8 <firstname>Olivier (lem)</firstname><surname>Lemaire</surname>
10 <orgname>IDEALX</orgname>
11 <address><email>olem@IDEALX.org</email></address>
15 <pubdate>February 2003</pubdate>
18 <title>User information database</title>
21 <title>Introduction</title>
23 <para>Old windows clients send plain text passwords over the wire.
24 Samba can check these passwords by crypting them and comparing them
25 to the hash stored in the unix user database.
29 Newer windows clients send encrypted passwords (so-called
30 Lanman and NT hashes) over
31 the wire, instead of plain text passwords. The newest clients
32 will only send encrypted passwords and refuse to send plain text
33 passwords, unless their registry is tweaked.
36 <para>These passwords can't be converted to unix style encrypted
37 passwords. Because of that you can't use the standard unix
38 user database, and you have to store the Lanman and NT hashes
39 somewhere else. </para>
41 <para>Next to a differently encrypted passwords,
42 windows also stores certain data for each user
43 that is not stored in a unix user database, e.g.
44 workstations the user may logon from, the location where his/her
45 profile is stored, etc.
46 Samba retrieves and stores this information using a "passdb backend".
48 available backends are LDAP, plain text file, MySQL and nisplus.
49 For more information, see the documentation about the
50 <command>passdb backend = </command> parameter.
55 <title>Important Notes About Security</title>
57 <para>The unix and SMB password encryption techniques seem similar
58 on the surface. This similarity is, however, only skin deep. The unix
59 scheme typically sends clear text passwords over the network when
60 logging in. This is bad. The SMB encryption scheme never sends the
61 cleartext password over the network but it does store the 16 byte
62 hashed values on disk. This is also bad. Why? Because the 16 byte hashed
63 values are a "password equivalent". You cannot derive the user's
64 password from them, but they could potentially be used in a modified
65 client to gain access to a server. This would require considerable
66 technical knowledge on behalf of the attacker but is perfectly possible.
67 You should thus treat the data stored in whatever
68 passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the
69 cleartext passwords of all your users. Its contents must be kept
70 secret, and the file should be protected accordingly.</para>
72 <para>Ideally we would like a password scheme which neither requires
73 plain text passwords on the net or on disk. Unfortunately this
74 is not available as Samba is stuck with being compatible with
75 other SMB systems (WinNT, WfWg, Win95 etc). </para>
78 <para>Note that Windows NT 4.0 Service pack 3 changed the
79 default for permissible authentication so that plaintext
80 passwords are <emphasis>never</emphasis> sent over the wire.
81 The solution to this is either to switch to encrypted passwords
82 with Samba or edit the Windows NT registry to re-enable plaintext
83 passwords. See the document WinNT.txt for details on how to do
86 <para>Other Microsoft operating systems which also exhibit
87 this behavior includes</para>
89 <para> These versions of MS Windows do not support full domain
90 security protocols, although they may log onto a domain environment.
91 Of these Only MS Windows XP Home does NOT support domain logons.</para>
94 <member>MS DOS Network client 3.0 with
95 the basic network redirector installed</member>
97 <member>Windows 95 with the network redirector
98 update installed</member>
100 <member>Windows 98 [se]</member>
102 <member>Windows Me</member>
104 <member>Windows XP Home</member>
107 <para> The following versions of MS Windows fully support domain
108 security protocols.</para>
111 <member>Windows NT 3.5x</member>
112 <member>Windows NT 4.0</member>
113 <member>Windows 2000 Professional</member>
114 <member>Windows 200x Server/Advanced Server</member>
115 <member>Windows XP Professional</member>
119 <note><para>All current release of
120 Microsoft SMB/CIFS clients support authentication via the
121 SMB Challenge/Response mechanism described here. Enabling
122 clear text authentication does not disable the ability
123 of the client to participate in encrypted authentication.</para></note>
125 <para>MS Windows clients will cache the encrypted password alone.
