Home arrow Site Administration arrow Page 3 - Handling User Accounts in Samba

Account Utilities - Administration

In this third part to a four-part series on handling authentication and authorization in Samba, you will learn about username maps, account utilities, and more. It is excerpted from chapter five of Using Samba, Third Edition, written by Gerald Carter, Jay Ts and Robert Eckstein (O'Reilly, 2007; ISBN: 0596007698). Copyright © 2007 O'Reilly Media, Inc. All rights reserved. Used with permission from the publisher. Available from booksellers or direct from O'Reilly Media.

TABLE OF CONTENTS:
  1. Handling User Accounts in Samba
  2. Username Maps
  3. Account Utilities
  4. Synchronizing Passwords
By: O'Reilly Media
Rating: starstarstarstarstar / 4
February 21, 2008

print this article
SEARCH DEV SHED

TOOLS YOU CAN USE

advertisement

Samba provides a set of tools for manipulating user accounts stored in its passdb. The Samba developers have designed these tools to work in the same manner, regardless of which passdb module is used. For this reason, our discussion can focus on the tool without worrying about where or how the information is stored.

Many administrators, particularly LDAP administrators, have a tendency to manage the user attributes (e.g., password hashes or SIDs) manually. It is possible in many instances to do this. However, it is not recommended for most installations. If you understand how to manipulate these attributes directly without breaking your server, it is probably okay. But consider this the sticker that voids your warranty if removed. If you can get away with it, congratulations. Such tactics are not covered here.

The two main user management tools are smbpasswd and pdbedit. The former is the original tool for setting user passwords in an smbpasswd file. During the Samba 3.0 development cycle, it was thought that this tool would be superseded by pdbedit. However, this has not yet happened, and pdbedit is considered by some as the example of how not to build a command-line interface. In Chapter 9, we explore how to use MS-RPC tools such as the Windows NT 4.0 User Manager for Domains and MMC plug-ins to manage users and group from Windows clients. At the moment, these two command-line utilities are what we have to work with.

The smbpasswd tool has two basic categories of functions:

  • When run as root, the command can be used to manipulate Sambaís local user accounts.
  • Normal users can use the tool to perform password changes against remote Samba and Windows servers.

Local user management breaks down further into:

  1. Adding or deleting a user from Sambaís list of accounts
  2. Setting user passwords
  3. Enabling or disabling user accounts

In previous chapters, youíve seen examples of adding a new user by passing a login name to the -a argument. It is also possible to feed the new password to the tool on standard input using the -s option, which can be very useful for shell scripts. Here is an example that adds a user named smitty and assigns a password of ďcat.Ē The reason for the complicated syntax is to answer both prompts output by the smbpasswd command to request the password. Remember that the Unix user smitty must already exist.

  root# (echo "cat"; echo "cat" ) | smbpasswd -s -a smitty
  Added user smitty.

To later manually change this userís password, run the smbpasswd command again, but this time without the
-a option. In this example, we enter the new password interactively rather than using the -s option again:

  root# smbpasswd smitty
  New SMB password: <enter new password>
  Retype new SMB password: 
<re-enter new password>

The password is verified by comparing both input strings. If both match, the new password is set. Otherwise you will see an error message stating, Mismatch - password unchanged. 

An account can be disabled to prevent the user from logging on. Disabling a userís account sets the D flag in the account control flags. (Refer to Table 5-9 in the earlier section on the smbpasswd file format for an overview of these flags.) The following lines disable smittyís account ( -d option) and then reenable it ( -e option):

  root# smbpasswd -d smitty
 
Disabled user smitty .
  root# smbpasswd -e smitty
  Enabled user smitty.

When the account is no longer necessary, we can delete this user from our passdb using the -x option and passing it the account name. This command has no effect on the userís Unix account in /etc/passwd.

  root# smbpasswd -x smitty
  Deleted user smitty.

Table 5-12 summarizes the command-line options available to root when running smbpasswd.

Table 5-12. Command-line options for smbpasswd when run as root

Argument Description
-a name Add a user account.
-c smb.conf Specify an alternative configuration file.
-d name Disable a user account.
-e name Enable a user account.
-h Print the command usage.
-n name Set a null password for a user.
-x name Delete a user account.

If smbpasswd is a tool for day-to-day administrative tasks, pdbedit is more akin to a low-level database editor. Overall, its syntax can be cryptic at times, but it does pro vide three major functions not supported by the smbpasswd command:

  1. Editing of account policy settings, such as maximum password age and bad login attempts before locking an account.
  2. Editing the full set of supported user attributes, such as the login script, the userís SID, and roaming user profile location.
  3. Converting from one passdb backend to another.

The first two features are more related to Samba domain controller functionality, and so are discussed in full detail in Chapter 9. The last is covered here, because without the translation support between passdb storage formats, tasks such as converting from an smbpasswd file to tdbsam would be time-consuming and extremely error-prone.

pdbeditís option naming is a bit confusing at first. The import option ( -i ) reads in from one backend, whereas the export option ( -e ) writes to another. Each command-line switch accepts a passdb backend value as its argument. So to convert from smbpasswd to a tdbsam backend, you would run the following command as root:

  root# pdbedit
-ismbpasswd:/tmp/smbpasswd
-etdbsam:/tmp/passdb.tdb
  Importing account for root...ok
  Importing account for kong...ok
  <remaining output deleted>

It is a good idea to copy your current passdb file or database to a tem porary location, rather than working on the live version.



 
 
>>> More Site Administration Articles          >>> More By O'Reilly Media
 

blog comments powered by Disqus
escort Bursa Bursa escort Antalya eskort
   

SITE ADMINISTRATION ARTICLES

- Coding: Not Just for Developers
- To Support or Not Support IE?
- Administration: Networking OSX and Win 7
- DotNetNuke Gets Social
- Integrating MailChimp with Joomla: Creating ...
- Integrating MailChimp with Joomla: List Mana...
- Integrating MailChimp with Joomla: Building ...
- Integrating MailChimp with Joomla
- More Top WordPress Plugins for Social Media
- Optimizing Security: SSH Public Key Authenti...
- Patches and Rejects in Software Configuratio...
- Configuring a CVS Server
- Managing Code and Teams for Cross-Platform S...
- Software Configuration Management
- Back Up a Joomla Site with Akeeba Backup

Developer Shed Affiliates

 


Dev Shed Tutorial Topics: