns = Ns Ar description-text
Specifies a text description for the SMB local group.
.It Cm restore Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to restore file system objects.
.It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can take ownership of file
system objects.
.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass Read access controls.
.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass Write and Delete access controls.
.El
.It Xo
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Adds the specified member to the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Removes the specified member from the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm delete-user
.Ar username
.Xc
Deletes the SMB password for the specified local user, effectively preventing
access by means of the SMB service.
Use the
.Nm passwd
command to create the SMB password and re-enable access.
.It Xo
.Cm disable-user
.Ar username
.Xc
Disables SMB password-generation capabilities for the specified local user,
effectively preventing access by means of the SMB service.
When a local user account is disabled, you cannot use the
.Nm passwd
command to modify the user's SMB password until the user account is re-enabled.
.It Xo
.Cm enable-user
.Ar username
.Xc
Enables SMB password-generation capabilities for the specified local user and
re-enables access.
After the password-generation capabilities are re-enabled, use the
.Nm passwd
command to generate the SMB password for the local user.
.Pp
The
.Nm passwd
command manages both the system password and SMB password for this user if the
.Pa pam_smb_passwd
module has been added to the system's PAM configuration.
.It Xo
.Cm join
.Op Fl y
.Op Fl c Ar container
.Fl u Ar username
.Ar domain
.Xc
Joins a Windows domain.
.Pp
An authenticated user account is required to join a domain, so you must specify
the Windows administrative user name with the
.Fl u
option.
If the password is not specified on the command line, the user is prompted for
it.
This user should be the domain administrator or any user who has administrative
privileges for the target domain.
.Pp
.Ar username
and
.Ar domain
can be entered in any of the following formats:
.Bd -literal -offset indent
username[+password] domain
domain\eusername[+password]
domain/username[+password]
username@domain
.Ed
.Pp
\&...where
.Ar domain
can be the NetBIOS or DNS domain name.
.Pp
The optional
.Ar container
string specifies the Relative Distinguished Name (RDN) of the
Active Directory Container in which the machine trust account
should be created.
If unspecified, the RDN used is:
.Bd -literal -offset indent
CN=Computers
.Ed
.Pp
If a machine trust account for the system already exists on a domain controller,
any authenticated user account can be used when joining the domain.
However, if the machine trust account does
.Em not
already exist, an account that has administrative privileges on the domain is
required to join the domain.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Xo
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Xc
Joins a Windows workgroup.
.Pp
The default mode for the SMB service is workgroup mode, which uses the default
workgroup name,
.Qq WORKGROUP .
.Pp
The
.Fl w Ar workgroup
option specifies the name of the workgroup to join when using the
.Cm join
subcommand.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Xo
.Cm lookup
.Op Fl p
.Ar account-name Oo Ar account-name Oc Ns ...
.Xc
Looks up the SID for the given
.Ar account-name ,
or looks up the
.Ar account-name
for the given SID.
Specifying
.Fl p
will produce parsable output.
This subcommand is primarily for diagnostic use, to confirm whether the server
can look up domain accounts and/or SIDs.
.It Xo
.Cm list
.Xc
Deprecated, alias for
.Cm list-domains .
.It Xo
.Cm list-domains
.Xc
Shows information about the current workgroup or domain.
The information typically includes the workgroup name or the primary domain
name.
When in domain mode, the information includes domain controller names and
trusted domain names.
.Pp
Each entry in the output is identified by one of the following tags:
.Bl -tag -width "[*]"
.It Sy [*]
Primary domain
.It Sy [.]
Local domain
.It Sy [-]
Other domains
.It Sy [+]
Selected domain controller
.El
.It Xo
.Cm list-sessions
.Op Fl p
.Op Fl o Ar field,...
.Xc
List SMB sessions (connections and logons).
Output may be customized using
.Fl o Ar field,...
where fields are: ID, DOMAIN, ACCT, USER, UID, COMPUTER, IP,
OS, LOGON, AGE, NOPEN, FLAGS.
If the
.Fl o
option is not specified, the default field list is:
IP,USER,NOPEN,AGE,FLAGS
.It Xo
.Cm list-trees
.Op Fl p
.Op Fl o Ar field,...
.Xc
List SMB "trees" (connected SMB shares).
Output may be customized using
.Fl o Ar field,...
where fields are: ID, TYPE, NOPEN, NUSER, TIME, AGE, USER, SHARE.
If the
.Fl o
option is not specified, the default field list is:
TYPE,SHARE,USER,NOPEN,AGE
Note that this does not list available shares.
For that, use:
.Cm sharemgr show -v -P smb
.It Xo
.Cm list-ofiles
.Op Fl p
.Op Fl o Ar field,...
.Xc
List SMB open files.
Output may be customized using
.Fl o Ar field,...
where fields are: ID, UNIQID, PERM, NLOCK, PATH, USER.
If the
.Fl o
option is not specified, the default field list is:
UNIQID,PATH,USER,NLOCK,PERM
.It Xo
.Cm close-session
.Ar computer
.Op Ar user
.Xc
Terminate session(s) connected from
.Ar computer ,
optionally filtered by
.Ar user .
The
.Ar computer
may be specified by either the "IP" or "COMPUTER" values from the columns
with those headings as shown by the
.Cm list-sessions
command.
(Usually those columns are the same.)
The
.Ar user
argument is optional, and if specified should be in
.Ar user@domain
format.
.It Xo
.Cm close-ofile
.Ar file_ID
.Xc
Close the SMB open file identified by
.Ar file_ID
(obtained from the UNIQID column of the
.Cm list-ofiles
output).
.El
.Sh EXIT STATUS
.Ex -std
.Sh INTERFACE STABILITY
Utility name and options are
.Sy Uncommitted .
Utility output format is
.Sy Not-An-Interface .
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr smb 5 ,
.Xr smbautohome 5 ,
.Xr attributes 7 ,
.Xr pam_smb_passwd 7 ,
.Xr smf 7 ,
.Xr groupadd 8 ,
.Xr idmap 8 ,
.Xr idmapd 8 ,
.Xr kclient 8 ,
.Xr share 8 ,
.Xr sharectl 8 ,
.Xr sharemgr 8 ,
.Xr smbd 8 ,
.Xr smbstat 8