1z0-821 Oracle Solaris 11 System Administration – Administering User Accounts

1. Exam Objectives

So now that we’ve talked about installing Solaris Eleven and managing some things about it, we really need to talk about managing user accounts. Obviously the computer is not there just for its own wellbeing it’s there to be used by users. So we need to create and manage user accounts for the system so that they can get on there, log on, use things like word processing documents, check email, go on the web and so forth and be productive. So the first step in this is to actually set up and administer user accounts. That’s our major objective for this particular series of sessions. And what I’m going to do now is tell you a few of the things we’re going to talk about. First of all, we’re going to explain some key user management concepts.

We’re going to talk about things like what a user account and a group account are and why we need them and some particular things about them. Then we’ll look at setting up user accounts. We’ll look at setting these up using a couple of different methods. First, a new GUI that comes with solaris. Eleven one. And then we’ll also look at command line utilities such as user ad, user mod and so forth. Then we’ll look at managing user accounts and these are changing things about user accounts that already exist using again the GUI and the command line utilities that we have available to us. Again some of the same utilities, user ad, user mod will look at how to manage our roles and assign individuals to roles and give them permission sets, rights and privileges and so forth. Then we’ll look at managing user initialization files.

Now for those files we’re talking about the Bash files and the Corn shell files that basically set up your environment when you first log into the system. We’ll also look at using shell meta characters. Now these can be a little bit confusing at first, but basically they’re used to help you work with the shell. Some of it’s kind of common sense things, some of it’s not. And Unix and Linux have been using shell meta characters for years. So if you’re an older Unix or Linux person you’ve used it for a while, you’re probably familiar with these things. If you’re a new user to Solaris then they may be a little bit tricky for you, but we’ll cover them.

We’re also going to look at configuring user disk quotas misquotes basically determine how much space a user can take up in a given file system. And this is very important when you have many users using one particular system or when you have restricted storage space on different file systems, on the local system or throughout the network. And then finally, to round out this series of sessions on administering user accounts, we’ll look at troubleshooting user account and quota issues because occasionally things can go wrong. But typically with user accounts and quotas there’s not much that can go wrong. So troubleshooting them is not very difficult. Sometimes it requires little knowledge, little experience and a little bit of common sense. And, of course, the right tools. And we’ll show you the right tools to help troubleshoot those user account and quota issues. So, having said that, let’s jump into administering user accounts.

2. Key User Management Concepts pt. 1

Before we delve into administering user accounts, let’s talk about a few key user management concepts. In fact, we have two sessions spread over a several minutes to talk about this topic. Now I understand that probably most of you who are getting into Solaris Eleven probably have some experience in other Unix or Linux or even Windows. So some of this is probably not going to be new to you. I doubt very seriously you’re coming off the street and just jumping into Solaris Eleven for the first time. So some of this is probably going to be old hat, but sometimes Solaris Eleven does a little bit differently of course, and it also serves as a refresher for those of you who maybe haven’t done it in a while or even for those Windows users who are used to the Windows way.

So we’ll go over some of these key user management concepts. Now first of all, each user has a login account and it’s usually designated by username. It doesn’t have to be, but for convention’s sake it usually is. Now these login accounts are basically assigned to a user, but they could also be assigned to other entities such as a service or a demon or so forth. Now, each username or account, sometimes we use those two terms interchangeably, but they’re not really the same thing. Each of these has a unique user ID or UID and the system, allocates these user IDs out on a specific basis. For example, zero through 99 are typically system level accounts. They could be interactive accounts or demon or service accounts, things like root bin, sys. These are typically privileged user accounts that come with the system. Now, one thing you probably ought to know is that root, the root account is always UID zero. So whenever you see something going on, it has a UID zero.

That means the root account is being used. Now for normal users, typical users that you create on the system, there’s a range of user IDs from 100 through some very long number that you see on the screen. And there’s a couple of reasons why that specific number is there. And you probably won’t use user IDs into that range. You’ll probably keep them fairly low and fairly simple and that’s okay. There’s a couple of other specific ranges that we’ll discuss later that are somewhere in that range, such as the nobody user and the no access account. But we’ll talk about those a little bit later. For now you probably need to know that when creating a regular user account you can use any number in that range pretty much with a couple of exceptions, and we’ll go over those later again.

Now these users that we have are organized into groups. And groups basically are just structures, management structures that we can organize users in. And typically it’s by common interest or what functionality they have on the system, maybe what department or group they belong to. What organizational level they belong to, what kind of access they require to a resource, and so forth. So you may have a marketing group, you may have an accounting group, and these groups would contain users that have these things in common. Maybe the accounting group all needs access to an accounting resource such as a shared folder. So you might grant all of these users individual access to a particular resource, but it would be easier to grant it to the group. And you can do that as long as you make the users part of that group. Now, users can belong actually to many different groups. However, they can only belong to one primary group and up to 1024 supplemental groups. And really for the normal user, there’s not a big difference in that how that works.

The default group when you first create account is called staff and it has a group ID of ten. And if you don’t specify a group, then everyone is put into the group staff by default. That’s their primary group. Not really a big deal. You can go ahead and put them into any group you choose as their primary group when you create the account. Again, group IDs apply to groups and they are in the same range as the user IDs as well. And some of them will wind up being group IDs that are in that range that you can’t use again for a user ID. Now let’s look at accounts a little bit more about them. Most users and user accounts are what we call standard users and even the Root is a standard user. Standard user is someone who logs on interactively, gets a desktop, possibly runs programs and things. And it can be locally on the box, sitting physically at the box or remotely through some remote shell like SSH or something like that. In any case, there are interactive users.

