7    Administering User Accounts and Groups

Assigning user accounts and organizing user accounts into related groups is the most common way that you provide system resources to users. This chapter describes these user account and group administration topics:

• A discussion of the utilities that you can use to administer accounts and groups, and the user environments in which you can use these utilities (Section 7.1)

• A quick start section, providing brief information on the utilities; you can use the online help to guide you through a task (Section 7.2)

• Information to help you understand general account and group concepts (including LDAP and NIS), and important data items such as the unique identifiers assigned to accounts and groups; this section also describes the contents of the system data files for passwords and groups and how to set the default characteristics of an account or group (Section 7.3)

• Specific instructions on using utilities to perform administrative tasks on user accounts such as adding, modifying, and deleting user accounts and the associated system resources (Section 7.4)

• Specific instructions on using utilities to perform administrative tasks on user groups (Section 7.5)

• Information on administering associated (synchronized) Windows NT domain and UNIX accounts (Section 7.6)

7.1    Account Administration Options and Restrictions

Depending on your local system configuration, the user environment, and your personal preferences, there are several methods and a number of different utilities that you can use to administer user accounts. The following sections introduce and describe these options and identify any restrictions or requirements for their use.

7.1.1    Administrative Utilities

The operating system provides several different utilities that you can use to administer accounts. Not all are described in detail in this chapter. However, the principles of use are the same for all utilities. See the online help and reference pages for each utility for specific information on the options available.

The utilities are listed in Table 7-1. You must be root user on the UNIX system or the Windows NT domain administrator to use these utilities.

Table 7-1:  Utilities for Administering Accounts and Groups

You must install and configure the Advanced Server for UNIX (ASU) software to use the Microsoft Windows-based utilities. Using the ASU utilities is not explained in detail in this chapter, but is discussed only in the context of a UNIX server running the ASU software. See the ASU Installation and Administration Guide for more information on installing and using ASU.

7.1.2    Notes and Restrictions on Using the Utilities

The following restrictions apply when using account management utilities, or when certain system features are enabled:

• Characteristics of the default UNIX account configuration

  You can use only the UNIX command line utilities or Account Manager dxaccounts to configure the default UNIX account and group characteristics.

  See the ASU Installation and Administration Guide for more information on setting default values for PC accounts when ASU is in use.

• Enhanced (C2) security

  When enhanced security is enabled, it places restrictions on account creation and enables additional features such as:

  1. Enhanced password controls

  2. Options for enabling and disabling (or locking) accounts

  3. Options for deleting and retiring accounts

  See the Security Administration manual for more information.

• Network Information Services (NIS)

  NIS enables users to log in to any system on the local network that is running NIS. User data, such as account name and password is shared between all NIS systems, and users use different commands, such as yppasswd, instead of passwd to change passwords.

  When NIS is configured, you have two potential classes of users to manage:

  local users and groups
  NIS users and groups

  Features in the user account administration utilities that support NIS are enabled only when NIS is running. See the Network Administration: Services manual for information on setting up the NIS environment.

• Lightweight Directory Access Protocol (LDAP)

  LDAP is similar in concept to NIS. You have one repository, the LDAP database, against which to authenticate.

  LDAP enables users to log into any system on the local network that is running LDAP. User data, such as the account name and password, is shared among all LDAP systems, and users use different commands; one such example is the use of ypasswd instead of passwd to change passwords.

  When LDAP is configured, you have three potential classes of users to manage:

  local users and groups
  NIS users and groups
  LDAP users and groups

  Features in the user account administration utilities that support LDAP are enabled only when LDAP is running.

  See the OpenLDAP documentation at www.OpenLDAP.org for more information on LDAP.

• Multiple instances of account management utilities

  When invoked, any account management utility creates a lock file, preventing other account management utilities (or two instances of the same utility) from accessing system files such as /etc/passwd. This lock file is located at /etc/.AM_is_running. Creation of the lock file prevents possible corruption of account data in the system files. Under certain circumstances, this lock file may not clear correctly and you must delete it manually. Before you remove a lock file, ensure that it does not relate to a legitimate instance of an account management tool by running the ps -ef command to check for instances of AM_is_running.

  Only the command line utilities and the SysMan Menu tools support LDAP; the Account Manager utility (dxaccounts) does not.

  The SysMan Menu Accounts options are designed to use deferred completion. This means that any data that you enter is stored and not written to a file until you confirm it. Therefore, while you can invoke a SysMan Menu Accounts option while another instance of an account management utility is running, you cannot select Apply or OK to update the system file. When the other instance of an account management utility is closed, the lock file is removed and you can complete the transaction.

  The Division of Privileges (DOP) and distributed administration features enables the root user to easily assign account management privileges to other users. However, only one account management utility can be used by one authorized user at any time.

7.1.3    Related Documentation

Additional documentation on administering accounts can be found in manuals, reference pages, and online help.

7.1.3.1    Manuals

The following lists refers to information on administering accounts in the Tru64 UNIX operating system documentation set.

• Chapter 6 provides information on file systems and user file space.

• The Network Administration: Services manual provides information on NIS user accounts.

• The Security Administration manual provides information on important security considerations when assigning resources to users. Information on account requirements for enhanced security and system auditing is provided in this volume.

• The Common Desktop Environment: Advanced User's and System Administrator's Guide provides information on configuring the CDE environment and setting up system default resources such as printers.

• The ASU documentation kit provides the Concepts and Planning Guide, Installation and Administration Guide, and Release Notes.

7.1.3.2    Reference Pages

Reference pages provide a definitive list of all options and switches supported by commands. The following pages are referenced in this chapter:

• The command line utilities are documented in useradd(8), usermod(8), userdel(8), groupadd(8), groupmod(8), and groupdel(8).

• The SysMan utilities are documented in sysman(8) and sysman_cli(8).

• Invoking the Account Manager (dxaccounts) is documented in dxaccounts(8).

• The system files are documented in passwd(4), group(4), shells(4), and default(4).

• Individual commands are documented in passwd(1), vipw(8), grpck(8), and pwck(8).

7.1.3.3    Online Help

The SysMan Menu Accounts options and Account Manager (dxaccounts) each provide online help that describe all the options and define appropriate data entries.

Some command line routines also provide text help for the command syntax. This help is invoked with the -h or -help command flag.

7.1.4    Related Utilities

The resources in the following list are also useful when administering accounts. These commands and utilities may be useful in correcting system problems when the graphical user environments are unavailable, such as after a system crash, or if you have access to only a character-cell terminal.

vipw

The vipw utility allows you to invoke a text editor to edit the password file manually. Avoid editing system files manually if possible; use one of the available utilities instead. You can use the vipw utility to edit the local password database, but you cannot use it to edit the NIS database, or use it on systems that have enhanced security.

The vipw utility enables you to edit the passwd file and at the same time locks the file to prevent others from modifying it. It also verifies the consistency of the password entry for root and does not allow a corrupted root password to be entered into the passwd file. You can also use the vipw utility to patch a corrupted passwd file when in standalone mode.

See vipw(8) for more information.

who

Provides a list of currently logged in users. See who(1) for more information.

finger

Displays user information from the password file. See finger(1) for more information.

csh, ksh, and sh

The csh, ksh, and sh commands invoke and interpret the C, Korn, and POSIX shells.

grpck

The grpck command enables you to verify the integrity of the group file.

pwck

The pwck utility enables you to verify the integrity of the passwd file.

quotaon

The quotaon command enables you to turn quota information on and off.

passwd, chfn, and chsh

The passwd, chfn, and chsh commands allow users to change their password file information; the passwd allows a user to change his or her password, the chfn allows the user to change his or her full name; the chsh allows a user to change the login shell.

7.2    Account Administration - Quick Start

The following sections provide you with brief instructions on invoking the account administration utilities so that you can create basic accounts quickly. For example, if you have just installed and configured the system as the root user, you may want to set up a nonprivileged user account under your own name using the default account settings. At a later time you can read Section 7.3 and other sections to understand how to configure the system defaults and use the advanced features of account and group administration utilities.

