Handling User Accounts in Samba - Account Utilities (
Page 3 of 4 )
Samba provides a set of tools for manipulating user accounts stored in its passdb. The Samba developers have designed these tools to work in the same manner, regardless of which passdb module is used. For this reason, our discussion can focus on the tool without worrying about where or how the information is stored.
Many administrators, particularly LDAP administrators, have a tendency to manage the user attributes (e.g., password hashes or SIDs) manually. It is possible in many instances to do this. However, it is not recommended for most installations. If you understand how to manipulate these attributes directly without breaking your server, it is probably okay. But consider this the sticker that voids your warranty if removed. If you can get away with it, congratulations. Such tactics are not covered here.
The two main user management tools are smbpasswd and pdbedit. The former is the original tool for setting user passwords in an smbpasswd file. During the Samba 3.0 development cycle, it was thought that this tool would be superseded by pdbedit. However, this has not yet happened, and pdbedit is considered by some as the example of how not to build a command-line interface. In Chapter 9, we explore how to use MS-RPC tools such as the Windows NT 4.0 User Manager for Domains and MMC plug-ins to manage users and group from Windows clients. At the moment, these two command-line utilities are what we have to work with.
The smbpasswd tool has two basic categories of functions:
- When run as root, the command can be used to manipulate Samba’s local user accounts.
- Normal users can use the tool to perform password changes against remote Samba and Windows servers.
Local user management breaks down further into:
- Adding or deleting a user from Samba’s list of accounts
- Setting user passwords
- Enabling or disabling user accounts
In previous chapters, you’ve seen examples of adding a new user by passing a login name to the -a argument. It is also possible to feed the new password to the tool on standard input using the -s option, which can be very useful for shell scripts. Here is an example that adds a user named smitty and assigns a password of “cat.” The reason for the complicated syntax is to answer both prompts output by the smbpasswd command to request the password. Remember that the Unix user smitty must already exist.
root# (echo "cat"; echo "cat" ) | smbpasswd -s -a smitty
Added user smitty.
To later manually change this user’s password, run the smbpasswd command again, but this time without the
-a option. In this example, we enter the new password interactively rather than using the -s option again:
root# smbpasswd smitty
New SMB password: <enter new password>
Retype new SMB password: <re-enter new password>
The password is verified by comparing both input strings. If both match, the new password is set. Otherwise you will see an error message stating, Mismatch - password unchanged.
An account can be disabled to prevent the user from logging on. Disabling a user’s account sets the D flag in the account control flags. (Refer to Table 5-9 in the earlier section on the smbpasswd file format for an overview of these flags.) The following lines disable smitty’s account ( -d option) and then reenable it ( -e option):
root# smbpasswd -d smitty
Disabled user smitty .
root# smbpasswd -e smitty
Enabled user smitty.
When the account is no longer necessary, we can delete this user from our passdb using the -x option and passing it the account name. This command has no effect on the user’s Unix account in /etc/passwd.
root# smbpasswd -x smitty
Deleted user smitty.
Table 5-12 summarizes the command-line options available to root when running smbpasswd.
Table 5-12. Command-line options for smbpasswd when run as root
| Argument |
Description |
| -a name |
Add a user account. |
| -c smb.conf |
Specify an alternative configuration file. |
| -d name |
Disable a user account. |
| -e name |
Enable a user account. |
| -h |
Print the command usage. |
| -n name |
Set a null password for a user. |
| -x name |
Delete a user account. |
If smbpasswd is a tool for day-to-day administrative tasks, pdbedit is more akin to a low-level database editor. Overall, its syntax can be cryptic at times, but it does pro vide three major functions not supported by the smbpasswd command:
- Editing of account policy settings, such as maximum password age and bad login attempts before locking an account.
- Editing the full set of supported user attributes, such as the login script, the user’s SID, and roaming user profile location.
- Converting from one passdb backend to another.
The first two features are more related to Samba domain controller functionality, and so are discussed in full detail in Chapter 9. The last is covered here, because without the translation support between passdb storage formats, tasks such as converting from an smbpasswd file to tdbsam would be time-consuming and extremely error-prone.
pdbedit’s option naming is a bit confusing at first. The import option ( -i ) reads in from one backend, whereas the export option ( -e ) writes to another. Each command-line switch accepts a passdb backend value as its argument. So to convert from smbpasswd to a tdbsam backend, you would run the following command as root:
root# pdbedit
-ismbpasswd:/tmp/smbpasswd
-etdbsam:/tmp/passdb.tdb
Importing account for root...ok
Importing account for kong...ok
<remaining output deleted>
It is a good idea to copy your current passdb file or database to a tem porary location, rather than working on the live version.
