Adding User Accounts

Before you add users to the network, the users' systems must be installed and configured. When appropriate, NIS+, LDAP, or NIS software should be installed and running on the network.

Adding users so that they can log in and start working has two parts: setting up the user account and providing the user with a working environment.

When you set up a user account, you perform the following tasks.

Edit the /etc/passwd file.
Define the user's group(s).
Create a home directory.
Define the user's environment.
Create a password.

The next sections provide background information. Refer to the Solaris Management Console Tools book for detailed instructions on how to create and manage user accounts in a networked environment.

Editing the /etc/passwd File

You must be root or have the appropriate rights before you can edit the local /etc/passwd file.

You need the following information for each user you plan to add.

Login name.
User ID (UID).
Primary group ID (GID).
Secondary groups.
Identifying information (name, office, extension, home phone).
Home directory.
Login shell.

User ID Number

A UID is always associated with each user name and is used by systems to identify the owners of files and directories and to identify the user at login. If you create user accounts for a single individual on more than one system, always use the same user name and UID. In that way, the user can easily move and copy files between systems without ownership problems.

A UID must be a whole number less than or equal to 2147483647. The maximum UID was increased from 60000 to 2147483647 starting with the Solaris 2.5.1 release.

UIDs are required for both regular user accounts and special system accounts. Table 33 lists the UIDs that are reserved for user accounts and system accounts.

Table 33. Reserved UIDs
UIDs
Login Accounts
Description
0
root
Root account.
1
daemon
Daemon account.
2
bin
Pseudouser bin account.
3–99
sys, uucp logins, who, tty, and ttytype
System accounts.
100–60000
Regular users
General-purpose accounts.
60001
nobody
Unauthenticated users.
60002
noaccess
Compatibility with previous Solaris and SVR4 releases.
60003–2147483647
Regular users
General-purpose accounts.

CAUTION. Be careful when using UIDs in the 60000 to 2147483647 range. These numbers do not have full functionality and are incompatible with many Solaris subsystems. See Table 34 for more information.

Even though UIDs 0 through 99 are reserved for use by system accounts, you can add a user with one of these UIDs. You should not, however, use these UIDs for regular user accounts. Use the numbers 0 through 99 to assign system accounts, uucp logins, and pseudouser logins.

Large User IDs and Group IDs

Previous Solaris Operating Environments used 32-bit data types to contain UIDs and GIDs. UIDs and GIDs were constrained to a maximum useful value of 60000. The limit on UID and GID values has been raised to the maximum value of a signed integer, or 2147483647 starting with the Solaris 2.5.1 release. Table 34 lists the interoperability issues with the Solaris Operating Environment products and commands.

Table 34. Interoperability Issues for UIDs and GIDs over 60000
Category
Product/Command
Issues/Cautions
NFS Interoperability.
SunOS 4.x NFS software.
SunOS 4.x NFS server and client code truncates large UIDs and GIDs to 16 bits. This truncation can create security problems if SunOS 4.x systems are used in an environment where large UIDs and GIDs are being used. SunOS 4.x and compatible systems require a patch.
Nameservice Interoperability.
NIS nameservice.

File-based nameservice.
Users with UIDs above 60000 can log in and use the su command on systems running the Solaris 2.5 Operating Environment and compatible versions; however, their UIDs and GIDs are set to 60001 (nobody).

NIS+ nameservice.
Users with UIDs above 60000 are denied access on systems running the Solaris 2.5 Operating Environment, compatible versions, and the NIS+ name service.

Table 35 summarizes the limitations of using large UIDs and GIDs.

Table 35. Limitations of Using UIDs and GIDs over 60000
UID/GID Number
Limitation
60003 or greater.
A UID and GID of nobody are assigned to users who log in to systems running the Solaris 2.5 Operating Environment and compatible releases and the NIS or files nameservice.
65536 or greater.
Solaris 2.5 Operating Environment and compatible release systems running the NFS version 2 software truncate UIDs in this category to 16 bits, creating possible security problems.

Using the cpio command with the default archive format to copy files displays an error message for each file, and the UID and GID are set to nobody in the archive.

SPARC-based systems: Systems running the SunOS 4.0 Operating Environment and compatible applications display EOVERFLOW messages from some system calls, and the UID and GID are set to nobody.

IA-based systems: SVR3-compatible applications on an IA system are likely to display EOVERFLOW messages from system calls.