7.2.1    Creating Primary Accounts During System Setup

On the first root login after a full installation of the operating system, the System Setup utility is displayed automatically to guide you through the options for configuring your system. The Account Manager (dxaccounts) icon included in System Setup enables you to configure initial accounts. This icon invokes an X11-compliant graphical user interface (GUI) that you can run under the Common Desktop Environment (CDE) or other X-windowing environments. See Section 7.5.2 for full information on using the Account Manager. When the Advanced Server for UNIX (ASU) is installed and configured, you can use the Account Manager (dxaccounts) GUI to administer Windows NT domain accounts as described in Section 7.6.

7.2.2    Using the Account Manager (dxaccounts) GUI

The Account Manager (dxaccounts) provides features supported by the CDE environment, such as drag-and-drop and cut-and-paste, to quickly clone new accounts from existing accounts. You can invoke this GUI as follows:

• Use the following command from a terminal to invoke the GUI in any X11-compliant windowing environment:

  # dxaccounts
  

• In CDE, open the Application Manager or the SysMan Applications pop-up menu from the Front Panel. Choose Daily Administration, and click on the Account Manager icon.

The Account Manager GUI (dxaccounts) also provides options for administering Windows NT domain users when ASU is installed. These options are dimmed on the window if ASU is not installed and configured.

You can use the Account Manager GUI (dxaccounts) to configure default options for user accounts, such as the shell and the parent directory. See Section 7.4.2.6 for information.

7.2.3    Using the SysMan Menu Accounts Option

The SysMan Menu Accounts options provide the same functions as dxaccounts, but with limited support for the following features:

• Managing Windows NT domain accounts for PC clients

• Managing accounts under Enhanced (C2) security

Invoke the SysMan Menu Accounts options from the CDE Applications Manager, the CDE Front Panel (SysMan Applications menu), or from the command line as follows:

# sysman accounts

The Accounts options also let you add and modify accounts in NIS (Network Information Service) and Lightweight Directory Access Protocol (LDAP) environments. You can add local users to any system without adding them to the NIS environment. See the Network Administration: Services manual for information on NIS.

To use the Accounts options from the SysMan Menu, invoke the SysMan Menu as described in Chapter 1 and expand the options as follows:

1. Choose the Accounts option to expand the menu. The following menu options are displayed:

   • Manage local users

   • Manage local groups

   • Manage NIS users

   • Manage NIS groups

   • Manage LDAP users

   • Manage LDAP groups

2. Move the pointer (or use the Tab key) to choose an option. Click on mouse button 1 (MB1) or the Enter key to invoke the utility.

3. The first window (or screen) of the utility opens, presenting you with the following options:

   Add...

   Use this option to create a new user account.

   Modify...

   Use this option to modify account details for an existing user account.

   Delete...

   Use this option to remove a user's account, and optionally to delete all their system resources.

   Filter...

   Use this option to filter (search) for a specific user or set of users. You can specify different search criteria such as the user's UID or account comment.

   Options...

   Use this option to define the number of accounts at which filtering starts automatically. You can choose which user data is included in listings of user accounts.

Detailed use of these utilities is described in Section 7.4.1, and in the online help.

7.2.4    Using the Command Line Utilities

The following command line utilities are available for administering accounts and groups:

useradd, usermod, and userdel

Use these commands to add, modify, and delete user accounts, respectively.

groupadd, groupmod, and groupdel

Use these commands to add, modify, and delete groups, respectively.

adduser and addgroup

These utilities, documented in adduser(8) and addgroup(8) are obsolete interactive scripts provided only for backwards compatibility. If you are still using these scripts, you should migrate to one of the newer utilities that provide support for any work environment, including character-cell terminals and Windows NT.

The command line utilities also provide options for administering Windows NT domain accounts when ASU is installed.

7.2.5    Advanced Server for UNIX

Advanced Server for UNIX (ASU) is a layered application that implements Windows NT Version 4.0 server services and functions on a server running the UNIX operating system. To other computers running Windows, the UNIX system appears to be a Windows NT Version 4.0 server. Through ASU, you can share UNIX file systems and printers as shares. By default, the client Windows user must have both a Windows NT domain account and a UNIX account in order to share UNIX resources. When ASU is running, the UNIX account administrative utilities that are described in this chapter can be used to perform certain account administrative tasks, such as creating new accounts.

ASU software is located on the Associated Products Volume 2 CD-ROM and provides two free connects. See the Installation and Administration Guide provided in the software kit.

7.3    Understanding User Accounts and Groups

The administration of user accounts and groups involves managing the contents of the system's password and group files. On standalone systems, the files you manage are /etc/passwd, which is documented in passwd(1), and /etc/group, which is documented in group(4).

On networked systems, typically, the Network Information Service (NIS) or Lightweight Directory Access Protocol (LDAP) is used for central account and group management. NIS and LDAP allow participating systems to share a common set of password and group files. See the Network Administration: Services manual and www.OpenLDAP.org for more information.

If enhanced (C2) security is enabled on your system, you need to administer more than the /etc/passwd file for security. For example, the protected password database is used for security related information such as minimum password lengths and password expiration times. These tasks are documented in the Security Administration manual.

7.3.1    System Files

The following system files may be updated when you perform account administration tasks and should be backed up regularly:

/etc/group

The /etc/group file contains group data. Each row specifies one of the following: the group name; optional encrypted password; numerical group ID; and a list of all users who are members of the secondary group. For example:

system:*:0:root luis
daemon:*:1:daemon
uucp:*:2:uucp
mem:*:3:
kmem:*:3:root
bin:*:4:bin,adm
sec:*:5:
cron:*:14:
.
.
.
users:*:15:billP carsonK raviL annieO
sysadmin:*:16:
tape:*:17:
.
.
.

/etc/passwd

The /etc/passwd file consists of rows of one record (row) per user, containing seven fields of user data. See Section 7.3.3 for more information. Example entries are:

carsonK:6xl6duyF4JaEI:200:15:Kit Carson,3x192,1-6942,
:/usr/users/carsonK:/bin/sh
annieO:.murv3n1pg2Dg:200:15:Annie Olsen,3x782,1-6982,
:/usr/users/annieO:/bin/sh
 
 

The example lines are broken to fit the page, and appear as a single line in the file.

/usr/skel

The /usr/skel directory contains skeleton files for new accounts such as a .login file. Users can edit these files to customize their account to the local environment, by defining environment variables and default paths to programs or project files. The /etc/shells file provides a list of available command shells on the system.

Log files

The log files /var/adm/wtmp and /var/adm/utmp, and log files in the /usr/var/adm/syslog.dated directory provide information about account usage.

If enhanced security is in use, the following security files are relevant:

• /etc/auth/system/default

• /tcb/files/auth.db

• /var/tcb/files/auth.db

If NIS (Network Information Services) is in use, the following NIS files are relevant. Be sure to back up these files on the NIS master database:

• /var/yp/src/group

• /var/yp/src/passwd

• /var/yp/src/prpasswd

LDAP information is stored in the LDAP database; this should be backed up.

The following log files provide information about account use:

• /var/adm/wtmp

• /var/adm/utmp

• The log files in the /usr/var/adm/syslog.dated directory

7.3.2    Understanding Identifiers (UIDs and GIDs)

Each user account is recognized by a unique number called a user identifier (UID). The system also recognizes each user group by a unique number called a group identifier (GID). The system uses these numbers to track user file access permissions and group privileges and to collect user accounting statistics and information.

The maximum number of UIDs and GIDs is 4,294,967,294 (32 bits with 2 reserved values). The maximum number of users that can be logged on is determined by the available system resources, but is of course a much smaller figure. If you intend to use the full range of UIDs and GIDs, be aware that some older utilities and applications do not support the maximum number and you should take the following precautions:

• If you not running the latest versions of your end-user applications, ensure that they support maximum UIDs and GIDs. For example, the widely used Kerberos Version 4.0 does not support UIDs and GIDs beyond a certain range. If you currently use Kerberos Version 4.0, consider upgrading to Kerberos Version 5.0. Similarly, If you use PATHWORKS, consider upgrading to ASU Version 4.0 or higher.

