Home arrow Site Administration arrow Page 4 - Authentication in Samba

Account Storage - Administration

In this second part of a four-part series on handling authentication and authorization in Samba, you will learn about pluggable authentication modules, a challenge/response authentication algorithm developed by Microsoft, and more. This article is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

  1. Authentication in Samba
  2. NTLMv1
  3. User Management
  4. Account Storage
By: O'Reilly Media
Rating: starstarstarstarstar / 8
February 14, 2008

print this article



Samba exposes Unix objects—files, printers, users and groups—in a way that Windows clients understand. It is necessary, however, for Samba to store some additional attributes for users beyond the information in /etc/passwd. These attributes, such as the LanMan and NT password hashes, the user’s SID, and a home directory UNC path, are maintained in what is referred to as a passdb backend . This storage facility can currently take one of three forms:

  1. A flat text file
  2. A trivial database (tdb) file
  3. An LDAP directory service

The passdb backend parameter is a global option whose value is in the form name: argument[,argument] . The Samba code for passdb is written such that new storage modules can be written by the community. However, in this chapter, we concern ourselves with only three, which are distributed as part of the core Samba source code: smbpasswd , tdbsam , and ldapsam . Because each passdb module has its own list of supported options, we discuss possible argument values later, after we have covered each backend in depth. Frequently, arguments can be omitted in order to rely on the passdb module’s default behavior. If no backend is specified in smb.conf, Samba defaults to using an smbpasswd file.

passdb backend = smbpasswd

We have seen the structure of an entry from an smbpasswd file earlier in this chapter. Although the file’s format changed between Samba 1.9 and 2.0, smbpasswd is the original account storage mechanism used by Samba and still the recommended solution for most standalone servers. Additional storage facilities were not officially supported until Samba 3.0.* The structure of an smbpasswd entry is:


The fields are defined as follows:


The user’s login name.


The Unix numeric uid of the user. This field is currently ignored by Samba, because the value is obtained by querying the operating system instead.


The user’s password hashes, represented as 32-character hexadecimal strings. A string of 32 Xs indicates an invalid password. A value of the string “NO PASSWORD” followed by 21 Xs in the lanman_hash  indicates that no password has been associated with this account. Accounts with no passwords are allowed access only if the null passwords option (Table 5-8) is enabled in the [global] section of smb.conf.


Various single-character flags representing the type and state of the user’s account. The complete list of account flags is in Table 5-9.


The Unix timestamp of the user’s last successful password change, encoded as a hexadecimal string.

Table 5-8. Null passwords option






null passwords


Determines whether Samba allows connections using accounts with no associated password hash and possessing the Naccount flag.



Table 5-9. User account flags supported by Samba

Flags Description
D Account is disabled.
I Interdomain trust account.
L The account has been autolocked due to bad login attempts.

No password is required by this account. This flag is honored only if the null passwords global parameter is enabled. 

S Backup domain controller trust account.
U User account.
W Workstation trust account.
X The associated password will not expire, regardless of the server’s password policy settings.

The following example configures Samba to use an smbpasswd text file for account storage:

security = user
encrypt passwords = yes
passdb backend = smbpasswd

The file’s default location is set at compile time and can be determined by entering smbd -b | grep SMB_PASSWD_FILE . If you wish to assign a different location, append a colon and the desired absolute path to the smbpasswd module name:

  passdb backend = smbpasswd:/etc/smbpasswd

passdb backend = tdbsam

The TDB passdb backend, named tdbsam , expands upon the list of user attributes supported by the smbpasswd backend. tdbsam is the recommended method for storing accounts for a single Samba primary domain controller that does not share its users and groups with any Samba backup domain controllers. The full discussion of Samba domains is provided in Chapter 9. For now, it is sufficient to understand that a tdbsam is a database variant of smbpasswd with support for a richer set of attributes.

The default tdbsam database filename is passdb.tdb and is located in the /usr/local/samba/private directory. For custom Samba installations, you can determine this location by running smbd -b | grep PRIVATE_DIR . If you wish to change that location at runtime, tdbsam accepts, as its only argument, the absolute path to a tdb file:

  passdb backend = tdbsam:/etc/passdb.tdb

Please check back next week for the continuation of this article.

>>> More Site Administration Articles          >>> More By O'Reilly Media

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort


- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates


Dev Shed Tutorial Topics: