Creates a new user account.
The mkuser command creates a new user account. The Name parameter must be a unique string (whose length is administrator-configurable using the chdev command) . You cannot use the ALL or default keywords in the user name. By default, the mkuser command creates a standard user account. To create an administrative user account, specify the -a flag.
To create a user with an alternate Identification and Authentication (I&A) mechanism, you can use the -R flag to specify the I&A load module. If you create users without the -R flag, you create the users locally. Load modules are defined in the /usr/lib/security/methods.cfg file.
The mkuser command does not create password information for a user. It initializes the password field with an * (asterisk). Later, this field is set with the passwd or pwdadm command. New accounts are disabled until the passwd or pwdadm commands are used to add authentication information to the /etc/security/passwd file.
You can use the System Management Interface Tool (SMIT) smit mkuser fast path to run this command.
The mkuser command always checks the target user registry to make sure the ID for the new account is unique to the target registry. You can also configure the mkuser command to check all user registries of the system using the dist_uniqid system attribute. The dist_uniqid system attribute is an attribute of the usw stanza of the /etc/security/login.cfg file, and can be managed using the chsec command.
- never - Does not check for ID collision against the non-target registries. This is the default setting.
- always - Checks for ID collision against all other registries. If collision is detected between the target registry and any other registry account creation or modification fails.
- uniqbyname - Checks for ID collision against all other registries. Collision between registries is allowed only if the account to be created has the same name as the existing account.
The uniqbyname system attribute setting works well against two registries. With more than two registries, and with ID collision already existing between two registries, the behavior of the mkuser command is unspecified when creating a new account in a third registry using colliding ID values. The new account creation might succeed or fail depending the order in which the registries are checked.
The check for ID collision only enforces ID uniqueness between the local registry and remote registries or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems that make use of the same remote registry. The mkuser command bypasses a remote registry if the remote registry is not reachable at the time the command is run.
Restrictions on Creating User Names
To prevent login inconsistencies, you should avoid composing user names entirely of uppercase alphabetic characters. While the mkuser command supports multi-byte user names, it is recommended that you restrict user names to characters with the POSIX portable filename character set.
To ensure that your user database remains uncorrupted, you must be careful when naming users. User names must not begin with a - (dash), + (plus sign), @ (at sign), or ~ (tilde). You cannot use the keywords ALL or default in a user name. Additionally, do not use any of the following characters within a user-name string:
Finally, the Name parameter cannot contain any space, tab, or new-line characters.
|-a||Specifies that the user is an administrator. Only the root user can use this flag or alter the attributes of an administrative user.|
|username||Specifies that the user is a new user.|
|-R load_module||Specifies the loadable I&A module used to create the user.|
|0||The command runs successfully and all requested changes are made.|
|>0||An error occurred. The printed error message lists further details about the type of failure.|
Access Control: This command should grant execute (x) access only to the root user and members of the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.
Creating a user may not be supported by all loadable I&A modules. If the loadable I&A module does not support creating a user, an error is reported.
- To create the davis user account with the default values
in the /usr/lib/security/mkuser.default file, type:
- To create the davis account with davis as an
Only the root user or users with the UserAdmin authorization can create davis as an administrative user.
mkuser -a davis
- To create the davis user account and set the su attribute
to a value of false, type:
mkuser su=false davis
- To create the davis user account that is identified and
authenticated through the LDAP load module, type:
mkuser -R LDAP davis
|0||The command is successful.|
|EINVAL||The username argument is not valid (containing characters not valid).|
|EACCES||The invoker does not have write access to the database files.|
|EPERM||The user identification and authentication fails if the -a flag is specified and the invoker is not root.|
|EEXIST||The user already exists.|
|ENAMETOOLONG||The user name is too long.|
|other errno||There are other system errors.|
|/usr/bin/mkuser||Contains the mkuser command.|
|/usr/lib/security/mkuser.default||Contains the default values for new users.|
|/etc/passwd||Contains the basic attributes of users.|
|/etc/security/user||Contains the extended attributes of users.|
|/etc/security/user.roles||Contains the administrative role attributes of users.|
|/etc/security/passwd||Contains password information.|
|/etc/security/limits||Defines resource quotas and limits for each user.|
|/etc/security/environ||Contains the environment attributes of users.|
|/etc/group||Contains the basic attributes of groups.|
|/etc/security/group||Contains the extended attributes of groups.|
|/etc/security/.ids||Contains standard and administrative user IDs and group IDs.|