• The System V file system (S5FS) does not support the maximum range of UIDs and GIDs. Any file system syscall that specifies UIDs and GIDs greater than 65,535 returns an EINVAL error. Users assigned a UID or GID greater than 65,535 cannot create or own files on a System V file system. Consider using the UFS or AdvFS as a solution.

• The behavior of certain commands and utilities change when the maximum UID and GID range is increased. Compare these changes against any local use of these commands, such as in shell scripts:

  • The ls -l command does not display the disk block usage on quota files or sparse files. To display the actual disk block usage for any file, use the ls -s command.

  • The cp command incorrectly copies quota files or other sparse files. To correctly copy quota files or other sparse files, use the dd command with the conv=sparse parameter:

    # dd conv=sparse if=inputfile  of= outputfile
    

  • If you back up a UFS file system that contains quota files or other sparse files using the vdump utility and restore it using the vrestore utility, the quota files or other sparse files are restored as follows:

    • The first page of a file on disk is restored as a fully populated page; that is, empty nonallocated disk blocks are zero filled.

    • Any additional pages on disk are restored sparse.

7.3.3    Understanding the Password File

The passwd file for a standalone system identifies each user (including root) on your system. Each passwd file entry is a single line that contains seven fields. The fields are separated by colons and the last field ends with a newline character. The syntax of each entry and the meaning of each field is as follows:

username:password:user_id:group_id:user_info:login_directory:login_shell

username

The name for the user account. The username must be unique and consist of from one to eight alphanumeric characters.

password

You cannot enter a password directly. Enter an asterisk (*) in the passwd field to disable a login to that account. An empty password field allows anyone who knows the login name to log in to your system as that user.

user_id

The UID for this account. This number must be unique for each user on the system. Reserve the UID 0 for root. Assign each UID in ascending order beginning with 100. Lower numbers are used for pseudousers such as bin or daemon. (See also the /usr/include/limits.h file).

group_id

The GID for this account, which is an integer. See the Technical Overview for information on the limit. Reserve the GID 0 for the system group. Be sure to define the GID in the group file.

user_info (or GECOS data)

This field contains additional user information such as the full user name, office address, telephone extension, and home phone. The finger command reads the information in the user_info field. Users can change the contents of their user_info field with the chfn command. See finger(1) and chfn(1) for more information.

login_directory

The absolute pathname of the directory where the user account is located immediately after login. The login program assigns this pathname to the HOME environment variable. Users can change the value of the HOME variable, but if a user changes the value, then the home directory and the login directory are two different directories. Create the login directory after adding a user account to the passwd file. Typically the user's name is used as the name of the login directory. See chown(1), mkdir(1), chmod(1), and chgrp(1) for more information on creating a login directory.

login_shell

The absolute pathname of the program that starts after the user logs in. If you leave this field empty, the Bourne shell /bin/sh starts. See sh(1b) for information on the Bourne shell. Users can change their login shell by using the chsh command. See chsh(1) for more information.

In windowing (graphical) user environments, utilities such as Account Manager (dxaccounts) can be used to perform all the operations provided by commands such as passwd and mkdir.

You only can set default characteristics for new accounts in some graphical utilities, while the command line utilities enable full access to setting and changing the default characteristics. See Section 7.4.2.6 for an explanation of how to do this with Account Manager (dxaccounts).

When the /etc/passwd file is very large, a performance degradation can occur. If the number of passwd entries exceeds 30,000, mkpasswd sometimes fails to create a hashed (ndbm) database. Because the purpose of this database is to allow for efficient (fast) searches for password file information, failure to build it causes commands that rely on it to do a linear search of /etc/passwd. This results in a serious performance degradation for those commands.

If you use the mkpasswd -s option to avoid this type of failure, a potential database or binary compatibility problem may arise. If an application that accesses the password database created by mkpasswd is built statically (nonshared), that application cannot read from or write to the password database correctly. This causes the application to fail either by generating incorrect results or by possibly dumping core.

Any statically linked application can be affected if it directly or indirectly calls any of the libc ndbm routines documented in ndbm(3) and then accesses the password database. To remedy this situation, you must relink the application. To avoid this compatibility problem, do not use the mkpasswd -s option.

Note

In an NIS environment you can add a user account to either the local passwd file or the NIS distributed passwd file. Accounts added to the local passwd file are visible only to the system to which they are added. Accounts added to the NIS distributed passwd file are visible to all NIS clients that have access to the distributed file. See nis_manual_setup(7) for more information on adding users in a distributed environment.

Similarly, LDAP users are also global.

7.3.4    Understanding the Group File

All users are members of at least one group. The group file identifies the group name for a user. There are two primary reasons to group user accounts:

• Several users work together on the same files and directories; grouping these users together simplifies file and directory access.

• Only certain users are permitted access to system files or directories; grouping them together simplifies the identification of privileged users.

The group file is used for the following purposes:

• To assign a name to a group identification number used in the passwd file

• To allow users to be members of more than one group by adding the user account to the corresponding group entries

Each entry in the group file is a single line that contains four fields. The fields are separated by colons, and the last field ends with a newline character. The syntax of each entry and the meaning of each field is as follows:

groupname: password: group_id: user1 [user2,...,userN]

groupname

The name of the group defined by this entry. The groupname consists of from one to eight alphanumeric characters and must be unique.

password

Place an asterisk (*) in this field. Entries for this field are currently ignored.

group_id

The group identification number (GID) for this group, which is an integer. See the Technical Overview for information on the limits. Reserve the GID 0 for the system. The GID must be unique.

user

The user account belonging to this group, identified by the user name defined in the passwd file. If more than one user belongs to the group, the user accounts are separated by commas. The last user account ends with a newline character. A user can be a member of more than one group.

There is a limit to the number of groups that a user can be in, as documented in group(4). The maximum line length is LINE_MAX as defined in the /usr/include/limits.h file. User accounts should be divided into a number of manageable groups.

You can set defaults for certain GID values using the graphical or command line utilities. See Section 7.4.2.6 for an explanation of how to do this with Account Manager GUI (dxaccounts).

7.4    Administering User Accounts

The following sections describe how to:

• Administer user accounts using the SysMan Menu options. This method also allows you to add users in NIS (Network Information Service) and Lightweight Directory Access Protocol (LDAP) environments. Invoking the SysMan Menu and selecting the Manage Local Users option is described in Section 7.2.3.

• Administer local and NIS users and associated Windows NT domain accounts using the Account Manager GUI (dxaccounts). Invoking the Account Manager GUI is described in Section 7.2.2.

The process for using the useradd command line utility is similar and is documented in the reference pages but does not support NIS accounts. See the Network Administration: Services manual for information on NIS. The SysMan Menu Accounts options can be used from a terminal, X11, or Java client.

Note

Avoid using adduser because it does not provide all the available options and is not sensitive to security settings. To preserve the integrity of system files, avoid using manual methods of adding user accounts.

7.4.1    Using the SysMan Menu Accounts Options

The following sections describe how you create new accounts using SysMan Menu options. The following tasks are described:

• Gathering account information (Section 7.4.1.1)

• Setting account options, which apply to Local, NIS, and LDAP accounts (Section 7.4.1.2)

• Using filter options, which apply to Local, NIS and LDAP accounts, for searching accounts (Section 7.4.1.3)

• Creating or modifying local user accounts (Section 7.4.1.4)

• Deleting local user accounts (Section 7.4.1.5)

• Creating or modifying LDAP and NIS user accounts (Section 7.4.1.6)

• Deleting LDAP and NIS user accounts (Section 7.4.1.7)

For information on how you use the keyboard to enter information into fields on SysMan Menu utilities, invoke the online help.

