1 <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
5 >User information database</TITLE
8 CONTENT="Modular DocBook HTML Stylesheet Version 1.7"><LINK
10 TITLE="SAMBA Project Documentation"
11 HREF="samba-howto-collection.html"><LINK
13 TITLE="General installation"
14 HREF="introduction.html"><LINK
16 TITLE="Quick Cross Subnet Browsing / Cross Workgroup Browsing guide"
17 HREF="browsing-quick.html"><LINK
19 TITLE="Type of installation"
20 HREF="type.html"></HEAD
31 SUMMARY="Header navigation table"
40 >SAMBA Project Documentation</TH
48 HREF="browsing-quick.html"
77 >Chapter 4. User information database</H1
87 HREF="passdb.html#AEN469"
92 HREF="passdb.html#AEN476"
93 >Important Notes About Security</A
99 HREF="passdb.html#AEN502"
100 >Advantages of SMB Encryption</A
104 HREF="passdb.html#AEN508"
105 >Advantages of non-encrypted passwords</A
111 HREF="passdb.html#AEN514"
112 >The smbpasswd Command</A
116 HREF="passdb.html#AEN545"
121 HREF="passdb.html#AEN550"
126 HREF="passdb.html#AEN553"
133 HREF="passdb.html#AEN555"
138 HREF="passdb.html#AEN575"
143 HREF="passdb.html#AEN599"
144 >Supported LDAP Servers</A
148 HREF="passdb.html#AEN604"
149 >Schema and Relationship to the RFC 2307 posixAccount</A
153 HREF="passdb.html#AEN616"
154 >Configuring Samba with LDAP</A
160 HREF="passdb.html#AEN618"
161 >OpenLDAP configuration</A
165 HREF="passdb.html#AEN635"
166 >Configuring Samba</A
172 HREF="passdb.html#AEN663"
173 >Accounts and Groups management</A
177 HREF="passdb.html#AEN668"
178 >Security and sambaAccount</A
182 HREF="passdb.html#AEN688"
183 >LDAP specials attributes for sambaAccounts</A
187 HREF="passdb.html#AEN758"
188 >Example LDIF Entries for a sambaAccount</A
194 HREF="passdb.html#AEN766"
201 HREF="passdb.html#AEN768"
202 >Creating the database</A
206 HREF="passdb.html#AEN778"
211 HREF="passdb.html#AEN795"
212 >Using plaintext passwords or encrypted password</A
216 HREF="passdb.html#AEN800"
217 >Getting non-column data from the table</A
223 HREF="passdb.html#AEN808"
234 >4.1. Introduction</A
237 >Old windows clients send plain text passwords over the wire.
238 Samba can check these passwords by crypting them and comparing them
239 to the hash stored in the unix user database.
242 > Newer windows clients send encrypted passwords (so-called
243 Lanman and NT hashes) over
244 the wire, instead of plain text passwords. The newest clients
245 will only send encrypted passwords and refuse to send plain text
246 passwords, unless their registry is tweaked.
249 >These passwords can't be converted to unix style encrypted
250 passwords. Because of that you can't use the standard unix
251 user database, and you have to store the Lanman and NT hashes
254 >Next to a differently encrypted passwords,
255 windows also stores certain data for each user
256 that is not stored in a unix user database, e.g.
257 workstations the user may logon from, the location where his/her
258 profile is stored, etc.
259 Samba retrieves and stores this information using a "passdb backend".
261 available backends are LDAP, plain text file, MySQL and nisplus.
262 For more information, see the documentation about the
265 >passdb backend = </B
275 >4.2. Important Notes About Security</A
278 >The unix and SMB password encryption techniques seem similar
279 on the surface. This similarity is, however, only skin deep. The unix
280 scheme typically sends clear text passwords over the network when
281 logging in. This is bad. The SMB encryption scheme never sends the
282 cleartext password over the network but it does store the 16 byte
283 hashed values on disk. This is also bad. Why? Because the 16 byte hashed
284 values are a "password equivalent". You cannot derive the user's
285 password from them, but they could potentially be used in a modified
286 client to gain access to a server. This would require considerable
287 technical knowledge on behalf of the attacker but is perfectly possible.
