Maintenance Commands passwd2sam(1M)
NAME
passwd2sam - add Solaris user accounts to, or delete them
from, an NT Domain Security Accounts Manager (SAM) database
SYNOPSIS
passwd2sam -l logon -p password [-h] [-i file] [-m connect]
[-n local path] [-o file] [-s logon script] [-u user
profile] [-y password]
passwd2sam -l logon -p password -r file [-h]
passwd2sam -l logon -p password -f [-h]
DESCRIPTION
The passwd2sam user account management utility enumerates
user accounts stored in a Solaris name service (FILES, NIS,
NIS+) into the SunLink Server Security Accounts Manager
(SAM) database.
All input files to passwd2sam must be formatted as
/etc/passwd entries. See passwd(4) for details.
passwd2sam bridges Solaris name services and Windows NT
Domain services. The bridge can only be established if you
log on to the Windows NT Domain as Administrator and run
passwd2sam as superuser. SunLink Server software must be up
and running for passwd2sam to execute.
passwd2sam supports three modes of operation:
1. Add Solaris user accounts into the SunLink Server Security
Accounts Manager database (default).
2. Delete Solaris user accounts from the SunLink Server
Security Accounts Manager database (see the -r option).
3. Find and disable Windows NT Domain user accounts added
by passwd2sam, that subsequently have been deleted from
a Solaris name service (see the -f option).
Mode 1, adding Solaris user accounts into the SunLink Server
Security Accounts Manager database, can be performed using
two methods. The default method is to enumerate non-
privileged user accounts in the running Solaris name service
(FILES, NIS, NIS+), and to add each user account into the
SunLink Server Security Accounts Manager database.
Another, more selective, method of adding Solaris user
accounts to the SunLink Server Security Accounts Manager
database is to use an input file formatted in the same way
as /etc/passwd passwd(4).
Options for the passwd2sam utility support the User Properties
of Windows NT Server's User Manager for Domains
administration interface.
Mode 2, deleting Solaris user accounts from the SunLink
Server Security Accounts Manager database, involves creating
an input file of user accounts formatted in the same way as
/etc/passwd passwd(4), and inputting this input file to
passwd2sam using the -r option.
Mode 3 is used to find and disable Windows NT Domain user
accounts that were added by the passwd2sam user account
management utility, and later deleted from the Solaris name
service. Using the passwd2sam utility in this mode produces
an output file called
/var/opt/lanman/dirsync/passwd2sam.disabled. This output
file can be used as an input file to passwd2sam's delete
operation (mode 2). This mode disables SunLink Server user
accounts but does not delete them.
By default, passwd2sam produces randomly generated
alphanumeric passwords for each user account and writes them
to the transaction log
/var/opt/lanman/dirsync/passwd2sam.log. The -y password
option overrides this default behavior, allowing an administrator
to assign a specific password to all user accounts, or no
password at all.
All transactions, errors, and datafiles (except user-
specified output files) are written to
/var/opt/lanman/dirsync and prefixed with passwd2sam.
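Because every file passwd2sam reads with -i or -r must be a valid passwd(4) file, it is worth checking such a file before handing it over. The following shell helpers are an added example written for this page, not part of passwd2sam or SunLink Server: select_users builds a selective -i input file from passwd(4)-formatted data, and passwd4_check rejects malformed entries. UID_MIN is an assumed cut-off for "non-privileged" accounts; the page does not state passwd2sam's own rule.

```shell
#!/bin/sh
# Added example, not part of the passwd2sam man page or SunLink Server.
# Helpers to build and sanity-check the passwd(4)-formatted files that
# passwd2sam -i and -r consume. UID_MIN is an assumed cut-off for
# "non-privileged" accounts; the page does not state passwd2sam's own rule.
UID_MIN=100

# passwd4_check FILE
# Succeeds only if every line is a 7-field passwd(4) entry with a non-empty
# login name and a numeric uid and gid; the first bad line goes to stderr.
passwd4_check() {
    awk -F: '
        NF != 7 || $1 == "" || $3 !~ /^[0-9]+$/ || $4 !~ /^[0-9]+$/ {
            printf("passwd4_check: bad entry at line %d: %s\n", NR, $0) > "/dev/stderr"
            bad = 1
        }
        END { exit bad }' "$1"
}

# select_users SRC DST
# Copy only non-privileged interactive accounts from SRC (passwd(4) format,
# for instance the output of "getent passwd") into DST for passwd2sam -i DST.
select_users() {
    awk -F: -v min="$UID_MIN" '
        NF == 7 && $3 + 0 >= min && $7 !~ /(false|nologin)$/' "$1" > "$2"
}

# Constructed sample in passwd(4) format (not real accounts).
SAMPLE=${TMPDIR:-/tmp}/passwd2sam_sample.$$
INPUT=$SAMPLE.input
printf '%s\n' \
    'root:x:0:0:Super-User:/:/usr/bin/sh' \
    'alice:x:1001:10:Alice Example:/home/alice:/bin/sh' \
    'backup:x:1002:10:Backup Service:/:/bin/false' > "$SAMPLE"

select_users "$SAMPLE" "$INPUT"
passwd4_check "$INPUT" && \
    echo "ok: $(grep -c . "$INPUT") account(s) ready for passwd2sam -i $INPUT"
# Expected: only alice survives; root (uid 0) and backup (/bin/false) are dropped.
```

The same passwd4_check can be run on /var/opt/lanman/dirsync/passwd2sam.disabled before passing it to -r, so that a truncated or hand-edited file is caught before any account is removed.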
OPTIONS
The passwd2sam user account management utility supports the
following options:
-f Runs passwd2sam in mode 3, finding and disabling SunLink
Server user accounts that were added by passwd2sam, but
subsequently deleted from the Solaris name service.
Using this option disables SunLink Server user accounts
but does not delete them. This option produces an output
file called
/var/opt/lanman/dirsync/passwd2sam.disabled, which is
formatted the same way as /etc/passwd passwd(4). The
output file contains a list of disabled SunLink Server
user accounts to delete. You cannot use this option in
conjunction with the -m, -n, -o, -r, -s, -u, or -y
options.
-h Displays a passwd2sam usage message.
-i file
Runs passwd2sam in mode 1, adding user accounts specified
by an input file to the SunLink Server Security
Accounts Manager database. Using this option overrides
the default behavior of enumerating all user accounts
from the running Solaris name service and adding each
user account to the SunLink Server Security Accounts
Manager database. You cannot use this option with the
-r option.
-l logon
Specifies a SunLink Server Administrator logon, and is
required for all operations.
-m connect
Creates a global SunLink Server home directory for each
user account passwd2sam adds.
The connect argument is a global home Directory path,
which is a Universal Naming Convention (UNC) path prefixed
by a drive letter and colon. The drive letter
and colon must be specified (for instance, H:). The
UNC path can be a local or remote LAN Manager path to
an existing network shared directory.
Each user's logon name is automatically appended to the
end of the Home Directory Connect path if not specified.
Alternatively, using the %USERNAME% wildcard
appends each user's logon name to the end of the UNC
path. This option applies to all accounts in the add
operation. You cannot use this option in conjunction
with the -n option.
NOTE: When specifying UNC paths, you must substitute
two backslashes for each backslash, to support Solaris
command line shells (for instance, -m
H:\\\\SERVER\\USERS\\%USERNAME%).
-n local_path
Specifies a user's local home directory on the Windows
workstation where the user logs on. This local directory
path must be prefixed by a drive letter and colon
(for instance, -n C:\\USERS\\%USERNAME%).
Each user's logon name is automatically appended to the
end of the local directory if not specified. Alternatively,
using the %USERNAME% wildcard appends each
user's logon name to the end of the UNC path. This add
invocation parameter applies to all accounts in the add
operation. You cannot use this invocation parameter in
conjunction with the -m invocation parameter.
-o file
Produces a user-specified output file that is formatted
the same as /etc/passwd. This file contains a list of
all Solaris user accounts added into the SunLink Server
Security Accounts Manager database. This file can be
used later to remove Solaris accounts from the SunLink
Server Security Accounts Manager database. You cannot
use this option in conjunction with the -f or -r
options.
-p password
Specifies a SunLink Server Administrator password, and
is required for all operations.
-r file
Runs the passwd2sam utility in mode 2, enumerating an
input file and removing each user account specified
from the SunLink Server Security Accounts Manager database.
This option deletes user accounts but does not
delete users' home directories or files. You cannot
use this option in conjunction with the -f or -i
options.
-s logon_script
Sets up a network logon script that runs each time a
user successfully logs on to SunLink Server software.
The logon_script argument is a file name (for instance,
-s NETLOGON.CMD) that contains commands to execute upon
successful user logon. A network logon script is
defined using relative pathing and pertains only to the
authenticating SunLink Server. When a user logs on, the
authenticating SunLink Server computer finds the specified
logon script by following the SunLink Server logon
script path \\SERVER\NETLOGON. This option applies to
all accounts added by the passwd2sam user account
management utility. You cannot use this option in
conjunction with the -f or -r options.
-u user_profile
Specifies the User Profile Path, which is a Universal
Naming Convention (UNC) path, that points to a roaming
or mandatory user profile. The UNC path can be a local
or remote LAN Manager path.
Each user's logon name is automatically appended to the
end of the User path if not specified. Alternatively,
use the %USERNAME% wildcard to append each user's logon
name to the end of the UNC path (for instance, -u
\\\\SERVER\\PROFILES\\%USERNAME%). This option applies
to all accounts added by the passwd2sam user account
management utility, and cannot be used in conjunction
with the -f or -r options.
-y password
Overrides the default randomly generated alphanumeric
password and assigns a specified password to all SunLink
Server accounts added by the passwd2sam user
account management utility. Specifying NULL (for
instance, -y NULL) assigns no password to user
accounts. Specifying a password assigns the specified
password to all user accounts added by passwd2sam.
Password lengths are managed from Windows NT Server's
User Manager for Domains administration interface under
the Policies, Account panel. Assigning NULL passwords
will only be successful if the radio button Permit
Blank Password is enabled.
All user account passwords are written to the
passwd2sam transaction log
/var/opt/lanman/dirsync/passwd2sam.log. These passwords
are readable only by the superuser.
SunLink Server users will be prompted to change their
password on the first successful SunLink Server logon.
This option applies to all accounts added by the
passwd2sam user account management utility. You cannot
use this option in conjunction with the -f or -r
options.
EXAMPLES
The examples below illustrate passwd2sam's three modes of
operation.
# passwd2sam -l Administrator -p password -m
H:\\\\SERVER\\USERS\\%USERNAME% -s NETLOGON.CMD
This example adds all Solaris user accounts found in
the running Solaris name service (for instance, FILES,
NIS, NISPLUS) into the SunLink Server Security Accounts
Manager database. The -m invocation parameter creates
a global home directory for each user at the specified
UNC path. User account passwords are randomly generated
characters. In addition, each SunLink Server
user account will execute the network logon script
specified by the -s invocation parameter upon successful
logon.
# passwd2sam -l Administrator -p password -r
passwd2sam.disabled
This example deletes all SunLink Server user accounts
specified in the input file passwd2sam.disabled. This
input file must be formatted in the same way as
/etc/passwd. See passwd(4) for details.
# passwd2sam -l Administrator -p password -f
This example disables SunLink Server user accounts that
cannot be found in the running Solaris name service.
This example also produces an output file
/var/opt/lanman/dirsync/passwd2sam.disabled, which contains
a list of the disabled SunLink Server user
accounts. Directories and files owned by a disabled
SunLink Server account are not deleted.
FILES
/var/opt/lanman/dirsync/passwd2sam.log       passwd2sam transaction log.
/var/opt/lanman/dirsync/passwd2sam.errors    passwd2sam error log.
/var/opt/lanman/dirsync/passwd2sam.disabled  List of disabled SunLink Server
                                             user accounts.
SEE ALSO
passwd(4), mapuname(1), sam2passwd(1M), nisaddent(1M),
ypcat(1), nsswitch.conf(4)
NOTES
When using passwd2sam arguments containing backslashes, you
must substitute two backslashes for each backslash, to support
Solaris command line shells.