7.4.1.1    Gathering Account Information

To prepare for administering accounts, gather the information on the worksheet provided in Table 7-2. If enhanced security is in use, the data items must comply with the minimum requirements (such as password length). See the Security Administration manual for more information.

See Section 7.3.3 for an explanation of the passwd file data items.

Table 7-2:  Account Administration Worksheet

* denotes a mandatory field

An example of typical user data is provided in Table 7-3.

Table 7-3:  Account Administration Worksheet with Example Data

* denotes a mandatory field

7.4.1.2    Setting Filter and Display Options

Use SysMan Manage local users Options... to configure filtering (described in Section 7.4.1.3) and display options. To set options, invoke the SysMan Menu and choose the Manage Local Users option as described in Section 7.2.3.

When you select Options... the SysMan Account Management: Program Options window opens and you can configure the following settings. Some option names are truncated here and appear as a descriptive line in the window:

On startup....

Use this option to set a trigger value for the filter feature. The default setting is 200 user accounts.

This feature is useful if you have many hundreds or thousands of user accounts. The more accounts that you have on your system, the longer it takes any SysMan Accounts task to find and display all the accounts. Setting a trigger value causes the SysMan Accounts task to default to enter a filter (search) mode on startup. This enables you to choose a specific account or group of accounts and to greatly reduce the search and display time.

For example, if you set a figure of 300 user accounts, SysMan Accounts defaults to filter mode only when you have more than 300 accounts.

UserName

This checkbox enables display of the user's account name in all account listings.

Userid (UID)

This checkbox enables display of the user identifier (UID) in all account listings.

Comments

This checkbox enables display of any account comments (such as location and telephone number) in all account listings.

Selecting checkboxes affects your filter options. You can filter accounts based only on the data displayed.

7.4.1.3    Using Filter Options

If you have a large number of accounts you can use the Filter... option to quickly find a particular account or group of accounts. You can invoke the filter automatically, depending on the settings in Options... (described in Section 7.4.1.2). Automatic invocation enables you to avoid a delay while the Account Manager finds and loads all the user account data. You can filter both local and NIS accounts using this feature.

To use the search and filter option, invoke the SysMan Menu and choose the Manage Local Users option as described in Section 7.2.3. Select Filter... to open a dialog window titled: Manage Local Users: Show. Using this window, you can perform simple and advanced searches.

To perform a simple search:

Enter a filter (a search string) or a set of filters. All simple searches are based on account names entered as follows:

• An individual user name such as s_kahn

• A wildcard pattern, such as *khan or ?_khan

• A comma-separated list of user names or wildcard patterns, such as *khan, kim, donny_w, tom*

Any accounts matching the filter specification are listed in the Manage Local Users window, with the original filter string identified at the top of the window.

To perform an advanced search:

Select Advanced to display the additional filter options. Activate a search option by selecting the checkbox.

The filter options are:

User name or filter...

Enter a filter as described for the Simple Search option.

User ID range...

Enter either a restricted range of UIDs, such as 1-100, or an open-ended range, such as 100-, to find all accounts with a UID greater than 100, or -100 to find all accounts with a UID less than 100.

Pattern in "comments"...

Enter a search pattern to search on data entered in the Comment (GECOS data) field when the user's account was created.

This may be a telephone number, a physical location, or other user-specific information. You can use the asterisk (*) or question mark (?) wildcards to define a pattern. For example; *string*, such as: *Sub*.

LOCKED or UNLOCKED search criteria...

This option enables you to include (or exclude) locked or unlocked accounts. You can use this option to identify all currently locked accounts.

A warning dialog box opens if you do not clear the contents of the Simple Search before invoking an Advanced Search. If you see this warning dialog box, select OK to accept the Advanced Search. This action supersedes any search criteria that you specified in the Simple Search.

7.4.1.4    Creating or Modifying Local Accounts

To create a new account, invoke the SysMan Menu and choose the Manage local users option as described in Section 7.2.3. A table listing all the existing local user accounts is displayed.

The online help provides explanations for the fields, and defines valid data.

Use the following procedure to add a local user:

1. Select the Add... option to open the Manage Local Users: Add a User dialog box.

2. Complete the data fields using the information from the worksheet in Table 7-2.

3. If additional NIS options are required, select Options.... The Options dialog box opens. Select the appropriate NIS option, then select OK to return to the Add a User window.

4. Select OK to add the new user. If you have made an error, such as a mistyped password confirmation, the utility prompts you to correct it.

5. The Local Users window opens, showing a confirmation message. Select OK to return to the SysMan Menu.

To modify an existing account, invoke the SysMan Menu and choose the Manage local users option as described in Section 7.2.3. The table of local users is displayed, listing all the existing local user accounts.

The online help provides explanations for the fields, and defines valid data.

Use the following procedure to modify a user entry:

1. Scroll through the list of users and select the entry you want to modify.

2. Select Modify... to open the Account Manager: Modify a User window.

3. Change the contents of data fields as needed.

4. If additional NIS options are required, select Options.... The Options dialog box opens. Select the appropriate NIS option, then select OK to return to the Modify a User window.

   To add or modify more than one account, select Apply instead of OK. All changes are deferred until you select OK to exit.

5. Select OK to confirm the changes. If you have made an error, such as a mistyped password confirmation, the utility prompts you to correct it. password confirmations.

6. The Manage Local Users window opens, showing a confirmation message. Select OK to return to the SysMan Menu.

7.4.1.5    Deleting Local Accounts

Before deleting accounts consider the following:

• As an alternative to deletion, you can use Modify... to lock an account. You can transfer the account to another new user using Modify... to change some account details.

• You can invoke the dxarchiver utility before deleting the account to create a compressed archive file of the user's directories and files. See dxarchiver(8) for more information.

To delete an account, choose the Manager Local Users option as described in Section 7.2.3. The table of local users lists all the existing accounts. Use the following process to delete a user:

1. Scroll through the list of users and select the user account that you want to delete.

2. Select Delete... to open the Account Manager: Delete a User dialog box.

3. Optionally, select Delete User's Directory and Files if you want to remove the user's resources and recover the disk space.

4. Select OK to delete the account. The list of local users is updated immediately.

7.4.1.6    Creating or Modifying LDAP and NIS Accounts

To create a new LDAP or NIS account, invoke the SysMan Menu and select the Manage NIS Users option or Manage LDAP Users option as described in Section 7.2.3. The LDAP or NIS Users table lists all the existing local user accounts.

Use the following procedure to create an account for a local user:

1. Select Add... to open the Manage LDAP or NIS Users: Add a User window.

2. Complete the data fields using the information from the worksheet described in Table 7-2.

3. Select OK to add the new user. If you have made an error, such as a mistyped password confirmation, the utility prompts you to correct it. password confirmations.

4. The Manager LDAP or NIS Users window opens, showing a message confirming the successful addition. Select OK to return to the SysMan Menu.

To modify an existing account, invoke the SysMan Menu and choose the Manage LDAP or NIS Users option as described in Section 7.2.3. The LDAP or NIS Users table lists all the existing local user accounts. Use the following procedure to modify a user entry:

1. Scroll through the list of LDAP or NIS users and select the user account that you want to modify.

2. Select Modify... to open the Manage LDAP or NIS Users: Modify a User dialog box.

3. Change the contents of data fields as required.

4. Select OK to confirm the changes. If you have made an error, such as a mistyped password confirmation, the utility prompts you to correct it. password confirmations.

   To add more than one account, select Apply instead of OK. All changes are deferred until you select OK to exit.

5. The Local Users window opens with a message confirming the successful addition. Select OK to return to the SysMan Menu.

The online help provides explanations for the fields, and defines valid data.

7.4.1.7    Deleting LDAP and NIS Accounts

To delete LDAP or NIS accounts, choose the Manage LDAP or NIS Users option as described in Section 7.2.3. The LDAP or NIS Users table lists all the existing accounts.

Use the following process to delete a user:

1. Scroll through the list of users and select the account that you want to delete.

2. Select Delete... to open the Manage LDAP or NIS Users: Delete a User dialog box.

3. Optionally, select Delete User's Directory and Files if you want to remove the user's resources and recover the disk space.

