Saturday, July 16, 2011

AIX user administration - mkuser

Adding a new user account : mkuser


The mkuser command creates a new user account. The Name parameter must be a unique string of 8 bytes or less. By default, the mkuser command creates a standard user account. To create an administrative user account, specify the -a flag.

The mkuser command does not create password information for a user. The new accounts are therefore disabled until the passwd command is used to add authentication information to the /etc/security/passwd file. The mkuser command only initializes the Password attribute of the /etc/passwd file with an * (asterisk).

You use this command to create the AIX user and set its initial values. There are a few simple rules to remember when creating a user:
  • User names cannot start with a:
    • Dash or minus sign (-)
    • Plus sign (+)
    • At symbol (@)
    • Tilde (~)
  • User names cannot be ALL or default, as those names are reserved for the operating system.
  • User names cannot include:
    • Colon (:)
    • Quotation marks—single or double (' or ")
    • Pound or hash symbol (#)
    • Comma (,)
    • Equal sign (=)
    • Slashes—back or forward (\ or /)
    • Question mark (?)
    • Back quote or tick (`)
    • White space (space or tab)
    • New-line characters
  • User names can only be eight characters or fewer in AIX version 5.2 and earlier. Starting with AIX version 5.3, IBM increased the maximum number of characters to 255.
To verify the setting in AIX 5.3 and later, you can extract the value from getconf:
# getconf LOGIN_NAME_MAX
9


or lsattr:
# lsattr -El sys0

SW_dist_intr    false              Enable SW distribution of interrupts              True
autorestart     true               Automatically REBOOT OS after a crash             True
boottype        disk               N/A                                               False
capacity_inc    1.00               Processor capacity increment                      False
capped          true               Partition is capped                               False
conslogin       enable             System Console Login                              False
cpuguard        enable             CPU Guard                                         True
dedicated       true               Partition is dedicated                            False
enhanced_RBAC   true               Enhanced RBAC Mode                                True
ent_capacity    1.00               Entitled processor capacity                       False
frequency       2656000000         System Bus Frequency                              False
fullcore        true               Enable full CORE dump                             True
fwversion       IBM,EL340_075      Firmware version and revision levels              False
id_to_partition 0X80000CE988400001 Partition ID                                      False
id_to_system    0X80000CE988400000 System ID                                         False
iostat          false              Continuously maintain DISK I/O history            True
keylock         normal             State of system keylock at boot time              False
log_pg_dealloc  true               Log predictive memory page deallocation events    True
max_capacity    1.00               Maximum potential processor capacity              False
max_logname     9                  Maximum login name length at boot time            True
maxbuf          20                 Maximum number of pages in block I/O BUFFER CACHE True
maxmbuf         0                  Maximum Kbytes of real memory allowed for MBUFS   True
maxpout         0                  HIGH water mark for pending write I/Os per file   True
maxuproc        800                Maximum number of PROCESSES allowed per user      True
min_capacity    1.00               Minimum potential processor capacity              False
minpout         0                  LOW water mark for pending write I/Os per file    True
modelname       IBM,8203-E4A       Machine name                                      False
ncargs          256                ARG/ENV list size in 4K byte blocks               True
nfs4_acl_compat secure             NFS4 ACL Compatibility Mode                       True
pre430core      false              Use pre-430 style CORE dump                       True
pre520tune      disable            Pre-520 tuning compatibility mode                 True
realmem         3784704            Amount of usable physical memory in Kbytes        False
rtasversion     1                  Open Firmware RTAS version                        False
sed_config      select             Stack Execution Disable (SED) Mode                True
systemid        IBM,021082744      Hardware system identifier                        False
variable_weight 0                  Variable processor capacity weight                False


To change the value, simply adjust the v_max_logname parameter (shown as max_logname in lsattr) using chdev to the maximum number of characters desired plus one to accommodate the terminating character. For example, if you want to have user names that are 128 characters long, you would adjust the v_max_logname parameter to 129:
# chdev -l sys0 -a max_logname=129
sys0 changed


Please note that this change will not go into effect until you have rebooted the operating system. Once the server has been rebooted, you can verify that the change has taken effect:
# getconf LOGIN_NAME_MAX
128


Keep in mind, however, that if your environment includes IBM RS/6000® servers prior to AIX version 5.3 or operating systems that cannot handle user names longer than eight characters and you rely on NIS or other authentication measures, it would be wise to continue with the eight-character user names.
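The naming rules above can be checked before mkuser is ever called. The following is an added example, not part of the original post: the function name valid_aix_username, its messages, and the fallback limit of eight characters are assumptions, and it is written in POSIX sh so it also runs under ksh.

```shell
#!/bin/sh
# Added example: check a proposed AIX user name against the rules listed above.
# Usage: valid_aix_username NAME [MAXLEN]; prints "ok" or the rule that failed.
valid_aix_username() {
    name=$1
    max=${2:-}
    if [ -z "$max" ]; then
        # LOGIN_NAME_MAX counts the terminating character, so subtract one.
        limit=$(getconf LOGIN_NAME_MAX 2>/dev/null)
        case $limit in ''|*[!0-9]*) limit=9 ;; esac   # assumed fallback: 8 characters
        max=$((limit - 1))
    fi
    if [ -z "$name" ]; then echo "empty name"; return 1; fi
    case $name in
        ALL|default) echo "reserved name"; return 1 ;;
        [-+@~]*)     echo "bad first character"; return 1 ;;
    esac
    # Forbidden anywhere: : " # , = \ / ? ` space, tab, newline and single quote.
    forbidden=':"#,=\\/?` \t\n'"'"
    stripped=$(printf '%s' "$name" | tr -d "$forbidden")
    if [ "$stripped" != "$name" ]; then echo "forbidden character"; return 1; fi
    # ${#name} counts characters in the current locale.
    if [ "${#name}" -gt "$max" ]; then echo "longer than $max"; return 1; fi
    echo "ok"
}

# Constructed sample names, checked against the eight-character limit.
for n in xander -xander ALL 'x:ander' 'xander cormany' xandercormany; do
    printf '%-16s %s\n' "$n" "$(valid_aix_username "$n" 8)"
done
```

Called without a second argument, the function takes the limit from getconf LOGIN_NAME_MAX on the host it runs on.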
To create a user with default settings and allocate the next available UID, simply execute mkuser plus the user name as the root user:
# mkuser xander
# finger xander
Login name: xander
Directory: /home/xander                 Shell: /usr/bin/ksh
No Plan.


Easy, isn't it? Try something a bit more personable. By adding some values found in the chuser man page (man chuser), you can include the user's GECOS information and change his or her core ulimit to 524,288, as shown in Listing 6.

Listing 6. Change a user's core ulimit

 
# mkuser core=524288 gecos="Xander Cormany,317.555.1234" xander
# finger xander
Login name: xander                    In real life: Xander Cormany
Site Info: 317.555.1234
Directory: /home/xander                 Shell: /usr/bin/ksh
No Plan.

# su - xander "-c ulimit -a"
time(seconds)        unlimited
file(blocks)         unlimited
data(kbytes)         unlimited
stack(kbytes)        4194304
memory(kbytes)       unlimited
coredump(blocks)     524288
nofiles(descriptors) unlimited
threads(per process) unlimited
processes(per user)  unlimited


It's worth mentioning that the GECOS, like any other field in /etc/passwd, should not include a colon (:) in the value. If a colon is added, the entry is split at that point, and all expected values shift to the right. For instance, if the user tried to have Xander:Cormany in the GECOS field in /etc/passwd, Xander would actually be in the correct field, while Cormany would be the value of the field to the right (that is, the home directory). Also, the GECOS field cannot end with !#.
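The field shift described above can be detected by counting fields in each entry. The following is an added example, not part of the original post: the function name check_passwd_fields and the sample entries (including the UID and GID values) are constructed for illustration.

```shell
#!/bin/sh
# Added example: flag /etc/passwd-format entries whose fields have shifted.
# Reads entries on stdin, prints one finding per bad entry, returns 1 if any.
check_passwd_fields() {
    awk -F: '
        $0 == "" { next }
        NF != 7 {
            # An extra colon (for example inside GECOS) pushes later fields right.
            printf "%s: %d fields, expected 7; home-directory field holds \"%s\"\n", $1, NF, $6
            bad = 1; next
        }
        $5 ~ /!#$/ { printf "%s: GECOS ends with !#\n", $1; bad = 1 }
        END { exit bad + 0 }
    '
}

# Constructed sample entries (UIDs 205/206 and GID 1 are made-up values).
sample='xander:*:205:1:Xander Cormany,317.555.1234:/home/xander:/usr/bin/ksh
xander2:*:206:1:Xander:Cormany:/home/xander2:/usr/bin/ksh'

printf '%s\n' "$sample" | check_passwd_fields || echo "passwd layout problems found"
```

On a real system the input would be /etc/passwd itself, for example check_passwd_fields < /etc/passwd.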
Most administrators do not really use the command line like this, but it is important to understand what utilities like SMIT (man smit or man smitty) are doing behind the scenes. If you would rather continue through SMIT, the process is simple. Here's an example of creating the same user with the same attributes through SMIT. To enter SMIT directly at the user creation screen, use the fastpath mkuser:
# smitty mkuser


The figure (caption: The smitty mkuser process) shows the SMIT utility in action.
When you are finished filling out the user name, GECOS field, and core ulimit, press Enter to create the user. When SMIT returns that the command finished successfully, press F10 or Esc + 0 to exit the program. You can verify the user using the code in the listing below.

Listing. Verify that SMIT correctly created the user


 
# finger xander
Login name: xander                    In real life: Xander Cormany
Site Info: 317.555.1234
Directory: /home/xander                 Shell: /usr/bin/ksh
No Plan.

# su - xander "-c ulimit -a"
time(seconds)        unlimited
file(blocks)         unlimited
data(kbytes)         unlimited
stack(kbytes)        4194304
memory(kbytes)       unlimited
coredump(blocks)     524288
nofiles(descriptors) unlimited
threads(per process) unlimited
processes(per user)  unlimited