IA-based systems: If users create a file or directory on a mounted System V file system, the System V file system returns an EOVERFLOW error.
100000 or greater.
The ps -l command displays a maximum five-digit UID, so the printed column is not aligned when it includes a UID or GID greater than 99999.
2622144 or greater.
Using the cpio command with -H odc format or the pax -x cpio command to copy files returns an error message for each file, and the UIDs and GIDs are set to nobody in the archive.
10000000 or greater.
The ar command sets UIDs and GIDs to nobody in the archive.
2097152 or greater.
UIDs and GIDs are set to nobody when the tar command, the cpio -H ustar command, or the pax -x tar command is used.

Creating a Home Directory

The home directory is that portion of a file system that is allocated to an individual user for storing private files. The amount of space you allocate for a home directory may vary, depending on the kinds of files the users create and the type of work they do. You should probably allocate at least 15 Mbytes of disk space for each user's home directory.

A user's home directory can be either on the local system or on a remote file server. In either case, by convention the home directory is created as /export/home/ login-name. Note that this convention is new with the Solaris Operating Environment. The server name is no longer included as part of the user's home directory path. On a large server that supports a number of users' home directories, there may be a number of directories under /export—such as home1, home2, home3, and so on—with directories for different users under them. Regardless of where their home directory is located, users access their home directory through a mount point named /home/ login-name.

Always refer to the home directory as $HOME, not as /home/ login-name. In addition, use relative paths to create any symbolic links in a user's home directory (for example, ../../../x/y/x) so that the links are valid no matter where the home directory is mounted.

This section describes the default procedure for the Solaris Operating Environment; the procedure assumes that the user's system is on a network and that the automounter is used to make the home directory accessible. Whether the home directory originates on a server or on the local system, you need to make it accessible to other systems by using the share command to export the file system so that the user can access the home directory from other systems on the network.

In addition, you must define how the home directory is mounted. Use one of the following ways.

Add an entry to the NIS+ Auto_home database, NIS auto.home map, or local /etc/auto_home files so that the home directory is automatically mounted. This method is preferred.
Add an entry in the /etc/vfstab file on the user's system to NFS-mount the home directory.

To support automatic mounting of home directories, the Solaris Operating Environment includes the following entry in the /etc/auto_master file.

/home     auto_home     -nobrowse

This entry tells the automounter to mount the directories specified in the auto_home database onto the /home mount point on the local system. The entries in auto_home use the following format.

login-name   system-name:/export/home/login-name

When a user logs in with login-name, the automounter mounts the specified directory (/export/home/ login-name) from the specified system (system-name) onto the /home/ login-name mount point on the system to which the user is logged in.

This method works even when the home directory is stored on the same system to which the user has logged in. But more importantly, the user can log in to any other system and have his or her home directory mounted on /home/ login-name on that system.

NOTE. When the automounter is used to mount home directories, you are not permitted to create any directories under the /home mount point on the user's system. The system recognizes the special status of /home when the automounter is active.

To create a home directory, you must already have created the user's account. You need the following information.

User's login name and UID.
The name of the system on which to create the home directory. The home directory server and the user's system can be on any network segment.
Use the df command to check the servers to make sure there is enough space for a new home directory.
The name of the directory under which you will create the user's account.
By convention, the home directory is named /export/home. However, on a large file server you may have multiple directories—/export/home1, /export/home2, and so on. Under each directory, different subdirectories are created for different users (for example, /export/home/ login-namea, /export/home/ login-nameb ... /export/home1/ login-namey ... /export/home2/ login-namez, and so forth).

All the following steps apply regardless of whether the home directory is created on the local system or on a remote file server.

Become superuser on the system on which you want to create the home directory.
Type cd /export/ home-root and press Return.

home-root is the name of the directory under which you want to create the user's home directory. The following example changes to the directory /export/home1.
```
# cd /export/home1
```
Type mkdir login-name and press Return.

login-name is the login name of the user. You have created a directory that matches the login name of the user. The following example creates a directory for a user with a login name of ignatz.
```
# mkdir ignatz
```
Type chown login-name login-name and press Return.

The user now owns the home directory. The following example changes the ownership for user ignatz.
```
# chown ignatz ignatz
```
Type chgrp primary-GID login-name and press Return.

The user is assigned to the primary group you specified for the user account. The following example changes the primary group for user ignatz to the staff group.
```
# chgrp staff ignatz
#
```
Type chmod 755 /export/ home-root/login-name and press Return.

