summaryrefslogtreecommitdiff
path: root/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
diff options
context:
space:
mode:
Diffstat (limited to 'docs/Samba3-HOWTO/TOSHARG-Passdb.xml')
-rw-r--r--docs/Samba3-HOWTO/TOSHARG-Passdb.xml362
1 files changed, 180 insertions, 182 deletions
diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
index 00ac479e2b..200861919e 100644
--- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
@@ -37,23 +37,20 @@ as follows:
<indexterm><primary>encrypted passwords</primary></indexterm>
</para>
-<?latex \newpage ?>
-
<sect2>
<title>Backward Compatibility Backends</title>
<variablelist>
- <varlistentry><term>Plain Text</term>
+ <varlistentry><term>Plaintext</term>
<listitem>
<para>
- This isn't really a backend at all, but is listed here for simplicity. Samba can be
- configured to pass plaintext authentication requests to the traditional UNIX/Linux
- <filename>/etc/passwd</filename> and <filename>/etc/shadow</filename>
- style subsystems. On systems that have Pluggable Authentication Modules (PAM)
- support, all PAM modules are supported. The behavior is just as it was with
- Samba-2.2.x, and the protocol limitations imposed by MS Windows clients
- apply likewise. Please refer to <link linkend="passdbtech">Technical Information</link> for more information
- regarding the limitations of Plain Text password usage.
+ This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass
+ plaintext authentication requests to the traditional UNIX/Linux <filename>/etc/passwd</filename> and
+ <filename>/etc/shadow</filename>-style subsystems. On systems that have Pluggable Authentication Modules
+ (PAM) support, all PAM modules are supported. The behavior is just as it was with Samba-2.2.x, and the
+ protocol limitations imposed by MS Windows clients apply likewise. Please refer to <link
+ linkend="passdbtech">Technical Information</link>, for more information regarding the limitations of plaintext
+ password usage.
</para>
</listitem>
</varlistentry>
@@ -63,11 +60,11 @@ as follows:
<para>
This option allows continued use of the <filename>smbpasswd</filename>
file that maintains a plain ASCII (text) layout that includes the MS Windows
- LanMan and NT encrypted passwords as well as a field that stores some
+ LanMan and NT-encrypted passwords as well as a field that stores some
account information. This form of password backend does not store any of
the MS Windows NT/200x SAM (Security Account Manager) information required to
provide the extended controls that are needed for more comprehensive
- inter-operation with MS Windows NT4/200x servers.
+ interoperation with MS Windows NT4/200x servers.
</para>
<para>
@@ -108,13 +105,13 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem>
<para>
This backend provides a rich database backend for local servers. This
- backend is not suitable for multiple Domain Controllers (i.e., PDC + one
+ backend is not suitable for multiple domain controllers (i.e., PDC + one
or more BDC) installations.
</para>
<para>
The <emphasis>tdbsam</emphasis> password backend stores the old <emphasis>
- smbpasswd</emphasis> information plus the extended MS Windows NT / 200x
+ smbpasswd</emphasis> information plus the extended MS Windows NT/200x
SAM information into a binary format TDB (trivial database) file.
The inclusion of the extended information makes it possible for Samba-3
to implement the same account and system access controls that are possible
@@ -146,14 +143,14 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
The new LDAP implementation significantly expands the control abilities that
were possible with prior versions of Samba. It is now possible to specify
- <quote>per user</quote> profile settings, home directories, account access controls, and
+ <quote>per-user</quote> profile settings, home directories, account access controls, and
much more. Corporate sites will see that the Samba Team has listened to their
- requests both for capability and to allow greater scalability.
+ requests both for capability and greater scalability.
</para>
</listitem>
</varlistentry>
- <varlistentry><term>mysqlsam (MySQL based backend)</term>
+ <varlistentry><term>mysqlsam (MySQL-based backend)</term>
<listitem>
<para>
It is expected that the MySQL-based SAM will be very popular in some corners.
@@ -163,18 +160,18 @@ Samba-3 introduces a number of new password backend capabilities.
</listitem>
</varlistentry>
- <varlistentry><term>pgsqlsam (PostGreSQL based backend)</term>
+ <varlistentry><term>pgsqlsam (PostGreSQL-based backend)</term>
<listitem>
<para>
Stores user information in a PostgreSQL database.
This backend is largely undocumented at
- the moment, though it's configuration is very similar to
+ the moment, though its configuration is very similar to
that of the mysqlsam backend.
</para>
</listitem>
</varlistentry>
- <varlistentry><term>xmlsam (XML based datafile)</term>
+ <varlistentry><term>xmlsam (XML-based datafile)</term>
<listitem>
<para>
<indexterm><primary>pdbedit</primary></indexterm>
@@ -186,7 +183,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
The <parameter>xmlsam</parameter> option can be useful for account migration between database
- backends or backups. Use of this tool will allow the data to be edited before migration
+ backends or backups. Use of this tool allows the data to be edited before migration
into another backend format.
</para>
</listitem>
@@ -202,15 +199,14 @@ Samba-3 introduces a number of new password backend capabilities.
<title>Technical Information</title>
<para>
- Old Windows clients send plain text passwords over the wire. Samba can check these
+ Old Windows clients send plaintext passwords over the wire. Samba can check these
passwords by encrypting them and comparing them to the hash stored in the UNIX user database.
</para>
<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
- Newer Windows clients send encrypted passwords (so-called LanMan and NT hashes) over
- the wire, instead of plain text passwords. The newest clients will send only encrypted
- passwords and refuse to send plain text passwords, unless their registry is tweaked.
+ Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over the wire. The newest clients will send only encrypted
+ passwords and refuse to send plaintext passwords unless their registry is tweaked.
