0% found this document useful (0 votes)
42 views, 6 pages

Account Administration: User Accounts

The document discusses user account administration on a system. It describes how user accounts can be added, modified, or deleted using either the graphical admintool command or command line utilities like useradd, usermod, and userdel. The admintool command provides an intuitive interface but requires a graphical environment, while the command line utilities can be used manually or in scripts but require more precise commands and parameters. User account information is stored in /etc/passwd and secure password details are stored in /etc/shadow.

Uploaded by

prasanna_erudite
Copyright
© Attribution Non-Commercial (BY-NC)

Account Administration

User and group accounts control access to the system. The administration of user accounts and
group accounts along with the passwords associated with these accounts is a key system
administration activity.

User Accounts

User accounts can be added, modified, or deleted using command-line utilities or by using the
admintool(1M) command. Use of the admintool command reduces or eliminates the possible
introduction of typos and other errors that might affect all the user accounts.

However, the admintool command requires a graphical interface and is more time consuming
than using the command-line utilities manually. These command-line utilities are as follows:

- useradd(1M)

- usermod(1M)

- userdel(1M)

Both the admintool command and the command-line utilities are described in this chapter.

Creating an Account Using the admintool Command

When the admintool command is started, the Users window is displayed. To display the Add
User window, select Add from the Edit pull-down menu. The Add User window consists of
three sections: User Identity, Account Security, and Home Directory.

The User Identity section provides the information that needs to be defined to add a user account.
All this information is stored in the /etc/passwd file, except secondary groups information,
which is stored in the /etc/group file. Table 3.1 lists the fields of the User Identity section.

Table 3.1 User Identity Fields of the admintool: Add User Window

Field             Description
User Name         A unique user account name consisting of a maximum of eight upper- and lowercase letters and/or numbers.
User ID           The UID associated with the user account. A unique number, typically between 1000 and 60000. The next available number starting at 1000 is provided automatically.
Primary Group     The group to which the user should be assigned. By default, 10 (staff) is provided. Any specified group must exist before members can be added.
Secondary Groups  Additional groups (separated by commas) to which the user should be assigned. Specified groups must exist before members can be added.
Comment           Any text that should be placed in the /etc/passwd Comment field.
Login Shell       The Bourne (default), C, or Korn shell can be selected. Another shell can be specified by selecting Other from the pull-down menu and entering the name of the shell in the field.

The Account Security section provides the information used to determine how the password
should be defined and to set up password aging. All this information is stored in the
/etc/shadow file. Table 3.2 lists the fields of the Account Security section.

Table 3.2 Account Security Fields of the admintool: Add User Window

Field             Description
Password          The choices are Cleared until first login, Account is locked, No password—setuid only, and Normal Password.
Min Change        Minimum days required between password changes.
Max Change        Maximum days a password is valid.
Max Inactive      Maximum number of days the account can be inactive before the password must be changed.
Expiration Date   Date the account expires.
Warning           Number of days the user is warned before the password expires.

The Home Directory section is used to define the home directory of the account and to create it if
necessary. This path is stored in the /etc/passwd file. The appropriate initialization files are
created in the home directory based on the type of login shell selected.

Modifying an Account Using the admintool Command

To modify a user account, start the admintool command if it is not already active. Display the
Users window by selecting Users from the Browse pull-down menu.
Click the desired account entry and then select Modify from the Edit pull-down menu. The
Modify User window is displayed. Change the fields as appropriate and click Apply to save the
changes.

Deleting an Account Using the admintool Command

To delete a user account, start the admintool command if it is not already active. Display the
Users window.

Click the desired account and then select Delete from the Edit pull-down menu. In the Warning
window, select Delete to delete the user account.

CAUTION

Because using the admintool command makes creating, modifying, and deleting user accounts
very easy and intuitive, Exam 310-014 concentrates on using the useradd, usermod, and
userdel commands for administering user accounts.

Creating an Account Using the useradd Command

The useradd(1M) command provides a quick method to add a new user account. At a minimum,
the account name must be specified as a command-line argument. Table 3.3 lists the command-
line arguments supported by the useradd command.

Table 3.3 Command-Line Arguments for the useradd Command

Argument           Description
account            Specifies the name of the new user account (required).
-A authorizations  Specifies one or more authorizations.
-b base            Defines a base directory. If a home directory (-d) is not specified, the account name is appended to base and the result is used as the home directory.
-c comment         Specifies a comment that is placed in the comment (gcos) field of the /etc/passwd file.
-d directory       Defines the home directory of the account.
-e date            Specifies the expiration date for the account. After the specified date, the account is disabled.
-f days            Specifies the maximum number of days the account can be inactive before it is disabled.
-g group           Defines the GID or name of an existing group that will be the primary group for the user account.
-G group           Defines the GID or name of an existing group that will be a secondary group for the user account.
-k template_dir    Specifies the directory that contains a template (default) profile used for the user account.
-m                 Creates the home directory if it does not exist. The home directory is defined by -b and the account name, or by -d.
-o                 Allows an existing UID to be specified. That is, it allows an account to be created with a duplicate UID (see -u).
-P profiles        Specifies one or more execution profiles.
-R roles           Specifies one or more user roles.
-s shell           Specifies the login shell; the default is the Bourne shell (/bin/sh).
-u uid             Specifies the UID of the user account. It must be a decimal integer. If not specified, the next highest available UID is assigned.
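The following script is an added example, not part of the chapter: it checks the values an administrator supplies against the constraints given in Table 3.1 (a login name of at most eight letters and digits, a UID in the 1000 to 60000 range) and assembles the useradd command line from the arguments in Table 3.3 without running it, so the command can be reviewed before it is executed as root. The login name jdoe, the /export/home base directory, the sysadmin group and the expiry date format are constructed values; check the date format against the local useradd(1M) manual page.

```shell
#!/bin/sh
# Added example (not from the original chapter): validate account parameters
# against the limits in Table 3.1 and build the matching useradd(1M) command
# from the arguments in Table 3.3. Nothing is executed; the command is printed
# for review. jdoe, /export/home, sysadmin and the date value are constructed.

# valid_login NAME -> 0 if NAME is 1 to 8 letters and/or digits (Table 3.1)
valid_login() {
    case "$1" in
        ''|*[!A-Za-z0-9]*) return 1 ;;   # empty, or contains other characters
    esac
    [ ${#1} -le 8 ]
}

# valid_uid UID -> 0 if UID is a decimal integer in the ordinary user range
valid_uid() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;         # empty, or not a decimal integer
    esac
    [ "$1" -ge 1000 ] && [ "$1" -le 60000 ]
}

# build_useradd LOGIN UID GROUP SECONDARY COMMENT SHELL EXPIRE INACTIVE
# Prints the useradd command line; returns non-zero and prints an error on bad input.
build_useradd() {
    login=$1 uid=$2 group=$3 secondary=$4 comment=$5 shell=$6 expire=$7 inactive=$8
    valid_login "$login" || { echo "invalid login name: $login (1-8 letters/digits)" >&2; return 1; }
    valid_uid "$uid"     || { echo "invalid UID: $uid (1000-60000)" >&2; return 1; }
    # -b gives the base directory and -m creates base/login as the home
    # directory; -e is the absolute expiry date and -f the inactivity limit.
    printf 'useradd -u %s -g %s -G %s -c "%s" -s %s -b /export/home -m -e %s -f %s %s\n' \
        "$uid" "$group" "$secondary" "$comment" "$shell" "$expire" "$inactive" "$login"
}

# Constructed values; the printed command is only run as root after review.
build_useradd jdoe 1001 staff sysadmin "John Doe" /bin/ksh 12/31/2025 30
```

Because the validation runs before anything touches /etc/passwd, a mistyped name or a UID in the system range is caught in the script rather than after the account already exists.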

The /etc/passwd file stores the essential user account information that is required during
login.

/etc/passwd is a text file that contains a list of the system's accounts, giving for each account
information such as the user ID, group ID, home directory, and shell. It should be readable by
everyone, because many utilities, such as ls, use it to map user IDs to user names, but it should be
writable only by the superuser (root).

Understanding fields in /etc/passwd

The /etc/passwd file contains one entry per line for each user (or user account) of the system.
All fields are separated by a colon (:). There are seven fields in total, as follows:

1. Username: Used when the user logs in. It should be between 1 and 32 characters in
length.
2. Password: An x character indicates that the encrypted password is stored in the /etc/shadow file.
3. User ID (UID): Each user must be assigned a user ID (UID). UID 0 (zero) is reserved for
root and UIDs 1-99 are reserved for other predefined accounts. UIDs 100-999 are
reserved by the system for administrative and system accounts/groups.
4. Group ID (GID): The primary group ID (stored in the /etc/group file).
5. User ID Info: The comment field. It allows you to add extra information about the user,
such as the user's full name and phone number. This field is used by the finger command.
6. Home directory: The absolute path to the directory the user will be in when they log in.
If this directory does not exist, the user's directory becomes /.
7. Command/shell: The absolute path of a command or shell (for example, /bin/bash). Typically this is
a shell, but it does not have to be.
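The seven-field layout makes a few integrity checks straightforward, and the script below is an added example (not from the chapter) that performs them read-only: it reports lines with the wrong number of fields, an empty password field (which lets the login proceed without a password), a password hash left in the world-readable passwd file instead of /etc/shadow, UID 0 on any account other than root, and duplicate UIDs or login names. The sample entries are constructed; pass the real /etc/passwd to audit a system.

```shell
#!/bin/sh
# Added example (not part of the original chapter): a read-only audit of
# /etc/passwd entries. The sample file is constructed; pass the real file to
# audit_passwd to check a live system.

# write_passwd_sample FILE -> writes constructed entries for the demonstration
write_passwd_sample() {
    cat > "$1" <<'EOF'
root:x:0:0:Super-User:/:/sbin/sh
jdoe:x:1001:10:John Doe:/export/home/jdoe:/bin/ksh
backup:x:0:10:Backup operator:/export/home/backup:/bin/sh
guest::1002:10:Guest:/export/home/guest:/bin/sh
asmith:x:1001:10:Ann Smith:/export/home/asmith:/bin/sh
broken:x:1003:10:Missing shell field:/export/home/broken
EOF
}

# audit_passwd FILE -> prints one finding per line, returns the number of findings
audit_passwd() {
    awk -F: '
        # every entry must have exactly the seven fields described above
        NF != 7 { printf "line %d: %d fields instead of 7\n", NR, NF; n++; next }
        # field 2 should be the x placeholder pointing at /etc/shadow
        $2 == ""              { printf "%s: empty password field, login needs no password\n", $1; n++ }
        $2 != "x" && $2 != "" { printf "%s: password hash kept in passwd instead of shadow\n", $1; n++ }
        # UID 0 is the superuser; only root should carry it
        $3 == 0 && $1 != "root" { printf "%s: UID 0 on a non-root account\n", $1; n++ }
        # a shared UID makes two accounts indistinguishable to the kernel
        ($3 in seen_uid)  { printf "%s: duplicate UID %s, also used by %s\n", $1, $3, seen_uid[$3]; n++ }
        ($1 in seen_name) { printf "%s: duplicate login name\n", $1; n++ }
        { seen_uid[$3] = $1; seen_name[$1] = 1 }
        END { exit n }
    ' "$1"
}

SAMPLE=${TMPDIR:-/tmp}/passwd.sample.$$
write_passwd_sample "$SAMPLE"
audit_passwd "$SAMPLE"
echo "findings: $?"
rm -f "$SAMPLE"
```

The return value is the finding count, so the function can gate a periodic job: a non-zero status means the file has drifted from the layout the chapter describes.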

The /etc/shadow file stores the actual password of each user account in encrypted form, together with
additional properties related to the user's password; that is, it stores the secure user account
information. All fields are separated by a colon (:) symbol. It contains one entry per line for each user
listed in the /etc/passwd file. The fields of a shadow file entry are as follows.

(Fig. 01: /etc/shadow file fields)

1. User name: Your login name.
2. Password: Your encrypted password. The password should be a minimum of 6-8 characters
long, including special characters/digits.
3. Last password change (lastchanged): Days since Jan 1, 1970 that the password was last
changed.
4. Minimum: The minimum number of days required between password changes, i.e. the
number of days left before the user is allowed to change his/her password.
5. Maximum: The maximum number of days the password is valid (after that, the user is forced
to change his/her password).
6. Warn: The number of days before the password is to expire that the user is warned that his/her
password must be changed.
7. Inactive: The number of days after the password expires that the account is disabled.
8. Expire: Days since Jan 1, 1970 that the account is disabled, i.e. an absolute date specifying
when the login may no longer be used.
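Because the lastchanged and expire fields are day counts since Jan 1, 1970, password and account expiry can be computed directly from the entry. The script below is an added example (not from the chapter) that does this for every entry: it reports empty password fields, locked (*LK*) and no-password (NP) accounts, accounts whose expire day has passed, passwords without a maximum age, passwords that have aged past lastchanged + maximum (and past the inactive grace period), and passwords inside their warning window. The *LK* and NP markers are the ones Solaris writes into the password field and are assumed here; the sample entries, their placeholder hashes and the reference day 20000 are constructed. Note that an actual shadow line carries a ninth, reserved flag field after the eight described above, so a well-formed entry has nine fields.

```shell
#!/bin/sh
# Added example (not part of the original chapter): a read-only password-aging
# audit of /etc/shadow using the fields described above. Hashes in the sample
# are placeholders, and "today" (days since Jan 1, 1970) defaults to the current
# day when the second argument is omitted. *LK* and NP are assumed to be the
# Solaris markers for a locked account and a no-password account.

# write_shadow_sample FILE -> writes constructed nine-field entries
write_shadow_sample() {
    cat > "$1" <<'EOF'
root:$5$c0nstructed$notarealhash:19900:0:91:7:::
jdoe:$5$c0nstructed$notarealhash:19950:7:91:7:30::
asmith:$5$c0nstructed$notarealhash:19850:7:91:7::19990:
old:$5$c0nstructed$notarealhash:19800:7:91:7:30::
guest::19950::::::
svc:*LK*:19950::::::
noaging:$5$c0nstructed$notarealhash:18000::::::
EOF
}

# audit_shadow FILE [TODAY] -> prints WARN/INFO lines, returns the WARN count
audit_shadow() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        NF != 9 { printf "WARN %s: %d fields instead of 9\n", $1, NF; n++; next }
        $2 == ""     { printf "WARN %s: empty password field, no password required\n", $1; n++; next }
        $2 == "*LK*" { printf "INFO %s: account locked\n", $1; next }
        $2 == "NP"   { printf "INFO %s: no password, setuid-only account\n", $1; next }
        # expire (field 8) is an absolute day; the account is disabled once it passes
        $8 != "" && $8 <= today { printf "WARN %s: account expired %d days ago\n", $1, today - $8; n++ }
        # without a maximum (field 5) the password never ages
        $5 == "" { printf "WARN %s: no maximum password age\n", $1; n++; next }
        {
            expires = $3 + $5                      # lastchanged + maximum
            if (today > expires) {
                printf "WARN %s: password expired %d days ago\n", $1, today - expires; n++
                # inactive (field 7) days after expiry the account itself is disabled
                if ($7 != "" && today > expires + $7) {
                    printf "WARN %s: disabled, inactive %d days past expiry\n", $1, today - expires; n++
                }
            } else if ($6 != "" && today >= expires - $6) {
                # inside the warn (field 6) window before expiry
                printf "INFO %s: password expires in %d days\n", $1, expires - today
            }
        }
        END { exit n }
    ' "$1"
}

SAMPLE=${TMPDIR:-/tmp}/shadow.sample.$$
write_shadow_sample "$SAMPLE"
audit_shadow "$SAMPLE" 20000        # omit 20000 to use the current day
echo "warnings: $?"
rm -f "$SAMPLE"
```

Run against the real file this must be done as root, since /etc/shadow is not readable by ordinary users; the script never writes to the file.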

Automatic account locking


So far, lock management has been done by the system administrator, who was responsible for
locking accounts and, when needed, unlocking them as well.

In Solaris 10 it is possible to lock a user account automatically after a number of failed login
attempts. When an account is automatically locked, the user may not log in using that account. Only
after the system administrator has unlocked the account is the user again allowed into the
system.

Define the lockout count

The lockout count defines after how many failed attempts the account is locked. To change the
lockout count, the system administrator needs to set the RETRIES setting in /etc/default/login.

server # vi /etc/default/login
..... Output Skipped .....
# RETRIES determines the number of failed logins that will be
# allowed before login exits. Default is 5 and maximum is 15.
# If account locking is configured (user_attr(4)/policy.conf(4))
# for a local user's account (passwd(4)/shadow(4)), that account
# will be locked if failed logins equals or exceeds RETRIES.
#
RETRIES=3
..... Output Skipped .....

Activate system-wide locking after failed retries

vi /etc/security/policy.conf
..... Output Skipped .....
#
# LOCK_AFTER_RETRIES specifies the default account locking policy for local
# user accounts (passwd(4)/shadow(4)).  The default may be overridden by
# a user's user_attr(4) "lock_after_retries" value.
# YES enables local account locking, NO disables local account locking.
# The default value is NO.
#
LOCK_AFTER_RETRIES=yes
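Whether a given account actually locks depends on three settings: RETRIES in /etc/default/login, LOCK_AFTER_RETRIES in /etc/security/policy.conf, and the per-user lock_after_retries value in user_attr(4) that the policy.conf comment says overrides the default. The script below is an added example (not from the chapter) that reads all three and reports the effective policy for a user. File paths are parameters so that the constructed copies written by write_lock_samples can be checked; pass /etc/default/login, /etc/security/policy.conf and /etc/user_attr to check a live system. The user_attr line format (user:qualifier:res1:res2:key=value;key=value) and the login name svcacct are assumptions.

```shell
#!/bin/sh
# Added example (not part of the original chapter): report the effective
# lock-after-retries policy for a user from /etc/default/login,
# /etc/security/policy.conf and the user_attr override. The sample files and
# the svcacct account are constructed.

# get_setting FILE KEY -> value of the last uncommented KEY=value line, if any
get_setting() {
    sed -n "s/^[[:space:]]*$2=\(.*\)/\1/p" "$1" | tail -n 1
}

# user_attr_value FILE USER KEY -> value of KEY in USER's attribute list
# (assumed user_attr layout: user:qualifier:res1:res2:key=value;key=value)
user_attr_value() {
    awk -F: -v u="$2" -v k="$3" '
        $1 == u {
            n = split($5, kv, ";")
            for (i = 1; i <= n; i++)
                if (index(kv[i], k "=") == 1) print substr(kv[i], length(k) + 2)
        }' "$1"
}

# lock_policy USER LOGIN_DEFAULTS POLICY_CONF USER_ATTR
# Prints the effective policy; returns 0 when USER locks after failed logins.
lock_policy() {
    user=$1
    retries=$(get_setting "$2" RETRIES);           retries=${retries:-5}   # default per file comment
    policy=$(get_setting "$3" LOCK_AFTER_RETRIES); policy=${policy:-NO}    # default per file comment
    override=$(user_attr_value "$4" "$user" lock_after_retries)
    effective=${override:-$policy}                 # user_attr wins over policy.conf
    case "$effective" in
        [Yy][Ee][Ss]) echo "$user: locked after $retries failed logins"; return 0 ;;
        *) echo "$user: never locked (policy.conf=$policy, user_attr override=${override:-none})"; return 1 ;;
    esac
}

# write_lock_samples DIR -> constructed copies of the three files
write_lock_samples() {
    mkdir -p "$1"
    printf '# RETRIES determines the number of failed logins that will be\n# allowed before login exits.\nRETRIES=3\n' > "$1/login"
    printf '# The default value is NO.\nLOCK_AFTER_RETRIES=YES\n' > "$1/policy.conf"
    printf 'svcacct::::lock_after_retries=no;type=normal\n' > "$1/user_attr"
}

D=${TMPDIR:-/tmp}/lockpolicy.$$
write_lock_samples "$D"
lock_policy jdoe    "$D/login" "$D/policy.conf" "$D/user_attr"   # locked after 3
lock_policy svcacct "$D/login" "$D/policy.conf" "$D/user_attr"   # override says no
rm -r "$D"
```

The override is worth auditing on its own: an account that reads lock_after_retries=no in user_attr stays open to repeated login attempts even when the system-wide policy is YES. On Solaris 10 the current state of an account can be read with passwd -s (LK marks a locked account) and a locked account is released with passwd -u, as the chapter's "unlocked by the system administrator" step implies.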