The user's home directory permissions are set to rwx for owner, r-x for group, and r-x for other. The following example changes home directory permissions for user ignatz.
```
#chmod 755 /export/home1/ignatz
#
```

The following steps describe how to share a home directory from a Solaris server.

Type share and press Return to find out whether the home directory has already been shared.

If the home directory is listed, information that looks like the following example is displayed.
```
oak% su
Password:
# share
-         /export/home1      rw   ""
#
```
If the home directory root is not listed, perform the following steps to set it up so that it can be shared by other systems. You perform these steps once for each /export/ home-root directory. By convention, these directories are named /export/home, /export/home1, /export/home2, and so on.
Edit the file /etc/dfs/dfstab and add the following line.
```
share -F nfs /export/home-root
```
Type shareall -F nfs and press Return.

All the share commands in the /etc/dfs/dfstab file are executed so you do not need to reboot the system. If you reboot the system, the shareall command is automatically run.
Type ps -ef | grep mountd and press Return.

If the daemon mountd is running, the procedure is complete. The following example shows that mountd is not running. If mountd is not running, follow the next step.
```
# ps -ef | grep mountd
    root    221    218  16  18:07:25 pts/1  0:00 grep mountd
#
```
Type /etc/init.d/nfs.server start and press Return.

The daemons required for sharing file directories are started.

NOTE. If your network is not running NIS, NIS+, or LDAP, you need to add the home directory server's Internet Protocol (IP) address and system name to the /etc/hosts file on the user's system.

After you have created the user's home directory, you must make it available. You make the home directory available by adding it to the appropriate NIS, NIS+, or LDAP database or by adding an entry to the /etc/vfstab file on the user's system for NFS mounting.

NFS-Mounting the Home Directory

If the directory (disk space) for a user's home directory is located on another system and the automounter is not being used to make that space available, use the following steps to NFS-mount the home directory.

Become superuser on the user's system.
Edit the /etc/vfstab file and create an entry for the user's home directory.

For example, to create an entry for user ignatz with a home directory on server oak, you would add the following line to the file.
```
oak:/export/home1/ignatz - /home/ignatz nfs - yes rw,intr
```
To create the mount point on the user's system, type mkdir /home/ login-name and press Return.

NOTE. The home directory does not have the same name on the user's system as it does on the server. For example, /export/home/ignatz on the server is mounted as /home/ignatz on the user's system.
Type chown login-name /home/ login-name and press Return.

The user now owns the home directory.
Type chgrp primary-GID /home/ login-name and press Return.

The user's primary group has permission to access the user's home directory.
Type mountall and press Return.

All entries in the current vfstab file (whose mount at boot fields are set to yes) are mounted.
To verify that all entries are mounted, type mount and press Return.

The file systems that are mounted are displayed.

Defining the User's Environment

To completely set up the user account, you must also perform the following tasks.

Define default initialization files.
Set up a mail account.
Set up a printer.

Defining Initialization Files

When a user logs in, the login program sets a number of variables, such as HOME, LOGNAME, and TZ. Then, the user's shell is launched and runs a file called the system profile (initialization file) to set systemwide defaults such as PATH, message of the day, and umask. Finally, the user profile initialization file (or files) that sets variables specific to the user is run. For example, the user profile can modify the PATH to include applications run by only that user. Each shell has its own initialization file (or files), as shown in Table 36.

Table 36. Shell User Initialization Files
Shell
Initialization File
Purpose
C
$HOME/.login
Define user's environment at login.

$HOME/.cshrc
Define user's environment for all C shells invoked after login shell.
Bourne
$HOME/.profile
Define user's environment at login.
Korn
$HOME/.profile
Define user's environment at login.

$HOME/ksh-env
Define user's environment at login in the file specified by the ksh-env environment variable.

The Solaris Operating Environment provides default user initialization files for each shell in the /etc/skel directory, as shown in Table 37.

Table 37. Default Home Directory Initialization Files
Shell
File Name
C
/etc/skel/local.login
C
/etc/skel/local.cshrc
Bourne or Korn
/etc/skel/local.profile

The default /etc/skel/local.login file is shown below.