</para>
<para>
@@ -221,7 +217,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
In addition to differently encrypted passwords, Windows also stores certain data for each
- user that is not stored in a UNIX user database. For example, workstations the user may logon from,
+ user that is not stored in a UNIX user database: for example, workstations the user may logon from,
the location where the user's profile is stored, and so on. Samba retrieves and stores this
information using a <smbconfoption name="passdb backend"/>. Commonly available backends are LDAP, plain text
file, and MySQL. For more information, see the man page for &smb.conf; regarding the
@@ -235,10 +231,11 @@ Samba-3 introduces a number of new password backend capabilities.
</figure>
<para>
-<indexterm><primary>SID</primary></indexterm>
- The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd is not running, or cannot
- be contacted, then only local SID/UID resolution is possible. See <link linkend="idmap-sid2uid">resolution of SIDs to UIDs</link> and
- <link linkend="idmap-uid2sid">resolution of UIDs to SIDs</link> diagrams.
+ <indexterm><primary>SID</primary></indexterm>
+ The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd
+ is not running or cannot be contacted, then only local SID/UID resolution is possible. See <link
+ linkend="idmap-sid2uid">resolution of SIDs to UIDs</link> and <link linkend="idmap-uid2sid">resolution of UIDs
+ to SIDs</link> diagrams.
</para>
<figure id="idmap-uid2sid">
@@ -253,20 +250,20 @@ Samba-3 introduces a number of new password backend capabilities.
The UNIX and SMB password encryption techniques seem similar on the surface. This
similarity is, however, only skin deep. The UNIX scheme typically sends clear-text
passwords over the network when logging in. This is bad. The SMB encryption scheme
- never sends the clear-text password over the network but it does store the 16 byte
+ never sends the clear-text password over the network, but it does store the 16-byte
hashed values on disk. This is also bad. Why? Because the 16 byte hashed values
are a <quote>password equivalent.</quote> You cannot derive the user's password from them, but
they could potentially be used in a modified client to gain access to a server.
This would require considerable technical knowledge on behalf of the attacker but
- is perfectly possible. You should thus treat the data stored in whatever passdb
+ is perfectly possible. You should therefore treat the data stored in whatever passdb
backend you use (smbpasswd file, LDAP, MYSQL) as though it contained the clear-text
- passwords of all your users. Its contents must be kept secret and the file should
+ passwords of all your users. Its contents must be kept secret, and the file should
be protected accordingly.
</para>
<para>
- Ideally, we would like a password scheme that involves neither plain text passwords
- on the network nor on disk. Unfortunately, this is not available as Samba is stuck with
+ Ideally, we would like a password scheme that involves neither plaintext passwords
+ on the network nor plaintext passwords on disk. Unfortunately, this is not available because Samba is stuck with
having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me).
</para>
@@ -290,7 +287,7 @@ Samba-3 introduces a number of new password backend capabilities.
<note>
<para>
- MS Windows XP Home does not have facilities to become a Domain Member and it cannot participate in domain logons.
+ MS Windows XP Home does not have facilities to become a domain member, and it cannot participate in domain logons.
</para>
</note>
@@ -308,18 +305,18 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
All current releases of Microsoft SMB/CIFS clients support authentication via the
- SMB Challenge/Response mechanism described here. Enabling clear-text authentication
+ SMB challenge/response mechanism described here. Enabling clear-text authentication
does not disable the ability of the client to participate in encrypted authentication.
- Instead, it allows the client to negotiate either plain text or encrypted password
+ Instead, it allows the client to negotiate either plaintext or encrypted password
handling.
</para>
<para>
- MS Windows clients will cache the encrypted password alone. Where plain text passwords
- are re-enabled through the appropriate registry change, the plain text password is never
+ MS Windows clients will cache the encrypted password alone. Where plaintext passwords
+ are re-enabled through the appropriate registry change, the plaintext password is never
cached. This means that in the event that a network connections should become disconnected
(broken), only the cached (encrypted) password will be sent to the resource server to
- effect an auto-reconnect. If the resource server does not support encrypted passwords the
+ effect an auto-reconnect. If the resource server does not support encrypted passwords, the
auto-reconnect will fail. Use of encrypted passwords is strongly advised.
</para>
@@ -336,10 +333,10 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem><para>Windows NT does not like talking to a server
that does not support encrypted passwords. It will refuse
- to browse the server if the server is also in User Level
+ to browse the server if the server is also in user-level
security mode. It will insist on prompting the user for the
password on each connection, which is very annoying. The
- only things you can do to stop this is to use SMB encryption.
+ only thing you can do to stop this is to use SMB encryption.
</para></listitem>
<listitem><para>Encrypted password support allows automatic share
@@ -356,13 +353,13 @@ Samba-3 introduces a number of new password backend capabilities.
<itemizedlist>
<listitem><para>Plaintext passwords are not kept
- on disk, and are not cached in memory. </para></listitem>
+ on disk and are not cached in memory. </para></listitem>
- <listitem><para>Uses same password file as other UNIX
- services such as Login and FTP.</para></listitem>
+ <listitem><para>Plaintext passwords use the same password file as other UNIX
+ services, such as Login and FTP.</para></listitem>
<listitem><para>Use of other services (such as Telnet and FTP) that
- send plain text passwords over the network, so sending them for SMB
+ send plaintext passwords over the network makes sending them for SMB
is not such a big deal.</para></listitem>
</itemizedlist>
</sect3>
@@ -373,12 +370,12 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Every operation in UNIX/Linux requires a user identifier (UID), just as in
- MS Windows NT4/200x this requires a Security Identifier (SID). Samba provides
+ MS Windows NT4/200x this requires a security identifier (SID). Samba provides
two means for mapping an MS Windows user to a UNIX/Linux UID.