126 Even when plain text passwords are re-enabled, through the appropriate
127 registry change, the plain text password is NEVER cached. This means that
128 in the event that a network connections should become disconnected (broken)
129 only the cached (encrypted) password will be sent to the resource server
130 to affect a auto-reconnect. If the resource server does not support encrypted
131 passwords the auto-reconnect will fail. <emphasis>USE OF ENCRYPTED PASSWORDS
132 IS STRONGLY ADVISED.</emphasis></para>
135 <title>Advantages of SMB Encryption</title>
138 <member>Plain text passwords are not passed across
139 the network. Someone using a network sniffer cannot just
140 record passwords going to the SMB server.</member>
142 <member>WinNT doesn't like talking to a server
143 that does not support encrypted passwords. It will refuse
144 to browse the server if the server is also in user level
145 security mode. It will insist on prompting the user for the
146 password on each connection, which is very annoying. The
147 only things you can do to stop this is to use SMB encryption.
150 <member>Encrypted password support allows automatic share
151 (resource) reconnects.</member>
157 <title>Advantages of non-encrypted passwords</title>
160 <member>Plain text passwords are not kept
161 on disk, and are NOT cached in memory. </member>
163 <member>Uses same password file as other unix
164 services such as login and ftp</member>
166 <member>Use of other services (such as telnet and ftp) which
167 send plain text passwords over the net, so sending them for SMB
168 isn't such a big deal.</member>
175 <title>The smbpasswd Command</title>
177 <para>The smbpasswd utility is a utility similar to the
178 <command>passwd</command> or <command>yppasswd</command> programs.
179 It maintains the two 32 byte password fields in the passdb backend. </para>
181 <para><command>smbpasswd</command> works in a client-server mode
182 where it contacts the local smbd to change the user's password on its
183 behalf. This has enormous benefits - as follows.</para>
185 <para><command>smbpasswd</command> has the capability
186 to change passwords on Windows NT servers (this only works when
187 the request is sent to the NT Primary Domain Controller if you
188 are changing an NT Domain user's password).</para>
190 <para>To run smbpasswd as a normal user just type :</para>
192 <para><prompt>$ </prompt><userinput>smbpasswd</userinput></para>
193 <para><prompt>Old SMB password: </prompt><userinput><type old value here -
194 or hit return if there was no old password></userinput></para>
195 <para><prompt>New SMB Password: </prompt><userinput><type new value>
197 <para><prompt>Repeat New SMB Password: </prompt><userinput><re-type new value
200 <para>If the old value does not match the current value stored for
201 that user, or the two new values do not match each other, then the
202 password will not be changed.</para>
204 <para>If invoked by an ordinary user it will only allow the user
205 to change his or her own Samba password.</para>
207 <para>If run by the root user smbpasswd may take an optional
208 argument, specifying the user name whose SMB password you wish to
209 change. Note that when run as root smbpasswd does not prompt for
210 or check the old password value, thus allowing root to set passwords
211 for users who have forgotten their passwords.</para>
213 <para><command>smbpasswd</command> is designed to work in the same way
214 and be familiar to UNIX users who use the <command>passwd</command> or
215 <command>yppasswd</command> commands.</para>
217 <para>For more details on using <command>smbpasswd</command> refer
218 to the man page which will always be the definitive reference.</para>
223 <title>The <command>pdbedit</command> command</title>
229 <title>Plain text</title>
231 Older versions of samba retrieved user information from the unix user database
232 and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
233 or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
234 data is stored at all.
240 <para>Samba can also store the user data in a "TDB" (Trivial Database). Using this backend
241 doesn't require any additional configuration. This backend is recommended for new installations that
242 don not require LDAP.
250 <title>Introduction</title>
253 This document describes how to use an LDAP directory for storing Samba user
254 account information traditionally stored in the smbpasswd(5) file. It is
255 assumed that the reader already has a basic understanding of LDAP concepts
256 and has a working directory server already installed. For more information
257 on LDAP architectures and Directories, please refer to the following sites.