288 You should thus treat the data stored in whatever
289 passdb backend you use (smbpasswd file, ldap, mysql) as though it contained the
290 cleartext passwords of all your users. Its contents must be kept
291 secret, and the file should be protected accordingly.</P
293 >Ideally we would like a password scheme which neither requires
294 plain text passwords on the net or on disk. Unfortunately this
295 is not available as Samba is stuck with being compatible with
296 other SMB systems (WinNT, WfWg, Win95 etc). </P
311 SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
318 >Note that Windows NT 4.0 Service pack 3 changed the
319 default for permissible authentication so that plaintext
326 > sent over the wire.
327 The solution to this is either to switch to encrypted passwords
328 with Samba or edit the Windows NT registry to re-enable plaintext
329 passwords. See the document WinNT.txt for details on how to do
332 >Other Microsoft operating systems which also exhibit
333 this behavior includes</P
335 > These versions of MS Windows do not support full domain
336 security protocols, although they may log onto a domain environment.
337 Of these Only MS Windows XP Home does NOT support domain logons.</P
345 >MS DOS Network client 3.0 with
346 the basic network redirector installed</TD
350 >Windows 95 with the network redirector
370 > The following versions of MS Windows fully support domain
371 security protocols.</P
387 >Windows 2000 Professional</TD
391 >Windows 200x Server/Advanced Server</TD
395 >Windows XP Professional</TD
419 SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/note.gif"
426 >All current release of
427 Microsoft SMB/CIFS clients support authentication via the
428 SMB Challenge/Response mechanism described here. Enabling
429 clear text authentication does not disable the ability
430 of the client to participate in encrypted authentication.</P
436 >MS Windows clients will cache the encrypted password alone.
437 Even when plain text passwords are re-enabled, through the appropriate
438 registry change, the plain text password is NEVER cached. This means that
439 in the event that a network connections should become disconnected (broken)
440 only the cached (encrypted) password will be sent to the resource server
441 to affect a auto-reconnect. If the resource server does not support encrypted
442 passwords the auto-reconnect will fail. <SPAN
446 >USE OF ENCRYPTED PASSWORDS
447 IS STRONGLY ADVISED.</I
456 >4.2.1. Advantages of SMB Encryption</A
465 >Plain text passwords are not passed across
466 the network. Someone using a network sniffer cannot just
467 record passwords going to the SMB server.</TD
471 >WinNT doesn't like talking to a server
472 that SM not support encrypted passwords. It will refuse
473 to browse the server if the server is also in user level
474 security mode. It will insist on prompting the user for the
475 password on each connection, which is very annoying. The
476 only things you can do to stop this is to use SMB encryption.
481 >Encrypted password support allows automatic share
482 (resource) reconnects.</TD
495 >4.2.2. Advantages of non-encrypted passwords</A
504 >Plain text passwords are not kept
505 on disk, and are NOT cached in memory. </TD
509 >Uses same password file as other unix
510 services such as login and ftp</TD
514 >Use of other services (such as telnet and ftp) which
515 send plain text passwords over the net, so sending them for SMB
516 isn't such a big deal.</TD
530 >4.3. The smbpasswd Command</A
533 >The smbpasswd utility is a utility similar to the
541 It maintains the two 32 byte password fields in the passdb backend. </P
546 > works in a client-server mode
547 where it contacts the local smbd to change the user's password on its
548 behalf. This has enormous benefits - as follows.</P
554 to change passwords on Windows NT servers (this only works when
555 the request is sent to the NT Primary Domain Controller if you
556 are changing an NT Domain user's password).</P
558 >To run smbpasswd as a normal user just type :</P
570 >Old SMB password: </SAMP
573 ><type old value here -
574 or hit return if there was no old password></KBD
579 >New SMB Password: </SAMP
582 ><type new value>
588 >Repeat New SMB Password: </SAMP
591 ><re-type new value
595 >If the old value does not match the current value stored for
596 that user, or the two new values do not match each other, then the
597 password will not be changed.</P
599 >If invoked by an ordinary user it will only allow the user
600 to change his or her own Samba password.</P
602 >If run by the root user smbpasswd may take an optional
603 argument, specifying the user name whose SMB password you wish to
604 change. Note that when run as root smbpasswd does not prompt for
605 or check the old password value, thus allowing root to set passwords
606 for users who have forgotten their passwords.</P
611 > is designed to work in the same way
612 and be familiar to UNIX users who use the <B
621 >For more details on using <B
