<title>Account Information Databases</title>
<para>
-Samba-3 implements a new capability to work concurrently with mulitple account backends.
+Samba-3 implements a new capability to work concurrently with multiple account backends.
The possible new combinations of password backends allows Samba-3 a degree of flexibility
and scalability that previously could be achieved only with MS Windows Active Directory.
This chapter describes the new functionality and how to get the most out of it.
</para>
<para>
-In the course of development of Samba-3 a number of requests were received to provide the
+In the course of development of Samba-3, a number of requests were received to provide the
ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide
matching Unix/Linux accounts. We called this the <emphasis>Non Unix Accounts (NUA)</emphasis>
capability. The intent was that an administrator could decide to use the <emphasis>tdbsam</emphasis>
backend and by simply specifying <emphasis>"passdb backend = tdbsam_nua, guest"</emphasis>
this would allow Samba-3 to implement a solution that did not use Unix accounts per se. Late
-in the development cycle the team doing this work hit upon some obstacles that prevents this
+in the development cycle, the team doing this work hit upon some obstacles that prevents this
solution from being used. Given the delays with Samba-3 release a decision was made to NOT
deliver this functionality until a better method of recognising NT Group SIDs from NT User
SIDs could be found. This feature may thus return during the life cycle for the Samba-3 series.
</listitem>
</varlistentry>
- <varlistentry><term>ldapsam_compat (Samba-2.2 LDAP Compatibilty):</term>
+ <varlistentry><term>ldapsam_compat (Samba-2.2 LDAP Compatibility):</term>
<listitem>
<para>
There is a password backend option that allows continued operation with
<varlistentry><term>ldapsam:</term>
<listitem>
<para>
- This provides a rich directory backend for distributed account installation
+ This provides a rich directory backend for distributed account installation.
</para>
<para>
Samba-3 has a new and extended LDAP implementation that requires configuration
of OpenLDAP with a new format samba schema. The new format schema file is
- included in the <filename>~samba/examples/LDAP</filename> directory.
+ included in the <filename class="directory">examples/LDAP</filename> directory of the Samba distribution.
</para>
<para>
</para>
<para>
- These passwords can't be converted to unix style encrypted passwords. Because of that
+ These passwords can't be converted to unix style encrypted passwords. Because of that,
you can't use the standard unix user database, and you have to store the Lanman and NT
hashes somewhere else.
</para>
</para>
<para>
- Firstly, all Samba SAM (Security Account Management database) accounts require
+ Firstly, all Samba SAM (Security Account Manager database) accounts require
a Unix/Linux UID that the account will map to. As users are added to the account
- information database
samba-3 will call the <parameter>add user script</parameter>
- interface to add the account to the Samba host OS. In essence all accounts in
+ information database
, Samba-3 will call the <parameter>add user script</parameter>
+ interface to add the account to the Samba host OS. In essence, all accounts in
the local SAM require a local user account.
</para>
<para>
Samba-3 provides two (2) tools for management of User and machine accounts. These tools are
-called <filename>smbpasswd</filename> and <command>pdbedit</command>. A third tool is under
+called <command>smbpasswd</command> and <command>pdbedit</command>. A third tool is under
development but is NOT expected to ship in time for Samba-3.0.0. The new tool will be a TCL/TK
GUI tool that looks much like the MS Windows NT4 Domain User Manager - hopefully this will
-be announced in time for samba-3.0.1 release timing.
+be announced in time for the Samba-3.0.1 release.
</para>
<sect2>
<title>The <emphasis>smbpasswd</emphasis> Command</title>
<para>
<command>smbpasswd</command> works in a client-server mode where it contacts the
- local smbd to change the user's password on its behalf.This has enormous benefits
+ local smbd to change the user's password on its behalf. This has enormous benefits
as follows:
</para>
<title>Plain Text</title>
<para>
- Older versions of samba retrieved user information from the unix user database
+ Older versions of Samba retrieved user information from the unix user database
and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
- SMB specific data is stored at all. Instead all operations are conduected via the way
- that the samba host OS will access it's <filename>/etc/passwd</filename> database.
+ SMB specific data is stored at all. Instead all operations are conducted via the way
+ that the Samba host OS will access its <filename>/etc/passwd</filename> database.
eg: On Linux systems that is done via PAM.
</para>
<title>smbpasswd - Encrypted Password Database</title>
<para>
- Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">"encrypt
- passwords = yes"</ulink> in Samba's <filename>smb.conf</filename> file, user account
+ Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">encrypt
+ passwords = yes</ulink> in Samba's <filename>smb.conf</filename> file, user account
information such as username, LM/NT password hashes, password change times, and account
flags have been stored in the <filename>smbpasswd(5)</filename> file. There are several
disadvantages to this approach for sites with very large numbers of users (counted
</para>
<para>
- As a general guide the Samba-Team do NOT recommend using the tdbsam backend for sites
+ As a general guide the Samba-Team does NOT recommend using the tdbsam backend for sites
that have 250 or more users. Additionally, tdbsam is not capable of scaling for use
- in sites that require PDB/BDC implmentations that requires replication of the account
- database. Clearly, for reason of scalability the use of ldapsam should be encouraged.
