mkbks creates a BoKS user account. Three types of accounts are supported.
BoKS managed user account on UNIX host. User provisioning, authentication and authorization
are handled by BoKS. By default, user attributes such as password, shell, etc. are
synchronized between BoKS and the local attribute storage (/etc/passwd, /etc/shadow, etc.).
hash is then set to an invalid hash string '*no login*', preventing login when BoKS is
If a user is created without setting a password (-p option), the account is blocked and the
password hash is set to '*no login*' until a valid password is set.
BoKS managed user account on Windows host. User provisioning is handled by BoKS as
well as authentication and authorization of BoKS controlled Windows services. The user
password in the local password store (SAM database) is kept synchronized with the password
This account type is used for Windows accounts managed by Active Directory. BoKS
only handles authorization requests for the access to BoKS controlled services. User provisioning
and authentication is handled by Active Directory. Windows domain accounts
are normally not created manually in BoKS but rather imported using the BoKS LDAP
The host prefix specifies to which host(s) the account will be provisioned. If the host prefix is the
that match the account type. The username part is the local account name that is used to log in to a
The host prefix must follow the rules for valid characters in host/hostgroup names, see hostadm(1B)
and hgrpadm(1B). Valid characters for the username part are by default letters from the ASCII
character set (A-Z, a-z), digits (0-9), hyphen (-) and underscore (_). Fox Technologies also recommends
that the username part start with a letter and be at most 8 characters long, as this may
be required by some operating systems. The requirements on usernames can be somewhat relaxed
by using the -F option, see below.
If the host prefix specifies an existing host (not a hostgroup) then the account type must match the
Relax validation rules for the username part of the BoKS user account name specified by the -l option. The
username part may then contain any character except control characters, white space, colon or comma. Fox
Technologies recommends not using this option unless needed by external constraints.
Don't run any hook program defined in $BOKS_etc/ssm_hook_config.
The user's full name (comment field). Default is empty.
User's last login date. The default value is set with bksdef(1B).
-P user class
The primary user class that the user is attached to.
-y distinguished name
Set the Distinguished Name for the user. The Distinguished Name should be unique.
-B LDAP domain name
This option is used to set the name of the LDAP domain from which the user was imported when
using the LDAP user synchronization function. The LDAP domain name must already be registered
in BoKS, see ldapdomainadm(1). The LDAP domains are internally referenced by indexes,
and the LDAP domain for a user can be set either by name (option -B) or by index (see option -L).
-L LDAP domain index
Set LDAP domain index for user imported by LDAP user synchronization function, see also
option -B above.
The ENV variable OVERLAPPING_ACCOUNT_CHECK (See ENV.4) can be set to make BoKS
check for overlapping accounts. If checking is turned on, the -V switch can be used to skip this
check when adding a user.
COMMON OPTIONS FOR UNIX AND WINDOWS LOCAL ACCOUNTS
Date when password expires. The default value is set with bksdef (1B).
UNIX ACCOUNT OPTIONS
Primary group. The primary group can be specified as a number, in which case a group with that
number must already exist, or as a name, in which case a group must be uniquely defined by that
name in the BoKS database.
User id. Default is that mkbks creates the user with a unique user id.
User login shell. Default is empty (which will be defaulted to /bin/sh at login).
-h home directory
User's home directory. May be entered as a relative path. The user's home directory is then built by
merging the home prefix defined for the host in question and the relative path. E.g., if the user
sale1:bill is created with the relative path bill and the home prefix for the host sale1 is /home, then
Bill's home directory will be /home/bill.
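The account name and home directory rules above (the default username character set, the
recommended leading letter and 8-character limit, the relaxed -F rules, and the home prefix
merge) can be checked before an administrator ever calls mkbks. The following is an added
example written for this page, not code from the BoKS product or its manual. The host-prefix
character class and the treatment of an absolute -h path as "used as given" are assumptions;
the authoritative host name rules are in hostadm(1B) and hgrpadm(1B), and the home prefix
table here (sale1 -> /home) is constructed from the man page's own example.

```python
import re

# Added example, not part of the BoKS mkbks man page or product.
# Username rules taken from the man page:
#   default: ASCII letters, digits, '-' and '_'; vendor recommends a leading
#            letter and at most 8 characters
#   with -F: any character except control characters, white space, ':' or ','
# Home directory rule: a relative -h path is joined with the host's home prefix.
# ASSUMPTIONS (not stated on the page): host prefix limited to letters, digits,
# '.', '-' and '_'; an absolute -h path is used unchanged.

DEFAULT_USER_RE = re.compile(r"^[A-Za-z0-9_-]+$")
RECOMMENDED_USER_RE = re.compile(r"^[A-Za-z][A-Za-z0-9_-]{0,7}$")
HOST_RE = re.compile(r"^[A-Za-z0-9._-]+$")  # assumption, see above


def split_account(account):
    """Split 'host:username' at the first colon (host prefixes contain no colon)."""
    if ":" not in account:
        raise ValueError("account name must be host:username")
    host, user = account.split(":", 1)
    if not host or not user:
        raise ValueError("both host prefix and username are required")
    return host, user


def check_username(user, relaxed=False):
    """Return (ok, warnings). relaxed=True corresponds to mkbks -F."""
    warnings = []
    if relaxed:
        bad = [c for c in user
               if c.isspace() or ord(c) < 32 or c == "\x7f" or c in ":,"]
        return not bad, warnings
    if not DEFAULT_USER_RE.match(user):
        return False, warnings
    if not RECOMMENDED_USER_RE.match(user):
        warnings.append("username should start with a letter and be at most 8 characters")
    return True, warnings


def resolve_home(home_prefix, home):
    """Relative -h paths are merged with the host's home prefix; absolute ones are kept (assumption)."""
    if home.startswith("/"):
        return home
    return home_prefix.rstrip("/") + "/" + home


def preflight(account, home, home_prefixes, relaxed=False):
    """Validate one planned mkbks call and return the derived values, or raise ValueError."""
    host, user = split_account(account)
    if not HOST_RE.match(host):
        raise ValueError("host prefix %r has invalid characters" % host)
    ok, warnings = check_username(user, relaxed)
    if not ok:
        raise ValueError("username %r is not allowed%s"
                         % (user, "" if relaxed else " (use -F only if external constraints require it)"))
    if host not in home_prefixes:
        raise ValueError("no home prefix known for host %r" % host)
    return {"host": host, "user": user,
            "home": resolve_home(home_prefixes[host], home),
            "warnings": warnings}


if __name__ == "__main__":
    # constructed sample: host sale1 has home prefix /home, as in the man page example
    prefixes = {"sale1": "/home"}
    print(preflight("sale1:bill", "bill", prefixes))
    print(preflight("sale1:bill.smith", "bill.smith", prefixes, relaxed=True))
```

The warnings list separates the hard rule (what mkbks rejects without -F) from the vendor
recommendation, so a name such as 1longname123 passes the character check but is flagged for
the operating-system limits the page mentions.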
Sets flags for the user. See the man page for modbks(1B).
Clears flags for the user. See the man page for modbks(1B).
-o time limit
Timeout value (maximum inactivity time in minutes). Default value is set with bksdef(1B).
Disable/enable the check whether the user attributes (uid, gid and shell) stored in BoKS match the
corresponding local data. If enabled and a mismatch is detected on a platform where BoKS user
attributes cannot be enforced, the login session fails. Default value is set with bksdef(1B).
Note that the user attribute check must also be enabled for the login host to take effect, see
bksdef(1B) and hostadm(1B).
Assign user to xRole at host or hostgroup. Multiple -j options can be given. The xRole and
host/hostgroup must already be defined. A generic access route for role change using password
authentication will be created.
-m secondary group
Add user to secondary group. Multiple -m options can be given. The secondary group can be
specified as a number, in which case a group with that number must already exist, or as a name, in
which case a group must be uniquely defined by that name.
-p encrypted password
A UNIX crypt encrypted password can be given. This option should only be used to import
already existing local accounts to BoKS. Under normal BoKS administration passwords should be
set using the passwd command. A newly created account is blocked until the password has been
Read a passwd entry from stdin and import it to the hosts in hostgroup. If the user already exists in
the hostgroup there will be an error and the user is not created. However if the user exists in
another hostgroup the user will be created and there will be duplicate (possibly conflicting) user
WINDOWS LOCAL ACCOUNT OPTIONS
-K login script
Windows login script.
-O profile path
-m local windows group
Assign user as member of a local Windows group. Multiple -m options can be given. Use
groupadm -L to display a list of allowed groups. Add custom groups to wingroups.cfg. Custom
groups must be given as a group name, standard Windows groups can be given either as a group
name or as a group SID.
WINDOWS DOMAIN ACCOUNT OPTIONS
-S user SID
Windows Security Identifier (SID) for the domain user. This attribute is needed if the account
should support SSH login to BoKS Client for Windows hosts. The SID value can be either in text
format or base64 encoded binary format.
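The -S option accepts the SID either as text ("S-1-5-21-...") or as the base64 encoding of the
binary SID. The following added example, written for this page and not part of BoKS, converts
between the two so an administrator can verify that the value about to be stored matches the
account's SID in either form. It implements the standard Windows binary SID layout (revision
byte, sub-authority count, 48-bit big-endian identifier authority, then 32-bit little-endian
sub-authorities); the sample SIDs in the test are constructed values.

```python
import base64
import struct

# Added example, not part of the BoKS man page or product.
# Binary SID layout (Windows SID structure):
#   byte 0      revision (always 1)
#   byte 1      number of sub-authorities, N (at most 15)
#   bytes 2..7  48-bit identifier authority, big-endian
#   then N x 4  sub-authorities, each an unsigned 32-bit little-endian integer


def sid_text_to_bytes(sid):
    """Parse 'S-1-<authority>-<sub>...' into the binary SID structure."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0].upper() != "S":
        raise ValueError("SID must look like S-<revision>-<authority>[-<subauth>...]")
    revision = int(parts[1])
    authority = int(parts[2])
    subauths = [int(p) for p in parts[3:]]
    if revision != 1 or not 0 <= authority < 2 ** 48 or len(subauths) > 15:
        raise ValueError("SID field out of range")
    if any(not 0 <= s < 2 ** 32 for s in subauths):
        raise ValueError("sub-authority out of range")
    return (bytes([revision, len(subauths)])
            + authority.to_bytes(6, "big")
            + b"".join(struct.pack("<I", s) for s in subauths))


def sid_bytes_to_text(raw):
    """Render a binary SID structure as 'S-1-...' text, rejecting malformed input."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed binary SID")
    authority = int.from_bytes(raw[2:8], "big")
    subauths = struct.unpack("<%dI" % count, raw[8:]) if count else ()
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subauths)


def sid_to_base64(sid):
    """Text SID -> base64 of the binary structure (the second form -S accepts)."""
    return base64.b64encode(sid_text_to_bytes(sid)).decode("ascii")


def sid_from_base64(b64):
    """base64 binary SID -> text SID; strict decoding so stray characters are rejected."""
    return sid_bytes_to_text(base64.b64decode(b64, validate=True))


def normalize_sid(value):
    """Accept either representation and return canonical text form."""
    if value.upper().startswith("S-"):
        return sid_bytes_to_text(sid_text_to_bytes(value))  # validates and normalizes
    return sid_from_base64(value)


if __name__ == "__main__":
    # constructed sample: the well-known "Everyone" SID and a domain-style SID
    for s in ("S-1-1-0", "S-1-5-21-3623811015-3361044348-30300820-1013"):
        b64 = sid_to_base64(s)
        print(s, "->", b64, "->", sid_from_base64(b64))
```

Because normalize_sid() re-encodes and decodes a textual SID, leading zeros or an out-of-range
sub-authority in a hand-typed value are caught before the value reaches mkbks.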
-W windows domain
Name of the Windows domain the user belongs to.
Unless the -H option is given, any ADDUSER program defined in $BOKS_etc/ssm_hook_config will be
executed after a successful user creation.
/etc/passwd, /etc/shadow, $BOKS_etc/ssm_hook_config
modbks(1B), bksdef(1B), hostadm(1B), hgrpadm(1B), groupadm(1B),
ssm_hook_config(4B), ldapdomainadm(1), roleadm(1B), wingroups.cfg(4)