4. Select OK to delete the account. The list of LDAP or NIS users is updated immediately.

7.4.2    Using Account Manager (dxaccounts)

Invoke the Account Manager GUI (dxaccounts) as described in the quick start instructions in Section 7.2.2. The Account Manager on <host> window opens first. Use the following procedure to administer accounts, using the data gathered in the Table 7-2 worksheet.

Use the following procedures to add, modify and delete accounts when using the Account Manager GUI. The processes are identical for administering NIS users, except that you also must be authorized to make changes to the NIS databases. (See the Network Administration: Services manual for more information on NIS.)

Most options require root privilege because they affect the user account databases. Options that do not affect the databases are available to all users. An example of such an option is Find, which you use to locate accounts.

When ASU is installed, additional options are displayed in the dxaccounts windows that enable you to administer accounts in Windows NT domains and create associated UNIX accounts simultaneously. See the Installation and Administration Guide for more information on ASU.

If Enhanced (C2) security is enabled, additional options enable you to retire and disable accounts according to the security settings in force. See the Security Administration manual for more information.

7.4.2.1    Adding and Modifying Accounts

You use the Account Manager on <host> window to add or modify user accounts as follows:

• Select Add to create a new account.

• To modify an existing account, double click on the user's icon. If there are many accounts, you use the options described in Section 7.4.2.3 to find accounts.

• You can copy (clone) a new account from an existing account, as described in Section 7.4.2.4.

Use the following procedure to add or modify accounts:

1. If the current view is not Local Users, pull down the View menu and select the Local Users option.

2. Select Add to open the Add/Modify Local User dialog box; select Add.

   (To modify an existing account, double click on the user's icon.)

3. Enter the new user name in the Username field.

4. Either select the next available UID, or enter a new UID.

   If you modify a user's UID with Account Manager, the ownership of the user's files and subdirectories does not change and, under certain circumstances, the home directory ownership may not change either. For example, if you change the UID of user johndoe from 200 to 201, the files and subdirectories under his home directory still belong to UID 200. Furthermore, if johndoe does not own his home directory, the ownership of that directory does not change either. To avoid this problem, use the chown command to change the directory and files, if applicable.

5. Use the pull-down menu to choose the primary group, or clear the text field and type a group name.

   If secondary groups are required, select Secondary Groups.... In the Secondary Groups window, double click on any required local or NIS (if available) groups.

6. Select the preferred shell from the pull-down menu.

7. The home directory is created at the default location of /usr/users/<username>. Enter an alternative path if required.

8. Select Password... to enter an initial password. Use a mixed case or alphanumeric string of length determined by local security settings.

9. Enter any user information (GECOS field data) in the comments fields.

10. You can check the following boxes:

    Automatically create the home directory

    This creates the directory with the correct ownership and protections.

    Lock the account

    This prevents any logins until you clear the field.

11. Select OK to create the account and return to the Account Manager main window. If you have made an error, the utility prompts you to correct it. password confirmations.

    The Current View is updated with an icon for the new user.

7.4.2.2    Deleting Accounts

Invoke the dxaccounts utility as described in Section 7.2.2. The Account Manager on <host> window is displayed first.

1. Double click the icon of the account that you want to delete. If there are many accounts, use the options described in Section 7.4.2.3 to find accounts.

2. Select Delete. The Delete Local UNIX User window opens. You can remove the user's files and directories at this time. (You may want to archive these. See the dxarchiver option.)

3. Select OK to confirm the deletion and return to the Account Manager on <host> window. This window is updated immediately, removing the deleted user account.

7.4.2.3    Finding and Selecting Accounts

The dxaccounts utility provides a useful search feature that you can use to locate user accounts. You can use this feature to choose groups of users to which you want to apply global changes, such as modifying the user shell or password.

Invoke the dxaccounts utility as described in Section 7.2.2. The Account Manager on <host> window opens first.

1. Select Find.

2. Enter a search string (a text string) in one of the fields and select OK.

The Find option enables you to locate and display all accounts where the data in the search field contains the search string. For example:

1. Enter the string ad in the Username field then select OK.

2. The Selected Users window opens, with a list of users who matched the search criteria.

   The matched users include adm, admin, adamK, and wadmanB. These user accounts are highlighted in the Current View.

After you select a group of user accounts, you can choose the modify (or delete) option to perform global operations on the selected users.

7.4.2.4    Copying Accounts

You can use existing accounts as templates to create new accounts, enabling you to clone the account properties. You can create an exact duplicate of one or more accounts using the following procedure:

1. Select the icon for an existing user account to highlight it, or use the mouse to select a group of accounts.

2. Select OK to copy the account.

3. Select Paste to create a clone account. The new icon label has the original name, appended with the string _copyn, where n represents the sequential number of the copy. You can make as many copies as required.

4. Choose each duplicate account in turn to rename it and to modify its properties as described in Section 7.4.2.1.

5. Make the minimum required modifications to the account as follows:

   1. Enter the new user name

   2. Change the UID or choose the next available UID

   3. Change the password

6. Select OK to add the modified account and return to the Account Manager on <host> window. This window is updated immediately with an icon for the new account.

You can use the same procedure to clone groups.

When copying user accounts using cut and paste or drag and drop, the Allow Duplicate UIDs option in the General Preferences dialog box is honored. For example, when making a copy of a user account that has a UID of 200, if the Allow Duplicate UIDs check box is off (the default), a unique UID is generated automatically for the resulting copy. If the Allow Duplicate UIDs check box is on, then the copy has an identical UID. The same rule applies to copying groups.

Using MB1 to drag and drop user accounts, groups, or templates results in a copy operation, not a move operation. This is different from the default CDE behavior, where using MB1 performs a drag and drop move operation and Shift-MB1 performs a copy operation. For example, if you use MB1 to drag a user account from the Local Users view and drop it in the NIS Users view, you create a copy of that user account in NIS. To avoid this problem, delete the original icon after the copy is complete.

7.4.2.5    Using the Password Option

The dxaccounts utility provides a password option enabling you to change or remove passwords for a single user or a group of users. Use this option as follows:

1. Choose the user or users whose passwords you want to change. The Find option may be useful in selecting groups of users.

2. From the Edit menu, choose Password.

3. In the New Password window, enter and confirm the new password.

   Select No Password to remove the current passwords; there are important system security implications when you choose this option.

4. Select OK to confirm the change and return to the Account Manager main window.

7.4.2.6    Account Manager (dxaccounts) General Options

The Account Manager GUI (dxaccounts) enables you to set defaults easily for newly created user accounts. Also, you can set account defaults using the command line (useradd) but you cannot use SysMan Menu Accounts options to set defaults. Use the following procedure to add or modify defaults:

1. From the Options menu, select General.... The General Options window opens, enabling you to set the following defaults:

   Duplicates Policy

   These options enable you to allow duplicate User Identifiers (UID) and Group Identifiers (GID).

   ID Ranges Policy

   These options enable you to control the minimum, next, and maximum UID and GID.

   Default Primary Group

   This option enables you to set the default primary group to a group other than users.

   Default Primary Group

   This option enables you to set the default home directory to a location other than /usr/users.

   Default Shell for User

   This option enables you to set the default login shell.

   Default Primary Group

   This option enables you to set the default skeleton directory path to a location other than /usr/skel.

   Use Hashed Password Database

   This option forces the creation of a hashed (encrypted) password database.

   Require Password For New Accounts

   This option forces the entry of a password each time an account is created.

   Synchronize UNIX and Windows NT domain accounts

   This option forces the automatic creation of an account when the UNIX account is created.

2. After you make the required changes, select OK to update the defaults and return to the Account Manager main window.

7.5    Administering Groups

The following sections describe how to administer groups:

• Using these SysMan Menu Accounts options:

  • Manage local groups

  • Manage NIS groups

  • Manage LDAP groups

• Using the Account Manager GUI (dxaccounts).