# @(#)local.login 1.5     98/10/03 SMI
stty -istrip
# setenv TERM `tset -Q -`

#
# if possible, start the windows system. Give user a chance to bail out
#
if ( "'tty'" == "/dev/console" ) then
     
     if ( "$TERM" == "sun" || "$TERM" == "sun-color" || "$TERM" == "AT386" )
  then
        
          if ( ${?OPENWINHOME} == 0 ) then
               setenv OPENWINHOME /usr/openwin
          endif
         
          echo ""
          echo -n "Starting OpenWindows in 5 seconds (type Control-C to interrupt)"
          sleep 5
          echo ""
          $OPENWINHOME/bin/openwin
          clear          # get rid of annoying cursor rectangle
          logout         # logout after leaving windows system

     endif
  
endif

The default /etc/skel/local.cshrc file is shown below.

# @(#)cshrc 1.11 89/11/29 SMI
umask 022
set path=(/bin /usr/bin /usr/ucb /etc .)
if ( $?prompt ) then
        set history=32
endif

The default /etc/skel/local.profile file is shown below.

# @(#)local.profile 1.8     99/03/26 SMI
stty istrip
PATH=/usr/bin:/usr/ucb:/etc:.
export PATH

#
# If possible, start the windows system
#
if [ "`tty`" = "/dev/console" ] ; then
     if [ "$TERM" = "sun" -o "$TERM" = "sun-color" -o "$TERM" = "AT386" ]
     then

          if [ ${OPENWINHOME:-""} = "" ] ; then
               OPENWINHOME=/usr/openwin
               export OPENWINHOME
          fi

          echo ""
          echo "Starting OpenWindows in 5 seconds (type Control-C to interrupt)"
          sleep 5
          echo ""
          $OPENWINHOME/bin/openwin

          clear          # get rid of annoying cursor rectangle
          exit           # logout after leaving windows system

     fi
fi

As you can see, these files define a minimal environment. To minimize the need to edit the customization files for each user, you can customize the files in /etc/skel to set as many systemwide default variables as you want.

Creating Site Initialization Files

It is important that both the administrator and the user are able to customize the user initialization files. You can create site initialization files by locating the initialization files centrally and distributing them globally. With site initialization files, you can continue to introduce new functionality to the user's work environment and also enable the user to customize individual user initialization files.

You create a site initialization file and add a reference to it in the user's initialization file. When you reference a site initialization file in a user initialization file, all updates to the site initialization file are automatically reflected when the user logs in to the system or when a user starts a new shell.

You can do any customization in a site initialization file that you can do in a user initialization file. Site initialization files typically reside on a server or a set of servers and appear as the first statement in a user initialization file. Each site initialization file must be the same type of shell script as the user initialization file that references it. Thus, you have site initialization files for each shell used at your site.

To reference a site initialization file for a C shell user initialization file, put a line similar to the following example at the beginning of the user initialization file.

source /home/site-files/site-init-files

To reference a site initialization file in a Bourne or Korn shell user initialization file, put a line similar to the following example at the beginning of the user initialization file.

. /home/site-files/site-init-files

Example of a Site Initialization File

The following example shows a C shell site initialization file named site.login in which a user can choose a particular version of an application.

# @(#)site.login
main:
echo "Application Environment Selection"
echo ""
echo "1. Application, Version 1"
echo "2. Application, Version 2"
echo ""
echo -n "Type 1 or 2 and press Return to set your
application environment: "
set choice = $<
if ( $choice !~ [1-2] ) then
goto main
endif
switch ($choice)
case "1":
setenv APPHOME /opt/app-v.1
breaksw
case "2":
setenv APPHOME /opt/app-v.2
endsw

You would reference the site.login site initialization file located on a server named server2 in a user's .cshrc file (C shell users only) with the following line. The automounter must be running on the user's system.

source /home/site-init-files/site.login

Avoiding Local System References in Site Initialization Files

Do not add specific references to the local system in the user's initialization file. Instructions in a user initialization file should be valid regardless of the system to which the user logs in.

To make a user's home directory available anywhere on the network, always refer to the home directory with the variable $HOME. For example, use $HOME/bin instead of /home/ login-name/ bin. $HOME automounts the user's home directory when the user logs in to another system.

To access files on a local disk, create an indirect map that mounts only this file system, for example /home/site-init-files or /site/init-files. Such directories can be mounted automatically on any system to which the user logs in, assuming the system is running the automounter.

Setting Up User Initialization Files

To set up user initialization files, you must already have created the user's home directory and know which shell (C, Bourne, or Korn) is set in the user's account entry in the Passwd database. Use the following steps to set up the user's initialization files.

Become superuser on the system with the user's home directory.
Type cd /home/ login-name and press Return.

Focus is in the user's home directory. The following example changes to user ignatz 's directory, which is in /export/home.
```
# cd /home/ignatz
#
```
Type cp /etc/skel/local.* . and press Return.