625 to the man page which will always be the definitive reference.</P
636 >Older versions of samba retrieved user information from the unix user database
637 and eventually some other fields from the file <TT
639 >/etc/samba/smbpasswd</TT
644 >. When password encryption is disabled, no
645 data is stored at all.</P
656 >Samba can also store the user data in a "TDB" (Trivial Database). Using this backend
657 doesn't require any additional configuration. This backend is recommended for new installations who
658 don't require LDAP.</P
674 >4.6.1. Introduction</A
677 >This document describes how to use an LDAP directory for storing Samba user
678 account information traditionally stored in the smbpasswd(5) file. It is
679 assumed that the reader already has a basic understanding of LDAP concepts
680 and has a working directory server already installed. For more information
681 on LDAP architectures and Directories, please refer to the following sites.</P
688 HREF="http://www.openldap.org/"
690 >http://www.openldap.org/</A
695 >iPlanet Directory Server - <A
696 HREF="http://iplanet.netscape.com/directory"
698 >http://iplanet.netscape.com/directory</A
704 HREF="http://www.ora.com/"
706 >O'Reilly Publishing</A
708 a guide to LDAP for System Administrators which has a planned release date of
709 early summer, 2002.</P
711 >Two additional Samba resources which may prove to be helpful are</P
718 HREF="http://www.unav.es/cti/ldap-smb/ldap-smb-3-howto.html"
720 >Samba-PDC-LDAP-HOWTO</A
722 maintained by Ignacio Coupeau.</P
726 >The NT migration scripts from <A
727 HREF="http://samba.idealx.org/"
731 geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
742 >4.6.2. Introduction</A
745 >Traditionally, when configuring <A
746 HREF="smb.conf.5.html#ENCRYPTPASSWORDS"
754 information such as username, LM/NT password hashes, password change times, and account
755 flags have been stored in the <TT
758 > file. There are several
759 disadvantages to this approach for sites with very large numbers of users (counted
760 in the thousands).</P
766 >The first is that all lookups must be performed sequentially. Given that
767 there are approximately two lookups per domain logon (one for a normal
768 session connection such as when mapping a network drive or printer), this
769 is a performance bottleneck for lareg sites. What is needed is an indexed approach
770 such as is used in databases.</P
774 >The second problem is that administrators who desired to replicate a
775 smbpasswd file to more than one Samba server were left to use external
783 and wrote custom, in-house scripts.</P
787 >And finally, the amount of information which is stored in an
788 smbpasswd entry leaves no room for additional attributes such as
789 a home directory, password expiration time, or even a Relative
794 >As a result of these defeciencies, a more robust means of storing user attributes
795 used by smbd was developed. The API which defines access to user accounts
796 is commonly referred to as the samdb interface (previously this was called the passdb
797 API, and is still so named in the CVS trees). </P
799 >There are a few points to stress about what the ldapsam
800 does not provide. The LDAP support referred to in the this documentation does not
807 >A means of retrieving user account information from
808 an Windows 2000 Active Directory server.</P
812 >A means of replacing /etc/passwd.</P
816 >The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
817 versions of these libraries can be obtained from PADL Software
819 HREF="http://www.padl.com/"
821 >http://www.padl.com/</A
823 the details of configuring these packages are beyond the scope of this document.</P
831 >4.6.3. Supported LDAP Servers</A
834 >The LDAP samdb code in 2.2.3 (and later) has been developed and tested
835 using the OpenLDAP 2.0 server and client libraries.
836 The same code should be able to work with Netscape's Directory Server
837 and client SDK. However, due to lack of testing so far, there are bound
838 to be compile errors and bugs. These should not be hard to fix.
839 If you are so inclined, please be sure to forward all patches to
841 HREF="mailto:samba-patches@samba.org"
843 >samba-patches@samba.org</A
846 HREF="mailto:jerry@samba.org"
857 >4.6.4. Schema and Relationship to the RFC 2307 posixAccount</A
860 >Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in
863 >examples/LDAP/samba.schema</TT
864 >. The sambaAccount objectclass is given here:</P
867 CLASS="PROGRAMLISTING"
868 >objectclass ( 1.3.1.5.1.4.1.7165.2.2.2 NAME 'sambaAccount' SUP top STRUCTURAL
871 MAY ( cn $ lmPassword $ ntPassword $ pwdLastSet $ logonTime $
872 logoffTime $ kickoffTime $ pwdCanChange $ pwdMustChange $ acctFlags $
873 displayName $ smbHome $ homeDrive $ scriptPath $ profilePath $
874 description $ userWorkstations $ primaryGroupID $ domain ))</PRE
877 >The samba.schema file has been formatted for OpenLDAP 2.0. The OID's are
878 owned by the Samba Team and as such is legal to be openly published.