</para>
<para>
- First, all Samba SAM (Security Account Manager database) accounts require
+ First, all Samba SAM database accounts require
a UNIX/Linux UID that the account will map to. As users are added to the account
information database, Samba will call the <smbconfoption name="add user script"/>
interface to add the account to the Samba host OS. In essence all accounts in
@@ -388,7 +385,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
<indexterm><primary>idmap uid</primary></indexterm>
<indexterm><primary>idmap gid</primary></indexterm>
- The second way to effect Windows SID to UNIX UID mapping is via the
+ The second way to map Windows SID to UNIX UID is via the
<emphasis>idmap uid</emphasis> and <emphasis>idmap gid</emphasis> parameters in &smb.conf;.
Please refer to the man page for information about these parameters.
These parameters are essential when mapping users from a remote SAM server.
@@ -402,7 +399,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs
on all servers in a distributed network. A distributed network is one where there exists
- a PDC, one or more BDCs and/or one or more Domain Member servers. Why is this important?
+ a PDC, one or more BDCs, and/or one or more domain member servers. Why is this important?
This is important if files are being shared over more than one protocol (e.g., NFS) and where
users are copying files across UNIX/Linux systems using tools such as <command>rsync</command>.
</para>
@@ -411,23 +408,22 @@ Samba-3 introduces a number of new password backend capabilities.
<indexterm><primary>idmap backend</primary></indexterm>
The special facility is enabled using a parameter called <parameter>idmap backend</parameter>.
The default setting for this parameter is an empty string. Technically it is possible to use
- an LDAP based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
- network configurations that also use LDAP for the SAM backend. Following
- <link linkend="idmapbackendexample">example</link> shows that.
+ an LDAP-based idmap backend for UIDs and GIDs, but it makes most sense when this is done for
+ network configurations that also use LDAP for the SAM backend.
+ <link linkend="idmapbackendexample">Example Configuration with the LDAP idmap Backend</link>
+ shows that configuration.
</para>
- <para>
<indexterm><primary>SAM backend</primary><secondary>ldapsam</secondary></indexterm>
<example id="idmapbackendexample">
-<title>Example configuration with the LDAP idmap backend</title>
+<title>Example Configuration with the LDAP idmap Backend</title>
<smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="idmap backend">ldap:ldap://ldap-server.quenya.org:636</smbconfoption>
-<smbconfcomment>Alternately, this could be specified as:</smbconfcomment>
+<smbconfcomment>Alternatively, this could be specified as:</smbconfcomment>
<smbconfoption name="idmap backend">ldap:ldaps://ldap-server.quenya.org</smbconfoption>
</smbconfblock>
</example>
- </para>
<para>
A network administrator who wants to make significant use of LDAP backends will sooner or later be
@@ -438,9 +434,9 @@ Samba-3 introduces a number of new password backend capabilities.
<itemizedlist>
<listitem>
<para>
- <emphasis>nss_ldap:</emphasis> An LDAP Name Service Switch module to provide native
+ <emphasis>nss_ldap:</emphasis> An LDAP name service switch (NSS) module to provide native
name service support for AIX, Linux, Solaris, and other operating systems. This tool
- can be used for centralized storage and retrieval of UIDs/GIDs.
+ can be used for centralized storage and retrieval of UIDs and GIDs.
</para>
</listitem>
@@ -453,7 +449,7 @@ Samba-3 introduces a number of new password backend capabilities.
<listitem>
<para>
<emphasis>idmap_ad:</emphasis> An IDMAP backend that supports the Microsoft Services for
- UNIX RFC 2307 schema available from the PADL web
+ UNIX RFC 2307 schema available from the PADL Web
<ulink url="http://www.padl.com/download/xad_oss_plugins.tar.gz">site</ulink>.
</para>
</listitem>
@@ -467,7 +463,7 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and configuration
of an LDAP directory prior to integration with Samba. A working knowledge of LDAP makes Samba integration
- easy and the lack of a working knowledge of LDAP can make it one a frustrating experience.
+ easy, and the lack of a working knowledge of LDAP can make it one a frustrating experience.
</para>
<para>
@@ -476,32 +472,32 @@ Samba-3 introduces a number of new password backend capabilities.
</para>
<para>
- The POSIX and SambaSAMAccount components of computer (machine) accounts are both used by Samba.
- i.e.: Machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
+ The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba.
+ That is, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats
them. A user account and a machine account are indistinquishable from each other, except that
- the machine account ends in a '$' character, as do trust accounts.
+ the machine account ends in a $ character, as do trust accounts.
</para>
<para>
- The need for Windows user, group, machine, trust, etc. accounts to be tied to a valid UNIX uid
+ The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX UID
is a design decision that was made a long way back in the history of Samba development. It is
- unlikely that this decision will be reversed of changed during the remaining life of the
+ unlikely that this decision will be reversed or changed during the remaining life of the
Samba-3.x series.
</para>
<para>
The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that
- must refer back to the host operating system on which Samba is running. The Name Service
- Switcher (NSS) is the preferred mechanism that shields applications (like Samba) from the
+ must refer back to the host operating system on which Samba is running. The
+ NSS is the preferred mechanism that shields applications (like Samba) from the
need to know everything about every host OS it runs on.
</para>
<para>
- Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>
+ Samba asks the host OS to provide a UID via the <quote>passwd</quote>, <quote>shadow</quote>,
and <quote>group</quote> facilities in the NSS control (configuration) file. The best tool
for achieving this is left up to the UNIX administrator to determine. It is not imposed by
- Samba. Samba provides winbindd together with its support libraries as one method. It is
- possible to do this via LDAP - and for that Samba provides the appropriate hooks so that
+ Samba. Samba provides winbindd with its support libraries as one method. It is
+ possible to do this via LDAP, and for that Samba provides the appropriate hooks so that
all account entities can be located in an LDAP directory.
</para>
@@ -522,15 +518,15 @@ Samba-3 introduces a number of new password backend capabilities.
