Changing user details
When you add a Unix user, you probably use SMIT. That allows you to set or list user details, such as the user's full name, password restrictions, home directory and so on. If you're doing this for lots of users, you'll probably want to use the command line and ideally do it in a script.
To list a user's details, use the lsuser command. (ls is usually the prefix to list things in AIX, as ch is to change and rm to remove.) The default behaviour is to list all details for a user, which can be, well, you'll see what I mean:
# lsuser padmin
padmin id=8 pgrp=staff groups=staff home=/home/padmin shell=/usr/bin/rksh login=true su=true rlogin=true daemon=true admin=false sugroups=ALL admgroups= tpath=nosak ttys=ALL expires=0 auth1=SYSTEM auth2=NONE umask=22 registry=files SYSTEM=compat logintimes= loginretries=0 pwdwarntime=0 account_locked=false minage=0 maxage=0 maxexpired=-1 minalpha=0 minother=0 mindiff=0 maxrepeats=8 minlen=0 histexpire=0 histsize=0 pwdchecks= dictionlist= default_roles= fsize=-1 cpu=-1 data=262144 stack=65536 core=2097151 rss=65536 nofiles=2000 time_last_login=1279837000 time_last_unsuccessful_login=1275282560 tty_last_login=/dev/pts/0 tty_last_unsuccessful_login=/dev/pts/3 host_last_login=myhost.mycompany.com host_last_unsuccessful_login=10.10.1.16 unsuccessful_login_count=0 roles=PAdmin
Gorgeous, isn't it?
If you want to list the settings for only one or two fields, you can specify them using the -a parameter, followed by the field name. Let's look at the primary group, the User information and whether the account is locked.
The field for User information is called (famously) "gecos". Of course it is. Welcome to Unix. That name actually comes from General Electric Comprehensive Operating System, if Wikipedia's entry for GECOS can be trusted. So let's list the fields now.
# lsuser -a pgrp gecos account_locked padmin
padmin pgrp=staff account_locked=false
Where's my gecos?
Notice something? There's no entry for the gecos field. If we check in SMIT (you could use the fastpath smit user) we'll see the User information field is blank. If lsuser has nothing to report, it reports nothing. So let's add some sort of description for the user. If lsuser lists a user's details, you may know or guess that chuser will change details. We could use SMIT, but for the purpose of learning chuser, we'll stick to the command line.
# chuser -a gecos=VIO Server administrator padmin
Usage: chuser [-R load_module] "attr=value" ... user # bad
What was wrong with that? Well, we can see that the User information has spaces in it, so let's try it again with quotes around that information:
# chuser -a gecos="VIO Server administrator" padmin
Usage: chuser [-R load_module] "attr=value" ... user # still bad
Actually, the problem is that the chuser command doesn't take the parameter -a. The reason is simple, when you think about it. We saw with lsuser that you can specify a set of user attributes to display using -a and the attribute name(s). If you don't do that, you just get all details for the user. But there's not much point having that facility for chuser. The chuser command knows you want to change an attribute, so there's no need for a parameter to say so. It expects an attribute. Just running chuser fred to change nothing would be pretty useless, wouldn't it?
Bloggers can be chusers
Finally, let's get it right:
# chuser gecos="VIO Server administrator" padmin
And we see the result of our efforts:
# lsuser -a pgrp gecos account_locked padmin
padmin pgrp=staff gecos=VIO server administrator account_locked=false
Still, it would be nice to have the contents of the fields delimited, so we know where each field starts and finishes. This is especially important if we're going to use a script. You can use colon-separated fields with the -c parameter of lsuser.
# lsuser -ca pgrp gecos account_locked padmin
padmin:staff:VIO server administrator:false
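As an added example (not part of the original post), here is a shell function that reads the colon-separated output above and flags accounts that have no gecos entry or are locked. It assumes lsuser -c prints a header line beginning with # and leaves an empty field between the colons when an attribute is unset; the function names, report labels and sample records are constructed for illustration.

```shell
#!/bin/sh
# Added example: audit colon-separated lsuser output read from stdin.
# Assumed record layout: name:pgrp:gecos:account_locked
# On a live AIX system you would feed it with:
#   lsuser -ca pgrp gecos account_locked ALL | audit_users

# Constructed sample records standing in for real lsuser -c output.
sample_lsuser() {
    cat <<'EOF'
#name:pgrp:gecos:account_locked
padmin:staff:VIO Server administrator:false
fred:staff::false
olduser:staff:Former contractor:true
EOF
}

# Prints one "user:finding" line per problem found.
audit_users() {
    # IFS=: splits on colons only, so spaces inside gecos survive and
    # an empty gecos field stays empty instead of shifting the columns.
    while IFS=: read -r name pgrp gecos locked extra; do
        case "$name" in
            ''|'#'*) continue ;;        # blank line or "#name:..." header
        esac
        # Reject records with too many or too few fields rather than
        # guessing which column is which.
        if [ -n "$extra" ]; then
            echo "$name:malformed"
            continue
        fi
        case "$locked" in
            true|false) ;;
            *) echo "$name:malformed"; continue ;;
        esac
        if [ -z "$gecos" ]; then
            echo "$name:no-gecos"       # nobody recorded who owns the account
        fi
        if [ "$locked" = "true" ]; then
            echo "$name:locked"
        fi
    done
    return 0
}

sample_lsuser | audit_users
```
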
Directory and Unix authentication
The gecos field isn't the only one which may have spaces in its contents. Another one is the SYSTEM field. If you're using AD authentication and you want to have Unix local passwords as a fallback if AD becomes inaccessible, you may need to use:
# chuser SYSTEM="KRB5Afiles or compat" fred
That's not all you need for AD authentication. That's another matter altogether. But if you do use two authentication methods for a user, you'll need to know the chuser command. Don't forget: just put the attribute name after chuser, because chuser -a won't work.