You also can use the groupadd, groupmod, and groupdel commands to administer groups. See the documentation specified in Section 7.1.3 for more information on command line options.

Note

Avoid using the addgroup utility as it does not provide all the available options and is not sensitive to security settings.

To preserve system file integrity, avoid using manual methods of adding user accounts.

7.5.1    Using the SysMan Menu Accounts Group Options

The following sections describe how to administer groups using SysMan Menu options. The following tasks are described in this section:

• Creating a new local, LDAP, or NIS group

• Modifying an existing local, LDAP, or NIS group

• Deleting a local, LDAP, or NIS group

For information on how to use the keyboard to enter information into fields on SysMan Menu screens, invoke the online help.

7.5.1.1    Gathering Group Information

To prepare for administering groups, gather the information in the worksheet provided in Table 7-4. If enhanced security is in use, the data items must comply with the minimum requirements. See the Security Administration manual for more information.

See Section 7.3.4 for an explanation of the group file data items. In the SysMan Menu options, you can specify default values for NIS groups. See the Network Administration: Services manual for information on configuring NIS.

In Table 7-4 the data items marked O are optional. You must specify at least one user account.

Table 7-4:  Group Administration Worksheet

* denotes a mandatory field

7.5.1.2    Creating or Modifying Groups

To create a new group, invoke the SysMan Menu and choose the Manage local groups option as described in Section 7.2.3. The Local Groups table is displayed, listing all the existing local groups. The process for adding NIS groups is identical, except that you choose the Manage NIS groups option.

Use the following procedure to create a group:

1. Select Add... to open the Add a Group dialog box.

2. Complete the data fields using the information from the worksheet in Table 7-4.

3. Optionally, in the Members panel, highlight the names of users who are the initial members of the new group.

4. Select OK to add the new user. If you have made an error, the utility prompts you to correct it.

5. The Local Groups table dialog box opens, with a message confirming the successful addition. Select OK to return to the SysMan Menu.

To modify an existing group, invoke the SysMan Menu and choose the Manage local groups option as described in Section 7.2.3. The Local Groups table is displayed, listing all the existing local groups. Use the following procedure to modify a group entry:

1. Scroll through the list of groups and choose the group that you want to modify.

2. Choose Modify... to open the Manage Local Groups: Modify a Group window.

3. Change the contents of data fields as required. For example, you can scroll through the list of users and add new users to the group.

4. Select OK to confirm the changes.

   To modify more than one group, select Apply instead of OK. All changes are deferred until you select OK to exit.

5. The Local Groups window opens, with a message confirming the successful modification. Select OK to return to the SysMan Menu.

Online help provides explanations for the fields, and defines valid data.

7.5.2    Using Account Manager (dxaccounts)

Invoke the Account Manager (dxaccounts) utility as described in Section 7.2.2. The Account Manager on <host> window opens first. Using the data from the worksheet in Table 7-4, use the procedures in the following sections to add, modify, and delete groups when using dxaccounts. The process for administering NIS groups is identical to the process for administering Local Groups, except that you must be authorized to change the NIS databases. You can still use any options, such as Find, that do not change the databases.

If there are many groups on your system, use the Find option described in Section 7.5.2.4 to locate groups that you want to modify or delete.

The Account Manager utility does not administer LDAP groups.

7.5.2.1    Adding Groups

Add a group as follows:

1. Pull down the View menu and choose the Local Groups option.

2. Select Add to open the Add/Modify Local UNIX group window.

3. Enter the new group name in the Name field.

4. Choose the next available GID or enter a new GID.

5. Double click on any user name to add that user to the group. This action is optional.

6. Select OK to add the group and return to the Account Manager on <host> window. This window is immediately updated with an icon for the new group.

An alternative method of adding a new group is to clone it from an existing group as follows:

1. Select an existing group icon to highlight it.

2. Select Copy to copy the group.

3. Select Paste to create a new version of the group. The new icon label has the original name, appended with the string _copyn, where n represents the sequential number of the copy. You can make as many copies as required.

4. Double click on the newly copied icon to highlight it and display the Add/Modify Local UNIX group window. Modify is selected automatically.

5. Make any required modifications to the group as follows:

   • Enter the new group name

   • Change the GID, or choose the next available GID

   • Add or delete members

6. Select OK to add the group and return to the Account Manager on <host> window. This window is updated immediately with an icon for the new group.

7.5.2.2    Modifying Groups

Invoke the dxaccounts utility as described in Section 7.2.2. The Account Manager on <host> window opens first. Use the following procedure to modify a group:

1. Double click on the group that you want to modify. The Add/Modify Local UNIX group window opens.

2. Make any required modifications to the group. For example:

   • Rename the group

   • Change the GID

   • Add or delete members

3. Select OK to confirm the changes and return to the Account Manager on <host> window. This window is updated immediately with any changes for the group.

7.5.2.3    Deleting Groups

Invoke the dxaccounts utility as described in Section 7.2.2. The Account Manager on <host> window opens first. Use the following procedure to delete a group:

1. Select the group that you want to delete.

2. Select Delete. The utility prompts you for a confirmation that you want to delete this group.

3. Select Yes to confirm the deletion and return to the Account Manager on <host> window. This window is updated immediately, removing the deleted group.

7.5.2.4    Finding Groups

The Account Manager utility (dxaccounts) enables you to locate groups and users who are members of groups.

Invoke the dxaccounts utility as described in Section 7.2.2. The Account Manager on <host> window opens first. To find a group:

1. Select Find.

2. Enter one of the following search strings:

   A group name or name fragment (text string)

   The Find option selects and displays all groups where the group name contains this string. For example, the string mem is matched to groups mem and kmem.

   A GID (integer)

   Any number entered is treated as a string. The Find option selects and displays all groups where the GID contains this string. For example, the string 20 is matched to groups 20 and 220.

   A user name (text string)

   The Find option selects and displays all groups with users whose user name contains this string. For example, the string wal is matched to groups containing users named wallyB and cadwalZ.

7.6    Administering Windows Domain Accounts and Groups

When the Advanced Server for UNIX (ASU) is running, the account management utilities can be configured to support the creation and administration of Windows domain accounts. For information on installing and configuring ASU, see the ASU Installation and Administration Guide. When ASU is installed, you can use the account management utilities to perform certain operations on associated (synchronized) accounts. These are accounts for the same user that exist both in the Windows domain and the UNIX environment, and are referred to as synchronized accounts in the UNIX utilities. For specific information on Windows 2000, see Section 7.6.2.

To configure a UNIX system to create associated Windows NT domain and UNIX accounts, and to set the default account creation options, you must set the account environment variables using the usermod (or useradd) command as shown in Example 7-1.

Note

When ASU is installed and configured, the creation of associated Windows NT domain and UNIX accounts is enabled by default. All account management utilities have their PC support features enabled. The value of the Synchronized UNIX/PC Accts environment variable is one (1), which indicates that the setting is on.

Example 7-1:  Changing the Default Environment Variables Using usermod

# usermod -D [1]
 
Local                           = 1
Distributed                     = 0
Minimum User ID                 = 12
Next User ID                    = 200
Maximum User ID                 = 4294967293
Duplicate User ID               = 0
Use Hashed Database             = 0
Max Groups Per User             = 32
Base Home Directory             = /usr/users  [2]
Administrative Lock             = 1
Primary Group                   = users
Skeleton Directory              = /usr/skel
Shell                           = /bin/sh
Synchronized UNIX/PC Accts      = 0
PC Minimum Password Length      = 0
PC Minimum Password Age         = 0
PC Maximum Password Age         = 42
PC Password Uniqueness          = 0
PC Force Logoff After           = Never
 
# usermod -D -x pc_synchronize=1 pc_passwd_uniqueness=1 \
pc_max_passwd_age=60 [3]
 
# usermod -D
.
.
.
Synchronized UNIX/PC Accts      = 1
PC Minimum Password Length      = 0
PC Minimum Password Age         = 0   [4]
PC Maximum Password Age         = 60
PC Password Uniqueness          = 1
PC Force Logoff After           = Never
 
 

1. This command displays the current default environment variables. [Return to example]

2. The output from the usermod command is a list of default values for the environment variables. When you create an account, these values are assigned to the new account. For example, all new accounts are created in the base home directory of /usr/users. [Return to example]

3. This command specifies new default values for three environment variables that apply only to Windows NT domain accounts. [Return to example]

4. This (truncated) list shows the new default values for the environment variables, which are as follows:

   pc_synchronize=1

   Creates associated Windows NT domain and UNIX accounts if ASU is running

   pc_passwd_uniqueness=1

   Forces validation of the password for uniqueness

   pc_max_passwd_age=60

   Specifies the maximum number of days that can elapse before a password must be changed by the user

   [Return to example]

At the command line prompt, you can enter -h after each command to open a help screen showing the various command options. In ASU User Manager for Domains, you perform a similar task when you edit the default policy, which establishes similar default environment variables for newly created accounts.