<para>
<indexterm><primary>pdbedit</primary></indexterm>
-Samba provides two tools for management of user and machine accounts. These tools are
-called <command>smbpasswd</command> and <command>pdbedit</command>.
+Samba provides two tools for management of user and machine accounts:
+<command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<sect2>
<title>The <emphasis>smbpasswd</emphasis> Command</title>
<para>
The smbpasswd utility is similar to the <command>passwd</command>
- or <command>yppasswd</command> programs. It maintains the two 32 byte password
+ and <command>yppasswd</command> programs. It maintains the two 32 byte password
fields in the passdb backend.
</para>
@@ -541,8 +537,8 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<para>
<command>smbpasswd</command> has the capability to change passwords on Windows NT
- servers (this only works when the request is sent to the NT Primary Domain Controller
- if changing an NT Domain user's password).
+ servers (this only works when the request is sent to the NT PDC
+ if changing an NT domain user's password).
</para>
<para>
@@ -558,11 +554,11 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<listitem><para><emphasis>enable</emphasis> user or machine accounts.</para></listitem>
<listitem><para><emphasis>disable</emphasis> user or machine accounts.</para></listitem>
<listitem><para><emphasis>set to NULL</emphasis> user passwords.</para></listitem>
- <listitem><para><emphasis>manage interdomain trust accounts.</emphasis></para></listitem>
+ <listitem><para><emphasis>manage</emphasis> interdomain trust accounts.</para></listitem>
</itemizedlist>
<para>
- To run smbpasswd as a normal user just type:
+ To run smbpasswd as a normal user, just type:
</para>
<para>
@@ -570,7 +566,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
&prompt;<userinput>smbpasswd</userinput>
<prompt>Old SMB password: </prompt><userinput><replaceable>secret</replaceable></userinput>
</screen>
- For <replaceable>secret</replaceable>, type old value here or press return if
+ For <replaceable>secret</replaceable>, type the old value here or press return if
there is no old password.
<screen>
<prompt>New SMB Password: </prompt><userinput><replaceable>new secret</replaceable></userinput>
@@ -584,13 +580,13 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<para>
- When invoked by an ordinary user, the command will only allow the user to change his or her own
+ When invoked by an ordinary user, the command will allow only the user to change his or her own
SMB password.
</para>
<para>
When run by root, <command>smbpasswd</command> may take an optional argument specifying
- the user name whose SMB password you wish to change. When run as root, <command>smbpasswd</command>
+ the username whose SMB password you wish to change. When run as root, <command>smbpasswd</command>
does not prompt for or check the old password value, thus allowing root to set passwords
for users who have forgotten their passwords.
</para>
@@ -598,7 +594,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<para>
<command>smbpasswd</command> is designed to work in the way familiar to UNIX
users who use the <command>passwd</command> or <command>yppasswd</command> commands.
- While designed for administrative use, this tool provides essential User Level
+ While designed for administrative use, this tool provides essential user-level
password change capabilities.
</para>
@@ -621,7 +617,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
</para>
<itemizedlist>
- <listitem><para>add, remove or modify user accounts.</para></listitem>
+ <listitem><para>add, remove, or modify user accounts.</para></listitem>
<listitem><para>list user accounts.</para></listitem>
<listitem><para>migrate user accounts.</para></listitem>
</itemizedlist>
@@ -630,7 +626,7 @@ called <command>smbpasswd</command> and <command>pdbedit</command>.
<indexterm><primary>pdbedit</primary></indexterm>
The <command>pdbedit</command> tool is the only one that can manage the account
security and policy settings. It is capable of all operations that smbpasswd can
- do as well as a super set of them.
+ do as well as a superset of them.
</para>
<para>
@@ -672,7 +668,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
<para>
<indexterm><primary>pdbedit</primary></indexterm>
The <command>pdbedit</command> tool allows migration of authentication (account)
- databases from one backend to another. For example: To migrate accounts from an
+ databases from one backend to another. For example, to migrate accounts from an
old <filename>smbpasswd</filename> database to a <parameter>tdbsam</parameter>
backend:
</para>
@@ -690,7 +686,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
</para></step>
<step><para>
- Now remove the <parameter>smbpasswd</parameter> from the passdb backend
+ Remove the <parameter>smbpasswd</parameter> from the passdb backend
configuration in &smb.conf;.
</para></step>
</procedure>
@@ -708,7 +704,7 @@ capability.
</para>
<para>
-It is possible to specify not only multiple different password backends, but even multiple
+It is possible to specify not only multiple password backends, but even multiple
backends of the same type. For example, to use two different tdbsam databases:
</para>
@@ -726,15 +722,15 @@ backends of the same type. For example, to use two different tdbsam databases:
Older versions of Samba retrieved user information from the UNIX user database
and eventually some other fields from the file <filename>/etc/samba/smbpasswd</filename>
or <filename>/etc/smbpasswd</filename>. When password encryption is disabled, no
- SMB specific data is stored at all. Instead all operations are conducted via the way
+ SMB-specific data is stored at all. Instead, all operations are conducted via the way
that the Samba host OS will access its <filename>/etc/passwd</filename> database.
- Linux systems For example, all operations are done via PAM.
+ On Linux systems, for example, all operations are done via PAM.
</para>
</sect2>
<sect2>
- <title>smbpasswd &smbmdash; Encrypted Password Database</title>
+ <title>smbpasswd: Encrypted Password Database</title>
<para>
<indexterm><primary>SAM backend</primary><secondary>smbpasswd</secondary></indexterm>
@@ -755,29 +751,29 @@ backends of the same type. For example, to use two different tdbsam databases:
</para></listitem>
<listitem><para>
- The second problem is that administrators who desire to replicate a smbpasswd file
- to more than one Samba server were left to use external tools such as
- <command>rsync(1)</command> and <command>ssh(1)</command> and wrote custom,
+ The second problem is that administrators who desire to replicate an smbpasswd file
+ to more than one Samba server are left to use external tools such as
+ <command>rsync(1)</command> and <command>ssh(1)</command> and write custom,
in-house scripts.
