Samba exposes Unix objects—files, printers, users and groups—in a way that Windows clients understand. It is necessary, however, for Samba to store some additional attributes for users beyond the information in /etc/passwd. These attributes, such as the LanMan and NT password hashes, the user’s SID, and a home directory UNC path, are maintained in what is referred to as a passdb backend . This storage facility can currently take one of three forms:
The passdb backend parameter is a global option whose value is in the form name: argument[,argument] . The Samba code for passdb is written such that new storage modules can be written by the community. However, in this chapter, we concern ourselves with only three, which are distributed as part of the core Samba source code: smbpasswd , tdbsam , and ldapsam . Because each passdb module has its own list of supported options, we discuss possible argument values later, after we have covered each backend in depth. Frequently, arguments can be omitted in order to rely on the passdb module’s default behavior. If no backend is specified in smb.conf, Samba defaults to using an smbpasswd file.
passdb backend = smbpasswd
We have seen the structure of an entry from an smbpasswd file earlier in this chapter. Although the file’s format changed between Samba 1.9 and 2.0, smbpasswd is the original account storage mechanism used by Samba and still the recommended solution for most standalone servers. Additional storage facilities were not officially supported until Samba 3.0.* The structure of an smbpasswd entry is:
The fields are defined as follows:
Table 5-8. Null passwords option
Table 5-9. User account flags supported by Samba
The following example configures Samba to use an smbpasswd text file for account storage:
The file’s default location is set at compile time and can be determined by entering smbd -b | grep SMB_PASSWD_FILE . If you wish to assign a different location, append a colon and the desired absolute path to the smbpasswd module name:
passdb backend = smbpasswd:/etc/smbpasswd
passdb backend = tdbsam
The TDB passdb backend, named tdbsam , expands upon the list of user attributes supported by the smbpasswd backend. tdbsam is the recommended method for storing accounts for a single Samba primary domain controller that does not share its users and groups with any Samba backup domain controllers. The full discussion of Samba domains is provided in Chapter 9. For now, it is sufficient to understand that a tdbsam is a database variant of smbpasswd with support for a richer set of attributes.
The default tdbsam database filename is passdb.tdb and is located in the /usr/local/samba/private directory. For custom Samba installations, you can determine this location by running smbd -b | grep PRIVATE_DIR . If you wish to change that location at runtime, tdbsam accepts, as its only argument, the absolute path to a tdb file:
passdb backend = tdbsam:/etc/passdb.tdb
Please check back next week for the continuation of this article.
blog comments powered by Disqus