You cannot use ASU account management utilities to perform operations on UNIX accounts only, or use UNIX utilities to perform operations on accounts that exist only in the Windows NT domain. The following sections provide information on how the UNIX and ASU account administration utilities behave when ASU is running and when you are administering synchronized accounts.

7.6.1    Administering Synchronized Accounts

If you have set up ASU and configured the creation of synchronized accounts, certain features in the account administration utilities are enabled automatically. The following sections describe how those features appear in the different account management utilities.

A lock file prevents you from using two different utilities (or two instances of the same utility) at the same time. This scenario easily could arise in large installations with many administrators managing many accounts. This lock file is at /etc/.AM_is_running. If the lock file exists, only one process can access the system files that relate to user and group data. If you attempt to invoke a second instance of any UNIX account management utility, an error message informs you that the data files are locked.

When using the ASU utilities to add accounts, ASU detects the presence of the lock file, and is unable to create an associated UNIX account. It only creates a Windows NT domain account. No lock file error message is displayed, and you do not receive a confirmation that the associated account was not created. When using ASU tools, verify the creation of an associated UNIX account by examining the contents of the /etc/passwd file.

7.6.1.1    Using SysMan Menu Accounts and Groups Options

The user interfaces for SysMan Menu Accounts utilities do not display any visual differences when ASU is running. If synchronized accounts are enabled, there are no differences in the windows and screens. However the following changes in behavior should be noted:

Add a user

You can choose from several DOS---- groups when assigning the account holder to a group as part of account creation (the Primary Group option).

If the creation of associated Windows NT domain accounts is enabled as described in Example 7-1, the associated account is created automatically and you cannot override its creation.

Delete a user

The associated Windows NT domain account is deleted automatically. You cannot override this deletion. If you want to retain the users' Windows NT domain account, do not perform this operation.

Add/Modify a group

Several DOS---- groups are included in the selection list of groups, showing the default Windows NT domain accounts, such as lanman and lmxadmin.

See Chapter 1 for information on using the SysMan Menu.

7.6.1.2    Using Account Manager (dxaccounts)

The Account Manager utility (dxaccounts) is an X11-compliant GUI and as such can be used only in an X-window user environment such as CDE. The dxaccounts main window provides an option to create PC (Windows NT domain) accounts. This option is dimmed and unusable unless ASU is running. When ASU is running, the following features are available:

• When creating an account in one user environment, such as the Windows NT domain, you can choose to create a synchronized account in the other user environment, such as the UNIX environment.

• You can choose not to create an associated Windows NT domain account or UNIX account, even if creation is enabled by default as shown in Example 7-1.

• Additional options appear on the View menu, enabling you to open all Windows NT domain accounts and groups. When you choose these options, the PC (Windows NT domain) user and group accounts icons are displayed. You can add, modify, and delete PC accounts and groups as if they were UNIX accounts.

• From the Options menu, you can use the PC Defaults option to set characteristics that are inherited by any newly created account. You use the General Options menu item to set account synchronization and to set characteristics for UNIX accounts.

• When removing accounts with Delete, you are prompted to choose the UNIX account, the PC account, or both.

• When using the View menu, Local Groups option, the PC groups (DOS----) are visible and you can perform administrative tasks on these groups.

• When using the View menu, PC Groups option, the PC domain groups are visible and you can perform administrative tasks on these groups.

You use the processes described in Section 7.5.2 to perform administrative operations on PC accounts and groups.

The advantage of using dxaccounts is that it is a native X11 application and can use the features of the windowing environment, such as dragging and dropping icons or cutting aand pasting icons, to clone new user accounts and groups from existing entities easily. However, unlike the portable SysMan Menu Account utilities, it runs only in an X-window user environment such as CDE.

The Account Manager utility does not administer LDAP groups.

7.6.1.3    Using Command Line Utilities

The command line utilities for administering user and group accounts are used to configure the default account characteristics also, as shown in Example 7-1. These characteristics are applied to all newly created accounts, and are referred to as the account policy in the ASU utilities. Unlike the graphical utilities, when using the commands you can choose to override the default environment variables and specify customized values for new accounts.

When ASU is installed, the following account and group creation options become available for use:

• useradd, usermod - The following extended options are provided to set the default Windows NT domain account characteristics using the -D option. Also shown are the default values:

  pc_synchronize= (value: 1, on)

  Use this option to determine whether synchronized accounts are created by default when a new account is created either for the Windows NT domain or on a UNIX system. Synchronized accounts are not created if this value is zero.

  pc_min_password_age= (value: 0, off)

  Use this option to specify how many days must elapse before a password can be changed. The user is not allowed to change passwords more frequently than this.

  pc_max_password_age= (value: 42 days)

  Use this option to specify how many days can elapse before a password must be changed. The user must change passwords at least this frequently.

  pc_passwd_uniqueness= (value: 0, off)

  Use this option to force verification of user-supplied passwords, ensuring that users do not reuse passwords.

  pc_force_logoff= (value: Never, off)

  Use this option to set up temporary accounts where the account holder is logged out automatically after a certain time when the account expires.

  You invoke these extended options with the -D -x options, as shown in Example 7-1. To override the default characteristic, you specify the extended option with the -x flag during an account administration operation, such as account creation:

  # useradd -x pc_passwd_uniqueness=1 guest9 
  

  The following command options are not extended options and do not set default account characteristics. These account characteristics can also be created using the ASU utilities. Use these command options when adding a new account:

• pc_username=name_string

  The user account name in the Windows NT domain. This can be identical to, or different from, the user's UNIX account name.

• pc_unix_username=login_name

  The synchronized UNIX account name. If no name is entered, it is the same as the Windows NT domain account name.

• pc_fullname=text_string

  The full name of the user or a description of the account.

• pc_comment=text_string

  A brief description of the account that can be changed only by the administrator.

• pc_usercomment=text_string

  A brief description of the account. This string can be changed by the user.

• pc_homedir=pathname

  The path to the user's home directory, specified as a Windows NT share format.

• pc_primary_group=group

  The primary group (Windows NT domain) to which the user belongs.

• pc_secondary_groups=group,group....

  The secondary Windows NT domains to which the user belongs. This value is specified as a comma-delimited list.

• pc_logon_workstations=client_name

  A list of client host systems from which the user can log on. This value is specified as a comma-delimited list. A null value (" ") means that the user can log on from all workstations.

• pc_logon_script=pathname

  The directory where the default logon script is located. (This directory is created during ASU configuration.)

• pc_account_type=local|global

  Specifies whether the account is a local or global account in the Windows NT domain.

• pc_account_expiration=date_string

  Specifies the date on which the account expires and logins are prevented.

• pc_logon_hours=Dd0000-0000,Dd0000-0000....

  Specifies the days of the week and hours of the day during which logins expire and logins are permitted or denied.

• pc_user_profile_path=pathname

  Specifies the pathname to the default user profile directory.

• pc_disable_account=0|1

  Specifies whether the account is locked initially, disabling logins.