</para></listitem>
<listitem><para>
Finally, the amount of information that is stored in an smbpasswd entry leaves
no room for additional attributes such as a home directory, password expiration time,
- or even a Relative Identifier (RID).
+ or even a relative identifier (RID).
</para></listitem>
</itemizedlist>
<para>
As a result of these deficiencies, a more robust means of storing user attributes
- used by smbd was developed. The API which defines access to user accounts
- is commonly referred to as the samdb interface (previously this was called the passdb
- API, and is still so named in the Samba CVS trees).
+ used by smbd was developed. The API that defines access to user accounts
+ is commonly referred to as the samdb interface (previously, this was called the passdb
+ API and is still so named in the Samba CVS trees).
</para>
<para>
Samba provides an enhanced set of passdb backends that overcome the deficiencies
- of the smbpasswd plain text database. These are tdbsam, ldapsam and xmlsam.
+ of the smbpasswd plaintext database. These are tdbsam, ldapsam, and xmlsam.
Of these, ldapsam will be of most interest to large corporate or enterprise sites.
</para>
@@ -788,7 +784,7 @@ backends of the same type. For example, to use two different tdbsam databases:
<para>
<indexterm><primary>SAM backend</primary><secondary>tdbsam</secondary></indexterm>
- Samba can store user and machine account data in a <quote>TDB</quote> (Trivial Database).
+ Samba can store user and machine account data in a <quote>TDB</quote> (trivial database).
Using this backend does not require any additional configuration. This backend is
recommended for new installations that do not require LDAP.
</para>
@@ -801,10 +797,10 @@ backends of the same type. For example, to use two different tdbsam databases:
</para>
<para>
- The recommendation of a 250 user limit is purely based on the notion that this
+ The recommendation of a 250-user limit is purely based on the notion that this
would generally involve a site that has routed networks, possibly spread across
more than one physical location. The Samba Team has not at this time established
- the performance based scalability limits of the tdbsam architecture.
+ the performance-based scalability limits of the tdbsam architecture.
</para>
</sect2>
@@ -820,7 +816,7 @@ backends of the same type. For example, to use two different tdbsam databases:
<itemizedlist>
<listitem><para>A means of retrieving user account information from
- an Windows 200x Active Directory server.</para></listitem>
+ a Windows 200x Active Directory server.</para></listitem>
<listitem><para>A means of replacing /etc/passwd.</para></listitem>
</itemizedlist>
@@ -828,9 +824,9 @@ backends of the same type. For example, to use two different tdbsam databases:
The second item can be accomplished by using LDAP NSS and PAM modules. LGPL
versions of these libraries can be obtained from
<ulink url="http://www.padl.com/">PADL Software</ulink>.
- More information about the configuration of these packages may be found at
+ More information about the configuration of these packages may be found in
<ulink url="http://safari.oreilly.com/?XmlId=1-56592-491-6">
- <emphasis>LDAP, System Administration</emphasis>; Gerald Carter by O'Reilly; Chapter 6: Replacing NIS."</ulink>
+ <emphasis>LDAP, System Administration</emphasis> by Gerald Carter, Chapter 6, Replacing NIS"</ulink>.
</para>
<para>
@@ -847,7 +843,7 @@ backends of the same type. For example, to use two different tdbsam databases:
</itemizedlist>
<para>
- Two additional Samba resources which may prove to be helpful are:
+ Two additional Samba resources that may prove to be helpful are:
</para>
<itemizedlist>
@@ -855,7 +851,7 @@ backends of the same type. For example, to use two different tdbsam databases:
maintained by Ignacio Coupeau.</para></listitem>
<listitem><para>The NT migration scripts from <ulink url="http://samba.idealx.org/">IDEALX</ulink> that are
- geared to manage users and group in such a Samba-LDAP Domain Controller configuration.
+ geared to manage users and groups in such a Samba-LDAP domain controller configuration.
</para></listitem>
</itemizedlist>
@@ -863,10 +859,10 @@ backends of the same type. For example, to use two different tdbsam databases:
<title>Supported LDAP Servers</title>
<para>
- The LDAP ldapsam code has been developed and tested using the OpenLDAP 2.0 and 2.1 server and
+ The LDAP ldapsam code was developed and tested using the OpenLDAP 2.0 and 2.1 server and
client libraries. The same code should work with Netscape's Directory Server and client SDK.
However, there are bound to be compile errors and bugs. These should not be hard to fix.
- Please submit fixes via the process outlined in <link linkend="bugreport">Reporting Bugs</link> chapter.
+ Please submit fixes via the process outlined in <link linkend="bugreport">Reporting Bugs</link>.
</para>
</sect3>
@@ -904,8 +900,8 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
<para>
Just as the smbpasswd file is meant to store information that provides information additional to a
user's <filename>/etc/passwd</filename> entry, so is the sambaSamAccount object
- meant to supplement the UNIX user account information. A sambaSamAccount is a
- <constant>AUXILIARY</constant> ObjectClass so it can be used to augment existing
+ meant to supplement the UNIX user account information. A sambaSamAccount is an
+ <constant>AUXILIARY</constant> ObjectClass, so it can be used to augment existing
user account information in the LDAP directory, thus providing information needed
for Samba account handling. However, there are several fields (e.g., uid) that overlap
with the posixAccount ObjectClass outlined in RFC2307. This is by design.
@@ -916,9 +912,9 @@ ObjectClass (1.3.6.1.4.1.7165.2.2.6 NAME 'sambaSamAccount' SUP top AUXILIARY
<para>
In order to store all user account information (UNIX and Samba) in the directory,
- it is necessary to use the sambaSamAccount and posixAccount ObjectClass es in
+ it is necessary to use the sambaSamAccount and posixAccount ObjectClasses in
combination. However, smbd will still obtain the user's UNIX account
- information via the standard C library calls (e.g., getpwnam(), et al).
