mkuser Command

Purpose

Creates a new user account.

Syntax

mkuser [ -R load_module ] [-a ] [ Attribute=Value ... ] Name

Description

The mkuser command creates a new user account. The Name parameter must be a unique string (whose length is administrator-configurable using the chdev command) . You cannot use the ALL or default keywords in the user name. By default, the mkuser command creates a standard user account. To create an administrative user account, specify the -a flag.

To create a user with an alternate Identification and Authentication (I&A) mechanism, you can use the -R flag to specify the I&A load module. If you create users without the -R flag, you create the users locally. Load modules are defined in the /usr/lib/security/methods.cfg file.

The mkuser command does not create password information for a user. It initializes the password field with an * (asterisk). Later, this field is set with the passwd or pwdadm command. New accounts are disabled until the passwd or pwdadm commands are used to add authentication information to the /etc/security/passwd file.

You can use the Users application in Web-based System Manager to change user characteristics. You can also use the System Management Interface Tool (SMIT) smit mkuser fast path to run this command.

The mkuser command always checks the target user registry to make sure the ID for the new account is unique to the target registry. You can also configure the mkuser command to check all user registries of the system using the dist_uniqid system attribute. The dist_uniqid system attribute is an attribute of the usw stanza of the /etc/security/login.cfg file, and can be managed using the chsec command.

The dist_uniqid system attribute has the following values:

never - Does not check for ID collision against the non-target registries. This is the default setting.
always - Checks for ID collision against all other registries. If collision is detected between the target registry and any other registry account creation or modification fails.
uniqbyname - Checks for ID collision against all other registries. Collision between registries is allowed only if the account to be created has the same name as the existing account.

Note: ID collision detection in the target registry is always enforced regardless of the dist_uniqid system attribute.

The uniqbyname system attribute setting works well against two registries. With more than two registries, and with ID collision already existing between two registries, the behavior of the mkuser command is unspecified when creating a new account in a third registry using colliding ID values. The new account creation might succeed or fail depending the order in which the registries are checked.

The check for ID collision only enforces ID uniqueness between the local registry and remote registries or between remote registries. There is no guarantee of ID uniqueness between the newly created account on the remote registry and existing local users on other systems that make use of the same remote registry. The mkuser command bypasses a remote registry if the remote registry is not reachable at the time the command is run.

See the section "Administering a PowerHA® cluster" in the PowerHA SystemMirror Administration Guide, 7.1 or later, for a discussion of the behavior of this command in a PowerHA cluster.

Restrictions on Creating User Names

To prevent login inconsistencies, you should avoid composing user names entirely of uppercase alphabetic characters. While the mkuser command supports multi-byte user names, it is recommended that you restrict user names to characters with the POSIX portable filename character set.

To ensure that your user database remains uncorrupted, you must be careful when naming users. User names must not begin with a - (dash), + (plus sign), @ (at sign), or ~ (tilde). You cannot use the keywords ALL or default in a user name. Additionally, do not use any of the following characters within a user-name string:

Item	Description
:	Colon
"	Double quote
#	Pound sign
,	Comma
=	Equal sign
\	Back slash
/	Slash
?	Question mark
'	Single quote
`	Back quote

Finally, the Name parameter cannot contain any space, tab, or new-line characters.

Flags

Item	Description
-a	Specifies that the user is an administrator. Only the root user can use this flag or alter the attributes of an administrative user.
username	Specifies that the user is a new user.
-R load_module	Specifies the loadable I&A module used to create the user.

Parameters

Item	Description
Attribute=Value	Initializes a user attribute. Refer to the chuser command for the valid attributes and values.
Name	Specifies a unique string. The length of this string is set by an administrator by using the chdev command.

Exit Status

This command returns the following exit values:

Item	Description
0	The command runs successfully and all requested changes are made.
>0	An error occurred. The printed error message lists further details about the type of failure.

Security

Access Control: This command should grant execute (x) access only to the root user and members of the security group. This command should be installed as a program in the trusted computing base (TCB). The command should be owned by the root user with the setuid (SUID) bit set.

Attention RBAC users and Trusted AIX users: This command can perform privileged operations. Only privileged users can run privileged operations. For more information about authorizations and privileges, see Privileged Command Database in AIX® Version 7.1 Security. For a list of privileges and the authorizations associated with this command, see the lssecattr command or the getcmdattr subcommand.

To get the full functionality of the command, besides the accessauths, the role should also have the following authorizations:

aix.security.user.audit
aix.security.role.assign
aix.security.group.change
aix.security.user.change

Files Accessed:

Mode	File
rw	/etc/passwd
rw	/etc/security/user
rw	/etc/security/user.roles
rw	/etc/security/limits
rw	/etc/security/environ
rw	/etc/group
rw	/etc/security/group
r	/usr/lib/security/mkuser.default
x	/usr/lib/security/mkuser.sys

Auditing Events:

Event	Information
USER_Create	user

Limitations

Creating a user may not be supported by all loadable I&A modules. If the loadable I&A module does not support creating a user, an error is reported.

Examples

To create the davis user account with the default values in the /usr/lib/security/mkuser.default file, type:
```
mkuser davis
```
To create the davis account with davis as an administrator, type:
```
mkuser -a davis
```
Only the root user or users with the UserAdmin authorization can create davis as an administrative user.
To create the davis user account and set the su attribute to a value of false, type:
```
mkuser su=false davis
```
To create the davis user account that is identified and authenticated through the LDAP load module, type:
```
mkuser -R LDAP davis
```

Error Codes

Item	Description
0	The command is successful.
EINVAL	The username argument is not valid (containing characters not valid).
EACCES	The invoker does not have write access to the database files.
EPERM	The user identification and authentication fails if the -a flag is specified and the invoker is not root.
EEXIST	The user already exists.
ENAMETOOLONG	The user name is too long.
other errno	There are other system errors.

Files

Item	Description
/usr/bin/mkuser	Contains the mkuser command.
/usr/lib/security/mkuser.default	Contains the default values for new users.
/etc/passwd	Contains the basic attributes of users.
/etc/security/user	Contains the extended attributes of users.
/etc/security/user.roles	Contains the administrative role attributes of users.
/etc/security/passwd	Contains password information.
/etc/security/limits	Defines resource quotas and limits for each user.
/etc/security/environ	Contains the environment attributes of users.
/etc/group	Contains the basic attributes of groups.
/etc/security/group	Contains the extended attributes of groups.
/etc/security/.ids	Contains standard and administrative user IDs and group IDs.