.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\"
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
.\"
.Dd June 6, 2019
.Dt SMBADM 8
.Os
.Sh NAME
.Nm smbadm
.Nd configure and manage SMB local groups and users, and manage domain
membership
.Sh SYNOPSIS
.Nm
.Cm create
.Op Fl d Ar description
.Ar group
.Nm
.Cm delete
.Ar group
.Nm
.Cm rename
.Ar group new-group
.Nm
.Cm show
.Op Fl mp
.Op Ar group
.Nm
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Nm
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Nm
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Nm
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Nm
.Cm delete-user
.Ar username
.Nm
.Cm disable-user
.Ar username
.Nm
.Cm enable-user
.Ar username
.Nm
.Cm join
.Op Fl y
.Fl u Ar username
.Ar domain
.Nm
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Nm
.Cm list
.Nm
.Cm lookup
.Ar account-name Oo Ar account-name Oc Ns ...
.Sh DESCRIPTION
The
.Nm
command is used to configure SMB local groups and users, and to manage domain
membership.
You can also use the
.Nm
command to enable or disable SMB password generation for individual local users.
.Pp
SMB local groups can be used when Windows accounts must be members of some local
groups and when Windows-style privileges must be granted.
System local groups cannot provide these functions.
.Pp
There are two types of local groups: user-defined and built-in.
Built-in local groups are predefined local groups to support common
administration tasks.
.Pp
In order to provide proper identity mapping between SMB local groups and
system groups, an SMB local group must have a corresponding system group.
This requirement has two consequences: first, the group name must conform to the
intersection of the Windows and system group name rules.
Thus, an SMB local group name can be up to eight (8) characters long and contain
only lowercase characters and numbers.
Second, a system local group has to be created before an SMB local group can
be created.
.Pp
Built-in groups are standard Windows groups and are predefined by the SMB
service.
The built-in groups cannot be added, removed, or renamed, and these groups do
not follow the SMB local group naming conventions.
.Pp
When the SMB server is started, the following built-in groups are available:
.Bl -tag -width "Backup Operators"
.It Sy Administrators
Group members can administer the system.
.It Sy Backup Operators
Group members can bypass file access controls to back up and restore files.
.It Sy Power Users
Group members can share directories.
.El
.Pp
System local users must have an SMB password for authentication and to gain
access to SMB resources.
This password is created by using the
.Xr passwd 1
command when the
.Sy pam_smb_passwd
module is added to the system's PAM configuration.
See the
.Xr pam_smb_passwd 7
man page.
.Pp
The
.Cm disable-user
and
.Cm enable-user
subcommands control SMB password generation for a specified local user.
When disabled, the user is prevented from connecting to the SMB service.
By default, SMB password generation is enabled for all local users.
.Pp
To re-enable a disabled user, you must use the
.Cm enable-user
subcommand and then reset the user's password by using the
.Xr passwd 1
command.
The
.Pa pam_smb_passwd.so.1
module must be added to the system's PAM configuration to generate an SMB
password.
.Ss Escaping Backslash Character
For the
.Cm add-member ,
.Cm remove-member ,
and
.Cm join
.Po with
.Fl u
.Pc
subcommands, the backslash character
.Pq Qq \e
is a valid separator between member or user names and domain names.
The backslash character is a shell special character and must be quoted.
For example, you might escape the backslash character with another backslash
character:
.Ar domain Ns \e\e Ns Ar username .
For more information about handling shell special characters, see the man page
for your shell.
.Sh OPERANDS
The
.Nm
command uses the following operands:
.Bl -tag -width "username"
.It Ar domain
Specifies the name of an existing Windows domain to join.
.It Ar group
Specifies the name of the SMB local group.
.It Ar username
Specifies the name of a system local user.
.El
.Sh SUBCOMMANDS
The
.Nm
command includes these subcommands:
.Bl -tag -width Ds
.It Xo
.Cm create
.Op Fl d Ar description
.Ar group
.Xc
Creates an SMB local group with the specified name.
You can optionally specify a description of the group by using the
.Fl d
option.
.It Xo
.Cm delete
.Ar group
.Xc
Deletes the specified SMB local group.
The built-in groups cannot be deleted.
.It Xo
.Cm rename
.Ar group new-group
.Xc
Renames the specified SMB local group.
The group must already exist.
The built-in groups cannot be renamed.
.It Xo
.Cm show
.Op Fl mp
.Op Ar group
.Xc
Shows information about the specified SMB local group or groups.
If no group is specified, information is shown for all groups.
If the
.Fl m
option is specified, the group members are also shown.
If the
.Fl p
option is specified, the group privileges are also shown.
.It Xo
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Xc
Retrieves property values for the specified group.
If no property is specified, all property values are shown.
.It Xo
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Xc
Sets configuration properties for an SMB local group.
The description and the privileges for the built-in groups cannot be changed.
.Pp
The
.Fl p Ar property Ns = Ns Ar value
option specifies the list of properties to be set on the specified group.
.Pp
The group-related properties are as follows:
.Bl -tag -width Ds
.It Cm backup Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to back up file system objects.
.It Cm description Ns = Ns Ar description-text
Specifies a text description for the SMB local group.
.It Cm restore Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to restore file system objects.
.It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can take ownership of file
system objects.
.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass Read access
controls.
.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass Write and
Delete access controls.
.El
.It Xo
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Adds the specified member to the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Removes the specified member from the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm delete-user
.Ar username
.Xc
Deletes the SMB password for the specified local user, effectively preventing
access by means of the SMB service.
Use the
.Xr passwd 1
command to create the SMB password and re-enable access.
.It Xo
.Cm disable-user
.Ar username
.Xc
Disables SMB password-generation capabilities for the specified local user,
effectively preventing access by means of the SMB service.
When a local user account is disabled, you cannot use the
.Xr passwd 1
command to modify the user's SMB password until the user account is re-enabled.
.It Xo
.Cm enable-user
.Ar username
.Xc
Enables SMB password-generation capabilities for the specified local user and
re-enables access.
After the password-generation capabilities are re-enabled, use the
.Xr passwd 1
command to generate the SMB password for the local user.
.Pp
The
.Xr passwd 1
command manages both the system password and the SMB password for this user if
the
.Pa pam_smb_passwd
module has been added to the system's PAM configuration.
.It Xo
.Cm join
.Op Fl y
.Fl u Ar username
.Ar domain
.Xc
Joins a Windows domain.
.Pp
An authenticated user account is required to join a domain, so you must specify
the Windows administrative user name with the
.Fl u
option.
If the password is not specified on the command line, the user is prompted for
it.
This user should be the domain administrator or any user who has administrative
privileges for the target domain.
.Pp
.Ar username
and
.Ar domain
can be entered in any of the following formats:
.Bd -literal -offset indent
username[+password] domain
domain\eusername[+password]
domain/username[+password]
username@domain
.Ed
.Pp
\&...where
.Ar domain
can be the NetBIOS or DNS domain name.
.Pp
If a machine trust account for the system already exists on a domain controller,
any authenticated user account can be used when joining the domain.
However, if the machine trust account does
.Em not
already exist, an account that has administrative privileges on the domain is
required to join the domain.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Xo
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Xc
Joins a Windows workgroup.
.Pp
The default mode for the SMB service is workgroup mode, which uses the default
workgroup name,
.Qq WORKGROUP .
.Pp
The
.Fl w Ar workgroup
option specifies the name of the workgroup to join when using the
.Cm join
subcommand.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Cm list
Shows information about the current workgroup or domain.
The information typically includes the workgroup name or the primary domain
name.
When in domain mode, the information includes domain controller names and
trusted domain names.
.Pp
Each entry in the output is identified by one of the following tags:
.Bl -tag -width "[*]"
.It Sy [*]
Primary domain
.It Sy [.]
Local domain
.It Sy [-]
Other domains
.It Sy [+]
Selected domain controller
.El
.It Xo
.Cm lookup
.Ar account-name Oo Ar account-name Oc Ns ...
.Xc
Looks up the SID for the given
.Ar account-name ,
or looks up the
.Ar account-name
for the given SID.
This subcommand is primarily for diagnostic use, to confirm whether the server
can look up domain accounts and/or SIDs.
.El
.Sh EXIT STATUS
.Ex -std
.Sh INTERFACE STABILITY
Utility name and options are
.Sy Uncommitted .
Utility output format is
.Sy Not-An-Interface .
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr smb 5 ,
.Xr smbautohome 5 ,
.Xr attributes 7 ,
.Xr pam_smb_passwd 7 ,
.Xr smf 7 ,
.Xr groupadd 8 ,
.Xr idmap 8 ,
.Xr idmapd 8 ,
.Xr kclient 8 ,
.Xr share 8 ,
.Xr sharectl 8 ,
.Xr sharemgr 8 ,
.Xr smbd 8 ,
.Xr smbstat 8
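.Sh EXAMPLES
The shell helpers below are an added illustration and are not part of the
.Nm
utility or of illumos.
They apply the SMB local group naming rule and the
.Ar domain Ns \e Ns Ar username
member-name formats described above before
.Nm
is invoked, and show the backslash quoting pitfall from the
.Sx Escaping Backslash Character
section; the
.Sy getent
command used to consult the group database is an assumption about the host.

```sh
#!/bin/sh
# Added example, not part of smbadm or illumos: pre-flight helpers that apply
# the group naming rule and member-name formats from smbadm(8) before the
# real command is run.  Only getent(1) is assumed to exist on the host.
LC_ALL=C; export LC_ALL    # keep [a-z] strictly ASCII in pattern matches

# SMB local group names: at most eight characters, lowercase letters and
# digits only (the intersection of the Windows and system group name rules).
smb_group_name_ok() {
    case "$1" in
        '' | *[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Split a member name given as [domain\]username or [domain/]username.
# Both separators are equivalent, so the backslash is normalised to "/".
# Prints "DOMAIN USER", with DOMAIN set to "-" when no domain was given.
split_member() {
    norm=$(printf '%s\n' "$1" | tr '\\' '/')
    case "$norm" in
        */*) printf '%s %s\n' "${norm%%/*}" "${norm#*/}" ;;
        *)   printf '%s %s\n' '-' "$norm" ;;
    esac
}

# A system group must exist before "smbadm create" can succeed: check the
# name and the group database, and print the command rather than running it.
preflight_create() {
    if ! smb_group_name_ok "$1"; then
        echo "invalid SMB local group name: $1" >&2
        return 1
    fi
    if ! getent group "$1" >/dev/null 2>&1; then
        echo "system group $1 does not exist; create it with groupadd first" >&2
        return 2
    fi
    echo "smbadm create $1"
}

# The quoting pitfall: unquoted, the shell removes the backslash and the
# domain part silently disappears, so quote it or double it.
split_member sales\terry        # prints "- salesterry"  (domain lost)
split_member 'sales\terry'      # prints "sales terry"
split_member sales\\terry       # prints "sales terry"
split_member sales/terry        # prints "sales terry"
```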