879 If you translate the schema to be used with Netscape DS, please
880 submit the modified schema file as a patch to <A
881 HREF="mailto:jerry@samba.org"
886 >Just as the smbpasswd file is mean to store information which supplements a
890 > entry, so is the sambaAccount object
891 meant to supplement the UNIX user account information. A sambaAccount is a
895 > objectclass so it can be stored individually
896 in the directory. However, there are several fields (e.g. uid) which overlap
897 with the posixAccount objectclass outlined in RFC2307. This is by design.</P
899 >In order to store all user account information (UNIX and Samba) in the directory,
900 it is necessary to use the sambaAccount and posixAccount objectclasses in
901 combination. However, smbd will still obtain the user's UNIX account
902 information via the standard C library calls (e.g. getpwnam(), et. al.).
903 This means that the Samba server must also have the LDAP NSS library installed
904 and functioning correctly. This division of information makes it possible to
905 store all Samba account information in LDAP, but still maintain UNIX account
906 information in NIS while the network is transitioning to a full LDAP infrastructure.</P
914 >4.6.5. Configuring Samba with LDAP</A
922 >4.6.5.1. OpenLDAP configuration</A
925 >To include support for the sambaAccount object in an OpenLDAP directory
926 server, first copy the samba.schema file to slapd's configuration directory.</P
933 >cp samba.schema /etc/openldap/schema/</KBD
936 >Next, include the <TT
943 The sambaAccount object contains two attributes which depend upon other schema
944 files. The 'uid' attribute is defined in <TT
948 the 'displayName' attribute is defined in the <TT
950 >inetorgperson.schema</TT
952 file. Both of these must be included before the <TT
958 CLASS="PROGRAMLISTING"
959 >## /etc/openldap/slapd.conf
961 ## schema files (core.schema is required by default)
962 include /etc/openldap/schema/core.schema
964 ## needed for sambaAccount
965 include /etc/openldap/schema/cosine.schema
966 include /etc/openldap/schema/inetorgperson.schema
967 include /etc/openldap/schema/samba.schema
968 include /etc/openldap/schema/nis.schema
973 >It is recommended that you maintain some indices on some of the most usefull attributes,
974 like in the following example, to speed up searches made on sambaAccount objectclasses
975 (and possibly posixAccount and posixGroup as well).</P
978 CLASS="PROGRAMLISTING"
979 ># Indices to maintain
980 ## required by OpenLDAP 2.0
983 ## support pb_getsampwnam()
985 ## support pdb_getsambapwrid()
988 ## uncomment these if you are storing posixAccount and
989 ## posixGroup entries in the directory as well
993 ##index memberUid eq</PRE
1002 >4.6.5.2. Configuring Samba</A
1005 >The following parameters are available in smb.conf only with <VAR
1007 >--with-ldapsam</VAR
1009 was included with compiling Samba.</P
1016 HREF="smb.conf.5.html#LDAPSSL"
1024 HREF="smb.conf.5.html#LDAPSERVER"
1032 HREF="smb.conf.5.html#LDAPADMINDN"
1040 HREF="smb.conf.5.html#LDAPSUFFIX"
1048 HREF="smb.conf.5.html#LDAPFILTER"
1056 HREF="smb.conf.5.html#LDAPPORT"
1063 >These are described in the <A
1064 HREF="smb.conf.5.html"
1068 page and so will not be repeated here. However, a sample smb.conf file for
1069 use with an LDAP directory could appear as</P
1072 CLASS="PROGRAMLISTING"
1073 >## /usr/local/samba/lib/smb.conf
1076 encrypt passwords = yes
1078 netbios name = TASHTEGO
1081 # ldap related parameters
1083 # define the DN to use when binding to the directory servers
1084 # The password for this DN is not stored in smb.conf. Rather it
1085 # must be set by using 'smbpasswd -w <VAR
1089 # passphrase in the secrets.tdb file. If the "ldap admin dn" values
1090 # changes, this password will need to be reset.
