NAME

mkbks - create BoKS user account

SYNOPSIS

mkbks -l user -g gid -h home directory [-a UNIX] [-u uid] [-F] [-H] [-r name] [-s shell] [-o time limit]
[-b 0/1] [-E date] [-p encrypted password] [-d date] [-A flags] [-D flags] [-j xrole:host/hostgroup]
[-m secondary gid] [-P user class] [-y distinguished name] [-B LDAP domain name | -L LDAP domain index] [-V]
mkbks -I hostgroup
mkbks -l user -a WINLOC -m local windows group [-F] [-H] [-r name] [-K login script] [-O profile path]
[-R description] [-E date] [-d date] [-P user class] [-y distinguished name]
[-B LDAP domain name | -L LDAP domain index] [-V]
mkbks -l user -a WINDOM [-F] [-H] [-r name] [-S user SID] [-W windows domain] [-E date] [-P user class]
[-y distinguished name] [-B LDAP domain name | -L LDAP domain index] [-V]

DESCRIPTION

mkbks creates a BoKS user account. Three types of accounts are supported.

UNIX accounts

BoKS managed user account on a UNIX host. User provisioning, authentication and authorization
are handled by BoKS. By default, user attributes such as password and shell are
synchronized between BoKS and the local attribute storage (/etc/passwd, /etc/shadow etc).
Synchronization of the password can be disabled (see bksdef (1B)). The local password
hash is then set to the invalid hash string '*no login*', which prevents login when BoKS is
deactivated.
If a user is created without setting a password (-p option), the account is blocked and the
password hash is set to '*no login*' until a valid password is set.

Windows local accounts

BoKS managed user account on Windows host. User provisioning is handled by BoKS as
well as authentication and authorization of BoKS controlled Windows services. The user
password in the local password store (SAM database) is kept synchronized with the password
in BoKS.

Windows domain accounts

This account type is used for Windows accounts managed by Active Directory. BoKS
only handles authorization requests for access to BoKS controlled services. User provisioning
and authentication are handled by Active Directory. Windows domain accounts
are normally not created manually in BoKS but rather imported using the BoKS LDAP
synchronization function.

COMMON OPTIONS

-a type
Specifies the account type for the new account. Valid types are:
UNIX Unix account (Default).
WINLOC Windows local account.
WINDOM Windows domain account.
-l user
The BoKS user account name. It consists of a host prefix and a username part separated by a ':'.
The host prefix specifies to which host(s) the account will be provisioned. If the host prefix is the
name of a host group (see hgrpadm(1B)), the account is provisioned to all hosts in the host group
that match the account type. The username part is the local account name that is used to log in to a
host.
The host prefix must follow the rules for valid characters in host/hostgroup names, see hostadm
(1B) and hgrpadm (1B). Valid characters for the username part are by default letters from the ASCII
character set (A-Z, a-z), digits (0-9), hyphen (-) and underscore (_). Fox Technologies also recommends
that the username part starts with a letter and is at most 8 characters long, as this might
be required by some operating systems. The requirements on usernames can be somewhat relaxed
by using the -F option, see below.
If the host prefix specifies an existing host (not a hostgroup), then the account type must match the
host type.
-F
Relax the validation rules for the username part of the BoKS user account name specified by the -l option. The username
part may then contain any character except control characters, white space, colon or comma. Fox
Technologies recommends not using this option unless required by external constraints.

-H
Don’t run any hook program defined in $BOKS_etc/ssm_hook_config.
-r name
The user's full name (comment field). Default is empty.
-E date
The last date on which the user is allowed to log in (account expiry). The default value is set with bksdef (1B).

-P user class
The primary user class that the user is attached to.

-y distinguished name
Set the Distinguished Name for the user. The Distinguished Name should be unique.

-B LDAP domain name
This option is used to set the name of the LDAP domain from which the user was imported when
using the LDAP user synchronization function. The LDAP domain name must already be registered
in BoKS, see ldapdomainadm (1). The LDAP domains are internally referenced by indexes,
and the LDAP domain for a user can be set either by name (option -B) or by index (see option -L
below).
-L LDAP domain index
Set LDAP domain index for user imported by LDAP user synchronization function, see also
option -B above.
-V
The ENV variable OVERLAPPING_ACCOUNT_CHECK (see ENV(4)) can be set to make BoKS
check for overlapping accounts. If checking is turned on, the -V switch can be used to skip this
check when adding a user.

COMMON OPTIONS FOR UNIX AND WINDOWS LOCAL ACCOUNTS

-d date
Date when password expires. The default value is set with bksdef (1B).

UNIX ACCOUNT OPTIONS

-g gid
Primary group. The primary group can be specified as a number, in which case a group with that
number must already exist, or as a name, in which case a group must be uniquely defined by that
name in the BoKS database.
-u uid
User id. By default mkbks creates the user with a unique user id.

-s shell
User login shell. Default is empty (which will be defaulted to /bin/sh at login).

-h home directory
The user's home directory. May be entered as a relative path. The user's home directory is then built by
merging the home prefix defined for the host in question with the relative path. E.g., if the user
sale1:bill is created with the relative path bill and the home prefix for the host sale1 is /home, then
Bill's home directory will be /home/bill.

-D flags
Sets flags for the user. See the man page for modbks(1B).

-A flags
Clears flags for the user. See the man page for modbks(1B).

-o time limit
Timeout value (maximum inactivity time in minutes). The default value is set with bksdef (1B).

-b 0/1
Disable/enable the check that user attributes (uid, gid and shell) from BoKS and the corresponding local
data match. If enabled and a mismatch is detected on platforms where BoKS user attributes cannot
be enforced, the login session will fail. The default value is set with bksdef (1B).
Note that the user attribute check must also be enabled for the login host to take effect, see bksdef
(1B) and hostadm (1B).

-j xrole:host/hostgroup
Assign user to xRole at host or hostgroup. Multiple -j options can be given. The xRole and
host/hostgroup must already be defined. A generic access route for role change using password
authentication will be created.

-m secondary group
Add user to secondary group. Multiple -m options can be given. The secondary group can be
specified as a number, in which case a group with that number must already exist, or as a name, in
which case a group must be uniquely defined by that name.
-p encrypted password
A UNIX crypt encrypted password can be given. This option should only be used to import
already existing local accounts to BoKS. Under normal BoKS administration passwords should be
set using the passwd command. A newly created account is blocked until the password has been
set.
-I hostgroup
Read a passwd entry from stdin and import it to the hosts in hostgroup. If the user already exists in
the hostgroup, there will be an error and the user is not created. However, if the user exists in
another hostgroup, the user will be created and there will be duplicate (possibly conflicting) user
entries.
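
As an added example (not part of this man page or the BoKS product), the following POSIX shell script applies the rules above before an import of existing local accounts: it checks the username part against the default -l character rules and the relaxed -F rules, turns an absolute home directory into the relative -h form when it lies under the host's home prefix, and only passes -p when the shadow hash is usable (a locked or empty hash is left out so BoKS keeps the account blocked until passwd is run). The hostgroup name UNIXHOSTS, the home prefix /home and the passwd/shadow lines are constructed for the example. The script prints the mkbks command line for review; it does not execute mkbks.

```shell
#!/bin/sh
# Added example: build a mkbks import command from a passwd line and its
# shadow line. Not part of BoKS; only prints the command, never runs mkbks.
LC_ALL=C; export LC_ALL

# Default -l rules for the username part: ASCII letters, digits, '-' and
# '_'; additionally starts with a letter and is at most 8 characters long.
valid_user_strict() {
    case "$1" in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
        [!A-Za-z]*)          return 1 ;;
    esac
    [ "${#1}" -le 8 ]
}

# Relaxed -F rules: anything except control characters, white space, ':' or ','.
valid_user_relaxed() {
    [ -n "$1" ] || return 1
    stripped=$(printf '%s' "$1" | tr -d '[:cntrl:][:space:]:,')
    [ "$stripped" = "$1" ]
}

# Usage: mkbks_cmd_for_entry hostgroup passwd_line shadow_line [home_prefix]
# Prints one mkbks command line on stdout, or an error on stderr (status 1).
mkbks_cmd_for_entry() {
    hg=$1
    IFS=: read -r name pwfield uid gid gecos home shell <<EOF
$2
EOF
    IFS=: read -r sname hash rest <<EOF
$3
EOF
    if [ "$name" != "$sname" ]; then
        echo "shadow line is for '$sname', not '$name'" >&2
        return 1
    fi
    if valid_user_strict "$name"; then
        relax=""
    elif valid_user_relaxed "$name"; then
        relax=" -F"      # only acceptable with relaxed validation
    else
        echo "'$name' is not a valid BoKS username even with -F" >&2
        return 1
    fi
    # Relative -h form: BoKS merges it with the host's home prefix.
    if [ -n "$4" ]; then
        case "$home" in "$4"/*) home=${home#"$4"/} ;; esac
    fi
    shellopt=""
    if [ -n "$shell" ]; then
        shellopt=" -s $shell"      # empty shell defaults to /bin/sh at login
    fi
    # Locked ('!...', '*...') or empty hashes are not imported: without -p the
    # account stays blocked ('*no login*') until a password is set with passwd.
    case "$hash" in
        ''|'*'*|'!'*) pwopt="" ;;
        *)            pwopt=" -p '$hash'" ;;
    esac
    printf "mkbks -l %s:%s -a UNIX -u %s -g %s -h %s%s -r '%s'%s%s\n" \
        "$hg" "$name" "$uid" "$gid" "$home" "$shellopt" "$gecos" "$relax" "$pwopt"
}

# Constructed sample input (not real accounts or hashes).
SAMPLE_PASSWD='bill:x:1001:100:Bill Smith:/home/bill:/bin/ksh'
SAMPLE_SHADOW='bill:$6$saltsalt$notarealhash:18000:0:99999:7:::'
LOCKED_PASSWD='bob:x:1002:100:Bob Jones:/srv/home/bob:'
LOCKED_SHADOW='bob:!:18000:0:99999:7:::'
RELAXED_PASSWD='svc.backup:x:1003:100:Backup service:/home/svc.backup:/bin/sh'
RELAXED_SHADOW='svc.backup:*:18000:0:99999:7:::'

mkbks_cmd_for_entry UNIXHOSTS "$SAMPLE_PASSWD"  "$SAMPLE_SHADOW"  /home
mkbks_cmd_for_entry UNIXHOSTS "$LOCKED_PASSWD"  "$LOCKED_SHADOW"
mkbks_cmd_for_entry UNIXHOSTS "$RELAXED_PASSWD" "$RELAXED_SHADOW" /home
```

The shadow hash is passed in single quotes so that a crypt string such as $6$... is not expanded by the shell. The printed command for bill becomes a -p import with the relative home bill; bob's locked hash yields a command without -p, so the account is created blocked; svc.backup fails the default rules (a dot, and longer than 8 characters) and is emitted with -F. For bulk imports, the same passwd line can instead be fed on stdin to mkbks -I hostgroup, with the caveat given above about users that already exist in another hostgroup.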

WINDOWS LOCAL ACCOUNT OPTIONS

-K login script
Windows login script.
-O profile path
Profile path.
-R description
Account description.
-m local windows group
Assign user as member of a local Windows group. Multiple -m options can be given. Use
groupadm -L to display a list of allowed groups. Add custom groups to wingroups.cfg. Custom
groups must be given as a group name, standard Windows groups can be given either as a group
name or as a group SID.

WINDOWS DOMAIN ACCOUNT OPTIONS

-S user SID
Windows Security Identifier (SID) for the domain user. This attribute is needed if the account
should support SSH login to BoKS Client for Windows hosts. The SID value can be either in text
format or base64 encoded binary format.
-W windows domain
Name of the Windows domain the user belongs to.

NOTES

Unless the -H option is given, any ADDUSER program defined in $BOKS_etc/ssm_hook_config will be
executed after a successful user creation.

FILES

/etc/passwd, /etc/shadow, $BOKS_etc/ssm_hook_config

SEE ALSO

modbks(1B), bksdef(1B), hostadm(1B), hgrpadm(1B), groupadm(1B),
ssm_hook_config(4B), ldapdomainadm(1), roleadm(1B), wingroups.cfg(4)

Last Modified On: March 21, 2019