1.\" 2.\" The contents of this file are subject to the terms of the 3.\" Common Development and Distribution License (the "License"). 4.\" You may not use this file except in compliance with the License. 5.\" 6.\" You can obtain a copy of the license at usr/src/OPENSOLARIS.LICENSE 7.\" or http://www.opensolaris.org/os/licensing. 8.\" See the License for the specific language governing permissions 9.\" and limitations under the License. 10.\" 11.\" When distributing Covered Code, include this CDDL HEADER in each 12.\" file and include the License file at usr/src/OPENSOLARIS.LICENSE. 13.\" If applicable, add the following below this CDDL HEADER, with the 14.\" fields enclosed by brackets "[]" replaced with your own identifying 15.\" information: Portions Copyright [yyyy] [name of copyright owner] 16.\" 17.\" 18.\" Copyright (c) 2009, Sun Microsystems, Inc. All Rights Reserved. 19.\" Copyright 2019 Nexenta by DDN, Inc. All rights reserved. 20.\" Copyright 2021 RackTop Systems, Inc. 21.\" 22.Dd Oct 15, 2021 23.Dt SMBADM 8 24.Os 25.Sh NAME 26.Nm smbadm 27.Nd configure and manage SMB local groups and users, and manage domain 28membership 29.Sh SYNOPSIS 30.Nm 31.Cm create 32.Op Fl d Ar description 33.Ar group 34.Nm 35.Cm delete 36.Ar group 37.Nm 38.Cm rename 39.Ar group new-group 40.Nm 41.Cm show 42.Op Fl mp 43.Op Ar group 44.Nm 45.Cm get 46.Oo Fl p Ar property Oc Ns ... 47.Ar group 48.Nm 49.Cm set 50.Fl p Ar property Ns = Ns Ar value 51.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ... 52.Ar group 53.Nm 54.Cm add-member 55.Fl m Ar member Oo Fl m Ar member Oc Ns ... 56.Ar group 57.Nm 58.Cm remove-member 59.Fl m Ar member Oo Fl m Ar member Oc Ns ... 
.Ar group
.Nm
.Cm delete-user
.Ar username
.Nm
.Cm disable-user
.Ar username
.Nm
.Cm enable-user
.Ar username
.Nm
.Cm join
.Op Fl y
.Op Fl c Ar container
.Fl u Ar username
.Ar domain
.Nm
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Nm
.Cm list
.Nm
.Cm lookup
.Ar account-name Oo Ar account-name Oc Ns ...
.Sh DESCRIPTION
The
.Nm
command is used to configure SMB local groups and users, and to manage domain
membership.
You can also use the
.Nm
command to enable or disable SMB password generation for individual local users.
.Pp
SMB local groups can be used when Windows accounts must be members of some local
groups and when Windows-style privileges must be granted.
System local groups cannot provide these functions.
.Pp
There are two types of local groups: user-defined and built-in.
Built-in local groups are predefined local groups that support common
administration tasks.
.Pp
In order to provide proper identity mapping between SMB local groups and
system groups, an SMB local group must have a corresponding system group.
This requirement has two consequences: first, the group name must conform to the
intersection of the Windows and system group name rules.
Thus, an SMB local group name can be up to eight (8) characters long and contain
only lowercase characters and numbers.
Second, a system local group has to be created before an SMB local group can
be created.
.Pp
Built-in groups are standard Windows groups and are predefined by the SMB
service.
The built-in groups cannot be added, removed, or renamed, and these groups do
not follow the SMB local group naming conventions.
.Pp
When the SMB server is started, the following built-in groups are available:
.Bl -tag -width "Backup Operators"
.It Sy Administrators
Group members can administer the system.
.It Sy Backup Operators
Group members can bypass file access controls to back up and restore files.
.It Sy Power Users
Group members can share directories.
.El
.Pp
System local users must have an SMB password for authentication and to gain
access to SMB resources.
This password is created by using the
.Xr passwd 1
command when the
.Sy pam_smb_passwd
module is added to the system's PAM configuration.
See the
.Xr pam_smb_passwd 7
man page.
.Pp
The
.Cm disable-user
and
.Cm enable-user
subcommands control SMB password generation for a specified local user.
When disabled, the user is prevented from connecting to the SMB service.
By default, SMB password generation is enabled for all local users.
.Pp
To re-enable a disabled user, you must use the
.Cm enable-user
subcommand and then reset the user's password by using the
.Xr passwd 1
command.
The
.Pa pam_smb_passwd.so.1
module must be added to the system's PAM configuration to generate an SMB
password.
.Ss Escaping Backslash Character
For the
.Cm add-member ,
.Cm remove-member ,
and
.Cm join
.Po with
.Fl u
.Pc
subcommands, the backslash character
.Pq Qq \e
is a valid separator between member or user names and domain names.
The backslash character is a shell special character and must be quoted.
For example, you might escape the backslash character with another backslash
character,
.Ar domain Ns \e\e Ns Ar username ,
or enclose the whole name in single quotes.
For more information about handling shell special characters, see the man page
for your shell.
.Sh OPERANDS
The
.Nm
command uses the following operands:
.Bl -tag -width "username"
.It Ar domain
Specifies the name of an existing Windows domain to join.
.It Ar group
Specifies the name of the SMB local group.
.It Ar username
Specifies the name of a system local user.
.El
.Sh SUBCOMMANDS
The
.Nm
command includes these subcommands:
.Bl -tag -width Ds
.It Xo
.Cm create
.Op Fl d Ar description
.Ar group
.Xc
Creates an SMB local group with the specified name.
You can optionally specify a description of the group by using the
.Fl d
option.
.It Xo
.Cm delete
.Ar group
.Xc
Deletes the specified SMB local group.
The built-in groups cannot be deleted.
.It Xo
.Cm rename
.Ar group new-group
.Xc
Renames the specified SMB local group.
The group must already exist.
The built-in groups cannot be renamed.
.It Xo
.Cm show
.Op Fl mp
.Op Ar group
.Xc
Shows information about the specified SMB local group or groups.
If no group is specified, information is shown for all groups.
If the
.Fl m
option is specified, the group members are also shown.
If the
.Fl p
option is specified, the group privileges are also shown.
.It Xo
.Cm get
.Oo Fl p Ar property Oc Ns ...
.Ar group
.Xc
Retrieves property values for the specified group.
If no property is specified, all property values are shown.
.It Xo
.Cm set
.Fl p Ar property Ns = Ns Ar value
.Oo Fl p Ar property Ns = Ns Ar value Oc Ns ...
.Ar group
.Xc
Sets configuration properties for an SMB local group.
The description and the privileges for the built-in groups cannot be changed.
.Pp
The
.Fl p Ar property Ns = Ns Ar value
option specifies the list of properties to be set on the specified group.
.Pp
The group-related properties are as follows:
.Bl -tag -width Ds
.It Cm backup Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to back up file system objects.
.It Cm description Ns = Ns Ar description-text
Specifies a text description for the SMB local group.
.It Cm restore Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can bypass file access controls
to restore file system objects.
.It Cm take-ownership Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can take ownership of file
system objects.
.It Cm bypass-read Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass read access
controls.
.It Cm bypass-write Ns = Ns Cm on Ns | Ns Cm off
Specifies whether members of the SMB local group can always bypass write and
delete access controls.
.El
.Pp
Every property other than
.Cm description
grants a privilege that bypasses access controls on file system objects.
Grant these privileges only to groups whose membership is reviewed, and audit
them with
.Cm show Fl p .
.It Xo
.Cm add-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Adds the specified members to the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm remove-member
.Fl m Ar member Oo Fl m Ar member Oc Ns ...
.Ar group
.Xc
Removes the specified members from the specified SMB local group.
The
.Fl m Ar member
option specifies the name of an SMB local group member.
The member name must include an existing user name and an optional domain name.
.Pp
Specify the member name in either of the following formats:
.Bd -literal -offset indent
[domain\e]username
[domain/]username
.Ed
.Pp
For example, a valid member name might be
.Sy sales\eterry
or
.Sy sales/terry ,
where
.Sy sales
is the Windows domain name and
.Sy terry
is the name of a user in the
.Sy sales
domain.
.It Xo
.Cm delete-user
.Ar username
.Xc
Deletes the SMB password for the specified local user, effectively preventing
access by means of the SMB service.
Use the
.Xr passwd 1
command to create a new SMB password and re-enable access.
.It Xo
.Cm disable-user
.Ar username
.Xc
Disables SMB password-generation capabilities for the specified local user,
effectively preventing access by means of the SMB service.
When a local user account is disabled, you cannot use the
.Xr passwd 1
command to modify the user's SMB password until the user account is re-enabled.
.It Xo
.Cm enable-user
.Ar username
.Xc
Enables SMB password-generation capabilities for the specified local user and
re-enables access.
After the password-generation capabilities are re-enabled, use the
.Xr passwd 1
command to generate the SMB password for the local user.
.Pp
The
.Xr passwd 1
command manages both the system password and the SMB password for this user if
the
.Pa pam_smb_passwd
module has been added to the system's PAM configuration.
.It Xo
.Cm join
.Op Fl y
.Op Fl c Ar container
.Fl u Ar username
.Ar domain
.Xc
Joins a Windows domain.
.Pp
An authenticated user account is required to join a domain, so you must specify
the Windows administrative user name with the
.Fl u
option.
If the password is not specified on the command line, the user is prompted for
it.
Prefer the prompt: a password given on the command line is visible in the
process listing and may be recorded in the shell history.
This user should be the domain administrator or any user who has administrative
privileges for the target domain.
.Pp
.Ar username
and
.Ar domain
can be entered in any of the following formats:
.Bd -literal -offset indent
username[+password] domain
domain\eusername[+password]
domain/username[+password]
username@domain
.Ed
.Pp
\&...where
.Ar domain
can be the NetBIOS or DNS domain name.
.Pp
The optional
.Ar container
string specifies the Relative Distinguished Name (RDN) of the
Active Directory container in which the machine trust account
should be created.
If unspecified, the RDN used is:
.Bd -literal -offset indent
CN=Computers
.Ed
.Pp
If a machine trust account for the system already exists on a domain controller,
any authenticated user account can be used when joining the domain.
However, if the machine trust account does
.Em not
already exist, an account that has administrative privileges on the domain is
required to join the domain.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Xo
.Cm join
.Op Fl y
.Fl w Ar workgroup
.Xc
Joins a Windows workgroup.
.Pp
The default mode for the SMB service is workgroup mode, which uses the default
workgroup name,
.Qq WORKGROUP .
.Pp
The
.Fl w Ar workgroup
option specifies the name of the workgroup to join when using the
.Cm join
subcommand.
Specifying
.Fl y
will bypass the SMB service restart prompt.
.It Cm list
Shows information about the current workgroup or domain.
The information typically includes the workgroup name or the primary domain
name.
When in domain mode, the information includes domain controller names and
trusted domain names.
.Pp
Each entry in the output is identified by one of the following tags:
.Bl -tag -width "[*]"
.It Sy [*]
Primary domain
.It Sy [.]
Local domain
.It Sy [-]
Other domains
.It Sy [+]
Selected domain controller
.El
.It Xo
.Cm lookup
.Ar account-name Oo Ar account-name Oc Ns ...
.Xc
Looks up the SID for the given
.Ar account-name ,
or looks up the
.Ar account-name
for the given SID.
This subcommand is primarily for diagnostic use, to confirm whether the server
can look up domain accounts and/or SIDs.
.El
.Sh EXIT STATUS
.Ex -std
.Sh INTERFACE STABILITY
Utility name and options are
.Sy Uncommitted .
Utility output format is
.Sy Not-An-Interface .
.Sh SEE ALSO
.Xr passwd 1 ,
.Xr smb 5 ,
.Xr smbautohome 5 ,
.Xr attributes 7 ,
.Xr pam_smb_passwd 7 ,
.Xr smf 7 ,
.Xr groupadd 8 ,
.Xr idmap 8 ,
.Xr idmapd 8 ,
.Xr kclient 8 ,
.Xr share 8 ,
.Xr sharectl 8 ,
.Xr sharemgr 8 ,
.Xr smbd 8 ,
.Xr smbstat 8
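.Sh EXAMPLES
The following shell script is an added example; it is not part of the original
.Nm
manual page or of the illumos SMB service.
It walks through the procedure described in DESCRIPTION and SUBCOMMANDS for
creating an SMB local group: the system group is created first, then the SMB
local group, then its privileges and members.
Before calling
.Xr groupadd 8
it enforces the documented naming rule (at most eight lowercase letters and
digits), it grants only the
.Cm backup
and
.Cm restore
privileges while explicitly setting
.Cm take-ownership ,
.Cm bypass-read
and
.Cm bypass-write
to
.Cm off ,
and it quotes
.Sy domain\eusername
member names so the backslash survives the shell.
The group name, description, domain and user names are constructed for
illustration; the
.Ev DRY_RUN
variable, the
.Sy render_cmdline
and
.Sy valid_smb_group_name
helpers and the use of
.Sy getent
to check for the system group are the example's own assumptions, not part of
.Nm .

```shell
#!/bin/sh
# Added example, not part of smbadm(8) or the illumos SMB service: create an
# SMB local group for domain backup operators with least privilege.
# Set DRY_RUN=0 to execute on an illumos SMB server; the default prints the
# command lines instead.  Assumes a POSIX sh with grep -E and getent.

DRY_RUN=${DRY_RUN:-1}

# Render "$@" as a copy-pasteable command line.  Arguments containing shell
# special characters (the backslash in domain\user, spaces in a description)
# are single-quoted; assumes no argument itself contains a single quote.
render_cmdline() {
    out=
    for a in "$@"; do
        case $a in
        *[!A-Za-z0-9_./=@-]*) out="$out '$a'" ;;
        *) out="$out $a" ;;
        esac
    done
    printf '%s\n' "${out# }"
}

# Print the command in dry-run mode, otherwise execute it.
run() {
    if [ "$DRY_RUN" -eq 1 ]; then
        printf '+ %s\n' "$(render_cmdline "$@")"
    else
        "$@"
    fi
}

# Naming rule from DESCRIPTION: at most eight characters, lowercase letters
# and digits only.  Returns 0 if the name is acceptable, 1 otherwise.
valid_smb_group_name() {
    printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{1,8}$'
}

# Usage: provision_backup_group GROUP DESCRIPTION MEMBER...
provision_backup_group() {
    group=$1
    desc=$2
    shift 2

    if ! valid_smb_group_name "$group"; then
        printf 'invalid SMB local group name: %s\n' "$group" >&2
        return 1
    fi

    # The system group must exist before the SMB local group can be created.
    if command -v getent >/dev/null 2>&1 && getent group "$group" >/dev/null 2>&1
    then
        :   # system group already present
    else
        run groupadd "$group"
    fi
    run smbadm create -d "$desc" "$group"

    # Grant only what backup operators need.  take-ownership, bypass-read and
    # bypass-write also let members ignore ACLs, so they are set off explicitly
    # rather than left at whatever the group had before.
    run smbadm set -p backup=on -p restore=on \
        -p take-ownership=off -p bypass-read=off -p bypass-write=off "$group"

    # Each member name is one argument; the caller single-quotes it so the
    # backslash in domain\user reaches smbadm intact.
    for m in "$@"; do
        run smbadm add-member -m "$m" "$group"
    done

    # Review members (-m) and privileges (-p) together.  The output format is
    # Not-An-Interface, so read it rather than parsing it from other scripts.
    run smbadm show -mp "$group"
}

# Constructed names: domain "sales", users terry and chris.
provision_backup_group bkupops "Domain backup operators" \
    'sales\terry' 'sales/chris'
```

With the default
.Ev DRY_RUN Ns =1
the script only prints the
.Xr groupadd 8
and
.Nm
command lines it would run, which makes the privilege set and the quoting of
.Sy sales\eterry
easy to review before applying them with
.Ev DRY_RUN Ns =0 .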