Authentication in Samba - Account Storage
(Page 4 of 4 )
Samba exposes Unix objects—files, printers, users and groups—in a way that Windows clients understand. It is necessary, however, for Samba to store some additional attributes for users beyond the information in /etc/passwd. These attributes, such as the LanMan and NT password hashes, the user’s SID, and a home directory UNC path, are maintained in what is referred to as a passdb backend . This storage facility can currently take one of three forms:
- A flat text file
- A trivial database (tdb) file
- An LDAP directory service
The passdb backend parameter is a global option whose value is in the form name: argument[,argument] . The Samba code for passdb is written such that new storage modules can be written by the community. However, in this chapter, we concern ourselves with only three, which are distributed as part of the core Samba source code: smbpasswd , tdbsam , and ldapsam . Because each passdb module has its own list of supported options, we discuss possible argument values later, after we have covered each backend in depth. Frequently, arguments can be omitted in order to rely on the passdb module’s default behavior. If no backend is specified in smb.conf, Samba defaults to using an smbpasswd file.
passdb backend = smbpasswd
We have seen the structure of an entry from an smbpasswd file earlier in this chapter. Although the file’s format changed between Samba 1.9 and 2.0, smbpasswd is the original account storage mechanism used by Samba and still the recommended solution for most standalone servers. Additional storage facilities were not officially supported until Samba 3.0.* The structure of an smbpasswd entry is:
username:uid:lanman_hash:nt_hash:flags:pw_lct
The fields are defined as follows:
username
The user’s login name.
uid
The Unix numeric uid of the user. This field is currently ignored by Samba, because the value is obtained by querying the operating system instead.
lanman_hash
nt_hash
The user’s password hashes, represented as 32-character hexadecimal strings. A string of 32 Xs indicates an invalid password. A value of the string “NO PASSWORD” followed by 21 Xs in the lanman_hash indicates that no password has been associated with this account. Accounts with no passwords are allowed access only if the null passwords option (Table 5-8) is enabled in the [global] section of smb.conf.
flags
Various single-character flags representing the type and state of the user’s account. The complete list of account flags is in Table 5-9.
pw_lct
The Unix timestamp of the user’s last successful password change, encoded as a hexadecimal string.
Table 5-8. Null passwords option
Parameter | Value | Description | Default | Scope |
null passwords | boolean | Determines whether Samba allows connections using accounts with no associated password hash and possessing the Naccount flag. | no | Global |
Table 5-9. User account flags supported by Samba
| Flags | Description |
| D | Account is disabled. |
| I | Interdomain trust account. |
| L | The account has been autolocked due to bad login attempts. |
| N | No password is required by this account. This flag is honored only if the null passwords global parameter is enabled. |
| S | Backup domain controller trust account. |
| U | User account. |
| W | Workstation trust account. |
| X | The associated password will not expire, regardless of the server’s password policy settings. |
The following example configures Samba to use an smbpasswd text file for account storage:
[global]
security = user
encrypt passwords = yes
passdb backend = smbpasswd
The file’s default location is set at compile time and can be determined by entering smbd -b | grep SMB_PASSWD_FILE . If you wish to assign a different location, append a colon and the desired absolute path to the smbpasswd module name:
passdb backend = smbpasswd:/etc/smbpasswd
passdb backend = tdbsam
The TDB passdb backend, named tdbsam , expands upon the list of user attributes supported by the smbpasswd backend. tdbsam is the recommended method for storing accounts for a single Samba primary domain controller that does not share its users and groups with any Samba backup domain controllers. The full discussion of Samba domains is provided in Chapter 9. For now, it is sufficient to understand that a tdbsam is a database variant of smbpasswd with support for a richer set of attributes.
The default tdbsam database filename is passdb.tdb and is located in the /usr/local/samba/private directory. For custom Samba installations, you can determine this location by running smbd -b | grep PRIVATE_DIR . If you wish to change that location at runtime, tdbsam accepts, as its only argument, the absolute path to a tdb file:
passdb backend = tdbsam:/etc/passdb.tdb
Please check back next week for the continuation of this article.
| DISCLAIMER: The content provided in this article is not warranted or guaranteed by Developer Shed, Inc. The content provided is intended for entertainment and/or educational purposes in order to introduce to the reader key ideas, concepts, and/or product reviews. As such it is incumbent upon the reader to employ real-world tactics for security and implementation of best practices. We are not liable for any negative consequences that may result from implementing any information covered in our articles or tutorials. If this is a hardware review, it is not recommended to open and/or modify your hardware. |
|
 This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Check it out today at your favorite bookstore. Buy this book now.
|
|