261 <listitem><para>OpenLDAP - <ulink url="http://www.openldap.org/">http://www.openldap.org/</ulink></para></listitem>
262 <listitem><para>iPlanet Directory Server - <ulink url="http://iplanet.netscape.com/directory">http://iplanet.netscape.com/directory</ulink></para></listitem>
266 Note that <ulink url="http://www.ora.com/">O'Reilly Publishing</ulink> is working on
267 a guide to LDAP for System Administrators which has a planned release date of
272 Two additional Samba resources which may prove to be helpful are
276 <listitem><para>The <ulink url="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html">Samba-PDC-LDAP-HOWTO</ulink>
277 maintained by Ignacio Coupeau.</para></listitem>
279 <listitem><para>The NT migration scripts from <ulink url="http://samba.idealx.org/">IDEALX</ulink> that are
280 geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
287 <title>Encrypted Password Database</title>
290 Traditionally, when configuring <ulink url="smb.conf.5.html#ENCRYPTPASSWORDS">"encrypt
291 passwords = yes"</ulink> in Samba's <filename>smb.conf</filename> file, user account
292 information such as username, LM/NT password hashes, password change times, and account
293 flags have been stored in the <filename>smbpasswd(5)</filename> file. There are several
294 disadvantages to this approach for sites with very large numbers of users (counted
300 The first is that all lookups must be performed sequentially. Given that
301 there are approximately two lookups per domain logon (one for a normal
302 session connection such as when mapping a network drive or printer), this
303 is a performance bottleneck for large sites. What is needed is an indexed approach
304 such as is used in databases.
308 The second problem is that administrators who desired to replicate a
309 smbpasswd file to more than one Samba server were left to use external
310 tools such as <command>rsync(1)</command> and <command>ssh(1)</command>
311 and wrote custom, in-house scripts.
315 And finally, the amount of information which is stored in an
316 smbpasswd entry leaves no room for additional attributes such as
317 a home directory, password expiration time, or even a Relative
323 As a result of these defeciencies, a more robust means of storing user attributes
324 used by smbd was developed. The API which defines access to user accounts
325 is commonly referred to as the samdb interface (previously this was called the passdb
326 API, and is still so named in the CVS trees).
330 There are a few points to stress about that the ldapsam
331 does not provide. The LDAP support referred to in the this documentation does not
336 <listitem><para>A means of retrieving user account information from
337 an Windows 2000 Active Directory server.</para></listitem>
338 <listitem><para>A means of replacing /etc/passwd.</para></listitem>
342 The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
343 versions of these libraries can be obtained from PADL Software
344 (<ulink url="http://www.padl.com/">http://www.padl.com/</ulink>). More
345 information about the configuration of these packages may be found at "LDAP,
346 System Administration; Gerald Carter, O'Reilly; Chapter 6: Replacing NIS".
352 <title>Supported LDAP Servers</title>
354 <!-- FIXME: This is outdated for 3.0 -->
357 The LDAP samdb code in 2.2.3 (and later) has been developed and tested
358 using the OpenLDAP 2.0 server and client libraries.
359 The same code should be able to work with Netscape's Directory Server
360 and client SDK. However, due to lack of testing so far, there are bound
361 to be compile errors and bugs. These should not be hard to fix.
362 If you are so inclined, please be sure to forward all patches to
363 <ulink url="mailto:samba-patches@samba.org">samba-patches@samba.org</ulink> and
364 <ulink url="mailto:jerry@samba.org">jerry@samba.org</ulink>.
370 <title>Schema and Relationship to the RFC 2307 posixAccount</title>
374 Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
375 <filename>examples/LDAP/samba.schema</filename>. The sambaAccount objectclass is given here:
378 <para><programlisting>
379 objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top AUXILIARY
382 MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
383 logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
384 displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
385 description $ userWorkstations $ primaryGroupID $ domain ))
386 </programlisting></para>
389 The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
390 owned by the Samba Team and as such is legal to be openly published.
391 If you translate the schema to be used with Netscape DS, please
392 submit the modified schema file as a patch to <ulink
393 url="mailto:jerry@samba.org">jerry@samba.org</ulink>
397 Just as the smbpasswd file is meant to store information which supplements a
398 user's <filename>/etc/passwd</filename> entry, so is the sambaAccount object
399 meant to supplement the UNIX user account information. A sambaAccount is a
400 <constant>STRUCTURAL</constant> objectclass so it can be stored individually
401 in the directory. However, there are several fields (e.g. uid) which overlap
402 with the posixAccount objectclass outlined in RFC2307. This is by design.
405 <!--olem: we should perhaps have a note about shadowAccounts too as many
406 systems use them, isn'it ? -->
409 In order to store all user account information (UNIX and Samba) in the directory,
410 it is necessary to use the sambaAccount and posixAccount objectclasses in
411 combination. However, smbd will still obtain the user's UNIX account
412 information via the standard C library calls (e.g. getpwnam(), et. al.).
