.\"
.\" The contents of this file are subject to the terms of the
.\" Common Development and Distribution License (the "License").
.\" You may not use this file except in compliance with the License.
.\"
.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE
.\" or http://www.opensolaris.org/os/licensing.
.\" See the License for the specific language governing permissions
.\" and limitations under the License.
.\"
.\" When distributing Covered Code, include this CDDL HEADER in each
.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE.
.\" If applicable, add the following below this CDDL HEADER, with the
.\" fields enclosed by brackets "[]" replaced with your own identifying
.\" information: Portions Copyright [yyyy] [name of copyright owner]
.\"
.\"
.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved.
.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved.
.\" Copyright 2021-2023 RackTop Systems, Inc.
.\"
.Dd Jun 20, 2023
.Dt SMBADM 8
.Os
.Sh NAME
.Nm smbadm
.Nd configure and manage SMB local groups and users, and manage domain
membership
.Sh SYNOPSIS
.Nm
.Cm create
.Op Fl d Ar description
.Ar group
.Nm
.Cm delete
.Ar group
.Nm
.Cm rename
.Ar group new-group
.Nm
.Cm show
.Op Fl mps
.Op Ar group
.Nm
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Nm
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Nm
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Nm
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Nm
.Cm delete-user
.Ar username
.Nm
.Cm disable-user
.Ar username
.Nm
.Cm enable-user
.Ar username
.Nm
.Cm join
.Op Fl y
.Op Fl c Ar container
.Fl u Ar username
.Ar domain
.Nm
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Nm
.Cm lookup
.Ar account-name Oo Ar account-name Oc Ns ...
.Nm
.Cm list
.Nm
.Cm list-domains
.Nm
.Cm list-sessions
.Op Fl p
.Op Fl o Ar field,...
.Nm
.Cm list-trees
.Op Fl p
.Op Fl o Ar field,...
.Nm
.Cm list-ofiles
.Op Fl p
.Op Fl o Ar field,...
.Nm
.Cm close-session
.Ar computer
.Op Ar user
.Nm
.Cm close-ofile
.Ar file_ID
.Sh DESCRIPTION
The
.Nm
command is used to configure SMB local groups and users, and to manage domain
membership.
You can also use the
.Nm
command to enable or disable SMB password generation for individual local users.
.Pp
SMB local groups can be used when Windows accounts must be members of some local
groups and when Windows-style privileges must be granted.
System local groups cannot provide these functions.
.Pp
There are two types of local groups: user-defined and built-in.
Built-in local groups are predefined local groups that support common
administration tasks.
.Pp
In order to provide proper identity mapping between SMB local groups and
system groups, an SMB local group must have a corresponding system group.
This requirement has two consequences: first, the group name must conform to the
intersection of the Windows and system group name rules.
Thus, an SMB local group name can be up to eight (8) characters long and contain
only lowercase letters and digits.
Second, the system local group has to be created before the SMB local group can
be created.
.Pp
Built-in groups are standard Windows groups and are predefined by the SMB
service.
The built-in groups cannot be added, removed, or renamed, and these groups do
not follow the SMB local group naming conventions.
.Pp
When the SMB server is started, the following built-in groups are available:
.Bl -tag -width "Backup Operators"
.It Sy Administrators
Group members can administer the system.
.It Sy Backup Operators
Group members can bypass file access controls to back up and restore files.
.It Sy Power Users
Group members can share directories.
.El
.Pp
System local users must have an SMB password for authentication and to gain
access to SMB resources.
This password is created by using the
.Xr passwd 1
command when the
.Sy pam_smb_passwd
module is added to the system's PAM configuration.
See the
.Xr pam_smb_passwd 7
man page.
.Pp
The
.Cm disable-user
and
.Cm enable-user
subcommands control SMB password generation for a specified local user.
When disabled, the user is prevented from connecting to the SMB service.
By default, SMB password generation is enabled for all local users.
.Pp
To re-enable a disabled user, you must use the
.Cm enable-user
subcommand and then reset the user's password by using the
.Xr passwd 1
command.
The
.Pa pam_smb_passwd.so.1
module must be added to the system's PAM configuration to generate an SMB
password.
.Ss Escaping Backslash Character
For the
.Cm add-member ,
.Cm remove-member ,
and
.Cm join
.Po with
.Fl u
.Pc
subcommands, the backslash character
.Pq Qq \e
is a valid separator between member or user names and domain names.
The backslash character is a shell special character and must be quoted.
For example, you might escape the backslash character with another backslash
character:
.Ar domain Ns \e\e Ns Ar username .
For more information about handling shell special characters, see the man page
for your shell.
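.Pp
The following
.Xr sh 1
functions are an added example; they are not part of
.Nm
or of illumos.
They check a proposed group name against the naming rule given above, split a
member name written as
.Ar domain Ns \e Ns Ar username ,
.Ar domain Ns / Ns Ar username
or a bare
.Ar username
into its parts, and wrap the creation procedure: system group first, then the
SMB local group, its privileges, and its members.
The
.Sy smb_group_setup
wrapper runs real
.Xr groupadd 8
and
.Nm
commands and so is only defined, not invoked; the group, description and member
names passed to it are hypothetical.
.Bd -literal -offset indent
```shell
#!/bin/sh
# Added example, not part of smbadm(8) or illumos: helpers for scripting
# SMB local group setup.  Any group or member names handed to
# smb_group_setup are hypothetical.

# smb_group_name_ok NAME
# Succeeds when NAME meets the SMB local group naming rule from the
# DESCRIPTION section: one to eight characters, lowercase letters and
# digits only.  (Built-in groups such as "Backup Operators" are exempt.)
smb_group_name_ok() {
    case "$1" in
        ''|*[!a-z0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# smb_member_split MEMBER
# Prints "DOMAIN USER" for a member written as domain\user, domain/user or
# a bare user name (DOMAIN is empty in the last case).  The backslash form
# must reach this function as a single argument, so the caller quotes it,
# e.g. smb_member_split 'sales\terry'
smb_member_split() {
    case "$1" in
        *\\*) printf '%s %s\n' "${1%%\\*}" "${1#*\\}" ;;
        */*)  printf '%s %s\n' "${1%%/*}" "${1#*/}" ;;
        *)    printf '%s %s\n' "" "$1" ;;
    esac
}

# smb_group_setup GROUP DESCRIPTION MEMBER...
# Creates the system group, then the SMB local group, grants the backup and
# restore privileges, and adds each member.  Runs real groupadd(8) and
# smbadm(8) commands as root on an illumos host, so it is defined here but
# not invoked.
smb_group_setup() {
    group=$1
    desc=$2
    shift 2
    if ! smb_group_name_ok "$group"; then
        echo "smb_group_setup: invalid SMB local group name '$group'" >&2
        return 1
    fi
    groupadd "$group" || return 1
    smbadm create -d "$desc" "$group" || return 1
    smbadm set -p backup=on -p restore=on "$group" || return 1
    for member; do
        smbadm add-member -m "$member" "$group" || return 1
    done
    smbadm show -mp "$group"
}
```
.Ed
.Pp
Because the backslash form must arrive as one argument, quote it when calling
either function, for example:
.Dl smb_member_split 'sales\eterry'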
.Sh OPERANDS
The
.Nm
command uses the following operands:
.Bl -tag -width "username"
.It Ar domain
Specifies the name of an existing Windows domain to join.
.It Ar group
Specifies the name of the SMB local group.
.It Ar username
Specifies the name of a system local user.
.El
.Sh SUBCOMMANDS
The
.Nm
command includes these subcommands:
.Bl -tag -width Ds
.It Xo
.Cm create
.Op Fl d Ar description
.Ar group
.Xc
Creates an SMB local group with the specified name.
The corresponding system group must already exist.
You can optionally specify a description of the group by using the
.Fl d
option.
.It Xo
.Cm delete
.Ar group
.Xc
Deletes the specified SMB local group.
The built-in groups cannot be deleted.
.It Xo
.Cm rename
.Ar group new-group
.Xc
Renames the specified SMB local group.
The group must already exist.
The built-in groups cannot be renamed.
.It Xo
.Cm show
.Op Fl mps
.Op Ar group
.Xc
Shows information about the specified SMB local group or groups.
If no group is specified, information is shown for all groups.
If the
.Fl m
option is specified, the group members are also shown.
If the
.Fl p
option is specified, the group privileges are also shown.
If the
.Fl s
option is specified, group members are listed as SIDs instead of names.
.It Xo
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Xc
Retrieves property values for the specified group.
If no property is specified, all property values are shown.
.It Xo
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Xc
Sets configuration properties for an SMB local group.
The description and the privileges for the built-in groups cannot be changed.
.Pp
The
.Fl p Ar property Ns = Ns Ar value
option specifies the list of properties to be set on the specified group.
.Pp
The group-related properties are as follows:
.Bl -tag -width Ds
.It Cm backup Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to back up file system objects.
.It Cm description Ns = Ns Ar description-text
Specifies a text description for the SMB local group.
.It Cm restore Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to restore file system objects.
.It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can take ownership of file
system objects.
.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass Read access
controls.
.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass Write and
Delete access controls.
.El
.Pp
Each of these privileges lets group members override ordinary file access
controls, so grant them only to groups whose membership is tightly controlled.
.It Xo
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Adds the specified members to the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Removes the specified members from the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm delete-user
.Ar username
.Xc
Deletes the SMB password for the specified local user, effectively preventing
access by means of the SMB service.
Use the
.Xr passwd 1
command to create a new SMB password and re-enable access.
.It Xo
.Cm disable-user
.Ar username
.Xc
Disables SMB password generation for the specified local user, effectively
preventing access by means of the SMB service.
When a local user account is disabled, you cannot use the
.Xr passwd 1
command to modify the user's SMB password until the user account is re-enabled.
.It Xo
.Cm enable-user
.Ar username
.Xc
Enables SMB password generation for the specified local user and re-enables
access.
After password generation is re-enabled, use the
.Xr passwd 1
command to generate the SMB password for the local user.
.Pp
The
.Xr passwd 1
command manages both the system password and the SMB password for this user if
the
.Pa pam_smb_passwd
module has been added to the system's PAM configuration.
.It Xo
.Cm join
.Op Fl y
.Op Fl c Ar container
.Fl u Ar username
.Ar domain
.Xc
Joins a Windows domain.
.Pp
An authenticated user account is required to join a domain, so you must specify
a Windows user name with the
.Fl u
option; see below for when that account needs administrative privileges.
If the password is not specified on the command line, the user is prompted for
it.
This user should be the domain administrator or any user who has administrative
privileges for the target domain.
.Pp
.Ar username
and
.Ar domain
can be entered in any of the following formats:
.Bd -literal -offset indent
username[+password] domain
domain\eusername[+password]
domain/username[+password]
username@domain
.Ed
.Pp
\&...where
.Ar domain
can be the NetBIOS or DNS domain name.
Supplying the password on the command line with the
.Sy +password
suffix exposes it to other users through the process listing and may leave it
in the shell history; omit it and enter it at the prompt instead.
.Pp
The optional
.Ar container
string specifies the Relative Distinguished Name (RDN) of the
Active Directory container in which the machine trust account
should be created.
If unspecified, the RDN used is:
.Bd -literal -offset indent
CN=Computers
.Ed
.Pp
If a machine trust account for the system already exists on a domain controller,
any authenticated user account can be used when joining the domain.
However, if the machine trust account does
.Em not
already exist, an account that has administrative privileges on the domain is
required to join the domain.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Xo
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Xc
Joins a Windows workgroup.
.Pp
The default mode for the SMB service is workgroup mode, which uses the default
workgroup name,
.Qq WORKGROUP .
.Pp
The
.Fl w Ar workgroup
option specifies the name of the workgroup to join when using the
.Cm join
subcommand.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Xo
.Cm lookup
.Ar account-name Oo Ar account-name Oc Ns ...
.Xc
Looks up the SID for the given
.Ar account-name ,
or looks up the
.Ar account-name
for the given SID.
This subcommand is primarily for diagnostic use, to confirm whether the server
can look up domain accounts and/or SIDs.
.It Xo
.Cm list
.Xc
Deprecated, alias for
.Cm list-domains .
.It Xo
.Cm list-domains
.Xc
Shows information about the current workgroup or domain.
The information typically includes the workgroup name or the primary domain
name.
When in domain mode, the information includes domain controller names and
trusted domain names.
.Pp
Each entry in the output is identified by one of the following tags:
.Bl -tag -width "[*]"
.It Sy [*]
Primary domain
.It Sy [.]
Local domain
.It Sy [-]
Other domains
.It Sy [+]
Selected domain controller
.El
.It Xo
.Cm list-sessions
.Op Fl p
.Op Fl o Ar field,...
.Xc
Lists SMB sessions (connections and logons).
Output may be customized using
.Fl o Ar field,... ,
where the fields are: ID, DOMAIN, ACCT, USER, UID, COMPUTER, IP,
OS, LOGON, AGE, NOPEN, FLAGS.
If the
.Fl o
option is not specified, the default field list is:
IP,USER,NOPEN,AGE,FLAGS.
The
.Fl p
option selects a parsable output format intended for scripts.
.It Xo
.Cm list-trees
.Op Fl p
.Op Fl o Ar field,...
.Xc
Lists SMB
.Dq trees
(connected SMB shares).
Output may be customized using
.Fl o Ar field,... ,
where the fields are: ID, TYPE, NOPEN, NUSER, TIME, AGE, USER, SHARE.
If the
.Fl o
option is not specified, the default field list is:
TYPE,SHARE,USER,NOPEN,AGE.
As with
.Cm list-sessions ,
.Fl p
selects parsable output.
Note that this does not list available shares.
For that, use:
.Dl sharemgr show -v -P smb
.It Xo
.Cm list-ofiles
.Op Fl p
.Op Fl o Ar field,...
.Xc
Lists SMB open files.
Output may be customized using
.Fl o Ar field,... ,
where the fields are: ID, UNIQID, PERM, NLOCK, PATH, USER.
If the
.Fl o
option is not specified, the default field list is:
UNIQID,PATH,USER,NLOCK,PERM.
As with
.Cm list-sessions ,
.Fl p
selects parsable output.
.It Xo
.Cm close-session
.Ar computer
.Op Ar user
.Xc
Terminates the session(s) connected from
.Ar computer ,
optionally filtered by
.Ar user .
The
.Ar computer
may be specified by either the
.Sy IP
or the
.Sy COMPUTER
value from the columns with those headings as shown by the
.Cm list-sessions
subcommand.
(Usually those columns are the same.)
The
.Ar user
argument is optional, and if specified should be in
.Ar user@domain
format.
.It Xo
.Cm close-ofile
.Ar file_ID
.Xc
Closes the SMB open file identified by
.Ar file_ID
(obtained from the UNIQID column of the
.Cm list-ofiles
output).
.El
.Sh EXIT STATUS
.Ex -std
.Sh INTERFACE STABILITY
Utility name and options are
.Sy Uncommitted .
Utility output format is
.Sy Not-An-Interface .
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr smb 5 ,
.Xr smbautohome 5 ,
.Xr attributes 7 ,
.Xr pam_smb_passwd 7 ,
.Xr smf 7 ,
.Xr groupadd 8 ,
.Xr idmap 8 ,
.Xr idmapd 8 ,
.Xr kclient 8 ,
.Xr share 8 ,
.Xr sharectl 8 ,
.Xr sharemgr 8 ,
.Xr smbd 8 ,
.Xr smbstat 8
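.Sh EXAMPLES
The following
.Xr sh 1
script is an added example; it is not part of
.Nm
or of illumos.
It shows how
.Cm list-sessions
output can drive
.Cm close-session
from a script, for instance to find sessions that hold no open files and have
been around for a long time, or to list every client still holding a session
for an account that has just been disabled with
.Cm disable-user .
Because this page does not specify the parsable format, the script assumes that
.Cm list-sessions Fl p Fl o Ar IP,USER,NOPEN,AGE
prints one session per line with colon-separated fields and no header, that
AGE is an integer number of seconds, and that USER is in the
.Ar user@domain
form that
.Cm close-session
accepts.
The session lines embedded in the script are constructed for the example, not
captured from a server, and the
.Sy close_idle_sessions
function, which runs the real commands, is defined but not invoked.
.Bd -literal -offset indent
```shell
#!/bin/sh
# Added example, not part of smbadm(8) or illumos: select SMB sessions to
# close from the parsable output of list-sessions.  Assumptions that the
# manual page does not state: "smbadm list-sessions -p -o IP,USER,NOPEN,AGE"
# prints one session per line with no header and colon-separated fields,
# AGE is an integer number of seconds, and USER is already in the
# user@domain form that close-session accepts.

# Constructed sample of such output; not captured from a real server.
SAMPLE_SESSIONS='192.0.2.10:terry@sales:3:120
192.0.2.11:pat@sales:0:7200
192.0.2.12:terry@sales:0:4000
198.51.100.7:guest@build:1:60'

# idle_sessions MAX_AGE
# Reads list-sessions -p lines on stdin and prints "IP USER" for every
# session that has no open files and has existed longer than MAX_AGE
# seconds.
idle_sessions() {
    awk -F: -v max="$1" '$3 == 0 && $4 > max { print $1, $2 }'
}

# sessions_for_user USER
# Reads list-sessions -p lines on stdin and prints the distinct client IPs
# holding a session for USER, e.g. to tear down everything an account
# still has open after "smbadm disable-user".
sessions_for_user() {
    awk -F: -v u="$1" '$2 == u { print $1 }' | sort -u
}

# Sample-driven wrappers so the selection logic can be exercised offline.
sample_idle_sessions() {
    printf '%s\n' "$SAMPLE_SESSIONS" | idle_sessions "$1"
}
sample_sessions_for_user() {
    printf '%s\n' "$SAMPLE_SESSIONS" | sessions_for_user "$1"
}

# close_idle_sessions MAX_AGE
# Runs the real commands against the local SMB server; needs privilege and
# an illumos host, so it is defined but not invoked here.
close_idle_sessions() {
    smbadm list-sessions -p -o IP,USER,NOPEN,AGE | idle_sessions "$1" |
    while read -r ip user; do
        smbadm close-session "$ip" "$user"
    done
}
```
.Ed
.Pp
On a live server, replace the
.Sy sample_
wrappers with the pipeline used in
.Sy close_idle_sessions ,
and check the result of
.Cm list-sessions
again afterwards, since a client may reconnect immediately.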