We do not and will not provide the Linux shadow-utils. It is not compatible with Solaris. For Solaris the only supported mechanism is to use the Solaris supplied passwd command. I very strongly recommend against attempting to build and deploy it. Solaris and Linux do not store exactly the same content in the local shadow file, and use of a non-Solaris-supplied program that directly manipulates the policy and state may cause corruption of the Solaris /etc/shadow file.
Using a third-party program to simply change a user's password via pam_chauthtok(3PAM) calls is supported, but all password policy settings must be performed using the native Solaris /usr/bin/passwd.
Darren J Moffat - Senior Software Architect - Oracle Solaris Engineering
Actually, all we need is to be able to dynamically add or remove a user from the wheel group in the LOCAL /etc/group file, regardless of LDAP or AD domain authentication, as these commands do correctly in Linux:
gpasswd -a <userid> wheel
gpasswd -d <userid> wheel
If all users were local /etc/passwd members ONLY, the following works great:
usermod -G +wheel <userid>
usermod -G -wheel <userid>
But when the host is either an LDAP or AD authenticated client system, the above usermod commands fail with:
UX: usermod: ERROR: group wheel does not exist.
...even though group wheel DOES exist locally in /etc/group.
This issue is all due to a hard security requirement to move to a "Just In Time" sudo access model. So, adding the sysadmin user to "wheel" within the entire LDAP or AD domain is unacceptable. It must occur locally on each client system and only as needed.
Couldn't using "groupmod -U +<username> wheel" and "groupmod -U -<username> wheel" be an option?
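As an added illustration (not code from this thread), here is a small POSIX sh wrapper around the Solaris-supplied groupmod that implements the "just in time" wheel grant/revoke on one host: it refuses to run when wheel is not defined in the local group file (the condition behind the usermod error above) and confirms the result by parsing that file directly. It assumes Solaris 11 groupmod(1M) syntax "-U +user" / "-U -user" and /usr/sbin/groupmod; the sample group file is constructed for offline testing.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes Solaris 11 groupmod -U [+|-]user syntax.

# Print the member list (4th field) of group $1 from group file $2; fail if the group is absent.
local_group_members() {
  awk -F: -v g="$1" '$1 == g { print $4; found = 1 } END { exit (found ? 0 : 1) }' "$2"
}

# Succeed only if user $1 is an exact member (not a substring match) of group $2 in file $3.
in_local_group() {
  members=$(local_group_members "$2" "$3") || return 1
  printf '%s\n' "$members" | tr ',' '\n' | grep -qx -- "$1"
}

# jit_wheel add|del USER [GROUP_FILE]: grant or revoke local wheel membership on this host only.
# Returns 2 when wheel is not in the local file (the case in which usermod -G failed above).
jit_wheel() {
  op=$1; user=$2; gfile=${3:-/etc/group}
  local_group_members wheel "$gfile" >/dev/null ||
    { echo "wheel is not defined in $gfile; refusing to run groupmod" >&2; return 2; }
  case $op in
    add) sign='+' ;;
    del) sign='-' ;;
    *)   echo "usage: jit_wheel add|del USER [GROUP_FILE]" >&2; return 2 ;;
  esac
  # GROUPMOD defaults to the Solaris-supplied binary, never a third-party replacement.
  "${GROUPMOD:-/usr/sbin/groupmod}" -U "${sign}${user}" wheel || return 1
  # Verify against the local file itself; nsswitch/LDAP/AD are deliberately not consulted.
  if [ "$op" = add ]; then in_local_group "$user" wheel "$gfile"
  else ! in_local_group "$user" wheel "$gfile"; fi
}

# Constructed sample group file for demonstration (not a real host's /etc/group).
make_sample_group_file() {
  f=$(mktemp) || return 1
  printf '%s\n' 'root::0:' 'wheel::10:alice,bob' 'sys::3:root,bin,adm' > "$f"
  printf '%s\n' "$f"
}
```

Run `jit_wheel add <userid>` when the ticket opens and `jit_wheel del <userid>` when it closes; the membership check can also be scheduled to report hosts where a grant was never revoked.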