+ in sites that require PDB/BDC implementations that requires replication of the account
+ database. Clearly, for reason of scalability, the use of ldapsam should be encouraged.
</para>
</sect2>
more about configuration and administration of an OpenLDAP server.
</para>
+ <note>
+ <para>
+ This section is outdated for Samba-3 schema. Samba-3 introduces a new schema
+ that has not been documented at the time of this publication.
+ </para>
+ </note>
+
<para>
This document describes how to use an LDAP directory for storing Samba user
account information traditionally stored in the smbpasswd(5) file. It is
<para>
<programlisting>
objectclass ( 1.3.6.1.4.1.7165.2.2.3 NAME 'sambaSamAccount' SUP top AUXILIARY
- DESC 'Samba Auxilary Account'
+ DESC 'Samba Auxiliary Account'
MUST ( uid $ rid )
MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
</para>
<para>
- It is recommended that you maintain some indices on some of the most usefull attributes,
+ It is recommended that you maintain some indices on some of the most useful attributes,
like in the following example, to speed up searches made on sambaSamAccount objectclasses
(and possibly posixAccount and posixGroup as well).
</para>
<note>
<para>
- Before Samba can access the LDAP server you need to stoe the LDAP admin password
+ Before Samba can access the LDAP server you need to store the LDAP admin password
into the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
&rootprompt; <userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
ldap delete dn = no
# the machine and user suffix added to the base suffix
- # wrote WITHOUT quotes. NULL siffixes by default
+ # wrote WITHOUT quotes. NULL suffixes by default
ldap user suffix = ou=People
ldap machine suffix = ou=Systems
<title>Accounts and Groups management</title>
<para>
- As users accounts are managed thru the sambaSamAccount objectclass, you should
+ As users accounts are managed through the sambaSamAccount objectclass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</para>
<para>
Machines accounts are managed with the sambaSamAccount objectclass, just
- like users accounts. However, it's up to you to store thoses accounts
+ like users accounts. However, it's up to you to store those accounts
in a different tree of your LDAP namespace: you should use
"ou=Groups,dc=plainjoe,dc=org" to store groups and
"ou=People,dc=plainjoe,dc=org" to store users. Just configure your
</para>
<para>
- In Samba release 3.0, the group management system is based on posix
- groups. This means that Samba makes usage of the posixGroup objectclass.
+ In Samba release 3.0, the group management system is based on POSIX
+ groups. This means that Samba makes use of the posixGroup objectclass.
For now, there is no NT-like group system management (global and local
groups).
</para>
<tgroup cols="2" align="left">
<tbody>
<row><entry><constant>lmPassword</constant></entry><entry>the LANMAN password 16-byte hash stored as a character
- representation of a hexidecimal string.</entry></row>
+ representation of a hexadecimal string.</entry></row>
<row><entry><constant>ntPassword</constant></entry><entry>the NT password hash 16-byte stored as a character
- representation of a hexidecimal string.</entry></row>
+ representation of a hexadecimal string.</entry></row>
<row><entry><constant>pwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>lmPassword</constant> and <constant>ntPassword</constant> attributes were last set.
</entry></row>
for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
contains the correct queries to create the required tables. Use the command :
- <screen><prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> > <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput></screen>
+ <screen><prompt>$ </prompt><userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> \
+<replaceable>databasename</replaceable> < <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput></screen>
</para>
</sect3>
</para>
<para>
- Additional options can be given thr
u the &smb.conf; file in the <parameter>[global]</parameter> section.
+ Additional options can be given thr
ough the &smb.conf; file in the <parameter>[global]</parameter> section.
</para>
<para>
<warning>
<para>
- Since the password for the mysql user is stored in the
+ Since the password for the MySQL user is stored in the
&smb.conf; file, you should make the the &smb.conf; file
- readable only to the user that runs samba. This is considered a security
+ readable only to the user that runs Samba This is considered a security
bug and will be fixed soon.
</para>
</warning>
- <para>Names of the columns in this table(I've added column types those columns should have first):</para>
+ <para>Names of the columns in this table (I've added column types those columns should have first):</para>
<para>
<table frame="all">
</para>
<para>
- <prompt>$ </prompt><userinput>pdbedit -e xml:filename</userinput>
+ <prompt>$ </prompt> <userinput>pdbedit -e xml:filename</userinput>
</para>
<para>
<para>
To import data, use:
- <prompt>$ </prompt><userinput>pdbedit -i xml:filename</userinput>
+ <prompt>$ </prompt> <userinput>pdbedit -i xml:filename</userinput>
</para>
</sect2>
</sect1>
<title>Users can not logon - Users not in Samba SAM</title>
<para>
- People forget to put their users in their backend and then complain samba won't authorize them.
+ People forget to put their users in their backend and then complain Samba won't authorize them.
</para>
</sect2>
<title>Users are being added to the wrong backend database</title>
<para>
- A few complaints have been recieved from users that just moved to samba-3. The following
+ A few complaints have been received from users that just moved to Samba-3. The following
&smb.conf; file entries were causing problems, new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</para>
git.samba.org / jra / samba / .git / blobdiff