+ information via the standard C library calls, such as getpwnam().
This means that the Samba server must also have the LDAP NSS library installed
and functioning correctly. This division of information makes it possible to
store all Samba account information in LDAP, but still maintain UNIX account
@@ -968,7 +964,7 @@ include /etc/openldap/schema/samba.schema
<para>
It is recommended that you maintain some indices on some of the most useful attributes,
- as in the following example, to speed up searches made on sambaSamAccount objectclasses
+ as in the following example, to speed up searches made on sambaSamAccount ObjectClasses
(and possibly posixAccount and posixGroup as well):
</para>
@@ -1024,7 +1020,7 @@ index default sub
<title>Initialize the LDAP Database</title>
<para>
- Before you can add accounts to the LDAP database you must create the account containers
+ Before you can add accounts to the LDAP database, you must create the account containers
that they will be stored in. The following LDIF file should be modified to match your
needs (DNS entries, and so on):
</para>
@@ -1111,8 +1107,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<note>
<para>
- Before Samba can access the LDAP server you need to store the LDAP admin password
- into the Samba-3 <filename>secrets.tdb</filename> database by:
+ Before Samba can access the LDAP server, you need to store the LDAP admin password
+ in the Samba-3 <filename>secrets.tdb</filename> database by:
<screen>
&rootprompt;<userinput>smbpasswd -w <replaceable>secret</replaceable></userinput>
</screen>
@@ -1130,7 +1126,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
LDAP libraries are found.
</para>
- <para>LDAP related smb.conf options:
+ <para>LDAP-related smb.conf options are
<smbconfoption name="passdb backend">ldapsam:url</smbconfoption>,
<smbconfoption name="ldap admin dn"/>,
<smbconfoption name="ldap delete dn"/>,
@@ -1146,8 +1142,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
These are described in the &smb.conf; man
- page and so will not be repeated here. However, a <link linkend="confldapex">sample &smb.conf; file</link> for
- use with an LDAP directory could appear as shown below.
+ page and so are not repeated here. However, a <link linkend="confldapex">sample &smb.conf; file</link> for
+ use with an LDAP directory could appear as in Example 10.4.1.
</para>
<example id="confldapex">
@@ -1204,13 +1200,13 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<indexterm><primary>User Management</primary></indexterm>
<indexterm><primary>User Accounts</primary><secondary>Adding/Deleting</secondary></indexterm>
- As user accounts are managed through the sambaSamAccount objectclass, you should
+ Because user accounts are managed through the sambaSamAccount ObjectClass, you should
modify your existing administration tools to deal with sambaSamAccount attributes.
</para>
<para>
- Machine accounts are managed with the sambaSamAccount objectclass, just
- like users accounts. However, it is up to you to store those accounts
+ Machine accounts are managed with the sambaSamAccount ObjectClass, just
+ like user accounts. However, it is up to you to store those accounts
in a different tree of your LDAP namespace. You should use
<quote>ou=Groups,dc=quenya,dc=org</quote> to store groups and
<quote>ou=People,dc=quenya,dc=org</quote> to store users. Just configure your
@@ -1220,7 +1216,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
In Samba-3, the group management system is based on POSIX
- groups. This means that Samba makes use of the posixGroup objectclass.
+ groups. This means that Samba makes use of the posixGroup ObjectClass.
For now, there is no NT-like group system management (global and local
groups). Samba-3 knows only about <constant>Domain Groups</constant>
and, unlike MS Windows 2000 and Active Directory, Samba-3 does not
@@ -1248,8 +1244,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz
<para>
These password hashes are clear-text equivalents and can be used to impersonate
the user without deriving the original clear-text strings. For more information
- on the details of LM/NT password hashes, refer to the
- <link linkend="passdb">Account Information Database</link> section of this chapter.
+ on the details of LM/NT password hashes, refer to <link linkend="passdb">the Account Information
+ Database section</link>.
</para>
<para>
@@ -1288,44 +1284,44 @@ access to attrs=SambaLMPassword,SambaNTPassword
<sect3>
<title>LDAP Special Attributes for sambaSamAccounts</title>
- <para> The sambaSamAccount objectclass is composed of the attributes shown in next tables: <link
+ <para> The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: <link
linkend="attribobjclPartA">Part A</link>, and <link linkend="attribobjclPartB">Part B</link>.
</para>
<para>
<table frame="all" id="attribobjclPartA">
- <title>Attributes in the sambaSamAccount objectclass (LDAP) &smbmdash; Part A</title>
+ <title>Attributes in the sambaSamAccount ObjectClass (LDAP), Part A</title>
<tgroup cols="2" align="justify">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
- <row><entry><constant>sambaLMPassword</constant></entry><entry>The LANMAN password 16-byte hash stored as a character
+ <row><entry><constant>sambaLMPassword</constant></entry><entry>The LanMan password 16-byte hash stored as a character
representation of a hexadecimal string.</entry></row>
- <row><entry><constant>sambaNTPassword</constant></entry><entry>The NT password hash 16-byte stored as a character
+ <row><entry><constant>sambaNTPassword</constant></entry><entry>The NT password 16-byte hash stored as a character
representation of a hexadecimal string.</entry></row>
<row><entry><constant>sambaPwdLastSet</constant></entry><entry>The integer time in seconds since 1970 when the
<constant>sambaLMPassword</constant> and <constant>sambaNTPassword</constant> attributes were last set.