You have copied all of the default user initialization files to the user's home directory.
Type chmod 744 local.* and press Return.

Permissions are set for the initialization files.
Type chown login-name * and press Return.

The user now owns the initialization files.
```
# chown ignatz *
#
```
Type chgrp primary-GID local.* and press Return.

The files are assigned to the primary group (for example, staff) you specified in the Passwd database for the user account.
```
# chgrp staff local.*
#
```
Rename the shell initialization files. If the user's shell is the C shell, type mv local.login .login; mv local.cshrc .cshrc and press Return. If the user's shell is the Korn or Bourne shell, type mv local.profile .profile and press Return.
Type rm local.* and press Return.

You have removed the unused shell initialization files.
On the user's system, log in as the user.
Assign the user an interim password.

See "Creating a Password" on page 162 for information on how to create passwords.
Check to make sure the user's environment is set up correctly.
Edit the user's initialization file (or files) and make changes as needed.

Use the following steps to edit the user's initialization file (or files).

Set the user's default path to include any additional directories or mount points for the user's windowing environment and applications. For the Bourne, Bourne Again, or Korn shell, type PATH=/ dirname1:/dirname2:/ dirname3...:.;export PATH. For example, enter a line such as the following in the user's $HOME/.profile file.
```
PATH=/usr/openwin/bin:/usr/dt/bin:/usr/bin:/$HOME/bin:/lib:/usr/lib:.; export
  PATH
```

To check that the PATH environment variable is set correctly, type echo $PATH and press Return.

paperbark% echo $PATH
/usr/openwin/bin:/usr/dt/bin:/usr/bin:/export/home/winsor/bin:/lib:/usr/lib:.
paperbark%

Add or change the settings of environment variables. For the C shell, type setenv VARIABLE value (or set variable=value for the path and term variables).

NOTE. Set environment variables in the .login file for the C and TC shells and .profile for the Bourne, Bourne Again, and Korn shells.

The following example sets the history to the last 100 commands.
```
setenv HISTORY 100
```
For the Bourne or Korn shell, type VARIABLE=value; export VARIABLE.

The following example sets the user's default mail directory.
```
MAIL=/var/mail/ignatz;export MAIL
```
Check the umask setting. If you need to change it, type umask nnn and press Return. You can either include or omit leading zeros.

For example, to set file permissions to 644, type umask 022 and press Return. Table 38 shows the file permissions that are created for each of the octal values of umask.

Table 38. Permissions for umask Values
Octal Value
File Permissions
0
rwx
1
rw-
2
r-x
3
r--
4
-wx
5
-w-
6
--x
7
---(none)

The LANG variable and LC environment variables determine the locale-specific conversions and conventions the shell uses. These conversions and conventions include time zones, collation orders, and formats of dates, time, currency, and numbers. If necessary, set these variables in the user's initialization file. LANG sets all possible conversions and conventions for a given locale. If you have special needs, you can set various aspects of localization separately by using the LC variables LC_COLLATE, LC_CTYPE, LC_MESSAGES, and LC_NUMERIC. Table 39 shows the values for several locales.

Table 39. Values for LANG and LC Variables
Value
Locale
de
German
fr
French
iso_8895_1
English and European
it
Italian
japanese
Japanese
korean
Korean
sv
Swedish
tchinese
Taiwanese

If the system needs to support multibyte characters (for example, Japanese), add the following command to the system initialization file (/etc/profile or /etc/.login).

stty cs8 defeucw

The preceding command sets character size to the maximum (cs8) and sets the width of multibyte characters to the default values for the locale specified by LC_CTYPE.

When the initialization files are complete, log out of the user's account.

Setting Up a User's Mail Account

Each user has a mailbox either on a local system or on a mail server and a mail alias in the /etc/mail/aliases file or in an NIS, NIS+, or LDAP nameservice database that points to the location of the mailbox. Use the following steps to set up a mail client with a mailbox on a mail server.

Become superuser on the mail client's system.
Create a /var/mail mount point on the mail client's system.
Create a direct automounter map or edit the /etc/vfstab file and add an entry for the /var/mail directory on the mail server, mounting it on the local /var/mail directory. Use the actimeo=0 option, as shown in the following example; otherwise, locking of the mailbox files fails.
```
server:/var/mail - /var/mail nfs - no rw,hard,actimeo=0
```
The client's mailbox is automatically mounted any time the system is rebooted.
Type mount -a to mount the mailbox.

