Transitioning From Oracle Solaris 10 to Oracle Solaris 11.1 (Oracle Solaris 11.1 Information Library)
11. Managing User Accounts and User Environments
Commands and Tools for Managing User Accounts
User Account Management Changes
User Password and Login Changes
Sharing Home Directories That Are Created as ZFS File Systems
User Environment Feature Changes
Default Login Shell and PATH Environment Variable
In this release, you can create and manage user accounts from the command line or with the User Manager GUI. The GUI replaces some of the functionality of the Solaris Management Console and its associated command-line tools. For more information, see Managing User Accounts and User Environments in Oracle Solaris 11.1.
The following features are new or have changed in this release:
Addition of the User Manager GUI – The User Manager GUI is part of the Visual Panels project and is accessible from the desktop. The GUI replaces some of the functionality of the Solaris Management Console. See Chapter 3, Managing User Accounts by Using the User Manager GUI (Tasks), in Managing User Accounts and User Environments in Oracle Solaris 11.1.
Creating user accounts – User account creation has changed in the following ways:
In Oracle Solaris 11, each user's home directory is created as an individual ZFS file system, so every user has their own file system and their own ZFS dataset. The useradd and roleadd commands create each home directory under /export/home as an individual ZFS file system.
The useradd command relies on the automount service, svc:/system/filesystem/autofs, to mount home directories. This service should never be disabled. Each home directory entry for a user in the passwd database uses the format, /home/username, which is an autofs trigger that is resolved by the automounter through the auto_home map.
The useradd command automatically creates entries in the auto_home map that correspond to the pathname that is specified by the -d option of this command. If the pathname includes a remote host specification, for example, foobar:/export/home/jdoe, then the home directory for jdoe must be created on the system foobar. The default pathname is localhost:/export/home/user. Because /export/home is the mount point for a ZFS dataset, the user's home directory is created as a child ZFS dataset, with the ZFS permission to take snapshots delegated to the user. If a pathname that does not correspond to a ZFS dataset is specified, then a regular directory is created. If the -S ldap option is specified, then the auto_home map entry is updated on the LDAP server instead of the local auto_home map.
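The passwd entry (/home/username) and the auto_home map entry that useradd writes must agree for the automounter to resolve a login's home directory. The following Python script is an added example, not part of the Oracle documentation, that cross-checks the two files and flags accounts whose /home trigger has no local map entry or whose map entry points at a remote host (where the directory must exist before the user can log in). The passwd and auto_home contents are constructed samples; the two-column "key location" map format and the localhost:/export/home/user default are taken from the text above.

```python
"""Added example (not from the Oracle documentation): cross-check passwd home
directory entries against the auto_home map, the way useradd wires them up.

Assumptions (labelled): passwd lines use the standard 7-field colon format and
auto_home lines use the two-column "key<whitespace>host:/path" automounter
format described in the text. All sample data below is constructed."""
import re

# Constructed sample of /etc/passwd: jdoe and asmith were created by useradd,
# legacy was migrated from Solaris 10 with a direct /export/home path, and
# orphan has a /home trigger but no matching local auto_home key.
SAMPLE_PASSWD = """\
root:x:0:0:Super-User:/root:/usr/bin/bash
jdoe:x:100:10:J. Doe:/home/jdoe:/usr/bin/bash
asmith:x:101:10:A. Smith:/home/asmith:/usr/bin/bash
legacy:x:102:10:Migrated user:/export/home/legacy:/usr/bin/bash
orphan:x:103:10:No map entry:/home/orphan:/usr/bin/bash
"""

# Constructed sample of /etc/auto_home. The "+auto_home" line makes the
# automounter also consult the name service (for example LDAP) for keys
# that are not found locally.
SAMPLE_AUTO_HOME = """\
# Home directory map for automounter
+auto_home
jdoe    localhost:/export/home/jdoe
asmith  foobar:/export/home/asmith
"""


def parse_passwd(text):
    """Return {login: home_directory} from passwd-format text."""
    homes = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) == 7:
            homes[fields[0]] = fields[5]
    return homes


def parse_auto_home(text):
    """Return {key: (host, path)}; comment lines and +map references are skipped."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("+"):
            continue
        key, location = line.split(None, 1)
        if ":" in location:
            host, path = location.split(":", 1)
        else:
            host, path = "", location
        entries[key] = (host, path)
    return entries


def check_home_dirs(passwd_text, auto_home_text):
    """Classify each account's home directory setup.

    'autofs-local'  : /home/<user> trigger, map points at this host
    'autofs-remote' : /home/<user> trigger, map points at another host
                      (the directory must be created on that host)
    'missing-map'   : /home/<user> trigger with no local auto_home key
                      (may still resolve through +auto_home, or may hang logins)
    'direct'        : home directory is not an autofs trigger at all
    """
    maps = parse_auto_home(auto_home_text)
    result = {}
    for user, home in parse_passwd(passwd_text).items():
        m = re.fullmatch(r"/home/([^/]+)", home)
        if not m:
            result[user] = "direct"
            continue
        key = m.group(1)
        if key not in maps:
            result[user] = "missing-map"
        elif maps[key][0] in ("localhost", ""):
            result[user] = "autofs-local"
        else:
            result[user] = "autofs-remote"
    return result


if __name__ == "__main__":
    for user, status in check_home_dirs(SAMPLE_PASSWD, SAMPLE_AUTO_HOME).items():
        print(f"{user:8s} {status}")
```

On a real system the two strings would be read from /etc/passwd and /etc/auto_home; the "missing-map" case is the one worth investigating after a migration, because a /home trigger that resolves nowhere leaves the user with no home directory at login.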
Modifying user accounts – In Oracle Solaris 11, the usermod command works with LDAP and files. All security attributes can be assigned to a user by using this mechanism. For example, an administrator can add a role to a user's account by using the usermod command.
# roleadd -K roleauth=user -P "Network Management" netmgt
# usermod -R +netmgt jdoe
See usermod(1M) for additional examples.
Creating and managing groups – An administrator who has the solaris.group.manage authorization can create a group. At group creation, the system assigns the solaris.group.assign/groupname authorization to the administrator, which gives the administrator complete control over that group. The administrator can then modify or delete that groupname, as needed. See the groupadd(1M) and groupmod(1M) man pages.
Creating and managing roles – Roles can be created locally and in an LDAP repository. To create a role and assign an initial password, you must be assigned the User Management rights profile. For instructions on creating a role, see How to Create a Role in Oracle Solaris 11.1 Administration: Security Services.
User password management and login information have changed in the following ways:
Property definition refinements for the passwd command – This change clarifies which user accounts can and cannot be locked. The primary changes affect the LK and NL property definitions, as follows:
LK – The account is locked for UNIX authentication. The passwd -l command was run, or the account was automatically locked because the number of authentication failures reached the configured maximum. See the policy.conf(4) and user_attr(4) man pages.
NL – The account is a no-login account. The passwd -N command was run.
Failed login count notification – The system now notifies users of failed authentication attempts, even if the user account is not configured to enforce a failed-login limit. Users who fail to authenticate correctly will see a message similar to the following upon successful authentication:
Warning: 2 failed authentication attempts since last successful authentication. The latest at Thu May 24 12:02 2012.
To suppress such notifications, create a ~/.hushlogin file.
Default password hashing algorithm – The default password hashing algorithm is now SHA256. This password hash is similar to the following:
$5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD
Also, there is no longer an eight-character limitation for user passwords. The eight-character limitation applies only to passwords that use the older crypt_unix(5) algorithm, which has been preserved for backward compatibility with any existing passwd file entries and NIS maps. Starting with Oracle Solaris 11, crypt_sha256 is the default algorithm: passwords are encoded by using one of the other crypt(3c) algorithms, including the SHA256 algorithm, which is the default in the policy.conf file. Thus, passwords can now be much longer than eight characters. See policy.conf(4).
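Because crypt_unix entries survive a migration unchanged, an administrator will want to know which accounts are still on the legacy scheme (and therefore still capped at eight significant characters) and whether the configured default is really SHA256. The following Python audit is an added example, not part of the Oracle documentation. The shadow and policy.conf excerpts are constructed samples (the one $5$ hash string is the example shown in the text); the crypt.conf identifier names, the CRYPT_DEFAULT key, and the "*LK*" prefix and "NP" value written by passwd -l and passwd -N are assumed from the Solaris passwd(1) and crypt.conf(4) conventions rather than stated on this page.

```python
"""Added example (not from the Oracle documentation): report which shadow
entries still use the legacy crypt_unix hash, which truncates passwords at
eight characters, and read the configured default algorithm from policy.conf.

Assumptions (labelled): /etc/shadow colon format; "*LK*" prefix marks an
account locked with passwd -l and "NP" marks a passwd -N no-login account;
crypt identifiers follow crypt.conf(4). Sample data below is constructed."""
import re

# Crypt identifiers as registered in crypt.conf(4) (assumed, see lead-in).
CRYPT_IDS = {
    "1": "crypt_bsdmd5",
    "2a": "crypt_bsdbf",
    "md5": "crypt_sunmd5",
    "5": "crypt_sha256",
    "6": "crypt_sha512",
}

# Constructed /etc/shadow excerpt. jdoe's hash is the SHA256 example from
# the text; oldnis is a 13-character crypt_unix hash carried over from NIS.
SAMPLE_SHADOW = """\
jdoe:$5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD:15500::::::
oldnis:ab7r9KpQm3Ltw:12000::::::
netmgt:*LK*$5$cgQk2iUy$AhHtVGx5Qd0.W3NCKjikb8.KhOiA4DpxsW55sP0UnYD:15500::::::
daemon:NP:6445::::::
nobody:*LK*:6445::::::
"""

# Constructed excerpt of /etc/security/policy.conf.
SAMPLE_POLICY_CONF = """\
# constructed excerpt
CRYPT_ALGORITHMS_ALLOW=1,2a,md5,5,6
CRYPT_DEFAULT=5
"""


def classify(field):
    """Return (status, algorithm) for one shadow password field.

    status is 'active', 'locked' or 'no-login'; algorithm is a crypt.conf
    name, 'crypt_unix', 'unrecognized', or None when there is no hash.
    """
    status = "active"
    if field.startswith("*LK*"):      # passwd -l prefix (assumed convention)
        status = "locked"
        field = field[len("*LK*"):]
    if field == "NP":                 # passwd -N value (assumed convention)
        return ("no-login", None)
    if field == "":
        return (status, None)
    m = re.fullmatch(r"\$([^$]+)\$(.+)", field)
    if m:
        # "$md5,rounds=N$..." carries its rounds after a comma; strip them.
        ident = m.group(1).split(",")[0]
        return (status, CRYPT_IDS.get(ident, "unrecognized"))
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return (status, "crypt_unix")  # traditional DES: 2-char salt + 11 chars
    return (status, "unrecognized")


def audit_shadow(text):
    """Return {login: (status, algorithm)} for every shadow line with a password field."""
    out = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) >= 2:
            out[fields[0]] = classify(fields[1])
    return out


def legacy_hash_accounts(text):
    """Logins that can still authenticate and whose hash is crypt_unix."""
    return sorted(u for u, (st, alg) in audit_shadow(text).items()
                  if st == "active" and alg == "crypt_unix")


def crypt_default_from_policy(text):
    """Resolve CRYPT_DEFAULT in policy.conf to a crypt.conf algorithm name."""
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("CRYPT_DEFAULT="):
            ident = line.split("=", 1)[1].strip()
            return CRYPT_IDS.get(ident, "unrecognized")
    return "crypt_unix"  # assumed: no CRYPT_DEFAULT means the classic algorithm


if __name__ == "__main__":
    print("default algorithm:", crypt_default_from_policy(SAMPLE_POLICY_CONF))
    print("still on crypt_unix:", legacy_hash_accounts(SAMPLE_SHADOW))
    for user, (status, algo) in audit_shadow(SAMPLE_SHADOW).items():
        print(f"{user:8s} {status:9s} {algo}")
```

Accounts listed by legacy_hash_accounts keep their crypt_unix hash until the user next changes the password, at which point the CRYPT_DEFAULT algorithm is applied; forcing a password change on those accounts is the straightforward way to get them onto SHA256.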
An NFS or an SMB share of a ZFS file system is created and then shared as follows:
Oracle Solaris 11: The file system share is created by using the zfs set share command. At this time, specific share properties can be defined. If share properties are not defined, the default property values are used.
The NFS or SMB share is published by setting the sharenfs or sharesmb property. The share is published permanently until the property is set to off.
Oracle Solaris 11.1: The following sharing features are provided on ZFS storage pool version 34:
The share.nfs property replaces the sharenfs property in previous releases to define and publish an NFS share.
The share.smb property replaces the sharesmb property in previous releases to define and publish an SMB share.
ZFS share administration is simplified by leveraging ZFS property inheritance. If you want to share the tank/home file system, use syntax similar to the following:
# zfs set share.nfs=on tank/home
The share.nfs property value is inherited by any descendant file systems, including those that are created afterwards:
# zfs create tank/home/userA
# zfs create tank/home/userB
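Inheritance means that a single zfs set share.nfs=on on tank/home publishes every home directory created beneath it, and that a local value set lower in the tree overrides it for that subtree. The following Python resolver is an added example, not part of the Oracle documentation or of ZFS itself: it reproduces that lookup rule (nearest ancestor with a locally set value, otherwise the default of off) over a constructed dataset tree so an administrator can preview which datasets end up exported. The dataset names and the locally set values are constructed; the source labels "local", "inherited from ..." and "default" mirror what zfs get reports.

```python
"""Added example (not from the Oracle documentation): resolve the effective
share.nfs value of each dataset in a ZFS tree by applying property inheritance
(nearest ancestor with a local value wins; the default is off).

Assumption (labelled): the dataset list and local settings are constructed and
are not read from a live pool."""

# Constructed: every dataset in the pool, in zfs list order.
DATASETS = [
    "tank",
    "tank/home",
    "tank/home/userA",
    "tank/home/userB",
    "tank/home/userB/scratch",
    "tank/archive",
]

# Constructed: values set explicitly with "zfs set share.nfs=...".
# tank/home is shared; userB opted out, which also covers userB's children.
LOCAL_SHARE_NFS = {
    "tank/home": "on",
    "tank/home/userB": "off",
}


def parent(dataset):
    """Parent dataset name, or None for the pool root."""
    return dataset.rsplit("/", 1)[0] if "/" in dataset else None


def effective_share_nfs(dataset, local=LOCAL_SHARE_NFS):
    """Return (value, source) the way zfs get would describe it."""
    d = dataset
    while d is not None:
        if d in local:
            source = "local" if d == dataset else "inherited from " + d
            return local[d], source
        d = parent(d)
    return "off", "default"


def published_datasets(datasets=DATASETS, local=LOCAL_SHARE_NFS):
    """Datasets whose effective share.nfs is anything other than off."""
    return [d for d in datasets if effective_share_nfs(d, local)[0] != "off"]


if __name__ == "__main__":
    for d in DATASETS:
        value, source = effective_share_nfs(d)
        print(f"{d:26s} share.nfs={value:4s} ({source})")
    print("published:", published_datasets())
```

The same logic applies to share.smb. Reviewing the published list before creating home directories under a shared parent avoids exporting a directory that should have stayed local.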
Because home directories are created as ZFS file systems in Oracle Solaris 11, you typically do not need to manually mount home directories. The home directory is automatically mounted during its creation and also at boot time from the SMF local file system service. For instructions on manually mounting a user's home directory, see Manually Mounting a User’s Home Directory in Managing User Accounts and User Environments in Oracle Solaris 11.1.