</entry></row>
- <row><entry><constant>sambaAcctFlags</constant></entry><entry>String of 11 characters surrounded by square brackets []
+ <row><entry><constant>sambaAcctFlags</constant></entry><entry>String of 11 characters surrounded by square brackets [ ]
representing account flags such as U (user), W (workstation), X (no password expiration),
- I (Domain trust account), H (Home dir required), S (Server trust account),
+ I (domain trust account), H (home dir required), S (server trust account),
and D (disabled).</entry></row>
- <row><entry><constant>sambaLogonTime</constant></entry><entry>Integer value currently unused</entry></row>
+ <row><entry><constant>sambaLogonTime</constant></entry><entry>Integer value currently unused.</entry></row>
- <row><entry><constant>sambaLogoffTime</constant></entry><entry>Integer value currently unused</entry></row>
+ <row><entry><constant>sambaLogoffTime</constant></entry><entry>Integer value currently unused.</entry></row>
<row><entry><constant>sambaKickoffTime</constant></entry><entry>Specifies the time (UNIX time format) when the user
will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire.
- If you use this attribute together with `shadowExpire' of the `shadowAccount' objectClass, will enable accounts to
+ Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to
expire completely on an exact date.</entry></row>
- <row><entry><constant>sambaPwdCanChange</constant></entry><entry>Specifies the time (UNIX time format) from which on the user is allowed to
+ <row><entry><constant>sambaPwdCanChange</constant></entry><entry>Specifies the time (UNIX time format) after which the user is allowed to
change his password. If attribute is not set, the user will be free to change his password whenever he wants.</entry></row>
- <row><entry><constant>sambaPwdMustChange</constant></entry><entry>Specifies the time (UNIX time format) since when the user is
- forced to change his password. If this value is set to `0', the user will have to change his password at first login.
+ <row><entry><constant>sambaPwdMustChange</constant></entry><entry>Specifies the time (UNIX time format) when the user is
+ forced to change his password. If this value is set to 0, the user will have to change his password at first login.
If this attribute is not set, then the password will never expire.</entry></row>
<row><entry><constant>sambaHomeDrive</constant></entry><entry>Specifies the drive letter to which to map the
@@ -1353,21 +1349,21 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
<para>
<table frame="all" id="attribobjclPartB">
- <title>Attributes in the sambaSamAccount objectclass (LDAP) &smbmdash; Part B</title>
+ <title>Attributes in the sambaSamAccount ObjectClass (LDAP), Part B</title>
<tgroup cols="2" align="justify">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
<tbody>
<row><entry><constant>sambaUserWorkstations</constant></entry><entry>Here you can give a comma-separated list of machines
- on which the user is allowed to login. You may observe problems when you try to connect to an Samba Domain Member.
- Because Domain Members are not in this list, the Domain Controllers will reject them. Where this attribute is omitted,
+ on which the user is allowed to login. You may observe problems when you try to connect to a Samba domain member.
+ Because domain members are not in this list, the domain controllers will reject them. Where this attribute is omitted,
the default implies no restrictions.
</entry></row>
<row><entry><constant>sambaSID</constant></entry><entry>The security identifier(SID) of the user.
The Windows equivalent of UNIX UIDs.</entry></row>
- <row><entry><constant>sambaPrimaryGroupSID</constant></entry><entry>The Security IDentifier (SID) of the primary group
+ <row><entry><constant>sambaPrimaryGroupSID</constant></entry><entry>The security identifier (SID) of the primary group
of the user.</entry></row>
<row><entry><constant>sambaDomainName</constant></entry><entry>Domain the user is part of.</entry></row>
@@ -1378,7 +1374,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
The majority of these parameters are only used when Samba is acting as a PDC of
a domain (refer to <link linkend="samba-pdc">Domain Control</link>, for details on
- how to configure Samba as a Primary Domain Controller). The following four attributes
+ how to configure Samba as a PDC). The following four attributes
are only stored with the sambaSamAccount entry if the values are non-default values:
</para>
@@ -1393,7 +1389,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
These attributes are only stored with the sambaSamAccount entry if
the values are non-default values. For example, assume MORIA has now been
configured as a PDC and that <smbconfoption name="logon home">\\%L\%u</smbconfoption> was defined in
- its &smb.conf; file. When a user named <quote>becky</quote> logons to the domain,
+ its &smb.conf; file. When a user named <quote>becky</quote> logs on to the domain,
the <smbconfoption name="logon home"/> string is expanded to \\MORIA\becky.
If the smbHome attribute exists in the entry <quote>uid=becky,ou=People,dc=samba,dc=org</quote>,
this value is used. However, if this attribute does not exist, then the value
@@ -1408,7 +1404,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Example LDIF Entries for a sambaSamAccount</title>
<para>
- The following is a working LDIF that demonstrates the use of the SambaSamAccount objectclass:
+ The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass:
</para>
<para>
@@ -1432,7 +1428,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
The following is an LDIF entry for using both the sambaSamAccount and
- posixAccount objectclasses:
+ posixAccount ObjectClasses:
</para>
<para>
@@ -1468,15 +1464,15 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Password Synchronization</title>
<para>
- Samba-3 and later can update the non-samba (LDAP) password stored with an account. When
+ Samba-3 and later can update the non-Samba (LDAP) password stored with an account. When
using pam_ldap, this allows changing both UNIX and Windows passwords at once.
</para>
<para>The <smbconfoption name="ldap passwd sync"/> options can have the values shown in
- <link linkend="ldappwsync">the next table</link>.</para>
+ <link linkend="ldappwsync">Table 10.3</link>.</para>
<table frame="all" id="ldappwsync">
- <title>Possible <emphasis>ldap passwd sync</emphasis> values</title>
+ <title>Possible <emphasis>ldap passwd sync</emphasis> Values</title>
<tgroup cols="2">
<colspec align="left" colwidth="1*"/>
<colspec align="justify" colwidth="4*"/>
@@ -1485,13 +1481,13 @@ access to attrs=SambaLMPassword,SambaNTPassword
</thead>
<tbody>
<row><entry>yes</entry><entry><para>When the user changes his password, update
- <constant>SambaNTPassword</constant>, <constant>SambaLMPassword</constant>
+ <constant>SambaNTPassword</constant>, <constant>SambaLMPassword</constant>,
and the <constant>password</constant> fields.</para></entry></row>
<row><entry>no</entry><entry><para>Only update <constant>SambaNTPassword</constant> and <constant>SambaLMPassword</constant>.</para></entry></row>
<row><entry>only</entry><entry><para>Only update the LDAP password and let the LDAP server worry about the other fields.