413 This means that the Samba server must also have the LDAP NSS library installed
414 and functioning correctly. This division of information makes it possible to
415 store all Samba account information in LDAP, but still maintain UNIX account
416 information in NIS while the network is transitioning to a full LDAP infrastructure.
421 <title>Configuring Samba with LDAP</title>
425 <title>OpenLDAP configuration</title>
428 To include support for the sambaAccount object in an OpenLDAP directory
429 server, first copy the samba.schema file to slapd's configuration directory.
433 <prompt>root# </prompt><userinput>cp samba.schema /etc/openldap/schema/</userinput>
437 Next, include the <filename>samba.schema</filename> file in <filename>slapd.conf</filename>.
438 The sambaAccount object contains two attributes which depend upon other schema
439 files. The 'uid' attribute is defined in <filename>cosine.schema</filename> and
440 the 'displayName' attribute is defined in the <filename>inetorgperson.schema</filename>
441 file. Both of these must be included before the <filename>samba.schema</filename> file.
444 <para><programlisting>
445 ## /etc/openldap/slapd.conf
447 ## schema files (core.schema is required by default)
448 include /etc/openldap/schema/core.schema
450 ## needed for sambaAccount
451 include /etc/openldap/schema/cosine.schema
452 include /etc/openldap/schema/inetorgperson.schema
453 include /etc/openldap/schema/samba.schema
454 include /etc/openldap/schema/nis.schema
457 </programlisting></para>
460 It is recommended that you maintain some indices on some of the most usefull attributes,
461 like in the following example, to speed up searches made on sambaAccount objectclasses
462 (and possibly posixAccount and posixGroup as well).
464 <para><programlisting>
465 # Indices to maintain
466 ## required by OpenLDAP 2.0
469 ## support pb_getsampwnam()
471 ## support pdb_getsambapwrid()
474 ## uncomment these if you are storing posixAccount and
475 ## posixGroup entries in the directory as well
481 # (both fetched via ldapsearch):
482 index primaryGroupID eq
483 index displayName pres,eq
485 </programlisting></para>
490 <title>Configuring Samba</title>
493 The following parameters are available in smb.conf only with <parameter>--with-ldapsam</parameter>
494 was included when compiling Samba.
498 <listitem><para><ulink url="smb.conf.5.html#PASSDBBACKEND">passdb backend [ldapsam|ldapsam_nua]:url</ulink></para></listitem>
499 <listitem><para><ulink url="smb.conf.5.html#LDAPSSL">ldap ssl</ulink></para></listitem>
500 <listitem><para><ulink url="smb.conf.5.html#LDAPADMINDN">ldap admin dn</ulink></para></listitem>
501 <listitem><para><ulink url="smb.conf.5.html#LDAPSUFFIX">ldap suffix</ulink></para></listitem>
502 <listitem><para><ulink url="smb.conf.5.html#LDAPFILTER">ldap filter</ulink></para></listitem>
503 <listitem><para><ulink url="smb.conf.5.html#LDAPPORT">ldap port</ulink></para></listitem>
504 <listitem><para><ulink url="smb.conf.5.html#LDAPMACHINSUFFIX">ldap machine suffix</ulink></para></listitem>
505 <listitem><para><ulink url="smb.conf.5.html#LDAPUSERSUFFIX">ldap user suffix</ulink></para></listitem>
506 <listitem><para><ulink url="smb.conf.5.html#LDAPDELETEDN">ldap delete dn</ulink></para></listitem>
511 These are described in the <ulink url="smb.conf.5.html">smb.conf(5)</ulink> man
512 page and so will not be repeated here. However, a sample smb.conf file for
513 use with an LDAP directory could appear as
516 <para><programlisting>
517 ## /usr/local/samba/lib/smb.conf
520 encrypt passwords = yes
522 netbios name = TASHTEGO
525 # ldap related parameters
527 # define the DN to use when binding to the directory servers
528 # The password for this DN is not stored in smb.conf. Rather it
529 # must be set by using 'smbpasswd -w <replaceable>secretpw</replaceable>' to store the
530 # passphrase in the secrets.tdb file. If the "ldap admin dn" values
531 # change, this password will need to be reset.