• pc_passwd0|1

  A text string used as the initial account password. You must precede this option with the -x flag and you are prompted to enter a password, and then confirm the entry. The password is not be echoed to the display.

• pc_passwd_choose_own=0|1

  Controls whether users can set their own passwords.

• pc_passwd_change_required=0|1

  Forces the user to change the password at the initial login.

• userdel - The only supported PC (Windows NT domain) option you can use with this command is Synchronized UNIX/PC Accts.

  Use this option to delete synchronized accounts, as follows:

  # userdel -r -x pc_synchronize=1 studentB
  

• groupadd, groupmod

  The following extended options can be used with the -x flag to administer groups in Windows NT domains:

  pc_group_description=string

  Specifies a text string that provides a description of the group.

  pc_group_members=user,user....

  Specifies a comma-delimited list of group members.

The advantage of using the command line is that it offers complete control over administrative tasks, enabling you to specify any and all command options and override the default account environment variables.

Commands can be used as part of a shell script to customize and automate account creation. However, the command options can be lengthy, so it is often easier to set up an account using the graphical utilities.

See useradd(8) and groupadd(8), and the related reference pages identified therein.

7.6.1.4    Using the ASU User Manager for Domains

ASU provides its own utility for administering Windows NT domains, domain user accounts, and groups. This application must be installed on and can only be used from a system running Windows NT. It provides the same features as the net command line options.

You can specify default environment variables for all newly created accounts. These environment variables are referred to as account policies in the Windows NT domain. You cannot set the default environment variables for synchronized UNIX accounts when using the User Manager for Domains (usrmgr.exe).

See the ASU Installation and Administration Guide and the User Manager for Domains online help for more information.

7.6.1.5    Using ASU net Commands

ASU provides an extensive set of net commands that you enter on the UNIX command line or from a DOS window on a Windows NT server.

For example, the following command displays the help for net user, the command you can use to add, modify, or delete user accounts:

# net help user | more
 
The syntax of this command is:
 
NET USER [username [password | \*] [options]]
          username [password | \*] /ADD [options]
          username [/DELETE]
.
.
.
# net user josef /add

Enter the following command to display a list of net command options:

# net help view

See the Installation and Administration Guide for more information on using net commands.

7.6.2    Windows 2000 Single Sign-On

If your local computing environment consists of UNIX servers and Windows 2000 client systems, and you have one or more domain controllers in the environment, you can configure the optional Windows 2000 Single Sign-On (SSO) software. The SSO software enables account holders in the Windows 2000 domain to access computing resources on the UNIX server without needing a separate UNIX account.

The SSO software modifies the Windows Active Directory and the associated Windows account management utilities. These modifications enable administrators in the Windows 2000 domain to record UNIX account information in the user's Windows 2000 account records. The UNIX server systems have secure access to the account holder's data and can read the account holder's UNIX login information, such as password or GID.

You can create SSO user groups using the same software and administrative tools.

7.6.2.1    Single Sign-On Installation Requirements

Configuration and use of this feature has the following installation prerequisites:

• You must have root access to the UNIX system and be an administrator of every Windows 2000 domain controller on which the SSO software is to be installed. You must run an installation procedure on the UNIX system and at least one domain controller.

• The UNIX system cannot be running C2 level security. See the Security Administration manual for more information on security levels.

• You need the Associated Products Volume 2 CD-ROM on which you find the SSO software kit. The Windows 2000 Single Sign-On Installation and Administration Guide is included in the kit in the /doc directory.

• You need the following information:

  • The domain name, such as sso.w2k.com.

  • The domain controller host name, such as w2kserv.sso.w2k.com.

  • The account name and password of a privileged domain account. This account should belong to the Administrators group and hold administrative privileges, but should not be the main Administrator account. If no such account exists, create one before starting the installation.

7.6.2.2    Installing the Single Sign-On Software

Install the software as follows:

1. Load the CD-ROM into the reader.

2. Create a mount point and mount the CD-ROM using commands similar to the following:

   # mkdir /apcd
   # mount -r /dev/disk/cdrom4c /apcd
   

3. Locate the installation kits and documentation as follows:

   # ls /apcd/Windows2000_SSO
    
    
   

4. Use the setld command to install the software subset named W2KSS0100. The configuration script, /usr/sbin/w2ksetup, runs automatically when the installation is complete. Complete the configuration as described in the Windows 2000 Single Sign-On Installation and Administration Guide.

7.6.2.3    UNIX Requirements for Creating Single Sign-On Accounts

The following requirements for UNIX account characteristics apply to SSO accounts:

• You can create SSO user accounts in the Windows 2000 user environment using a modified version of the standard Windows 2000 user management tools only. You cannot create SSO accounts using UNIX tools such as dxaccounts or useradd.

  You can upgrade existing Windows 2000 accounts to provide account holders with SSO privileges for UNIX resources.

• There are terminology differences between UNIX accounts and Windows 2000 accounts. For example, user account data that describe the characteristics of an account are referred to as properties in Windows 2000 and attributes in the UNIX operating system. In the UNIX environment, this information is called GECOS data. The data is used by certain UNIX commands and utilities to perform account operations or to identify users. See Section 7.3.3 and subsequent sections for a description of UNIX account attributes.

  Prepare the following account data for each user or group. If necessary, use the UNIX account management tools described in this chapter to ensure that the account data is of an appropriate format and is unique for each user:

  Username

  In Windows 2000, the Username is the user logon name. For SSO it must meet two requirements; length and uniqueness. This also applies to group names.

  Windows 2000 can support very long user names although in practice most users prefer short adaptations of their name and initials, which are easier to remember and type. The maximum length of the user name is determined by the current restriction to eight characters in the UNIX environment.

  The actual name can be as short as the user's initials but must be unique on both systems for every user. If a user with only a UNIX account has the user name chs, you cannot assign that name to an SSO account.

  Password

  Each user requires a password. You determine the length of the password by the current settings on the UNIX system. These settings can vary depending on the security mechanisms in force. See the Security Administration manual for more information.

  UID and GID

  Each account requires a unique identification integer called a UID and each group has a GID. See Section 7.3.2 and Section 7.3.4 for a description of these identifiers.

  User Comment

  This field enables you to enter a text description of the GECOS data for future reference.

  Home Directory

  In the UNIX environment, the user's home directory is synonymous with a disk share on Windows 2000 system. The home directory is a section of the /usr UNIX file system that is reserved for user accounts, typically using the user's account name in the path to the directory. For example, /usr/staff/songch or /usr/users/chs.

  Shell

  This is the user's default UNIX command environment that is invoked when the user logs on, such as the Bourne shell (sh) or Korn shell (ksh). See the shells(4) and Section 7.3.1 for more information.

7.6.2.4    Creating Single Sign-On Accounts and Groups

Using the information prepared in Section 7.6.2.3, create SSO accounts as follows:

1. Log in to your administrator's account on the Windows 2000 domain controller.

2. Invoke the Microsoft Management Console (MMC) interface and open the Active Directory Users and Computers Window.

3. Open the Users folder and either choose an existing user or open the Action menu and choose the New option then the User option.

4. Three dialog boxes open in succession. You are prompted to enter the following information for each new user account:

   • The user account details, such as name.

   • The initial password for the account and any password characteristics.

   • The UNIX account properties. Use the information identified in Section 7.6.2.3, such as the UID and GID.

To create an SSO group use the same procedure, selecting the New and Group menu options in step 3.

7.6.2.5    Single Sign-On System Files

When you install and configure the software, the following system files are created:

• The ldapcd daemon, which is the connection to the registry of account information on the domain server. If the daemon is killed or stopped accidentally, restart it using the following command:

  #  /sbin/init/dldapw2k restart
  

• The /etc/ldapcd.conf configuration file, which contains settings for the ldapcd daemon.

• The /etc/w2kusers.deny configuration file, which forces UNIX authentication only for the named users.

See the file headers and the Windows 2000 Single Sign-On Installation and Administration Guide for more information on these files.