1091 ldap admin dn = "cn=Samba Manager,ou=people,dc=samba,dc=org"
1093 # specify the LDAP server's hostname (defaults to locahost)
1094 ldap server = ahab.samba.org
1096 # Define the SSL option when connecting to the directory
1097 # ('off', 'start tls', or 'on' (default))
1098 ldap ssl = start tls
1100 # define the port to use in the LDAP session (defaults to 636 when
1104 # specify the base DN to use when searching the directory
1105 ldap suffix = "ou=people,dc=samba,dc=org"
1107 # generally the default ldap search filter is ok
1108 # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"</PRE
1118 >4.6.6. Accounts and Groups management</A
1121 >As users accounts are managed thru the sambaAccount objectclass, you should
1122 modify you existing administration tools to deal with sambaAccount attributes.</P
1124 >Machines accounts are managed with the sambaAccount objectclass, just
1125 like users accounts. However, it's up to you to stored thoses accounts
1126 in a different tree of you LDAP namespace: you should use
1127 "ou=Groups,dc=plainjoe,dc=org" to store groups and
1128 "ou=People,dc=plainjoe,dc=org" to store users. Just configure your
1129 NSS and PAM accordingly (usually, in the /etc/ldap.conf configuration
1132 >In Samba release 3.0, the group management system is based on posix
1133 groups. This means that Samba make usage of the posixGroup objectclass.
1134 For now, there is no NT-like group system management (global and local
1143 >4.6.7. Security and sambaAccount</A
1146 >There are two important points to remember when discussing the security
1147 of sambaAccount entries in the directory.</P
1159 > retrieve the lmPassword or
1160 ntPassword attribute values over an unencrypted LDAP session.</P
1170 > allow non-admin users to
1171 view the lmPassword or ntPassword attribute values.</P
1175 >These password hashes are clear text equivalents and can be used to impersonate
1176 the user without deriving the original clear text strings. For more information
1177 on the details of LM/NT password hashes, refer to the <A
1180 > of the Samba-HOWTO-Collection.</P
1182 >To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults
1183 to require an encrypted session (<B
1187 the default port of 636
1188 when contacting the directory server. When using an OpenLDAP 2.0 server, it
1189 is possible to use the use the StartTLS LDAP extended operation in the place of
1190 LDAPS. In either case, you are strongly discouraged to disable this security
1196 >Note that the LDAPS protocol is deprecated in favor of the LDAPv3 StartTLS
1197 extended operation. However, the OpenLDAP library still provides support for
1198 the older method of securing communication between clients and servers.</P
1200 >The second security precaution is to prevent non-administrative users from
1201 harvesting password hashes from the directory. This can be done using the
1202 following ACL in <TT
1208 CLASS="PROGRAMLISTING"
1209 >## allow the "ldap admin dn" access, but deny everyone else
1210 access to attrs=lmPassword,ntPassword
1211 by dn="cn=Samba Admin,ou=people,dc=plainjoe,dc=org" write
1221 >4.6.8. LDAP specials attributes for sambaAccounts</A
1224 >The sambaAccount objectclass is composed of the following attributes:</P
1233 >: the LANMAN password 16-byte hash stored as a character
1234 representation of a hexidecimal string.</P
1241 >: the NT password hash 16-byte stored as a character
1242 representation of a hexidecimal string.</P
1249 >: The integer time in seconds since 1970 when the
1256 > attributes were last set.
1264 >: string of 11 characters surrounded by square brackets []
1265 representing account flags such as U (user), W(workstation), X(no password expiration), and
1273 >: Integer value currently unused</P
1280 >: Integer value currently unused</P
1287 >: Integer value currently unused</P
1294 >: Integer value currently unused</P
1300 >pwdMustChange</CODE
1301 >: Integer value currently unused</P
1308 >: specifies the drive letter to which to map the
1309 UNC path specified by homeDirectory. The drive letter must be specified in the form "X:"
1310 where X is the letter of the drive to map. Refer to the "logon drive" parameter in the
1311 smb.conf(5) man page for more information.</P
1318 >: The scriptPath property specifies the path of
1319 the user's logon script, .CMD, .EXE, or .BAT file. The string can be null. The path
1320 is relative to the netlogon share. Refer to the "logon script" parameter in the
1321 smb.conf(5) man page for more information.</P
1328 >: specifies a path to the user's profile.
