3 Replies Latest reply on Nov 6, 2019 1:20 PM by Steffen Moser

    What is the pkg that provides "gpasswd" command, equivalent to Linux "shadow-utils" pkg?

    Brad.S

      Hi,

      We are implementing some Linux/UNIX administrative changes that ideally need to be consistent across all "unix-like" platforms. We are using the "gpasswd" command in Linux; what is the equivalent for Solaris 11? Solaris 10? I would have expected to find "gpasswd" in /usr/gnu/bin/ on Solaris 11, but alas, it is not there. If there is a "pkg install xxxxxxx" I need to run to provide that - I have been unable to find what the pkg name is.

        • 1. Re: What is the pkg that provides "gpasswd" command, equivalent to Linux "shadow-utils" pkg?
          Darren Moffat-Oracle

          We do not and will not provide the Linux shadow-utils. It is not compatible with Solaris. For Solaris the only supported mechanism is to use the Solaris supplied passwd command. I very strongly recommend against attempting to build and deploy it. Solaris and Linux do not store exactly the same content on the local shadow file, and use of a non-Solaris-supplied program that directly manipulates the policy and state may cause corruption to the Solaris /etc/shadow file.

          Using a third party program to simply change a user's password by using pam_chauthtok(3PAM) calls is supported, but all password policy setting must be performed using the native Solaris /usr/bin/passwd.

           

          --

          Darren J Moffat - Senior Software Architect - Oracle Solaris Engineering

          • 2. Re: What is the pkg that provides "gpasswd" command, equivalent to Linux "shadow-utils" pkg?
            Brad.S

            Actually, all we need is to be able to dynamically add or remove a user from the wheel group in the LOCAL /etc/group file, regardless of LDAP or AD domain authentication, as these commands do correctly in Linux:

            gpasswd -a <userid> wheel

            gpasswd -d <userid> wheel

             

            If all users were local /etc/passwd members ONLY, the following works great:

            usermod -G +wheel <userid>

            usermod -G -wheel <userid>

             

            But when the host is either an LDAP or AD authenticated client system, the above usermod commands fail with:

            UX: usermod: ERROR: group wheel does not exist.

            ...even though group wheel DOES exist locally in /etc/group.

             

            This issue is all due to a hard security requirement to move to a "Just In Time" sudo access model. So, adding the sysadmin user to "wheel" within the entire LDAP or AD domain is unacceptable. It must occur locally on each client system and only as needed.

            • 3. Re: What is the pkg that provides "gpasswd" command, equivalent to Linux "shadow-utils" pkg?
              Steffen Moser

              Couldn't using "groupmod -U +<username> wheel" and "groupmod -U -<username> wheel" be an option?

               

              Kind regards,

              Steffen
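
A sketch of the per-host grant/revoke wrapper this thread is working toward, added here as an example and not code from any of the posters. The function names are hypothetical, and it assumes that `groupmod -U` (the suggestion in reply 3, which the thread does not confirm) updates the local wheel entry on Solaris 11; membership is verified against the local /etc/group only, so LDAP or AD answers cannot mask a failed change.

```shell
#!/bin/sh
# Added example; helper names are hypothetical and not from the thread.
# Assumption: Solaris 11 "groupmod -U" (reply 3) edits the local group entry.

GROUP_FILE="${GROUP_FILE:-/etc/group}"   # local file only, never the name service

# Reject anything that is not a plain account name before it reaches a root command.
valid_user() {
    case "$1" in
        ''|-*|*[!A-Za-z0-9._-]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Print the platform's command for "add" or "del"; $3 overrides uname for testing.
wheel_cmd() {
    action=$1 user=$2 os=${3:-$(uname -s)}
    valid_user "$user" || { echo "invalid user name" >&2; return 2; }
    case "$os:$action" in
        Linux:add) echo "gpasswd -a $user wheel" ;;
        Linux:del) echo "gpasswd -d $user wheel" ;;
        SunOS:add) echo "groupmod -U +$user wheel" ;;
        SunOS:del) echo "groupmod -U -$user wheel" ;;
        *) echo "unsupported: $os $action" >&2; return 3 ;;
    esac
}

# Succeed only if the user is listed in the local file's wheel entry.
# getent is avoided on purpose: it would also answer from LDAP or AD.
in_local_wheel() {
    members=$(grep '^wheel:' "$GROUP_FILE" | cut -d: -f4)
    case ",$members," in
        *",$1,"*) return 0 ;;
        *) return 1 ;;
    esac
}

# Grant or revoke (run as root), then confirm the local file reflects the change.
wheel_jit() {
    cmd=$(wheel_cmd "$1" "$2") || return
    $cmd || return
    if [ "$1" = add ]; then in_local_wheel "$2"; else ! in_local_wheel "$2"; fi
}
```

Running `wheel_jit del <userid>` at the end of the access window and checking its exit status gives a per-host confirmation that the grant was actually revoked.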