Account Storage - Administration

In this second part of a four-part series on handling authentication and authorization in Samba, you will learn about pluggable authentication modules, a challenge/response authentication algorithm developed by Microsoft, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:

By: O'Reilly Media

Poor Best

Rating:

/ 8

February 14, 2008

print this article

SEARCH DEV SHED

TOOLS YOU CAN USE

Samba exposes Unix objects—files, printers, users and groups—in a way that Windows clients understand. It is necessary, however, for Samba to store some additional attributes for users beyond the information in /etc/passwd. These attributes, such as the LanMan and NT password hashes, the user’s SID, and a home directory UNC path, are maintained in what is referred to as a passdb backend . This storage facility can currently take one of three forms:

A flat text file
A trivial database (tdb) file
An LDAP directory service

The passdb backend parameter is a global option whose value is in the form name: argument[,argument] . The Samba code for passdb is written such that new storage modules can be written by the community. However, in this chapter, we concern ourselves with only three, which are distributed as part of the core Samba source code: smbpasswd , tdbsam , and ldapsam . Because each passdb module has its own list of supported options, we discuss possible argument values later, after we have covered each backend in depth. Frequently, arguments can be omitted in order to rely on the passdb module’s default behavior. If no backend is specified in smb.conf, Samba defaults to using an smbpasswd file.

passdb backend = smbpasswd

We have seen the structure of an entry from an smbpasswd file earlier in this chapter. Although the file’s format changed between Samba 1.9 and 2.0, smbpasswd is the original account storage mechanism used by Samba and still the recommended solution for most standalone servers. Additional storage facilities were not officially supported until Samba 3.0.^* The structure of an smbpasswd entry is:

username:uid:lanman_hash:nt_hash:flags:pw_lct

The fields are defined as follows:

username

The user’s login name.

uid

The Unix numeric uid of the user. This field is currently ignored by Samba, because the value is obtained by querying the operating system instead.

lanman_hash
nt_hash

The user’s password hashes, represented as 32-character hexadecimal strings. A string of 32 Xs indicates an invalid password. A value of the string “NO PASSWORD” followed by 21 Xs in the lanman_hash indicates that no password has been associated with this account. Accounts with no passwords are allowed access only if the null passwords option (Table 5-8) is enabled in the [global] section of smb.conf.

flags

Various single-character flags representing the type and state of the user’s account. The complete list of account flags is in Table 5-9.

pw_lct

The Unix timestamp of the user’s last successful password change, encoded as a hexadecimal string.

Table 5-8. Null passwords option

Parameter
Value
Description
Default
Scope
null passwords
boolean
Determines whether Samba allows connections using accounts with no associated password hash and possessing the Naccount flag.
no
Global
Table 5-9. User account flags supported by Samba
Flags Description
D Account is disabled.
I Interdomain trust account.
L The account has been autolocked due to bad login attempts.
N
No password is required by this account. This flag is honored only if the null passwords global parameter is enabled.
S Backup domain controller trust account.
U User account.
W Workstation trust account.
X The associated password will not expire, regardless of the server’s password policy settings.

The following example configures Samba to use an smbpasswd text file for account storage:

[global]
      security = user
      encrypt passwords = yes
      passdb backend = smbpasswd

The file’s default location is set at compile time and can be determined by entering smbd -b | grep SMB_PASSWD_FILE . If you wish to assign a different location, append a colon and the desired absolute path to the smbpasswd module name:

passdb backend = smbpasswd:/etc/smbpasswd

passdb backend = tdbsam

The TDB passdb backend, named tdbsam , expands upon the list of user attributes supported by the smbpasswd backend. tdbsam is the recommended method for storing accounts for a single Samba primary domain controller that does not share its users and groups with any Samba backup domain controllers. The full discussion of Samba domains is provided in Chapter 9. For now, it is sufficient to understand that a tdbsam is a database variant of smbpasswd with support for a richer set of attributes.

The default tdbsam database filename is passdb.tdb and is located in the /usr/local/samba/private directory. For custom Samba installations, you can determine this location by running smbd -b | grep PRIVATE_DIR . If you wish to change that location at runtime, tdbsam accepts, as its only argument, the absolute path to a tdb file:

passdb backend = tdbsam:/etc/passdb.tdb

Please check back next week for the continuation of this article.