1329 This value can be a null string, a local absolute path, or a UNC path. Refer to the
1330 "logon path" parameter in the smb.conf(5) man page for more information.</P
1337 >: The homeDirectory property specifies the path of
1338 the home directory for the user. The string can be null. If homeDrive is set and specifies
1339 a drive letter, homeDirectory should be a UNC path. The path must be a network
1340 UNC path of the form \\server\share\directory. This value can be a null string.
1341 Refer to the "logon home" parameter in the smb.conf(5) man page for more information.
1348 >userWorkstation</CODE
1349 >: character string value currently unused.
1357 >: the integer representation of the user's relative identifier
1364 >primaryGroupID</CODE
1365 >: the relative identifier (RID) of the primary group
1370 >The majority of these parameters are only used when Samba is acting as a PDC of
1371 a domain (refer to the <A
1372 HREF="Samba-PDC-HOWTO.html"
1376 how to configure Samba as a Primary Domain Controller). The following four attributes
1377 are only stored with the sambaAccount entry if the values are non-default values:</P
1399 >These attributes are only stored with the sambaAccount entry if
1400 the values are non-default values. For example, assume TASHTEGO has now been
1401 configured as a PDC and that <B
1403 >logon home = \\%L\%u</B
1408 > file. When a user named "becky" logons to the domain,
1412 > string is expanded to \\TASHTEGO\becky.
1413 If the smbHome attribute exists in the entry "uid=becky,ou=people,dc=samba,dc=org",
1414 this value is used. However, if this attribute does not exist, then the value
1418 > parameter is used in its place. Samba
1419 will only write the attribute value to the directory entry is the value is
1420 something other than the default (e.g. \\MOBY\becky).</P
1428 >4.6.9. Example LDIF Entries for a sambaAccount</A
1431 >The following is a working LDIF with the inclusion of the posixAccount objectclass:</P
1434 CLASS="PROGRAMLISTING"
1435 >dn: uid=guest2, ou=people,dc=plainjoe,dc=org
1436 ntPassword: 878D8014606CDA29677A44EFA1353FC7
1437 pwdMustChange: 2147483647
1438 primaryGroupID: 1201
1439 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
1440 pwdLastSet: 1010179124
1442 objectClass: sambaAccount
1444 kickoffTime: 2147483647
1446 logoffTime: 2147483647
1448 pwdCanChange: 0</PRE
1451 >The following is an LDIF entry for using both the sambaAccount and
1452 posixAccount objectclasses:</P
1455 CLASS="PROGRAMLISTING"
1456 >dn: uid=gcarter, ou=people,dc=plainjoe,dc=org
1458 displayName: Gerald Carter
1459 lmPassword: 552902031BEDE9EFAAD3B435B51404EE
1460 primaryGroupID: 1201
1461 objectClass: posixAccount
1462 objectClass: sambaAccount
1464 userPassword: {crypt}BpM2ej8Rkzogo
1468 loginShell: /bin/bash
1469 logoffTime: 2147483647
1471 kickoffTime: 2147483647
1472 pwdLastSet: 1010179230
1474 homeDirectory: /home/tashtego/gcarter
1476 pwdMustChange: 2147483647
1477 ntPassword: 878D8014606CDA29677A44EFA1353FC7</PRE
1495 >4.7.1. Creating the database</A
1498 >You either can set up your own table and specify the field names to pdb_mysql (see below
1499 for the column names) or use the default table. The file <TT
1501 >examples/pdb/mysql/mysql.dump</TT
1503 contains the correct queries to create the required tables. Use the command :
1521 >/path/to/samba/examples/pdb/mysql/mysql.dump</TT
1531 >4.7.2. Configuring</A
1534 >This plugin lacks some good documentation, but here is some short info:</P
1536 >Add a the following to the <B
1539 > variable in your <TT
1544 CLASS="PROGRAMLISTING"
1545 >passdb backend = [other-plugins] mysql:identifier [other-plugins]</PRE
1548 >The identifier can be any string you like, as long as it doesn't collide with
1549 the identifiers of other plugins or other instances of pdb_mysql. If you
1550 specify multiple pdb_mysql.so entries in 'passdb backend', you also need to
1551 use different identifiers!</P
1553 >Additional options can be given thru the smb.conf file in the [global] section.</P
1556 CLASS="PROGRAMLISTING"
1557 >identifier:mysql host - host name, defaults to 'localhost'
1558 identifier:mysql password
1559 identifier:mysql user - defaults to 'samba'
1560 identifier:mysql database - defaults to 'samba'
