<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter&nbsp;10.&nbsp;Account Information Databases</title><link rel="stylesheet" href="samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.64.1"><link rel="home" href="index.html" title="The Official Samba-3 HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part&nbsp;III.&nbsp;Advanced Configuration"><link rel="previous" href="NetworkBrowsing.html" title="Chapter&nbsp;9.&nbsp;Network Browsing"><link rel="next" href="groupmapping.html" title="Chapter&nbsp;11.&nbsp;Group Mapping MS Windows and UNIX"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter&nbsp;10.&nbsp;Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a>&nbsp;</td><th width="60%" align="center">Part&nbsp;III.&nbsp;Advanced Configuration</th><td width="20%" align="right">&nbsp;<a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter&nbsp;10.&nbsp;Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jht@samba.org">jht@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:jra@samba.org">jra@samba.org</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span><div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:gd@suse.de">gd@suse.de</a>&gt;</tt></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><tt class="email">&lt;<a href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</tt></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div><div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="passdb.html#id2531605">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2531644">Backward Compatibility Backends</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2531778">New Backends</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2532121">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2532332">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2552383">Regarding LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2532630">The smbpasswd Command</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The pdbedit Command</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id2533132">Password Backends</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2533183">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2533217">smbpasswd Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2533321">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2533366">ldapsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2535238">MySQL</a></span></dt><dt><span class="sect2"><a href="passdb.html#XMLpassdb">XML</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id2536247">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2536253">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2536287">Users Being Added to the Wrong Backend Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2536382">Configuration of auth methods</a></span></dt></dl></dd></dl></div><p>
Samba-3 implements a new capability to work concurrently with multiple account backends.
The possible new combinations of password backends allow Samba-3 a degree of flexibility
and scalability that previously could be achieved only with MS Windows Active Directory.
This chapter describes the new functionality and how to get the most out of it.
</p><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2531605"></a>Features and Benefits</h2></div></div><div></div></div><p>
Samba-3 provides for complete backward compatibility with Samba-2.2.x functionality
<a class="indexterm" name="id2531615"></a>
<a class="indexterm" name="id2531624"></a>
<a class="indexterm" name="id2531633"></a>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2531644"></a>Backward Compatibility Backends</h3></div></div><div></div></div><div class="variablelist"><dl><dt><span class="term">Plain Text</span></dt><dd><p>
This isn't really a backend at all, but is listed here for simplicity. Samba can be
configured to pass plaintext authentication requests to the traditional UNIX/Linux
<tt class="filename">/etc/passwd</tt> and <tt class="filename">/etc/shadow</tt>
style subsystems. On systems that have Pluggable Authentication Modules (PAM)
support, all PAM modules are supported. The behavior is just as it was with
Samba-2.2.x, and the protocol limitations imposed by MS Windows clients
apply likewise. Please refer to <a href="passdb.html#passdbtech" title="Technical Information">Technical Information</a> for more information
This option is provided primarily as a migration tool, although there is
no reason to force migration at this time. This tool will eventually
</p></dd></dl></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2531778"></a>New Backends</h3></div></div><div></div></div><p>
Samba-3 introduces a number of new password backend capabilities.
<a class="indexterm" name="id2531740"></a>
<a class="indexterm" name="id2531749"></a>
<a class="indexterm" name="id2531759"></a>
<a class="indexterm" name="id2531768"></a>
</p><div class="variablelist"><dl><dt><span class="term">tdbsam</span></dt><dd><p>
This backend provides a rich database backend for local servers. This
backend is not suitable for multiple Domain Controller (i.e., PDC + one
or more BDCs) installations.
In addition to differently encrypted passwords, Windows also stores certain data for each
user that is not stored in a UNIX user database. For example, workstations the user may log on from,
the location where the user's profile is stored, and so on. Samba retrieves and stores this
information using a <a class="indexterm" name="id2531980"></a>passdb backend. Commonly available backends are LDAP, plain text
file, and MySQL. For more information, see the man page for <tt class="filename">smb.conf</tt> regarding the
<a class="indexterm" name="id2531995"></a>passdb backend parameter.
</p><div class="figure"><a name="idmap-sid2uid"></a><p class="title"><b>Figure&nbsp;10.1.&nbsp;IDMAP: Resolution of SIDs to UIDs.</b></p><div class="mediaobject"><img src="images/idmap-sid2uid.png" width="270" alt="IDMAP: Resolution of SIDs to UIDs."></div></div><p>
<a class="indexterm" name="id2532049"></a>
The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd is not running, or cannot
be contacted, then only local SID/UID resolution is possible. See the <a href="passdb.html#idmap-sid2uid" title="Figure&nbsp;10.1.&nbsp;IDMAP: Resolution of SIDs to UIDs.">resolution of SIDs to UIDs</a> and
<a href="passdb.html#idmap-uid2sid" title="Figure&nbsp;10.2.&nbsp;IDMAP: Resolution of UIDs to SIDs.">resolution of UIDs to SIDs</a> diagrams.
</p><div class="figure"><a name="idmap-uid2sid"></a><p class="title"><b>Figure&nbsp;10.2.&nbsp;IDMAP: Resolution of UIDs to SIDs.</b></p><div class="mediaobject"><img src="images/idmap-uid2sid.png" width="270" alt="IDMAP: Resolution of UIDs to SIDs."></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2532121"></a>Important Notes About Security</h3></div></div><div></div></div><p>
The UNIX and SMB password encryption techniques seem similar on the surface. This
similarity is, however, only skin deep. The UNIX scheme typically sends clear-text
passwords over the network when logging in. This is bad. The SMB encryption scheme
only things you can do to stop this is to use SMB encryption.
</p></li><li><p>Encrypted password support allows automatic share
(resource) reconnects.</p></li><li><p>Encrypted passwords are essential for PDC/BDC
operation.</p></li></ul></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2532302"></a>Advantages of Non-Encrypted Passwords</h4></div></div><div></div></div><div class="itemizedlist"><ul type="disc"><li><p>Plaintext passwords are not kept
on disk, and are not cached in memory. </p></li><li><p>Uses the same password file as other UNIX
services such as Login and FTP.</p></li><li><p>Other services (such as Telnet and FTP) already
send plaintext passwords over the network, so sending them for SMB
is not such a big deal.</p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2532332"></a>Mapping User Identifiers between MS Windows and UNIX</h3></div></div><div></div></div><p>
Every operation in UNIX/Linux requires a user identifier (UID), just as in
MS Windows NT4/200x it requires a Security Identifier (SID). Samba provides
two means for mapping an MS Windows user to a UNIX/Linux UID.
</p><p>
First, all Samba SAM (Security Account Manager database) accounts require
a UNIX/Linux UID that the account will map to. As users are added to the account
information database, Samba will call the <a class="indexterm" name="id2532351"></a>add user script
interface to add the account to the Samba host OS. In essence, all accounts in
the local SAM require a local user account.
</p><p>
<a class="indexterm" name="id2532363"></a>
<a class="indexterm" name="id2532370"></a>
The second way to effect Windows SID to UNIX UID mapping is via the
<span class="emphasis"><em>idmap uid</em></span> and <span class="emphasis"><em>idmap gid</em></span> parameters in <tt class="filename">smb.conf</tt>.
Please refer to the man page for information about these parameters.
These parameters are essential when mapping users from a remote SAM server.
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="idmapbackend"></a>Mapping Common UIDs/GIDs on Distributed Machines</h3></div></div><div></div></div><p>
Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
on all servers in a distributed network. A distributed network is one where there exists
a PDC, one or more BDCs and/or one or more Domain Member servers. Why is this important?
This is important if files are being shared over more than one protocol (e.g., NFS) and where
users are copying files across UNIX/Linux systems using tools such as <span><b class="command">rsync</b></span>.
</p><p>
<a class="indexterm" name="id2532425"></a>
The special facility is enabled using a parameter called <i class="parameter"><tt>idmap backend</tt></i>.
The default setting for this parameter is an empty string. Technically it is possible to use
an LDAP-based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
network configurations that also use LDAP for the SAM backend. The following
<a href="passdb.html#idmapbackendexample" title="Example&nbsp;10.1.&nbsp;Example configuration with the LDAP idmap backend">example</a> shows this.
</p><p>
<a class="indexterm" name="id2532455"></a>
</p><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example&nbsp;10.1.&nbsp;Example configuration with the LDAP idmap backend</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2532497"></a><i class="parameter"><tt>
idmap backend = ldap:ldap://ldap-server.quenya.org:636</tt></i></td></tr><tr><td># Alternately, this could be specified as:</td></tr><tr><td><a class="indexterm" name="id2532518"></a><i class="parameter"><tt>
idmap backend = ldap:ldaps://ldap-server.quenya.org</tt></i></td></tr></table></div><p>
system access authentication.
</p></li><li><p>
<span class="emphasis"><em>idmap_ad:</em></span> An IDMAP backend that supports the Microsoft Services for
UNIX RFC 2307 schema available from the PADL web
<a href="http://www.padl.com/download/xad_oss_plugins.tar.gz" target="_top">site</a>.
</p></li></ul></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2552383"></a>Regarding LDAP Directories and Windows Computer Accounts</h3></div></div></div><p>
Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and configuration
of an LDAP directory prior to integration with Samba. A working knowledge of LDAP makes Samba integration
easy, and the lack of a working knowledge of LDAP can make it a frustrating experience.
</p><p>
Computer (machine) accounts can be placed wherever you like in an LDAP directory, subject to some
constraints that are described in this chapter.
</p><p>
The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinguishable from each other, except that
the machine account name ends in a '$' character, as do trust accounts.
</p><p>
The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX uid
is a design decision that was made a long way back in the history of Samba development. It is
unlikely that this decision will be reversed or changed during the remaining life of the
</p><p>
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
must refer back to the host operating system on which Samba is running. The Name Service
Switch (NSS) is the preferred mechanism that shields applications (like Samba) from the
need to know everything about every host OS it runs on.
</p><p>
Samba asks the host OS to provide a UID via the “<span class="quote"><span class="emphasis"><em>passwd</em></span></span>”, “<span class="quote"><span class="emphasis"><em>shadow</em></span></span>”
and “<span class="quote"><span class="emphasis"><em>group</em></span></span>” facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
Samba. Samba provides winbindd together with its support libraries as one method. It is
possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
</p><p>
For many, the weapon of choice is the PADL nss_ldap utility. This utility must
be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That
is fundamentally an LDAP design question. The information provided on the Samba list and
in the documentation is directed at providing working examples only. The design
of an LDAP directory is a complex subject that is beyond the scope of this documentation.
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="acctmgmttools"></a>Account Management Tools</h2></div></div></div><p>
<a class="indexterm" name="id2552481"></a>
Samba provides two tools for management of user and machine accounts. These tools are
called <span><b class="command">smbpasswd</b></span> and <span><b class="command">pdbedit</b></span>.
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2532630"></a>The <span class="emphasis"><em>smbpasswd</em></span> Command</h3></div></div><div></div></div><p>
The smbpasswd utility is similar to the <span><b class="command">passwd</b></span>
or <span><b class="command">yppasswd</b></span> programs. It maintains the two 32-byte password
fields in the passdb backend.
For more details on using <span><b class="command">smbpasswd</b></span>, refer to the man page (the
definitive reference).
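The record layout that smbpasswd maintains, audited in Python as an added example (this is not Samba code): it parses the two 32-byte LM/NT hash fields, the account flags and the LCT last-change time of each smbpasswd(5) record, and checks every account against the rule stated earlier in this chapter that each SAM account, machine accounts whose names end in '$' included, must resolve to a UNIX UID through NSS. The field layout is taken from the smbpasswd(5) man page; the sample file and the NSS table are constructed, and on a real host the default resolver calls pwd.getpwnam.

```python
import pwd
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# One smbpasswd(5) record (layout assumed from the smbpasswd(5) man page):
#   username:uid:LM_HASH:NT_HASH:[account flags]:LCT-<hex seconds>:
# LM_HASH and NT_HASH are the two 32-byte fields maintained by smbpasswd.
HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
NO_PASSWORD = "NO PASSWORD".ljust(32, "X")   # hash field of an account with no password
FLAGS_RE = re.compile(r"\[([A-Za-z ]*)\]")     # e.g. "[U          ]" or "[W          ]"

@dataclass
class SmbRecord:
    username: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: str                   # letters inside [...], spaces removed: "U", "W", "UN", ...
    last_change: Optional[int]   # LCT value (seconds since the epoch), if present

def parse_line(line: str) -> Optional[SmbRecord]:
    """Parse one smbpasswd record; return None for blank and comment lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 6:
        raise ValueError(f"malformed record, expected 6 colon-separated fields: {line!r}")
    user, uid, lm, nt, flagfield, lct = parts[:6]
    for name, value in (("LM", lm), ("NT", nt)):
        if len(value) != 32:
            raise ValueError(f"{user}: {name} field must be 32 bytes, got {len(value)}")
    m = FLAGS_RE.fullmatch(flagfield)
    if m is None:
        raise ValueError(f"{user}: bad account-flags field {flagfield!r}")
    last_change = int(lct[4:], 16) if lct.startswith("LCT-") else None
    return SmbRecord(user, int(uid), lm, nt, m.group(1).replace(" ", ""), last_change)

def _nss_lookup(name: str) -> Optional[int]:
    """Default resolver: ask the host's NSS (passwd, LDAP, winbind, ...) for the UID."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit(lines: List[str],
          resolve_uid: Optional[Callable[[str], Optional[int]]] = None) -> Dict[str, List[str]]:
    """Return {username: [findings]} for every record that needs attention."""
    resolve_uid = resolve_uid or _nss_lookup
    findings: Dict[str, List[str]] = {}
    for raw in lines:
        rec = parse_line(raw)
        if rec is None:
            continue
        notes: List[str] = []
        # Machine and trust accounts end in '$' and carry a trust flag (W, S or I).
        is_machine = rec.username.endswith("$")
        if is_machine and not set(rec.flags) & {"W", "S", "I"}:
            notes.append("'$' account without W/S/I trust flag")
        if not is_machine and "U" not in rec.flags:
            notes.append("user account without U flag")
        if "N" in rec.flags or NO_PASSWORD in (rec.lm_hash, rec.nt_hash):
            notes.append("no password set (N flag / NO PASSWORD hash)")
        if HEX32.match(rec.lm_hash):
            notes.append("LM hash stored (legacy LanMan hash)")
        # The chapter's rule: every SAM account must map to a UNIX account.
        host_uid = resolve_uid(rec.username)
        if host_uid is None:
            notes.append("no UNIX account resolvable via NSS")
        elif host_uid != rec.uid:
            notes.append(f"uid {rec.uid} in smbpasswd differs from NSS uid {host_uid}")
        if notes:
            findings[rec.username] = notes
    return findings

# Constructed sample file; the hashes are arbitrary hex, not real credentials.
SAMPLE_SMBPASSWD = """\
# constructed smbpasswd(5) sample
jsmith:1001:A1B2C3D4E5F60718293A4B5C6D7E8F90:0123456789ABCDEF0123456789ABCDEF:[U          ]:LCT-3F5A1B2C:
svc_backup:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-3F5A1B2D:
guestacct:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[UN         ]:LCT-3F5A1B2E:
ws01$:1010:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:00112233445566778899AABBCCDDEEFF:[W          ]:LCT-3F5A1B2F:
ws02$:1011:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:FFEEDDCCBBAA99887766554433221100:[U          ]:LCT-3F5A1B30:
"""

# Constructed stand-in for the host's NSS passwd database (assumed values).
FAKE_NSS = {"jsmith": 1001, "svc_backup": 2002, "ws01$": 1010, "ws02$": 1011}

def demo() -> Dict[str, List[str]]:
    """Audit the constructed sample against the constructed NSS table."""
    return audit(SAMPLE_SMBPASSWD.splitlines(), FAKE_NSS.get)

if __name__ == "__main__":
    for user, notes in demo().items():
        print(f"{user}: {'; '.join(notes)}")
```

Run against a real file with `audit(open("/etc/samba/smbpasswd").read().splitlines())` to use the host's own NSS; the `ws02$` record shows the case the chapter warns about, a machine account whose flags say it is an ordinary user.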
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="pdbeditthing"></a>The <span class="emphasis"><em>pdbedit</em></span> Command</h3></div></div><div></div></div><p>
<a class="indexterm" name="id2532902"></a>
<span><b class="command">pdbedit</b></span> is a tool that can be used only by root. It is used to
manage the passdb backend. <span><b class="command">pdbedit</b></span> can be used to:
<a class="indexterm" name="id2532922"></a>
<a class="indexterm" name="id2532929"></a>
</p><div class="itemizedlist"><ul type="disc"><li><p>add, remove or modify user accounts.</p></li><li><p>list user accounts.</p></li><li><p>migrate user accounts.</p></li></ul></div><p>
<a class="indexterm" name="id2532960"></a>
The <span><b class="command">pdbedit</b></span> tool is the only one that can manage the account
security and policy settings. It is capable of all operations that smbpasswd can
do, as well as a superset of them.
</p><p>
<a class="indexterm" name="id2532979"></a>
One particularly important purpose of <span><b class="command">pdbedit</b></span> is to allow
the migration of account information from one passdb backend to another. See the
<a href="passdb.html#XMLpassdb" title="XML">XML</a> password backend section of this chapter.
It is possible to specify not only multiple different password backends, but even multiple
backends of the same type. For example, to use two different tdbsam databases:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2533158"></a><i class="parameter"><tt>
passdb backend = tdbsam:/etc/samba/passdb.tdb tdbsam:/etc/samba/old-passdb.tdb</tt></i></td></tr></table><p>
</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2533183"></a>Plaintext</h3></div></div><div></div></div><p>
339
381
Older versions of Samba retrieved user information from the UNIX user database
340
382
and eventually some other fields from the file <tt class="filename">/etc/samba/smbpasswd</tt>
341
383
or <tt class="filename">/etc/smbpasswd</tt>. When password encryption is disabled, no
342
384
SMB specific data is stored at all. Instead all operations are conducted via the way
343
385
that the Samba host OS will access its <tt class="filename">/etc/passwd</tt> database.
344
386
Linux systems For example, all operations are done via PAM.
345
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2533217"></a>smbpasswd Encrypted Password Database</h3></div></div><div></div></div><p>
346
<a class="indexterm" name="id2533228"></a>
347
Traditionally, when configuring <a class="indexterm" name="id2533238"></a>encrypt passwords = yes in Samba's <tt class="filename">smb.conf</tt> file, user account
information such as username, LM/NT password hashes, password change times, and account
flags have been stored in the <tt class="filename">smbpasswd(5)</tt> file. There are several
disadvantages to this approach for sites with large numbers of users (counted
</p><div class="itemizedlist"><ul type="disc"><li><p>The <a href="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html" target="_top">Samba-PDC-LDAP-HOWTO</a>
maintained by Ignacio Coupeau.</p></li><li><p>The NT migration scripts from <a href="http://samba.idealx.org/" target="_top">IDEALX</a> that are
geared to manage users and groups in such a Samba-LDAP Domain Controller configuration.
</p></li></ul></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2533488"></a>Supported LDAP Servers</h4></div></div><div></div></div><p>
The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
client libraries. The same code should work with Netscape's Directory Server and client SDK.
However, there are bound to be compile errors and bugs. These should not be hard to fix.
Please submit fixes via the process outlined in the <a href="bugreport.html" title="Chapter 35. Reporting Bugs">Reporting Bugs</a> chapter.
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2533511"></a>Schema and Relationship to the RFC 2307 posixAccount</h4></div></div><div></div></div><p>
Samba-3.0 includes the necessary schema file for OpenLDAP 2.0 in
<tt class="filename">examples/LDAP/samba.schema</tt>. The sambaSamAccount ObjectClass is given here:
</p><pre class="screen">
<tt class="prompt">root# </tt><b class="userinput"><tt>smbpasswd -w <i class="replaceable"><tt>secret</tt></i></tt></b>
</pre><p>
</p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2533926"></a>Configuring Samba</h4></div></div><div></div></div><p>
The following parameters are available in smb.conf only if your
version of Samba was built with LDAP support. Samba automatically builds with LDAP support if the
LDAP libraries are found.
</p><p>LDAP related smb.conf options:
<a class="indexterm" name="id2533941"></a>passdb backend = ldapsam:url,
<a class="indexterm" name="id2533948"></a>ldap admin dn,
<a class="indexterm" name="id2533956"></a>ldap delete dn,
<a class="indexterm" name="id2533963"></a>ldap filter,
<a class="indexterm" name="id2533970"></a>ldap group suffix,
<a class="indexterm" name="id2533978"></a>ldap idmap suffix,
<a class="indexterm" name="id2533985"></a>ldap machine suffix,
<a class="indexterm" name="id2533993"></a>ldap passwd sync,
<a class="indexterm" name="id2534000"></a>ldap ssl,
<a class="indexterm" name="id2534007"></a>ldap suffix,
<a class="indexterm" name="id2534015"></a>ldap user suffix,
These are described in the <tt class="filename">smb.conf</tt> man
page and so will not be repeated here. However, a <a href="passdb.html#confldapex" title="Example 10.2. Configuration with LDAP">sample <tt class="filename">smb.conf</tt> file</a> for
use with an LDAP directory could appear as shown below.
</p><div class="example"><a name="confldapex"></a><p class="title"><b>Example 10.2. Configuration with LDAP</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2534073"></a><i class="parameter"><tt>
security = user</tt></i></td></tr><tr><td><a class="indexterm" name="id2534089"></a><i class="parameter"><tt>
encrypt passwords = yes</tt></i></td></tr><tr><td><a class="indexterm" name="id2534105"></a><i class="parameter"><tt>
netbios name = MORIA</tt></i></td></tr><tr><td><a class="indexterm" name="id2534121"></a><i class="parameter"><tt>
workgroup = NOLDOR</tt></i></td></tr><tr><td># ldap related parameters</td></tr><tr><td># define the DN to use when binding to the directory servers</td></tr><tr><td># The password for this DN is not stored in smb.conf. Rather it</td></tr><tr><td># must be set by using 'smbpasswd -w <i class="replaceable"><tt>secretpw</tt></i>' to store the</td></tr><tr><td># passphrase in the secrets.tdb file. If the "ldap admin dn" values</td></tr><tr><td># change, this password will need to be reset.</td></tr><tr><td><a class="indexterm" name="id2534183"></a><i class="parameter"><tt>
ldap admin dn = "cn=Manager,dc=quenya,dc=org"</tt></i></td></tr><tr><td># Define the SSL option when connecting to the directory</td></tr><tr><td># ('off', 'start tls', or 'on' (default))</td></tr><tr><td><a class="indexterm" name="id2534213"></a><i class="parameter"><tt>
ldap ssl = start tls</tt></i></td></tr><tr><td># syntax: passdb backend = ldapsam:ldap://server-name[:port]</td></tr><tr><td><a class="indexterm" name="id2534236"></a><i class="parameter"><tt>
passdb backend = ldapsam:ldap://frodo.quenya.org</tt></i></td></tr><tr><td># smbpasswd -x delete the entire dn-entry</td></tr><tr><td><a class="indexterm" name="id2534259"></a><i class="parameter"><tt>
ldap delete dn = no</tt></i></td></tr><tr><td># the machine and user suffix added to the base suffix</td></tr><tr><td># wrote WITHOUT quotes. NULL suffixes by default</td></tr><tr><td><a class="indexterm" name="id2534289"></a><i class="parameter"><tt>
ldap user suffix = ou=People</tt></i></td></tr><tr><td><a class="indexterm" name="id2534304"></a><i class="parameter"><tt>
ldap group suffix = ou=Groups</tt></i></td></tr><tr><td><a class="indexterm" name="id2534320"></a><i class="parameter"><tt>
ldap machine suffix = ou=Computers</tt></i></td></tr><tr><td># Trust UNIX account information in LDAP</td></tr><tr><td># (see the smb.conf man page for details)</td></tr><tr><td># specify the base DN to use when searching the directory</td></tr><tr><td><a class="indexterm" name="id2534357"></a><i class="parameter"><tt>
ldap suffix = dc=quenya,dc=org</tt></i></td></tr><tr><td># generally the default ldap search filter is ok</td></tr><tr><td><a class="indexterm" name="id2534380"></a><i class="parameter"><tt>
ldap filter = (uid=%u)</tt></i></td></tr></table></div><p>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2534397"></a>Accounts and Groups Management</h4></div></div><div></div></div><p>
<a class="indexterm" name="id2534406"></a>
<a class="indexterm" name="id2534412"></a>
As user accounts are managed through the sambaSamAccount objectclass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
on the details of LM/NT password hashes, refer to the
<a href="passdb.html" title="Chapter 10. Account Information Databases">Account Information Database</a> section of this chapter.
To remedy the first security issue, the <a class="indexterm" name="id2534515"></a>ldap ssl <tt class="filename">smb.conf</tt> parameter defaults
to require an encrypted session (<a class="indexterm" name="id2534528"></a>ldap ssl = on) using
the default port of <tt class="constant">636</tt>
when contacting the directory server. When using an OpenLDAP server, it
is possible to use the StartTLS LDAP extended operation in the place of
LDAPS. In either case, you are strongly discouraged from disabling this security
(<a class="indexterm" name="id2534544"></a>ldap ssl = off).
Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
extended operation. However, the OpenLDAP library still provides support for
by dn="cn=Samba Admin,ou=People,dc=quenya,dc=org" write
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2534585"></a>LDAP Special Attributes for sambaSamAccounts</h4></div></div><div></div></div><p> The sambaSamAccount objectclass is composed of the attributes shown in the next two tables: <a href="passdb.html#attribobjclPartA" title="Table 10.1. Attributes in the sambaSamAccount objectclass (LDAP) Part A">Part A</a> and <a href="passdb.html#attribobjclPartB" title="Table 10.2. Attributes in the sambaSamAccount objectclass (LDAP) Part B">Part B</a>.
</p><div class="table"><a name="attribobjclPartA"></a><p class="title"><b>Table 10.1. Attributes in the sambaSamAccount objectclass (LDAP) Part A</b></p><table summary="Attributes in the sambaSamAccount objectclass (LDAP) Part A" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><tt class="constant">sambaLMPassword</tt></td><td align="justify">The LANMAN password 16-byte hash stored as a character
representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">sambaNTPassword</tt></td><td align="justify">The NT password hash 16-byte stored as a character
representation of a hexadecimal string.</td></tr><tr><td align="left"><tt class="constant">sambaPwdLastSet</tt></td><td align="justify">The integer time in seconds since 1970 when the
<tt class="constant">sambaLMPassword</tt> and <tt class="constant">sambaNTPassword</tt> attributes were last set.
</td></tr><tr><td align="left"><tt class="constant">sambaAcctFlags</tt></td><td align="justify">String of 11 characters surrounded by square brackets []
representing account flags such as U (user), W (workstation), X (no password expiration),
I (Domain trust account), H (Home dir required), S (Server trust account),
and D (disabled).</td></tr><tr><td align="left"><tt class="constant">sambaLogonTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaLogoffTime</tt></td><td align="justify">Integer value currently unused</td></tr><tr><td align="left"><tt class="constant">sambaKickoffTime</tt></td><td align="justify">Specifies the time (UNIX time format) when the user
will be locked down and cannot log in any longer. If this attribute is omitted, then the account will never expire.
Using this attribute together with `shadowExpire' of the `shadowAccount' objectClass enables accounts to
expire completely on an exact date.</td></tr><tr><td align="left"><tt class="constant">sambaPwdCanChange</tt></td><td align="justify">Specifies the time (UNIX time format) from which on the user is allowed to
change his password. If the attribute is not set, the user will be free to change his password whenever he wants.</td></tr><tr><td align="left"><tt class="constant">sambaPwdMustChange</tt></td><td align="justify">Specifies the time (UNIX time format) since when the user is
forced to change his password. If this value is set to `0', the user will have to change his password at first login.
If this attribute is not set, then the password will never expire.</td></tr><tr><td align="left"><tt class="constant">sambaHomeDrive</tt></td><td align="justify">Specifies the drive letter to which to map the
UNC path specified by sambaHomePath. The drive letter must be specified in the form “<span class="quote"><span class="emphasis"><em>X:</em></span></span>”
where X is the letter of the drive to map. Refer to the “<span class="quote"><span class="emphasis"><em>logon drive</em></span></span>” parameter in the
smb.conf(5) man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaLogonScript</tt></td><td align="justify">The sambaLogonScript property specifies the path of
the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
is relative to the netlogon share. Refer to the <a class="indexterm" name="id2534784"></a>logon script parameter in the
<tt class="filename">smb.conf</tt> man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaProfilePath</tt></td><td align="justify">Specifies a path to the user's profile.
This value can be a null string, a local absolute path, or a UNC path. Refer to the
<a class="indexterm" name="id2534808"></a>logon path parameter in the <tt class="filename">smb.conf</tt> man page for more information.</td></tr><tr><td align="left"><tt class="constant">sambaHomePath</tt></td><td align="justify">The sambaHomePath property specifies the path of
the home directory for the user. The string can be null. If sambaHomeDrive is set and specifies
a drive letter, sambaHomePath should be a UNC path. The path must be a network
UNC path of the form <tt class="filename">\\server\share\directory</tt>. This value can be a null string.
Refer to the <span><b class="command">logon home</b></span> parameter in the <tt class="filename">smb.conf</tt> man page for more information.
</td></tr></tbody></table></div><p>
</p><div class="table"><a name="attribobjclPartB"></a><p class="title"><b>Table 10.2. Attributes in the sambaSamAccount objectclass (LDAP) Part B</b></p><table summary="Attributes in the sambaSamAccount objectclass (LDAP) Part B" border="1"><colgroup><col align="left"><col align="justify"></colgroup><tbody><tr><td align="left"><tt class="constant">sambaUserWorkstations</tt></td><td align="justify">Here you can give a comma-separated list of machines
on which the user is allowed to log in. You may observe problems when you try to connect to a Samba Domain Member.
Because Domain Members are not in this list, the Domain Controllers will reject them. Where this attribute is omitted,
the default implies no restrictions.
</td></tr><tr><td align="left"><tt class="constant">sambaSID</tt></td><td align="justify">The security identifier (SID) of the user.
The Windows equivalent of UNIX UIDs.</td></tr><tr><td align="left"><tt class="constant">sambaPrimaryGroupSID</tt></td><td align="justify">The Security IDentifier (SID) of the primary group
of the user.</td></tr><tr><td align="left"><tt class="constant">sambaDomainName</tt></td><td align="justify">Domain the user is part of.</td></tr></tbody></table></div><p>
The majority of these parameters are only used when Samba is acting as a PDC of
a domain (refer to <a href="samba-pdc.html" title="Chapter 4. Domain Control">Domain Control</a>, for details on
</p><div class="itemizedlist"><ul type="disc"><li><p>sambaHomePath</p></li><li><p>sambaLogonScript</p></li><li><p>sambaProfilePath</p></li><li><p>sambaHomeDrive</p></li></ul></div><p>
These attributes are only stored with the sambaSamAccount entry if
the values are non-default values. For example, assume MORIA has now been
configured as a PDC and that <a class="indexterm" name="id2534987"></a>logon home = \\%L\%u was defined in
its <tt class="filename">smb.conf</tt> file. When a user named “<span class="quote"><span class="emphasis"><em>becky</em></span></span>” logs on to the domain,
the <a class="indexterm" name="id2535006"></a>logon home string is expanded to \\MORIA\becky.
If the smbHome attribute exists in the entry “<span class="quote"><span class="emphasis"><em>uid=becky,ou=People,dc=samba,dc=org</em></span></span>”,
this value is used. However, if this attribute does not exist, then the value
of the <a class="indexterm" name="id2535021"></a>logon home parameter is used in its place. Samba
will only write the attribute value to the directory entry if the value is
something other than the default (e.g., <tt class="filename">\\MOBY\becky</tt>).
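</p><p>As an added example (not from the HOWTO or the Samba project), the following Python script applies the attribute semantics of Tables 10.1 and 10.2 to a constructed LDIF export and reports the state of each account; the uid values, SIDs, timestamps, hostnames and the workstation hashes are made up, and only becky's sambaNTPassword value is taken from the chapter's LDIF example.</p>

```python
"""Audit sambaSamAccount entries exported as LDIF.

Added example, not part of the Samba HOWTO or the Samba project. It applies
the attribute semantics given in Tables 10.1 and 10.2 (sambaAcctFlags,
sambaKickoffTime, sambaPwdMustChange, sambaLMPassword, sambaUserWorkstations)
to a constructed LDIF export and reports the state of each account.
"""
import time
from typing import Dict, List, Optional, Set

# Constructed sample. Only the sambaNTPassword value of "becky" is the one
# quoted in the chapter's LDIF example; every other value is made up.
SAMPLE_LDIF = """\
dn: uid=becky,ou=People,dc=quenya,dc=org
objectClass: sambaSamAccount
objectClass: posixAccount
uid: becky
sambaSID: S-1-5-21-2447931902-1787058256-3961074038-1000
sambaAcctFlags: [U          ]
sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
sambaPwdLastSet: 1000000000
sambaPwdMustChange: 0
sambaKickoffTime: 1100000000

dn: uid=buildhost$,ou=Computers,dc=quenya,dc=org
objectClass: sambaSamAccount
uid: buildhost$
sambaSID: S-1-5-21-2447931902-1787058256-3961074038-1002
sambaAcctFlags: [W          ]
sambaNTPassword: 0123456789ABCDEF0123456789ABCDEF
sambaLMPassword: FEDCBA9876543210FEDCBA9876543210
sambaPwdLastSet: 1000000000
"""


def parse_ldif(text: str) -> List[Dict[str, List[str]]]:
    """Split a simple LDIF (no base64, no folded lines) into entries."""
    entries, current = [], {}
    for raw in text.splitlines():
        if not raw.strip():
            if current:
                entries.append(current)
                current = {}
            continue
        name, _, value = raw.partition(":")
        current.setdefault(name.strip(), []).append(value.strip())
    if current:
        entries.append(current)
    return entries


def parse_acct_flags(value: str) -> Set[str]:
    """sambaAcctFlags: 11 characters inside square brackets, space padded."""
    if len(value) != 13 or value[0] != "[" or value[-1] != "]":
        raise ValueError("malformed sambaAcctFlags: %r" % value)
    return {c for c in value[1:-1] if c != " "}


def audit_entry(entry: Dict[str, List[str]], now: int) -> List[str]:
    """Return findings for one entry, following the table semantics."""
    findings = []
    flags = parse_acct_flags(entry["sambaAcctFlags"][0])
    if "D" in flags:
        findings.append("disabled")
    # sambaKickoffTime omitted: the account never expires.
    kick = entry.get("sambaKickoffTime")
    if kick is None:
        findings.append("never expires")
    elif int(kick[0]) <= now:
        findings.append("expired")
    # sambaPwdMustChange: 0 forces a change at first login; omitted means
    # the password never expires (as does the X flag).
    must = entry.get("sambaPwdMustChange")
    if "X" in flags or must is None:
        findings.append("password never expires")
    elif int(must[0]) == 0:
        findings.append("must change password at first login")
    elif int(must[0]) <= now:
        findings.append("password expired")
    # A stored LANMAN hash is a weaker credential than the NT hash.
    if "sambaLMPassword" in entry:
        findings.append("LM hash stored")
    # No sambaUserWorkstations means no logon restriction at all.
    if "sambaUserWorkstations" not in entry:
        findings.append("no workstation restriction")
    return findings


def audit(ldif_text: str, now: Optional[int] = None) -> Dict[str, List[str]]:
    """Map each uid in the export to its list of findings."""
    now = int(time.time()) if now is None else now
    return {e["uid"][0]: audit_entry(e, now) for e in parse_ldif(ldif_text)}


if __name__ == "__main__":
    for uid, findings in audit(SAMPLE_LDIF).items():
        print("%-12s %s" % (uid, ", ".join(findings) or "ok"))
```
<p>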
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2535039"></a>Example LDIF Entries for a sambaSamAccount</h4></div></div><div></div></div><p>
The following is a working LDIF that demonstrates the use of the SambaSamAccount objectclass:
sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2535096"></a>Password Synchronization</h4></div></div><div></div></div><p>
Samba-3 and later can update the non-samba (LDAP) password stored with an account. When
using pam_ldap, this allows changing both UNIX and Windows passwords at once.
</p><p>The <a class="indexterm" name="id2535110"></a>ldap passwd sync options can have the values shown in
<a href="passdb.html#ldappwsync" title="Table 10.3. Possible ldap passwd sync values">the next table</a>.</p><div class="table"><a name="ldappwsync"></a><p class="title"><b>Table 10.3. Possible <span class="emphasis"><em>ldap passwd sync</em></span> values</b></p><table summary="Possible ldap passwd sync values" border="1"><colgroup><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Value</th><th align="center">Description</th></tr></thead><tbody><tr><td align="left">yes</td><td align="justify"><p>When the user changes his password, update
<tt class="constant">SambaNTPassword</tt>, <tt class="constant">SambaLMPassword</tt>
and the <tt class="constant">password</tt> fields.</p></td></tr><tr><td align="left">no</td><td align="justify"><p>Only update <tt class="constant">SambaNTPassword</tt> and <tt class="constant">SambaLMPassword</tt>.</p></td></tr><tr><td align="left">only</td><td align="justify"><p>Only update the LDAP password and let the LDAP server worry about the other fields.
This option is only available on some LDAP servers. Only when the LDAP server
supports LDAP_EXOP_X_MODIFY_PASSWD.</p></td></tr></tbody></table></div><p>More information can be found in the <tt class="filename">smb.conf</tt> man page.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2535238"></a>MySQL</h3></div></div><div></div></div><p>
<a class="indexterm" name="id2535245"></a>
Every so often someone will come along with a great new idea. Storing user accounts in a
SQL backend is one of them. Those who want to do this are in the best position to know what the
specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt
to document every little detail why certain things of marginal utility to the bulk of
Samba users might make sense to the rest. In any case, the following instructions should help
the determined SQL user to implement a working system.
</p><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2535264"></a>Creating the Database</h4></div></div><div></div></div><p>
You can set up your own table and specify the field names to pdb_mysql (see below
for the column names) or use the default table. The file <tt class="filename">examples/pdb/mysql/mysql.dump</tt>
contains the correct queries to create the required tables. Use the command:
<tt class="prompt">$ </tt><b class="userinput"><tt>mysql -u<i class="replaceable"><tt>username</tt></i> -h<i class="replaceable"><tt>hostname</tt></i> -p<i class="replaceable"><tt>password</tt></i> \
<i class="replaceable"><tt>databasename</tt></i> < <tt class="filename">/path/to/samba/examples/pdb/mysql/mysql.dump</tt></tt></b>
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2535320"></a>Configuring</h4></div></div><div></div></div><p>This plug-in lacks some good documentation, but here is some brief information. Add the following to the
<a class="indexterm" name="id2535330"></a>passdb backend variable in your <tt class="filename">smb.conf</tt>:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2535349"></a><i class="parameter"><tt>
passdb backend = [other-plugins] mysql:identifier [other-plugins]</tt></i></td></tr></table><p>
</p><p>The identifier can be any string you like, as long as it does not collide with
the identifiers of other plugins or other instances of pdb_mysql. If you
specify multiple pdb_mysql.so entries in <a class="indexterm" name="id2535373"></a>passdb backend, you also need to
use different identifiers.
Additional options can be given through the <tt class="filename">smb.conf</tt> file in the <i class="parameter"><tt>[global]</tt></i> section.
</p></div><p>Names of the columns are given in <a href="passdb.html#moremysqlpdbe" title="Table 10.5. MySQL field names for MySQL passdb backend">the next table</a>.
The default column names can be found in the example table dump.
</p><div class="table"><a name="moremysqlpdbe"></a><p class="title"><b>Table 10.5. MySQL field names for MySQL passdb backend</b></p><table summary="MySQL field names for MySQL passdb backend" border="1"><colgroup><col align="left"><col align="left"><col align="justify"></colgroup><thead><tr><th align="left">Field</th><th align="left">Type</th><th align="justify">Contents</th></tr></thead><tbody><tr><td align="left">logon time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of last logon of user</td></tr><tr><td align="left">logoff time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of last logoff of user</td></tr><tr><td align="left">kickoff time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment user should be kicked off workstation (not enforced)</td></tr><tr><td align="left">pass last set time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment password was last set</td></tr><tr><td align="left">pass can change time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment from which password can be changed</td></tr><tr><td align="left">pass must change time column</td><td align="left">int(9)</td><td align="justify">UNIX time stamp of moment on which password must be changed</td></tr><tr><td align="left">username column</td><td align="left">varchar(255)</td><td align="justify">UNIX username</td></tr><tr><td align="left">domain column</td><td align="left">varchar(255)</td><td align="justify">NT domain user belongs to</td></tr><tr><td align="left">nt username column</td><td align="left">varchar(255)</td><td align="justify">NT username</td></tr><tr><td align="left">fullname column</td><td align="left">varchar(255)</td><td align="justify">Full name of user</td></tr><tr><td align="left">home dir column</td><td align="left">varchar(255)</td><td align="justify">UNIX homedir path (equivalent of the <a class="indexterm" 
name="id2535686"></a>logon home parameter).</td></tr><tr><td align="left">dir drive column</td><td align="left">varchar(2)</td><td align="justify">Directory drive path (e.g., “<span class="quote"><span class="emphasis"><em>H:</em></span></span>”)</td></tr><tr><td align="left">logon script column</td><td align="left">varchar(255)</td><td align="justify">Batch file to run on client side when logging on</td></tr><tr><td align="left">profile path column</td><td align="left">varchar(255)</td><td align="justify">Path of profile</td></tr><tr><td align="left">acct desc column</td><td align="left">varchar(255)</td><td align="justify">Some ASCII NT user data</td></tr><tr><td align="left">workstations column</td><td align="left">varchar(255)</td><td align="justify">Workstations user can logon to (or NULL for all)</td></tr><tr><td align="left">unknown string column</td><td align="left">varchar(255)</td><td align="justify">Unknown string</td></tr><tr><td align="left">munged dial column</td><td align="left">varchar(255)</td><td align="justify">Unknown</td></tr><tr><td align="left">user sid column</td><td align="left">varchar(255)</td><td align="justify">NT user SID</td></tr><tr><td align="left">group sid column</td><td align="left">varchar(255)</td><td align="justify">NT group SID</td></tr><tr><td align="left">lanman pass column</td><td align="left">varchar(255)</td><td align="justify">Encrypted lanman password</td></tr><tr><td align="left">nt pass column</td><td align="left">varchar(255)</td><td align="justify">Encrypted NT password</td></tr><tr><td align="left">plain pass column</td><td align="left">varchar(255)</td><td align="justify">Plaintext password</td></tr><tr><td align="left">acct ctrl column</td><td align="left">int(9)</td><td align="justify">NT user data</td></tr><tr><td align="left">unknown 3 column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr><tr><td align="left">logon divs column</td><td align="left">int(9)</td><td 
align="justify">Unknown</td></tr><tr><td align="left">hours len column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr><tr><td align="left">bad password count column</td><td align="left">int(5)</td><td align="justify">Number of failed password tries before disabling an account</td></tr><tr><td align="left">logon count column</td><td align="left">int(5)</td><td align="justify">Number of logon attempts</td></tr><tr><td align="left">unknown 6 column</td><td align="left">int(9)</td><td align="justify">Unknown</td></tr></tbody></table></div><p>
You can put a colon (:) after the name of each column, followed by the name of the column to write when Samba updates the table. If nothing follows the colon, that field is never updated. Setting a column name to <i class="parameter"><tt>NULL</tt></i> means the field is not used at all.
</p><p><a href="passdb.html#mysqlsam" title="Example 10.3. Example configuration for the MySQL passdb backend">An example configuration</a> looks like:
</p><div class="example"><a name="mysqlsam"></a><p class="title"><b>Example 10.3. Example configuration for the MySQL passdb backend</b></p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td><a class="indexterm" name="id2535933"></a><i class="parameter"><tt>
passdb backend = mysql:foo</tt></i></td></tr><tr><td><a class="indexterm" name="id2535949"></a><i class="parameter"><tt>
foo:mysql user = samba</tt></i></td></tr><tr><td><a class="indexterm" name="id2535965"></a><i class="parameter"><tt>
foo:mysql password = abmas</tt></i></td></tr><tr><td><a class="indexterm" name="id2535981"></a><i class="parameter"><tt>
foo:mysql database = samba</tt></i></td></tr><tr><td># domain name is static and can't be changed</td></tr><tr><td><a class="indexterm" name="id2536004"></a><i class="parameter"><tt>
foo:domain column = 'MYWORKGROUP':</tt></i></td></tr><tr><td># The fullname column comes from several other columns</td></tr><tr><td><a class="indexterm" name="id2536028"></a><i class="parameter"><tt>
foo:fullname column = CONCAT(firstname,' ',surname):</tt></i></td></tr><tr><td># Samba should never write to the password columns</td></tr><tr><td><a class="indexterm" name="id2536051"></a><i class="parameter"><tt>
foo:lanman pass column = lm_pass:</tt></i></td></tr><tr><td><a class="indexterm" name="id2536067"></a><i class="parameter"><tt>
foo:nt pass column = nt_pass:</tt></i></td></tr><tr><td># The unknown 3 column is not stored</td></tr><tr><td><a class="indexterm" name="id2536090"></a><i class="parameter"><tt>
foo:unknown 3 column = NULL</tt></i></td></tr></table></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2536106"></a>Using Plaintext Passwords or Encrypted Password</h4></div></div><div></div></div><p>
<a class="indexterm" name="id2536115"></a>
I strongly discourage the use of plaintext passwords; however, you can use them.
If you would like to use plaintext passwords, set
If you use encrypted passwords, set the 'identifier:plain pass
column' to 'NULL' (without the quotes). This is the default.
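The column-mapping rules above (a trailing colon makes a column read-only, NULL leaves a field unused, and a quoted literal or CONCAT(...) expression followed by a colon supplies a constant) together with the plain pass column setting just described can be checked mechanically before a configuration goes live. The following Python script is an added example, not part of the Samba documentation or of the pdb_mysql plug-in. It parses a constructed smb.conf fragment modelled on Example 10.3 and a constructed weak counterpart, and reports password columns Samba could write to, a plain pass column in use, and the MySQL credential stored in smb.conf. The identifiers foo and bar, the column names and the credential values are all made up for the example.

```python
"""Audit the column mappings of one pdb_mysql instance in smb.conf.

Added example, not Samba's own code.  Mapping rules as described in the
text: "col" is read and written, "col:" is read but never written,
"read:write" updates a different column, NULL leaves the field unused,
and a quoted literal or CONCAT(...) followed by ':' is a read-only constant.
"""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed smb.conf fragment modelled on Example 10.3 (not a real site).
SAMPLE_SMB_CONF = """\
[global]
    passdb backend = mysql:foo
    foo:mysql user = samba
    foo:mysql password = abmas
    foo:mysql database = samba
    # domain name is static and can't be changed
    foo:domain column = 'MYWORKGROUP':
    foo:fullname column = CONCAT(firstname,' ',surname):
    foo:lanman pass column = lm_pass:
    foo:nt pass column = nt_pass:
    foo:plain pass column = NULL
    foo:unknown 3 column = NULL
    foo:username column = username
"""

# Constructed counter-example: password columns writable, plaintext in use.
WEAK_SMB_CONF = """\
[global]
    bar:mysql password = secret
    bar:nt pass column = nt_pass
    bar:plain pass column = cleartext
"""

PASSWORD_FIELDS = ("lanman pass", "nt pass", "plain pass")

# "<identifier>:<field> column = <value>"; the field name may contain spaces.
_MAPPING_RE = re.compile(
    r"^\s*(?P<id>[^:#;\s]+):(?P<field>.+?)\s+column\s*=\s*(?P<value>.*?)\s*$")
_DB_PASSWORD_RE = re.compile(r"^\s*(?P<id>[^:#;\s]+):mysql password\s*=")

@dataclass
class ColumnMapping:
    field: str       # e.g. "nt pass"
    read_expr: str   # column name or SQL expression used on read ("" if unused)
    write_col: str   # column written on update ("" = never written)
    mode: str        # "readwrite", "readonly" or "unused"

def split_on_unquoted_colon(value: str) -> Tuple[str, Optional[str]]:
    """Split "read:write" at the last colon outside single quotes.

    Returns (value, None) when there is no such colon, so a quoted literal
    such as 'H:' for the dir drive column is not cut in half.
    """
    in_quote, split_at = False, -1
    for i, ch in enumerate(value):
        if ch == "'":
            in_quote = not in_quote
        elif ch == ":" and not in_quote:
            split_at = i
    if split_at < 0:
        return value, None
    return value[:split_at], value[split_at + 1:]

def parse_mappings(conf: str, identifier: str) -> Dict[str, ColumnMapping]:
    """Collect the '<identifier>:<field> column' settings from a config text."""
    mappings: Dict[str, ColumnMapping] = {}
    for line in conf.splitlines():
        m = _MAPPING_RE.match(line)
        if not m or m.group("id") != identifier:
            continue
        field, value = m.group("field").strip(), m.group("value")
        if value.upper() == "NULL":
            mappings[field] = ColumnMapping(field, "", "", "unused")
            continue
        read_expr, write_col = split_on_unquoted_colon(value)
        if write_col is None:     # "col": the same column is read and written
            mappings[field] = ColumnMapping(field, read_expr, read_expr, "readwrite")
        elif write_col == "":     # "col:": never updated
            mappings[field] = ColumnMapping(field, read_expr, "", "readonly")
        else:                     # "read:write"
            mappings[field] = ColumnMapping(field, read_expr, write_col, "readwrite")
    return mappings

def audit(conf: str, identifier: str) -> List[str]:
    """Return findings for one pdb_mysql instance; an empty list means none."""
    findings: List[str] = []
    mappings = parse_mappings(conf, identifier)
    for field in PASSWORD_FIELDS:
        mp = mappings.get(field)
        if mp is not None and mp.mode == "readwrite":
            findings.append(f"{field} column '{mp.write_col}' is writable by Samba; "
                            "append ':' to the column name to make it read-only")
    plain = mappings.get("plain pass")   # absent means NULL, the default
    if plain is not None and plain.mode != "unused":
        findings.append(f"plaintext passwords are stored in column '{plain.read_expr}'")
    if any(m is not None and m.group("id") == identifier
           for m in map(_DB_PASSWORD_RE.match, conf.splitlines())):
        findings.append(f"{identifier}:mysql password is stored in smb.conf")
    return findings
```

Running audit(SAMPLE_SMB_CONF, "foo") yields a single finding, that the MySQL credential lives in smb.conf, because both password columns carry the trailing colon and plain pass is NULL; audit(WEAK_SMB_CONF, "bar") reports the writable nt pass column, the writable plain pass column, the plaintext storage and the credential. The colon is located outside single quotes so that a literal such as 'H:' for the dir drive column is handled correctly.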
</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2536138"></a>Getting Non-Column Data from the Table</h4></div></div><div></div></div><p>
Not all data has to come from database columns; some fields can be made `constant'.
For example, you can set `identifier:fullname column' to
something like <span><b class="command">CONCAT(Firstname,' ',Surname)</b></span>,
or set `identifier:workstations column' to:
<span><b class="command">NULL</b></span></p><p>See the MySQL documentation for more language constructs.</p></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="XMLpassdb"></a>XML</h3></div></div><div></div></div><p>
<a class="indexterm" name="id2536188"></a>
This module requires libxml2 to be installed.</p><p>The usage of pdb_xml is fairly straightforward. To export data, use:
<a class="indexterm" name="id2536206"></a>
<tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -e xml:filename</tt></b>
(where filename is the name of the file to put the data in)
To import data, use:
<tt class="prompt">$ </tt> <b class="userinput"><tt>pdbedit -i xml:filename</tt></b>
</p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="id2536247"></a>Common Errors</h2></div></div><div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2536253"></a>Users Cannot Logon</h3></div></div><div></div></div><p>“<span class="quote"><span class="emphasis"><em>I've installed Samba, but now I can't log on with my UNIX account! </em></span></span>”</p><p>Make sure your user has been added to the current Samba <a class="indexterm" name="id2536268"></a>passdb backend.
Read the section <a href="passdb.html#acctmgmttools" title="Account Management Tools">Account Management Tools</a> for details.</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2536287"></a>Users Being Added to the Wrong Backend Database</h3></div></div><div></div></div><p>
A few complaints have been received from users who had just moved to Samba-3. The following
<tt class="filename">smb.conf</tt> file entries were causing problems: new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><i class="parameter"><tt>[global]</tt></i></td></tr><tr><td>...</td></tr><tr><td><a class="indexterm" name="id2536326"></a><i class="parameter"><tt>
passdb backend = smbpasswd, tdbsam</tt></i></td></tr><tr><td>...</td></tr></table><p>
Samba adds new accounts to the first entry in the <span class="emphasis"><em>passdb backend</em></span>
parameter. If you want to switch to tdbsam, change the entry to:
</p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2536364"></a><i class="parameter"><tt>
passdb backend = tdbsam, smbpasswd</tt></i></td></tr></table><p>
</p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2536382"></a>Configuration of <i class="parameter"><tt>auth methods</tt></i></h3></div></div><div></div></div><p>
When explicitly setting an <a class="indexterm" name="id2536395"></a>auth methods parameter,
<i class="parameter"><tt>guest</tt></i> must be specified as the first entry on the line,
for example, <a class="indexterm" name="id2536410"></a>auth methods = guest sam.
This is the exact opposite of the requirement for the <a class="indexterm" name="id2536422"></a>passdb backend
option, where it must be the <span class="emphasis"><em>LAST</em></span> parameter on the line.
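Both ordering rules in this section, the first passdb backend entry receiving new accounts and guest having to come first in auth methods but last in passdb backend, can be checked from the [global] section before smbd is restarted. The following Python script is an added example, not Samba's own tooling. It parses two constructed smb.conf fragments (the misconfiguration shown above and its corrected form) and reports which backend will receive new accounts and any ordering violation; the parameter parsing is deliberately minimal and does not assume Samba's compiled-in default for passdb backend.

```python
"""Check 'passdb backend' and 'auth methods' ordering in smb.conf [global].

Added example, not Samba's own code.  It encodes the rules stated in the
text: new accounts go to the FIRST entry of 'passdb backend'; when
'auth methods' is set explicitly, 'guest' must be FIRST there, whereas in
'passdb backend' it must be LAST.
"""
import re
from typing import Dict, List

# Constructed fragment reproducing the misconfiguration discussed above.
BAD_SMB_CONF = """\
[global]
    workgroup = MYWORKGROUP
    passdb backend = smbpasswd, tdbsam
    auth methods = sam guest
"""

# Constructed corrected form.
GOOD_SMB_CONF = """\
[global]
    passdb backend = tdbsam, smbpasswd
    auth methods = guest sam
"""

def global_params(conf: str) -> Dict[str, str]:
    """Map parameter name -> value for the [global] section only.

    Names are lower-cased with internal whitespace collapsed, so
    'Passdb  Backend' and 'passdb backend' are the same key.
    """
    params: Dict[str, str] = {}
    in_global = False
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            in_global = line[1:-1].strip().lower() == "global"
            continue
        if in_global and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.split()).lower()] = value.strip()
    return params

def split_list(value: str) -> List[str]:
    """Samba list values are separated by whitespace and/or commas."""
    return [item for item in re.split(r"[\s,]+", value) if item]

def backend_for_new_accounts(conf: str) -> str:
    """Backend that receives newly added accounts: the first entry listed.

    Returns "" when 'passdb backend' is not set; the compiled-in default
    is deliberately not assumed here.
    """
    backends = split_list(global_params(conf).get("passdb backend", ""))
    return backends[0] if backends else ""

def check_order(conf: str) -> List[str]:
    """Return ordering violations (empty list = both parameters are fine)."""
    params = global_params(conf)
    findings: List[str] = []
    backends = split_list(params.get("passdb backend", ""))
    if "guest" in backends and backends[-1] != "guest":
        findings.append("'guest' must be the LAST entry in passdb backend")
    methods = split_list(params.get("auth methods", ""))
    if "guest" in methods and methods[0] != "guest":
        findings.append("'guest' must be the FIRST entry in auth methods")
    return findings
```

For BAD_SMB_CONF, backend_for_new_accounts returns smbpasswd (the complaint described above) and check_order flags the misplaced guest in auth methods; for GOOD_SMB_CONF new accounts go to tdbsam and no violation is reported.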
</p></div></div></div></body></html>