The client's mailbox is mounted.

NOTE. Thesendmail program automatically creates mailboxes in the /var/mail directory the first time a message is delivered. You do not need to create individual mailboxes for your mail clients.

If you are using NIS+, use the following steps to set up mail aliases for the user.

Compile a list of each of your mail clients, the locations of their mailboxes, and the names of the mail server systems.
Become superuser on any system.
For each alias, type aliasadm -a alias expanded-alias [options comments] and press Return.

The alias is added to the NIS+ aliases table. The following example adds an alias for user iggy.ignatz.
```
# aliasadm -a iggy iggy.ignatz "Iggy Ignatz"
#
```
Type aliasadm -m alias and press Return.

The entry you created is displayed.
Check the entry to be sure it is correct.

Alternatively, when you have created a nameservice domain toolbox for SMC, you can use SMC/System Configuration/Users/Mailing Lists to edit network mail aliases.

Setting Up a User's Printer

After adding users to a system, make sure they have access to a printer. See Chapter 11, "Administering Printing," for information on how to set up printing services.

Creating a Password

Passwords are an important part of system security. Each user account should be assigned a password of 6 to 10 characters as a combination of letters and numbers.

You can assign and manage passwords with the SMC Users tool. By default, SMC manages accounts on the local system. You can create a nameservice domain toolbox to manage accounts in the LDAP, DNS, NIS+, or NIS nameservices. Refer to the Solaris Management Console Tools book available from Sun Microsystems Press and Prentice Hall for instructions on how to create a nameservice domain toolbox.

Table 40 lists the commands that you use to manage passwords in the passwd and shadow databases in nameservice domains.

Table 40. Nameservice Commands for Managing Passwords
Nameservice
Commands
files
passwd [-r files] username
NIS
passwd -r nis username (replacement for yppasswd(1).)
NIS+
passwd -r nisplus username (replacement for nispasswd(1).)
LDAP
passwd -r ldap username

In the Solaris Operating Environment, the encrypted password and associated password aging information are stored in the nameservice password or shadow database or in the local /etc/shadow file. Permissions for the /etc/shadow file are -r--------. Only root can read the /etc/shadow file, and only the passwd command can write to the file.

The following example shows the contents of an /etc/shadow file.

root:4ZfnV.kupl.SA:11081::::::
daemon:NP:6445::::::
bin:NP:6445::::::
sys:NP:6445::::::
adm:NP:6445::::::
lp:NP:6445::::::
uucp:NP:6445::::::
nuucp:NP:6445::::::
listen:*LK*:::::::
nobody:NP:6445::::::
noaccess:NP:6445::::::
nobody4:NP:6445::::::
winsor:OVHZsESoDAEwk:11081::::::
ray::::::::
des::::::::
rob::11080::::::
ppp:*LK*:::::::
ignatz::::::::

Users can create or change their own passwords at any time. You must be root to create the initial password for any other user. In addition, to create a nameservice password, you must have the appropriate privileges and you must have established the necessary networkwide credentials.

Use the following steps to create a local password.

Become superuser on the local system.
Type passwd login-name and press Return.

The prompt New password: is displayed.
Type the new password and press Return.

The prompt Re-enter new password: is displayed.
Retype the password and press Return.

The password is assigned, as shown in the following example, and added to the /etc/shadow file.
```
oak% su
# passwd smallberries
New password:
Re-enter new password:
#
```

NOTE. You can also use passwd to define, change, and view password attributes, such as password aging. You can use password aging for the file, NIS+, and LDAP nameservices, but not for NIS. See the passwd (1) manual page for more information.

Changing a local password is similar to adding a new password. When prompted to do so, type the old password, and then type the new password two times, as prompted.

To create or change passwords in NIS, NIS+, and LDAP nameservice environments, use the passwd -r (repository) option to specify an nis, nisplus, or ldap repository.

Disabling User Accounts

Occasionally, you may need to temporarily or permanently disable a login account. You should have good reason for taking such action. For example, the user may be on leave of absence or you may have strong evidence that the account is being misused or security is being violated.

The easiest way to disable a login account is to lock the account. You can lock an account in SMC from the General tab of the user properties for the user account. Refer to the Solaris Management Console Tools book for instructions.

On a local system, you can control access to a user's account by requiring password aging, by setting an expiration date for the login account, or by requiring that a user access the account at regular intervals. Another way that you can disable a login is to temporarily change the password.

[ Team LiB ]