1561 identifier:mysql port - defaults to 3306
1562 identifier:table - Name of the table containing users</PRE
1578 SRC="/usr/share/sgml/docbook/stylesheet/dsssl/modular/images/warning.gif"
1585 >Since the password for the mysql user is stored in the
1586 smb.conf file, you should make the the smb.conf file
1587 readable only to the user that runs samba. This is considered a security
1588 bug and will be fixed soon.</P
1594 >Names of the columns in this table(I've added column types those columns should have first):</P
1597 CLASS="PROGRAMLISTING"
1598 >identifier:logon time column - int(9)
1599 identifier:logoff time column - int(9)
1600 identifier:kickoff time column - int(9)
1601 identifier:pass last set time column - int(9)
1602 identifier:pass can change time column - int(9)
1603 identifier:pass must change time column - int(9)
1604 identifier:username column - varchar(255) - unix username
1605 identifier:domain column - varchar(255) - NT domain user is part of
1606 identifier:nt username column - varchar(255) - NT username
1607 identifier:fullname column - varchar(255) - Full name of user
1608 identifier:home dir column - varchar(255) - Unix homedir path
1609 identifier:dir drive column - varchar(2) - Directory drive path (eg: 'H:')
1610 identifier:logon script column - varchar(255) - Batch file to run on client side when logging on
1611 identifier:profile path column - varchar(255) - Path of profile
1612 identifier:acct desc column - varchar(255) - Some ASCII NT user data
1613 identifier:workstations column - varchar(255) - Workstations user can logon to (or NULL for all)
1614 identifier:unknown string column - varchar(255) - unknown string
1615 identifier:munged dial column - varchar(255) - ?
1616 identifier:uid column - int(9) - Unix user ID (uid)
1617 identifier:gid column - int(9) - Unix user group (gid)
1618 identifier:user sid column - varchar(255) - NT user SID
1619 identifier:group sid column - varchar(255) - NT group ID
1620 identifier:lanman pass column - varchar(255) - encrypted lanman password
1621 identifier:nt pass column - varchar(255) - encrypted nt passwd
1622 identifier:plain pass column - varchar(255) - plaintext password
1623 identifier:acct control column - int(9) - nt user data
1624 identifier:unknown 3 column - int(9) - unknown
1625 identifier:logon divs column - int(9) - ?
1626 identifier:hours len column - int(9) - ?
1627 identifier:unknown 5 column - int(9) - unknown
1628 identifier:unknown 6 column - int(9) - unknown</PRE
1631 >Eventually, you can put a colon (:) after the name of each column, which
1632 should specify the column to update when updating the table. You can also
1633 specify nothing behind the colon - then the data from the field will not be
1642 >4.7.3. Using plaintext passwords or encrypted password</A
1645 >I strongly discourage the use of plaintext passwords, however, you can use them:</P
1647 >If you would like to use plaintext passwords, set 'identifier:lanman pass column' and 'identifier:nt pass column' to 'NULL' (without the quotes) and 'identifier:plain pass column' to the name of the column containing the plaintext passwords. </P
1649 >If you use encrypted passwords, set the 'identifier:plain pass column' to 'NULL' (without the quotes). This is the default.</P
1657 >4.7.4. Getting non-column data from the table</A
1660 >It is possible to have not all data in the database and making some 'constant'.</P
1662 >For example, you can set 'identifier:fullname column' to :
1665 >CONCAT(First_name,' ',Sur_name)</B
1668 >Or, set 'identifier:workstations column' to :
1674 >See the MySQL documentation for more language constructs.</P
1686 >This module requires libxml2 to be installed.</P
1688 >The usage of pdb_xml is pretty straightforward. To export data, use:
1692 >pdbedit -e xml:filename</KBD
1695 (where filename is the name of the file to put the data in)</P
1697 >To import data, use:
1700 >pdbedit -i xml:filename -e current-pdb</KBD
1703 Where filename is the name to read the data from and current-pdb to put it in.</P
1711 SUMMARY="Footer navigation table"
1722 HREF="browsing-quick.html"
1731 HREF="samba-howto-collection.html"
1750 >Quick Cross Subnet Browsing / Cross Workgroup Browsing guide</TD
1756 HREF="introduction.html"
1764 >Type of installation</TD