532 ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
534 # Define the SSL option when connecting to the directory
535 # ('off', 'start tls', or 'on' (default))
538 passdb backend ldapsam:ldap://ahab.samba.org
540 # smbpasswd -x delete the entire dn-entry
543 # the machine and user suffix added to the base suffix
544 # wrote WITHOUT quotes. NULL siffixes by default
545 ldap user suffix = ou=People
546 ldap machine suffix = ou=Systems
548 # define the port to use in the LDAP session (defaults to 636 when
552 # specify the base DN to use when searching the directory
553 ldap suffix = "ou=people,dc=samba,dc=org"
555 # generally the default ldap search filter is ok
556 # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"
557 </programlisting></para>
565 <title>Accounts and Groups management</title>
568 As users accounts are managed thru the sambaAccount objectclass, you should
569 modify your existing administration tools to deal with sambaAccount attributes.
573 Machines accounts are managed with the sambaAccount objectclass, just
574 like users accounts. However, it's up to you to store thoses accounts
575 in a different tree of you LDAP namespace: you should use
576 "ou=Groups,dc=plainjoe,dc=org" to store groups and
577 "ou=People,dc=plainjoe,dc=org" to store users. Just configure your
578 NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
583 In Samba release 3.0, the group management system is based on posix
584 groups. This means that Samba makes usage of the posixGroup objectclass.
585 For now, there is no NT-like group system management (global and local
592 <title>Security and sambaAccount</title>
596 There are two important points to remember when discussing the security
597 of sambaAccount entries in the directory.
601 <listitem><para><emphasis>Never</emphasis> retrieve the lmPassword or
602 ntPassword attribute values over an unencrypted LDAP session.</para></listitem>
603 <listitem><para><emphasis>Never</emphasis> allow non-admin users to
604 view the lmPassword or ntPassword attribute values.</para></listitem>
608 These password hashes are clear text equivalents and can be used to impersonate
609 the user without deriving the original clear text strings. For more information
610 on the details of LM/NT password hashes, refer to the <link
611 linkend="passdb">User Database</link> of the Samba-HOWTO-Collection.
615 To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
616 to require an encrypted session (<command>ldap ssl = on</command>) using
617 the default port of 636
618 when contacting the directory server. When using an OpenLDAP 2.0 server, it
619 is possible to use the use the StartTLS LDAP extended operation in the place of
620 LDAPS. In either case, you are strongly discouraged to disable this security
621 (<command>ldap ssl = off</command>).
625 Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
626 extended operation. However, the OpenLDAP library still provides support for
627 the older method of securing communication between clients and servers.
631 The second security precaution is to prevent non-administrative users from
632 harvesting password hashes from the directory. This can be done using the
633 following ACL in <filename>slapd.conf</filename>:
636 <para><programlisting>
637 ## allow the "ldap admin dn" access, but deny everyone else
638 access to attrs=lmPassword,ntPassword
639 by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
641 </programlisting></para>
649 <title>LDAP specials attributes for sambaAccounts</title>
652 The sambaAccount objectclass is composed of the following attributes:
657 <listitem><para><constant>lmPassword</constant>: the LANMAN password 16-byte hash stored as a character
658 representation of a hexidecimal string.</para></listitem>
660 <listitem><para><constant>ntPassword</constant>: the NT password hash 16-byte stored as a character
661 representation of a hexidecimal string.</para></listitem>
663 <listitem><para><constant>pwdLastSet</constant>: The integer time in seconds since 1970 when the
664 <constant>lmPassword</constant> and <constant>ntPassword</constant> attributes were last set.
667 <listitem><para><constant>acctFlags</constant>: string of 11 characters surrounded by square brackets []
668 representing account flags such as U (user), W(workstation), X(no password expiration), I(Domain trust account), H(Home dir required), S(Server trust account), N(Password not required) and D(disabled).</para></listitem>
670 <listitem><para><constant>logonTime</constant>: Integer value currently unused</para></listitem>
672 <listitem><para><constant>logoffTime</constant>: Integer value currently unused</para></listitem>
674 <listitem><para><constant>kickoffTime</constant>: Integer value currently unused</para></listitem>
676 <listitem><para><constant>pwdCanChange</constant>: Integer value currently unused</para></listitem>
678 <listitem><para><constant>pwdMustChange</constant>: Integer value currently unused</para></listitem>
680 <listitem><para><constant>homeDrive</constant>: specifies the drive letter to which to map the
681 UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
682 where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
683 smb.conf(5) man page for more information.</para></listitem>
685 <listitem><para><constant>scriptPath</constant>: The scriptPath property specifies the path of
686 the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
687 is relative to the netlogon share. Refer to the "logon script" parameter in the
688 smb.conf(5) man page for more information.</para></listitem>
690 <listitem><para><constant>profilePath</constant>: specifies a path to the user's profile.