Now, the user account is typically based upon the user’s name. For example, on the system that we’re working on, my user name is Bobby, and that’s just for convention’s sake. It doesn’t have to be that way, whatever your organization requires. The users that are standard users typically run programs. They also typically have a home directory associated with them. The Windows users will closely associate this with a My documents directory.

That’s kind of the same thing as what a home directory is for a Unix user. Now, these system accounts are used by the system to run processes, applications and services. They’re typically not interactive users, they don’t access remotely, they typically don’t have home directories. Now, one account obviously that you need to be aware of is the Root account. It’s the super user account. It can do everything on the box. You typically try not to log in directly to Root because it’s typically a security issue and Root owns most of the binaries and configuration files. I’ll talk just a brief second about roles RBAC, role based access control. This allows you to give privileges and duties to different standard users in the guise of defined roles. You don’t have to give them directly privileges and rights. You create a role, and then you assign roles to those users. Now, there’s really one role that exists that you probably ought to be familiar with, and that’s the root role. And we’ll discuss that as we go through the rest of the course.

3. Key User Management Concepts pt. 2

During the second part of our explanation on key user management concepts, I’d like to just demonstrate some key commands that we use that can give general information on users, groups and roles that are assigned to users. Now these commands are by and large used throughout Unix and Linux, so you’ve probably seen some of them before. There’s a variation or two here and there, but you’ll use these commands like ID, groups, roles and so forth, just to get information at the command line interface for the accounts or groups you’re looking at.

So let’s go ahead and take a look at some of those. All right, we’re in a command line interface or shell prompt at solaris eleven. And one of the things I want to show you I’m logged in as a normal user right now as Bobby, and the first thing I’m going to do is an ID command and it shows you what my user ID is, and that’s 60,004 in this case. And it shows my username and it shows my group ID of my primary group. Now, staff group ID of Ten is the default group on Solaris Eleven. If you don’t specify a group when you create the user account, you automatically get put into the staff group. Everybody does.

It doesn’t have to be that way. You can specify a group, but it’s that way if you don’t specify anything. Another command that’s useful if you repeatedly change users and so forth. Back and forth to root and other users is to determine who you are at the moment and who am I gives me my user account. Now there’s another command that’s kind of unique to Solaris Eleven and it looks really weird.

Who am I? One word is pretty much used across Unix and Linux. Who am I? As in three words, is basically on Solaris Eleven. And if you use that, you’ll get this information a little bit more. And in fact, there’s actually options that go along with this. And if you, for example, put the Z option there, you’ll get even more information. So there’s some different things you can do with who am I versus who am I that you might want to look at. Now there’s also a command called Groups, and this tells you all the groups that are assigned right now, and the only one so far is staff, obviously. Now there’s also a command called Roles, and if we look at roles, Bobby, it gives you all the roles I have been assigned and right now only one, the root role. Now a little bit more about roles later.

But essentially roles are constructs that you can use. They’re not the same thing as groups. Groups you can use to put people into, to give them permissions to a resource. Roles have rights and privileges to actually do things on the system, for example. And you can create roles. There’s one role that comes by default and that’s root and you probably shouldn’t overuse that. You should probably create a role that just has lesser privileges that can only do certain things, like create user accounts, for example. And we’ll talk about that a little bit later. For right now, using the Roles command, we can see that that’s the only role the user Bobby has assigned. Now, one thing we probably want to do, if we need to do some privileged things, is change to the root account. And we can use Su to do that.

And I need to type in root’s password. Let me do that real quick. And it tells us that we failed at authentication the last time we tried this because I put in a faulty password. But now we show that our prompt change that went from a dollar sign to a sharp sign. There a number sign that tells us we’re probably in Bash. And let me clear this screen a little bit so we can have a little bit more room here. Now. If I do ID, I get UID of root and group ID of root. That’s the default group for the root account. Now? What if I say, who am I? I get root and who am I? We had the z on there and we get a little bit more information and actually we get something different than you might think. You would think you’d get the root account just the same as you did with Who Am I? But it’s different. Who am I? One word gives you what user account you’re currently active in. The who am I? Means who is your true user, regardless of who you’re suing into or what are the role you’re using at the moment. So that’s an important thing to know.

Now, a couple of other things I want to show you really quick. Most of your user account information is stored in the etsy password file. This has been around for quite a while. Your passwords, on the other hand, are stored in the Etsy shadow file, which only root has access to, and they’re encrypted. You can’t read the passwords. So if I actually do a cat of the Etsy password file, I’ll see all kinds of accounts there. And a lot of these are service accounts. Not just regular accounts, standard accounts. And you can see mine there near the bottom, the Bobby account with a UID of 6004, a G ID of ten, and the X there means that my password is encrypted. Another way that you can look at that, and it might make more sense, is to use the get int command. If we say get int to password, we get a lot of the same things. It’s usually formatted just a little bit differently. Unfortunately, the formatting on the screen is not very helpful. If you go up to the top here, you’ll see that we get a lot of the same information and get in is probably a better way to do it than catting the password file.

And we can do this the same thing with the shadow file as well. I’ll show you that a little bit later when we get more into user security. So these are some commands that you can use at the shell prompt, at the command line interface that will give you some really good information about the users themselves. And you may use these in your day to day administration tests if you need to know what particular UID a user has, or what groups they’re assigned to, or what roles are assigned to them. So this will start you out with user accounts, and then we’ll get in some more detailed information when we start actually creating and managing user accounts.

• Category: Uncategorized