Timestamp:
Oct 30, 2009, 9:39:05 AM (16 years ago)
Author:
Herwig Bauernfeind
Message:

Update 3.3 to 3.3.9

File:
1 edited

  • branches/samba-3.3.x/docs/htmldocs/Samba3-HOWTO/passdb.html

    r274 r342  
    1 <html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"><link rel="next" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. 
Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="orgname">Samba Team</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">SuSE</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a 
class="email" href="mailto:gd@suse.de">gd@suse.de</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="orgname">IDEALX</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="passdb.html#id2587249">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2587285">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2587476">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2588044">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2588564">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2589112">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2589525">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2589966">The smbpasswd Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The pdbedit Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id2592519">Password Backends</a></span></dt><dd><dl><dt><span 
class="sect2"><a href="passdb.html#id2592572">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2592648">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2592914">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2593072">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id2595597">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2595602">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2595640">Configuration of auth methods</a></span></dt></dl></dd></dl></div><p>
     1<html><head><meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1"><title>Chapter 11. Account Information Databases</title><link rel="stylesheet" href="../samba.css" type="text/css"><meta name="generator" content="DocBook XSL Stylesheets V1.74.0"><link rel="home" href="index.html" title="The Official Samba 3.3.x HOWTO and Reference Guide"><link rel="up" href="optional.html" title="Part III. Advanced Configuration"><link rel="prev" href="NetworkBrowsing.html" title="Chapter 10. Network Browsing"><link rel="next" href="groupmapping.html" title="Chapter 12. Group Mapping: MS Windows and UNIX"></head><body bgcolor="white" text="black" link="#0000FF" vlink="#840084" alink="#0000FF"><div class="navheader"><table width="100%" summary="Navigation header"><tr><th colspan="3" align="center">Chapter 11. Account Information Databases</th></tr><tr><td width="20%" align="left"><a accesskey="p" href="NetworkBrowsing.html">Prev</a> </td><th width="60%" align="center">Part III. Advanced Configuration</th><td width="20%" align="right"> <a accesskey="n" href="groupmapping.html">Next</a></td></tr></table><hr></div><div class="chapter" lang="en"><div class="titlepage"><div><div><h2 class="title"><a name="passdb"></a>Chapter 11. 
Account Information Databases</h2></div><div><div class="author"><h3 class="author"><span class="firstname">Jelmer</span> <span class="othername">R.</span> <span class="orgname">The Samba Team</span> <span class="surname">Vernooij</span></h3><div class="affiliation"><span class="orgname">The Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jelmer@samba.org">jelmer@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">John</span> <span class="othername">H.</span> <span class="orgname">Samba Team</span> <span class="surname">Terpstra</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jht@samba.org">jht@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Gerald</span> <span class="othername">(Jerry)</span> <span class="orgname">Samba Team</span> <span class="surname">Carter</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jerry@samba.org">jerry@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Jeremy</span> <span class="orgname">Samba Team</span> <span class="surname">Allison</span></h3><div class="affiliation"><span class="orgname">Samba Team<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:jra@samba.org">jra@samba.org</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Guenther</span> <span class="orgname">SuSE</span> <span class="surname">Deschner</span></h3><span class="contrib">LDAP updates</span> <div class="affiliation"><span class="orgname">SuSE<br></span><div class="address"><p><code class="email">&lt;<a 
class="email" href="mailto:gd@suse.de">gd@suse.de</a>&gt;</code></p></div></div></div></div><div><div class="author"><h3 class="author"><span class="firstname">Olivier (lem)</span> <span class="orgname">IDEALX</span> <span class="surname">Lemaire</span></h3><div class="affiliation"><span class="orgname">IDEALX<br></span><div class="address"><p><code class="email">&lt;<a class="email" href="mailto:olem@IDEALX.org">olem@IDEALX.org</a>&gt;</code></p></div></div></div></div><div><p class="pubdate">May 24, 2003</p></div></div></div><div class="toc"><p><b>Table of Contents</b></p><dl><dt><span class="sect1"><a href="passdb.html#id2587249">Features and Benefits</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2587285">Backward Compatibility Account Storage Systems</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2587476">New Account Storage Systems</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#passdbtech">Technical Information</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2588044">Important Notes About Security</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2588564">Mapping User Identifiers between MS Windows and UNIX</a></span></dt><dt><span class="sect2"><a href="passdb.html#idmapbackend">Mapping Common UIDs/GIDs on Distributed Machines</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2589112">Comments Regarding LDAP</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2589525">LDAP Directories and Windows Computer Accounts</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#acctmgmttools">Account Management Tools</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2589966">The smbpasswd Tool</a></span></dt><dt><span class="sect2"><a href="passdb.html#pdbeditthing">The pdbedit Tool</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id2592519">Password Backends</a></span></dt><dd><dl><dt><span 
class="sect2"><a href="passdb.html#id2592572">Plaintext</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2592648">smbpasswd: Encrypted Password Database</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2592915">tdbsam</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2593072">ldapsam</a></span></dt></dl></dd><dt><span class="sect1"><a href="passdb.html#id2595597">Common Errors</a></span></dt><dd><dl><dt><span class="sect2"><a href="passdb.html#id2595602">Users Cannot Logon</a></span></dt><dt><span class="sect2"><a href="passdb.html#id2595640">Configuration of auth methods</a></span></dt></dl></dd></dl></div><p>
    22<a class="indexterm" name="id2587052"></a>
    3 <a class="indexterm" name="id2587058"></a>
    4 <a class="indexterm" name="id2587065"></a>
     3<a class="indexterm" name="id2587059"></a>
     4<a class="indexterm" name="id2587066"></a>
    55<a class="indexterm" name="id2587072"></a>
    66Early releases of Samba-3 implemented new capability to work concurrently with multiple account backends. This
     
    88work with only one specified passwd backend.
    99</p><p>
    10 <a class="indexterm" name="id2587086"></a>
    11 <a class="indexterm" name="id2587093"></a>
     10<a class="indexterm" name="id2587087"></a>
     11<a class="indexterm" name="id2587094"></a>
    1212<a class="indexterm" name="id2587100"></a>
    1313<a class="indexterm" name="id2587107"></a>
     
    4343<a class="indexterm" name="id2587277"></a>
    4444</p><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2587285"></a>Backward Compatibility Account Storage Systems</h3></div></div></div><div class="variablelist"><dl><dt><span class="term">Plaintext</span></dt><dd><p>
    45 <a class="indexterm" name="id2587302"></a>
     45<a class="indexterm" name="id2587303"></a>
    4646<a class="indexterm" name="id2587309"></a>
    4747<a class="indexterm" name="id2587316"></a>
     
    103103                        with MS Windows NT4/200x-based systems.
    104104                        </p><p>
    105 <a class="indexterm" name="id2587600"></a>
    106 <a class="indexterm" name="id2587607"></a>
     105<a class="indexterm" name="id2587601"></a>
     106<a class="indexterm" name="id2587608"></a>
    107107<a class="indexterm" name="id2587614"></a>
    108108                        The inclusion of the <span class="emphasis"><em>tdbsam</em></span> capability is a direct
     
    136136                        requests both for capability and greater scalability.
    137137                        </p></dd></dl></div></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="passdbtech"></a>Technical Information</h2></div></div></div><p>
    138 <a class="indexterm" name="id2587773"></a>
     138<a class="indexterm" name="id2587774"></a>
    139139<a class="indexterm" name="id2587780"></a>
    140140        Old Windows clients send plaintext passwords over the wire. Samba can check these
    141141        passwords by encrypting them and comparing them to the hash stored in the UNIX user database.
    142142        </p><p>
    143 <a class="indexterm" name="id2587793"></a>
     143<a class="indexterm" name="id2587794"></a>
    144144<a class="indexterm" name="id2587800"></a>
    145145<a class="indexterm" name="id2587807"></a>
     
    156156        database, and you have to store the LanMan and NT hashes somewhere else.
    157157        </p><p>
    158 <a class="indexterm" name="id2587851"></a>
     158<a class="indexterm" name="id2587852"></a>
    159159<a class="indexterm" name="id2587859"></a>
    160 <a class="indexterm" name="id2587865"></a>
     160<a class="indexterm" name="id2587866"></a>
    161161<a class="indexterm" name="id2587872"></a>
    162162        In addition to differently encrypted passwords, Windows also stores certain data for each
     
    174174        to SIDs</a> diagrams.
    175175        </p><div class="figure"><a name="idmap-uid2sid"></a><p class="title"><b>Figure 11.2. IDMAP: Resolution of UIDs to SIDs.</b></p><div class="figure-contents"><div class="mediaobject"><img src="images/idmap-uid2sid.png" width="270" alt="IDMAP: Resolution of UIDs to SIDs."></div></div></div><br class="figure-break"><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2588044"></a>Important Notes About Security</h3></div></div></div><p>
    176 <a class="indexterm" name="id2588052"></a>
     176<a class="indexterm" name="id2588053"></a>
    177177<a class="indexterm" name="id2588060"></a>
    178178<a class="indexterm" name="id2588067"></a>
    179179<a class="indexterm" name="id2588074"></a>
    180 <a class="indexterm" name="id2588080"></a>
     180<a class="indexterm" name="id2588081"></a>
    181181                The UNIX and SMB password encryption techniques seem similar on the surface. This
    182182                similarity is, however, only skin deep. The UNIX scheme typically sends clear-text
     
    277277                                </p></li><li><p>
    278278<a class="indexterm" name="id2588544"></a>
    279 <a class="indexterm" name="id2588550"></a>
     279<a class="indexterm" name="id2588551"></a>
    280280                                Use of other services (such as Telnet and FTP) that send plaintext passwords over
    281281                                the network makes sending them for SMB not such a big deal.
    282282                                </p></li></ul></div></div></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2588564"></a>Mapping User Identifiers between MS Windows and UNIX</h3></div></div></div><p>
    283 <a class="indexterm" name="id2588572"></a>
     283<a class="indexterm" name="id2588573"></a>
    284284<a class="indexterm" name="id2588579"></a>
    285285<a class="indexterm" name="id2588586"></a>
     
    288288        two means for mapping an MS Windows user to a UNIX/Linux UID.
    289289        </p><p>
    290 <a class="indexterm" name="id2588599"></a>
     290<a class="indexterm" name="id2588600"></a>
    291291<a class="indexterm" name="id2588606"></a>
    292292<a class="indexterm" name="id2588613"></a>
    293293<a class="indexterm" name="id2588619"></a>
    294 <a class="indexterm" name="id2588626"></a>
     294<a class="indexterm" name="id2588627"></a>
    295295        First, all Samba SAM database accounts require a UNIX/Linux UID that the account will map to. As users are
    296296        added to the account information database, Samba will call the <a class="link" href="smb.conf.5.html#ADDUSERSCRIPT" target="_top">add user script</a>
     
    298298        user account.
    299299        </p><p>
    300         <a class="indexterm" name="id2588655"></a>
     300        <a class="indexterm" name="id2588656"></a>
    301301        <a class="indexterm" name="id2588662"></a>
    302         <a class="indexterm" name="id2588668"></a>
     302        <a class="indexterm" name="id2588669"></a>
    303303        <a class="indexterm" name="id2588675"></a>
    304304        <a class="indexterm" name="id2588682"></a>
    305         <a class="indexterm" name="id2588688"></a>
     305        <a class="indexterm" name="id2588689"></a>
    306306        <a class="indexterm" name="id2588696"></a>
    307307        The second way to map Windows SID to UNIX UID is via the <span class="emphasis"><em>idmap uid</em></span> and
     
    311311        </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="idmapbackend"></a>Mapping Common UIDs/GIDs on Distributed Machines</h3></div></div></div><p>
    312312<a class="indexterm" name="id2588735"></a>
    313 <a class="indexterm" name="id2588741"></a>
     313<a class="indexterm" name="id2588742"></a>
    314314<a class="indexterm" name="id2588748"></a>
    315 <a class="indexterm" name="id2588754"></a>
     315<a class="indexterm" name="id2588755"></a>
    316316<a class="indexterm" name="id2588762"></a>
    317317<a class="indexterm" name="id2588768"></a>
     
    328328<a class="indexterm" name="id2588817"></a>
    329329<a class="indexterm" name="id2588824"></a>
    330 <a class="indexterm" name="id2588830"></a>
    331         <a class="indexterm" name="id2588837"></a>
     330<a class="indexterm" name="id2588831"></a>
     331        <a class="indexterm" name="id2588838"></a>
    332332        The special facility is enabled using a parameter called <em class="parameter"><code>idmap backend</code></em>.
    333333        The default setting for this parameter is an empty string. Technically it is possible to use
     
    336336        <a class="link" href="passdb.html#idmapbackendexample" title="Example 11.1. Example Configuration with the LDAP idmap Backend">Example Configuration with the LDAP idmap Backend</a>
    337337        shows that configuration.
    338         </p><a class="indexterm" name="id2588866"></a><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example 11.1. Example Configuration with the LDAP idmap Backend</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2588900"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap-server.quenya.org:636</code></em></td></tr><tr><td># Alternatively, this could be specified as:</td></tr><tr><td><a class="indexterm" name="id2588916"></a><em class="parameter"><code>idmap backend = ldap:ldaps://ldap-server.quenya.org</code></em></td></tr></table></div></div><br class="example-break"><p>
     338        </p><a class="indexterm" name="id2588867"></a><div class="example"><a name="idmapbackendexample"></a><p class="title"><b>Example 11.1. Example Configuration with the LDAP idmap Backend</b></p><div class="example-contents"><table class="simplelist" border="0" summary="Simple list"><tr><td> </td></tr><tr><td><em class="parameter"><code>[global]</code></em></td></tr><tr><td><a class="indexterm" name="id2588900"></a><em class="parameter"><code>idmap backend = ldap:ldap://ldap-server.quenya.org:636</code></em></td></tr><tr><td># Alternatively, this could be specified as:</td></tr><tr><td><a class="indexterm" name="id2588916"></a><em class="parameter"><code>idmap backend = ldap:ldaps://ldap-server.quenya.org</code></em></td></tr></table></div></div><br class="example-break"><p>
    339339<a class="indexterm" name="id2588932"></a>
    340340<a class="indexterm" name="id2588939"></a>
     
    343343        produced and released to open source an array of tools that might be of interest. These tools include:
    344344        </p><div class="itemizedlist"><ul type="disc"><li><p>
    345 <a class="indexterm" name="id2588962"></a>
     345<a class="indexterm" name="id2588963"></a>
    346346<a class="indexterm" name="id2588969"></a>
    347347<a class="indexterm" name="id2588976"></a>
     
    363363                </p></li><li><p>
    364364<a class="indexterm" name="id2589069"></a>
    365 <a class="indexterm" name="id2589075"></a>
     365<a class="indexterm" name="id2589076"></a>
    366366<a class="indexterm" name="id2589082"></a>
    367367<a class="indexterm" name="id2589089"></a>
     
    372372<a class="indexterm" name="id2589120"></a>
    373373<a class="indexterm" name="id2589130"></a>
    374 <a class="indexterm" name="id2589136"></a>
     374<a class="indexterm" name="id2589137"></a>
    375375<a class="indexterm" name="id2589143"></a>
    376376        There is much excitement and interest in LDAP directories in the information technology world
     
    392392<a class="indexterm" name="id2589205"></a>
    393393<a class="indexterm" name="id2589212"></a>
    394 <a class="indexterm" name="id2589218"></a>
    395 <a class="indexterm" name="id2589225"></a>
     394<a class="indexterm" name="id2589219"></a>
     395<a class="indexterm" name="id2589226"></a>
    396396<a class="indexterm" name="id2589232"></a>
    397397<a class="indexterm" name="id2589239"></a>
     
    402402<a class="indexterm" name="id2589274"></a>
    403403<a class="indexterm" name="id2589281"></a>
    404 <a class="indexterm" name="id2589287"></a>
     404<a class="indexterm" name="id2589288"></a>
    405405        UNIX services can utilize LDAP directory information for authentication and access controls
    406406        through intermediate tools and utilities. The total environment that consists of the LDAP directory
     
    412412        </p><p>
    413413<a class="indexterm" name="id2589308"></a>
    414 <a class="indexterm" name="id2589314"></a>
    415 <a class="indexterm" name="id2589321"></a>
     414<a class="indexterm" name="id2589315"></a>
     415<a class="indexterm" name="id2589322"></a>
    416416<a class="indexterm" name="id2589328"></a>
    417417<a class="indexterm" name="id2589335"></a>
     
    470470<a class="indexterm" name="id2589534"></a>
    471471<a class="indexterm" name="id2589541"></a>
    472 <a class="indexterm" name="id2589547"></a>
     472<a class="indexterm" name="id2589548"></a>
    473473                Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and
    474474                configuration of an LDAP directory prior to integration with Samba. A working knowledge
     
    498498<a class="indexterm" name="id2589661"></a>
    499499<a class="indexterm" name="id2589668"></a>
    500 <a class="indexterm" name="id2589674"></a>
     500<a class="indexterm" name="id2589675"></a>
    501501                The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX
    502502                UID is a design decision that was made a long way back in the history of Samba development. It
     
    529529<a class="indexterm" name="id2589793"></a>
    530530<a class="indexterm" name="id2589800"></a>
    531 <a class="indexterm" name="id2589806"></a>
     531<a class="indexterm" name="id2589807"></a>
    532532<a class="indexterm" name="id2589813"></a>
    533533                For many the weapon of choice is to use the PADL nss_ldap utility. This utility must
     
    538538                </p></div></div><div class="sect1" lang="en"><div class="titlepage"><div><div><h2 class="title" style="clear: both"><a name="acctmgmttools"></a>Account Management Tools</h2></div></div></div><p>
    539539<a class="indexterm" name="id2589844"></a>
    540 <a class="indexterm" name="id2589850"></a>
     540<a class="indexterm" name="id2589851"></a>
    541541<a class="indexterm" name="id2589857"></a>
    542542Samba provides two tools for management of user and machine accounts:
     
    613613                for users who have forgotten their passwords.
    614614                </p><p>
    615 <a class="indexterm" name="id2590294"></a>
     615<a class="indexterm" name="id2590295"></a>
    616616<a class="indexterm" name="id2590301"></a>
    617617<a class="indexterm" name="id2590308"></a>
     
    626626                definitive reference).
    627627                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="pdbeditthing"></a>The <code class="literal">pdbedit</code> Tool</h3></div></div></div><p>
    628                 <a class="indexterm" name="id2590380"></a>
     628                <a class="indexterm" name="id2590381"></a>
    629629                <a class="indexterm" name="id2590387"></a>
    630630                <a class="indexterm" name="id2590394"></a>
     
    640640                </p><div class="orderedlist"><ol type="1"><li><p>Who has access to information systems that store financial data.</p></li><li><p>How personal and financial information is treated among employees and business
    641641                                partners.</p></li><li><p>How security vulnerabilities are managed.</p></li><li><p>Security and patch level maintenance for all information systems.</p></li><li><p>How information systems changes are documented and tracked.</p></li><li><p>How information access controls are implemented and managed.</p></li><li><p>Auditability of all information systems in respect of change and security.</p></li><li><p>Disciplinary procedures and controls to ensure privacy.</p></li></ol></div><p>
    642                 <a class="indexterm" name="id2590532"></a>
    643                 <a class="indexterm" name="id2590539"></a>
     642                <a class="indexterm" name="id2590533"></a>
     643                <a class="indexterm" name="id2590540"></a>
    644644                In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of
    645645                business related information systems so as to ensure the compliance of all information systems that
     
    648648                </p><p>
    649649                <a class="indexterm" name="id2590562"></a>
    650                 <a class="indexterm" name="id2590568"></a>
     650                <a class="indexterm" name="id2590569"></a>
    651651                <a class="indexterm" name="id2590575"></a>
    652652                <a class="indexterm" name="id2590582"></a>
     
    670670                </p><p>
    671671                <a class="indexterm" name="id2591012"></a>
    672 <a class="indexterm" name="id2591018"></a>
     672<a class="indexterm" name="id2591019"></a>
    673673<a class="indexterm" name="id2591026"></a>
    674674                One particularly important purpose of the <code class="literal">pdbedit</code> is to allow
     
    678678<a class="indexterm" name="id2591057"></a>
    679679<a class="indexterm" name="id2591064"></a>
    680 <a class="indexterm" name="id2591070"></a>
    681 <a class="indexterm" name="id2591077"></a>
     680<a class="indexterm" name="id2591071"></a>
     681<a class="indexterm" name="id2591078"></a>
    682682<a class="indexterm" name="id2591084"></a>
    683683<a class="indexterm" name="id2591091"></a>
     
    696696                accounts, make certain that a system (POSIX) account has already been created.
    697697                </p><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2591158"></a>Listing User and Machine Accounts</h5></div></div></div><p>
    698 <a class="indexterm" name="id2591166"></a>
     698<a class="indexterm" name="id2591167"></a>
    699699<a class="indexterm" name="id2591173"></a>
    700700                The following is an example of the user account information that is stored in
     
    758758                consists of the following colon separated data:
    759759                </p><div class="itemizedlist"><ul type="disc"><li><p>Login ID.</p></li><li><p>UNIX UID.</p></li><li><p>Microsoft LanManager password hash (password converted to upper-case then hashed.</p></li><li><p>Microsoft NT password hash (hash of the case-preserved password).</p></li><li><p>Samba SAM Account Flags.</p></li><li><p>The LCT data (password last change time).</p></li></ul></div><p>
    760 <a class="indexterm" name="id2591348"></a>
    761 <a class="indexterm" name="id2591355"></a>
     760<a class="indexterm" name="id2591349"></a>
     761<a class="indexterm" name="id2591356"></a>
    762762                The Account Flags parameters are documented in the <code class="literal">pdbedit</code> man page, and are
    763763                briefly documented in <a class="link" href="passdb.html#TOSHARG-acctflags" title="Account Flags Management">the Account Flags Management section</a>.
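Review bot: the LanManager bullet in the context line 759 is missing its closing parenthesis ("password converted to upper-case then hashed." should end "then hashed)."). As this file is generated, the fix has to go into the DocBook source, or the next regeneration will reintroduce it. While touching that sentence it would be worth saying why the upper-casing matters: it is what makes the LanManager hash far weaker than the NT hash that follows it, which is the reason the rest of this chapter steers readers toward not storing it.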
     
    766766                The LCT data consists of 8 hexadecimal characters representing the time since January 1, 1970, of
    767767                the time when the password was last changed.
    768                 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2591393"></a>Adding User Accounts</h5></div></div></div><p>
    769 <a class="indexterm" name="id2591401"></a>
     768                </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2591394"></a>Adding User Accounts</h5></div></div></div><p>
     769<a class="indexterm" name="id2591402"></a>
    770770<a class="indexterm" name="id2591408"></a>
    771771<a class="indexterm" name="id2591415"></a>
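Review bot: context line 766 describes the LCT field as "8 hexadecimal characters representing the time since January 1, 1970" without a unit. The value is the Unix epoch time in seconds (a `time_t`) written as hex, so the sentence should read "seconds since January 1, 1970"; without the unit a reader cannot decode the field or compare it against the password-ageing settings discussed later in this section.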
     
    806806<a class="indexterm" name="id2591489"></a>
    807807<a class="indexterm" name="id2591496"></a>
    808 <a class="indexterm" name="id2591502"></a>
     808<a class="indexterm" name="id2591503"></a>
    809809<a class="indexterm" name="id2591509"></a>
    810810                An account can be deleted from the SambaSAMAccount database
     
    819819                The use of the NT4 domain user manager to delete an account will trigger the <em class="parameter"><code>delete user
    820820                script</code></em>, but not the <code class="literal">pdbedit</code> tool.
    821                 </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2591565"></a>Changing User Accounts</h5></div></div></div><p>
    822 <a class="indexterm" name="id2591573"></a>
     821                </p></div><div class="sect4" lang="en"><div class="titlepage"><div><div><h5 class="title"><a name="id2591566"></a>Changing User Accounts</h5></div></div></div><p>
     822<a class="indexterm" name="id2591574"></a>
    823823                Refer to the <code class="literal">pdbedit</code> man page for a full synopsis of all operations
    824824                that are available with this tool.
     
    853853...
    854854</pre><p>
    855 <a class="indexterm" name="id2591660"></a>
    856 <a class="indexterm" name="id2591667"></a>
     855<a class="indexterm" name="id2591661"></a>
     856<a class="indexterm" name="id2591668"></a>
    857857                The user has recorded 2 bad logon attempts and the next will lock the account, but the
    858858                password is also expired. Here is how this account can be reset:
     
    886886...
    887887</pre><p>
    888 <a class="indexterm" name="id2591731"></a>
     888<a class="indexterm" name="id2591732"></a>
    889889<a class="indexterm" name="id2591738"></a>
    890890                Refer to the strptime man page for specific time format information.
     
    906906<a class="indexterm" name="id2591823"></a>
    907907<a class="indexterm" name="id2591830"></a>
    908 <a class="indexterm" name="id2591836"></a>
    909 <a class="indexterm" name="id2591843"></a>
     908<a class="indexterm" name="id2591837"></a>
     909<a class="indexterm" name="id2591844"></a>
    910910                The manual adjustment of user, machine (workstation or server) or an inter-domain trust
    911911                account account flgas should not be necessary under normal conditions of use of Samba. On the other hand,
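Review bot: the context line "account account flgas should not be necessary" carries both a duplicated word and a typo; suggest "account flags should not be necessary". This hunk only renumbers indexterm anchors (id2591836 to id2591837, id2591843 to id2591844), so the rebuild leaves the sentence uncorrected.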
     
    920920                to manage an LDAP directory.
    921921                </p><p>
    922 <a class="indexterm" name="id2591895"></a>
     922<a class="indexterm" name="id2591896"></a>
    923923<a class="indexterm" name="id2591902"></a>
    924924                The account flag field can contain up to 16 characters. Presently, only 11 are in use.
     
    11161116                </p></li></ul></div><p>
    11171117<a class="indexterm" name="id2592838"></a>
    1118 <a class="indexterm" name="id2592844"></a>
     1118<a class="indexterm" name="id2592845"></a>
    11191119<a class="indexterm" name="id2592851"></a>
    11201120<a class="indexterm" name="id2592858"></a>
     
    11281128<a class="indexterm" name="id2592888"></a>
    11291129<a class="indexterm" name="id2592895"></a>
    1130 <a class="indexterm" name="id2592901"></a>
     1130<a class="indexterm" name="id2592902"></a>
    11311131                Samba provides an enhanced set of passdb backends that overcome the deficiencies
    11321132                of the smbpasswd plaintext database. These are tdbsam and ldapsam.
    11331133                Of these, ldapsam will be of most interest to large corporate or enterprise sites.
    1134                 </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2592914"></a>tdbsam</h3></div></div></div><p>
     1134                </p></div><div class="sect2" lang="en"><div class="titlepage"><div><div><h3 class="title"><a name="id2592915"></a>tdbsam</h3></div></div></div><p>
    11351135                <a class="indexterm" name="id2592922"></a>
    1136 <a class="indexterm" name="id2592931"></a>
    1137 <a class="indexterm" name="id2592940"></a>
     1136<a class="indexterm" name="id2592932"></a>
     1137<a class="indexterm" name="id2592941"></a>
    11381138                Samba can store user and machine account data in a &#8220;<span class="quote">TDB</span>&#8221; (trivial database).
    11391139                Using this backend does not require any additional configuration. This backend is
     
    11771177                        a Windows 200x Active Directory server.</p></li><li><p>A means of replacing /etc/passwd.</p></li></ul></div><p>
    11781178<a class="indexterm" name="id2593123"></a>
    1179 <a class="indexterm" name="id2593129"></a>
     1179<a class="indexterm" name="id2593130"></a>
    11801180<a class="indexterm" name="id2593136"></a>
    1181 <a class="indexterm" name="id2593142"></a>
     1181<a class="indexterm" name="id2593143"></a>
    11821182                The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be
    11831183                obtained from <a class="ulink" href="http://www.padl.com/" target="_top">PADL Software</a>.  More information about the
     
    11851185                <span class="emphasis"><em>LDAP, System Administration</em></span> by Gerald Carter, Chapter 6, Replacing NIS"</a>.
    11861186                </p><p>
    1187 <a class="indexterm" name="id2593173"></a>
     1187<a class="indexterm" name="id2593174"></a>
    11881188<a class="indexterm" name="id2593180"></a>
    11891189<a class="indexterm" name="id2593187"></a>
     
    12131213<a class="indexterm" name="id2593328"></a>
    12141214<a class="indexterm" name="id2593335"></a>
    1215 <a class="indexterm" name="id2593341"></a>
     1215<a class="indexterm" name="id2593342"></a>
    12161216<a class="indexterm" name="id2593348"></a>
    12171217                        The LDAP ldapsam code was developed and tested using the OpenLDAP 2.x server and
     
    12511251<a class="indexterm" name="id2593479"></a>
    12521252<a class="indexterm" name="id2593486"></a>
    1253 <a class="indexterm" name="id2593492"></a>
     1253<a class="indexterm" name="id2593493"></a>
    12541254                        Just as the smbpasswd file is meant to store information that provides information
    12551255                        additional to  a user's <code class="filename">/etc/passwd</code> entry, so is the sambaSamAccount
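Review bot: the context sentence "meant to store information that provides information additional to a user's /etc/passwd entry" repeats "information"; suggest "meant to store information additional to a user's /etc/passwd entry". The hunk itself changes only the anchor id (id2593492 to id2593493).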
     
    12671267<a class="indexterm" name="id2593556"></a>
    12681268<a class="indexterm" name="id2593563"></a>
    1269 <a class="indexterm" name="id2593569"></a>
     1269<a class="indexterm" name="id2593570"></a>
    12701270<a class="indexterm" name="id2593576"></a>
    12711271                        In order to store all user account information (UNIX and Samba) in the directory,
     
    12921292<a class="indexterm" name="id2593667"></a>
    12931293<a class="indexterm" name="id2593674"></a>
    1294 <a class="indexterm" name="id2593680"></a>
    1295 <a class="indexterm" name="id2593687"></a>
     1294<a class="indexterm" name="id2593681"></a>
     1295<a class="indexterm" name="id2593688"></a>
    12961296<a class="indexterm" name="id2593694"></a>
    12971297<a class="indexterm" name="id2593701"></a>
     
    13201320<a class="indexterm" name="id2593790"></a>
    13211321<a class="indexterm" name="id2593797"></a>
    1322 <a class="indexterm" name="id2593803"></a>
     1322<a class="indexterm" name="id2593804"></a>
    13231323                It is recommended that you maintain some indices on some of the most useful attributes,
    13241324                as in the following example, to speed up searches made on sambaSamAccount ObjectClasses
     
    13591359</pre><p>
    13601360                </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2593873"></a>Initialize the LDAP Database</h4></div></div></div><p>
    1361 <a class="indexterm" name="id2593881"></a>
     1361<a class="indexterm" name="id2593882"></a>
    13621362<a class="indexterm" name="id2593888"></a>
    13631363<a class="indexterm" name="id2593895"></a>
     
    14481448</pre><p>
    14491449                </p></div></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2594059"></a>Configuring Samba</h4></div></div></div><p>
    1450 <a class="indexterm" name="id2594066"></a>
     1450<a class="indexterm" name="id2594067"></a>
    14511451<a class="indexterm" name="id2594073"></a>
    14521452                        The following parameters are available in <code class="filename">smb.conf</code> only if your version of Samba was built with
     
    14681468                        and libraries were not found during compilation.
    14691469                        </p><p>LDAP-related smb.conf options include these:
    1470                         </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2594130"></a><em class="parameter"><code>passdb backend = ldapsam:url</code></em></td></tr><tr><td><a class="indexterm" name="id2594142"></a></td></tr><tr><td><a class="indexterm" name="id2594149"></a></td></tr><tr><td><a class="indexterm" name="id2594156"></a></td></tr><tr><td><a class="indexterm" name="id2594162"></a></td></tr><tr><td><a class="indexterm" name="id2594169"></a></td></tr><tr><td><a class="indexterm" name="id2594176"></a></td></tr><tr><td><a class="indexterm" name="id2594183"></a></td></tr><tr><td><a class="indexterm" name="id2594190"></a></td></tr><tr><td><a class="indexterm" name="id2594197"></a></td></tr><tr><td><a class="indexterm" name="id2594204"></a></td></tr><tr><td><a class="indexterm" name="id2594211"></a></td></tr><tr><td><a class="indexterm" name="id2594218"></a></td></tr><tr><td><a class="indexterm" name="id2594225"></a></td></tr></table><p>
     1470                        </p><table class="simplelist" border="0" summary="Simple list"><tr><td><a class="indexterm" name="id2594130"></a><em class="parameter"><code>passdb backend = ldapsam:url</code></em></td></tr><tr><td><a class="indexterm" name="id2594142"></a></td></tr><tr><td><a class="indexterm" name="id2594149"></a></td></tr><tr><td><a class="indexterm" name="id2594156"></a></td></tr><tr><td><a class="indexterm" name="id2594163"></a></td></tr><tr><td><a class="indexterm" name="id2594170"></a></td></tr><tr><td><a class="indexterm" name="id2594176"></a></td></tr><tr><td><a class="indexterm" name="id2594183"></a></td></tr><tr><td><a class="indexterm" name="id2594190"></a></td></tr><tr><td><a class="indexterm" name="id2594197"></a></td></tr><tr><td><a class="indexterm" name="id2594204"></a></td></tr><tr><td><a class="indexterm" name="id2594211"></a></td></tr><tr><td><a class="indexterm" name="id2594218"></a></td></tr><tr><td><a class="indexterm" name="id2594225"></a></td></tr></table><p>
    14711471                        </p><p>
    14721472                        These are described in the <code class="filename">smb.conf</code> man page and so are not repeated here. However, an example
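Review bot: in the regenerated simplelist table only the first cell carries text (passdb backend = ldapsam:url); the remaining thirteen td cells hold an indexterm anchor and nothing else, so the rendered "LDAP-related smb.conf options include these" list shows one entry followed by blank rows. The change renumbers two ids (id2594162 to id2594163, id2594169 to id2594170) without restoring the missing option names, so the DocBook source or stylesheet for that list is worth checking before this ships in the 3.3.9 docs.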
     
    14891489                        configuration file).
    14901490                        </p><p>
    1491 <a class="indexterm" name="id2594557"></a>
     1491<a class="indexterm" name="id2594558"></a>
    14921492<a class="indexterm" name="id2594564"></a>
    14931493<a class="indexterm" name="id2594571"></a>
     
    15001500                        support nested groups.
    15011501                        </p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2594596"></a>Security and sambaSamAccount</h4></div></div></div><p>
    1502 <a class="indexterm" name="id2594604"></a>
     1502<a class="indexterm" name="id2594605"></a>
    15031503                        There are two important points to remember when discussing the security
    15041504                        of sambaSAMAccount entries in the directory.
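Review bot: "sambaSAMAccount entries" in the context line is capitalized differently from the section title "Security and sambaSamAccount" immediately above it; suggest the consistent object class spelling "sambaSamAccount" throughout. The hunk otherwise only renumbers the anchor id2594604 to id2594605.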
     
    15331533                        the older method of securing communication between clients and servers.
    15341534                        </p><p>
    1535 <a class="indexterm" name="id2594788"></a>
     1535<a class="indexterm" name="id2594789"></a>
    15361536<a class="indexterm" name="id2594796"></a>
    15371537<a class="indexterm" name="id2594802"></a>
     
    15811581                                The Windows equivalent of UNIX UIDs.</td></tr><tr><td align="left"><code class="constant">sambaPrimaryGroupSID</code></td><td align="justify">The security identifier (SID) of the primary group
    15821582                                of the user.</td></tr><tr><td align="left"><code class="constant">sambaDomainName</code></td><td align="justify">Domain the user is part of.</td></tr></tbody></table></div></div><br class="table-break"><p>
    1583 <a class="indexterm" name="id2595180"></a>
     1583<a class="indexterm" name="id2595181"></a>
    15841584<a class="indexterm" name="id2595187"></a>
    15851585                        The majority of these parameters are only used when Samba is acting as a PDC of
     
    15881588                        are only stored with the sambaSamAccount entry if the values are non-default values:
    15891589                        </p><div class="itemizedlist"><a class="indexterm" name="id2595209"></a><a class="indexterm" name="id2595216"></a><a class="indexterm" name="id2595223"></a><a class="indexterm" name="id2595230"></a><ul type="disc"><li><p>sambaHomePath</p></li><li><p>sambaLogonScript</p></li><li><p>sambaProfilePath</p></li><li><p>sambaHomeDrive</p></li></ul></div><p>
    1590 <a class="indexterm" name="id2595258"></a>
    1591 <a class="indexterm" name="id2595265"></a>
     1590<a class="indexterm" name="id2595259"></a>
     1591<a class="indexterm" name="id2595266"></a>
    15921592<a class="indexterm" name="id2595272"></a>
    15931593                        These attributes are only stored with the sambaSamAccount entry if
     
    16551655                                        <code class="constant">SambaLMPassword</code>.</p></td></tr><tr><td align="left">only</td><td align="justify"><p>Only update the LDAP password and let the LDAP server
    16561656                        worry about the other fields.  This option is only available on some LDAP servers and
    1657                         only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.</p></td></tr></tbody></table></div></div><br class="table-break"><p>More information can be found in the <code class="filename">smb.conf</code> man page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595545"></a>Using OpenLDAP Overlay for Password Synchronization</h4></div></div></div><p>
     1657                        only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.</p></td></tr></tbody></table></div></div><br class="table-break"><p>More information can be found in the <code class="filename">smb.conf</code> man page.</p></div><div class="sect3" lang="en"><div class="titlepage"><div><div><h4 class="title"><a name="id2595546"></a>Using OpenLDAP Overlay for Password Synchronization</h4></div></div></div><p>
    16581658                Howard Chu has written a special overlay called <code class="literal">smbk5pwd</code>. This tool  modifies the
    16591659                <code class="literal">SambaNTPassword</code>, <code class="literal">SambaLMPassword</code> and <code class="literal">Heimdal</code>