691 This value can be a null string, a local absolute path, or a UNC path. Refer to the
692 "logon path" parameter in the smb.conf(5) man page for more information.</para></listitem>
694 <listitem><para><constant>smbHome</constant>: The homeDirectory property specifies the path of
695 the home directory for the user. The string can be null. If homeDrive is set and specifies
696 a drive letter, homeDirectory should be a UNC path. The path must be a network
697 UNC path of the form \\server\share\directory. This value can be a null string.
698 Refer to the "logon home" parameter in the smb.conf(5) man page for more information.
701 <listitem><para><constant>userWorkstation</constant>: character string value currently unused.
704 <listitem><para><constant>rid</constant>: the integer representation of the user's relative identifier
705 (RID).</para></listitem>
707 <listitem><para><constant>primaryGroupID</constant>: the relative identifier (RID) of the primary group
708 of the user.</para></listitem>
713 The majority of these parameters are only used when Samba is acting as a PDC of
714 a domain (refer to the <ulink url="Samba-PDC-HOWTO.html">Samba-PDC-HOWTO</ulink> for details on
715 how to configure Samba as a Primary Domain Controller). The following four attributes
716 are only stored with the sambaAccount entry if the values are non-default values:
720 <listitem><para>smbHome</para></listitem>
721 <listitem><para>scriptPath</para></listitem>
722 <listitem><para>logonPath</para></listitem>
723 <listitem><para>homeDrive</para></listitem>
727 These attributes are only stored with the sambaAccount entry if
728 the values are non-default values. For example, assume TASHTEGO has now been
729 configured as a PDC and that <command>logon home = \\%L\%u</command> was defined in
730 its <filename>smb.conf</filename> file. When a user named "becky" logons to the domain,
731 the <parameter>logon home</parameter> string is expanded to \\TASHTEGO\becky.
732 If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
733 this value is used. However, if this attribute does not exist, then the value
734 of the <parameter>logon home</parameter> parameter is used in its place. Samba
735 will only write the attribute value to the directory entry if the value is
736 something other than the default (e.g. \\MOBY\becky).
745 <title>Example LDIF Entries for a sambaAccount</title>
749 The following is a working LDIF with the inclusion of the posixAccount objectclass:
752 <para><programlisting>
753 dn: uid=guest2, ou=people,dc=plainjoe,dc=org
754 ntPassword: 878D8014606CDA29677A44EFA1353FC7
755 pwdMustChange: 2147483647
757 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
758 pwdLastSet: 1010179124
760 objectClass: sambaAccount
762 kickoffTime: 2147483647
764 logoffTime: 2147483647
767 </programlisting></para>
770 The following is an LDIF entry for using both the sambaAccount and
771 posixAccount objectclasses:
774 <para><programlisting>
775 dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
777 displayName: Gerald Carter
778 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
780 objectClass: posixAccount
781 objectClass: sambaAccount
783 userPassword: {crypt}BpM2ej8Rkzogo
787 loginShell: /bin/bash
788 logoffTime: 2147483647
790 kickoffTime: 2147483647
791 pwdLastSet: 1010179230
793 homeDirectory: /home/tashtego/gcarter
795 pwdMustChange: 2147483647
796 ntPassword: 878D8014606CDA29677A44EFA1353FC7
797 </programlisting></para>
806 <title>Creating the database</title>
809 You either can set up your own table and specify the field names to pdb_mysql (see below
810 for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
811 contains the correct queries to create the required tables. Use the command :
813 <command>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> <replaceable>databasename</replaceable> > <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></command>
819 <title>Configuring</title>
821 <para>This plugin lacks some good documentation, but here is some short info:</para>
823 <para>Add a the following to the <command>passdb backend</command> variable in your <filename>smb.conf</filename>:
825 passdb backend = [other-plugins] mysql:identifier [other-plugins]
829 <para>The identifier can be any string you like, as long as it doesn't collide with
830 the identifiers of other plugins or other instances of pdb_mysql. If you
831 specify multiple pdb_mysql.so entries in 'passdb backend', you also need to
832 use different identifiers!
836 Additional options can be given thru the smb.conf file in the [global] section.
839 <para><programlisting>
840 identifier:mysql host - host name, defaults to 'localhost'
841 identifier:mysql password
842 identifier:mysql user - defaults to 'samba'
843 identifier:mysql database - defaults to 'samba'
844 identifier:mysql port - defaults to 3306
845 identifier:table - Name of the table containing users
846 </programlisting></para>
850 Since the password for the mysql user is stored in the
851 smb.conf file, you should make the the smb.conf file
852 readable only to the user that runs samba. This is considered a security
853 bug and will be fixed soon.
857 <para>Names of the columns in this table(I've added column types those columns should have first):</para>
859 <para><programlisting>
860 identifier:logon time column - int(9)
861 identifier:logoff time column - int(9)
862 identifier:kickoff time column - int(9)
863 identifier:pass last set time column - int(9)
864 identifier:pass can change time column - int(9)
865 identifier:pass must change time column - int(9)
866 identifier:username column - varchar(255) - unix username
867 identifier:domain column - varchar(255) - NT domain user is part of
868 identifier:nt username column - varchar(255) - NT username
869 identifier:fullname column - varchar(255) - Full name of user
870 identifier:home dir column - varchar(255) - Unix homedir path
871 identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:')
872 identifier:logon script column - varchar(255)
873 - Batch file to run on client side when logging on
874 identifier:profile path column - varchar(255) - Path of profile
875 identifier:acct desc column - varchar(255) - Some ASCII NT user data
876 identifier:workstations column - varchar(255)
877 - Workstations user can logon to (or NULL for all)
878 identifier:unknown string column - varchar(255) - unknown string
879 identifier:munged dial column - varchar(255) - ?
880 identifier:user sid column - varchar(255) - NT user SID
881 identifier:group sid column - varchar(255) - NT group ID
882 identifier:lanman pass column - varchar(255) - encrypted lanman password
883 identifier:nt pass column - varchar(255) - encrypted nt passwd
884 identifier:plain pass column - varchar(255) - plaintext password
885 identifier:acct control column - int(9) - nt user data
886 identifier:unknown 3 column - int(9) - unknown
887 identifier:logon divs column - int(9) - ?
888 identifier:hours len column - int(9) - ?
889 identifier:unknown 5 column - int(9) - unknown
890 identifier:unknown 6 column - int(9) - unknown
891 </programlisting></para>
894 Eventually, you can put a colon (:) after the name of each column, which
895 should specify the column to update when updating the table. You can also
896 specify nothing behind the colon - then the data from the field will not be
903 <title>Using plaintext passwords or encrypted password</title>
906 I strongly discourage the use of plaintext passwords, however, you can use them:
910 If you would like to use plaintext passwords, set
911 'identifier:lanman pass column' and 'identifier:nt pass column' to
912 'NULL' (without the quotes) and 'identifier:plain pass column' to the
913 name of the column containing the plaintext passwords.
917 If you use encrypted passwords, set the 'identifier:plain pass
918 column' to 'NULL' (without the quotes). This is the default.
924 <title>Getting non-column data from the table</title>
927 It is possible to have not all data in the database and making some 'constant'.
931 For example, you can set 'identifier:fullname column' to :
932 <command>CONCAT(First_name,' ',Sur_name)</command>
936 Or, set 'identifier:workstations column' to :
937 <command>NULL</command></para>
939 <para>See the MySQL documentation for more language constructs.</para>
947 <para>This module requires libxml2 to be installed.</para>
949 <para>The usage of pdb_xml is pretty straightforward. To export data, use:
953 <userinput>pdbedit -e xml:filename</userinput>
957 (where filename is the name of the file to put the data in)
962 <userinput>pdbedit -i xml:filename -e current-pdb</userinput>
965 Where filename is the name to read the data from and current-pdb to put it in.