- This option is only available on some LDAP servers. Only when the LDAP server
+ This option is only available on some LDAP servers and only when the LDAP server
supports LDAP_EXOP_X_MODIFY_PASSWD.</para></entry></row>
</tbody>
</tgroup>
@@ -1509,10 +1505,10 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
<indexterm><primary>SAM backend</primary><secondary>mysqlsam</secondary></indexterm>
- Every so often someone will come along with a great new idea. Storing user accounts in a
+ Every so often someone comes along with a great new idea. Storing user accounts in a
SQL backend is one of them. Those who want to do this are in the best position to know what the
specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt
- to document every little detail why certain things of marginal utility to the bulk of
+ to document every little detail of why certain things of marginal utility to the bulk of
Samba users might make sense to the rest. In any case, the following instructions should help
the determined SQL user to implement a working system.
</para>
@@ -1521,10 +1517,11 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Creating the Database</title>
<para>
- You can set up your own table and specify the field names to pdb_mysql (see below
- for the column names) or use the default table. The file <filename>examples/pdb/mysql/mysql.dump</filename>
- contains the correct queries to create the required tables. Use the command:
-
+ You can set up your own table and specify the field names to pdb_mysql (see
+ <link linkend="moremysqlpdbe">MySQL field names for MySQL passdb backend</link> for
+ the column names) or use the default table. The file
+ <filename>examples/pdb/mysql/mysql.dump</filename> contains the correct queries to
+ create the required tables. Use the command:
<screen>
&prompt;<userinput>mysql -u<replaceable>username</replaceable> -h<replaceable>hostname</replaceable> -p<replaceable>password</replaceable> \
<replaceable>databasename</replaceable> &lt; <filename>/path/to/samba/examples/pdb/mysql/mysql.dump</filename></userinput>
@@ -1550,11 +1547,11 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
Additional options can be given through the &smb.conf; file in the <smbconfsection name="[global]"/> section.
- Refer to <link linkend="mysqlpbe">the following table</link>.
+ Refer to <link linkend="mysqlpbe">Basic smb.conf Options for MySQL passdb Backend</link>.
</para>
<table frame="all" id="mysqlpbe">
- <title>Basic smb.conf options for MySQL passdb backend</title>
+ <title>Basic smb.conf Options for MySQL passdb Backend</title>
<tgroup cols="2">
<colspec align="left"/>
<colspec align="justify" colwidth="1*"/>
@@ -1579,8 +1576,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
</warning>
- <para>Names of the columns are given in <link linkend="moremysqlpdbe">the next table</link>.
- The default column names can be found in the example table dump.
+ <para>Names of the columns are given in <link linkend="moremysqlpdbe">MySQL field names for MySQL
+ passdb backend</link>. The default column names can be found in the example table dump.
</para>
<para>
@@ -1594,12 +1591,12 @@ access to attrs=SambaLMPassword,SambaNTPassword
<row><entry>Field</entry><entry>Type</entry><entry>Contents</entry></row>
</thead>
<tbody>
- <row><entry>logon time column</entry><entry>int(9)</entry><entry>UNIX time stamp of last logon of user</entry></row>
- <row><entry>logoff time column</entry><entry>int(9)</entry><entry>UNIX time stamp of last logoff of user</entry></row>
- <row><entry>kickoff time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment user should be kicked off workstation (not enforced)</entry></row>
- <row><entry>pass last set time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment password was last set</entry></row>
- <row><entry>pass can change time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment from which password can be changed</entry></row>
- <row><entry>pass must change time column</entry><entry>int(9)</entry><entry>UNIX time stamp of moment on which password must be changed</entry></row>
+ <row><entry>logon time column</entry><entry>int(9)</entry><entry>UNIX timestamp of last logon of user</entry></row>
+ <row><entry>logoff time column</entry><entry>int(9)</entry><entry>UNIX timestamp of last logoff of user</entry></row>
+ <row><entry>kickoff time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment user should be kicked off workstation (not enforced)</entry></row>
+ <row><entry>pass last set time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment password was last set</entry></row>
+ <row><entry>pass can change time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment from which password can be changed</entry></row>
+ <row><entry>pass must change time column</entry><entry>int(9)</entry><entry>UNIX timestamp of moment on which password must be changed</entry></row>
<row><entry>username column</entry><entry>varchar(255)</entry><entry>UNIX username</entry></row>
<row><entry>domain column</entry><entry>varchar(255)</entry><entry>NT domain user belongs to</entry></row>
<row><entry>nt username column</entry><entry>varchar(255)</entry><entry>NT username</entry></row>
@@ -1630,15 +1627,16 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
You can put a colon (:) after the name of each column, which
- should specify the column to update when updating the table. One can also specify nothing behind the colon, in which case the field data will not be updated. Setting a column name to <parameter>NULL</parameter> means the field should not be used.
+ should specify the column to update when updating the table. You can also specify nothing behind the colon, in which case the field data will not be updated. Setting a column name to <parameter>NULL</parameter> means the field should not be used.
</para>
- <para><link linkend="mysqlsam">An example configuration</link> looks like:
+ <para><link linkend="mysqlsam">An example configuration</link> is shown in <link
+ linkend="mysqlsam">Example Configuration for the MySQL passdb Backend</link>.
</para>
<example id="mysqlsam">
- <title>Example configuration for the MySQL passdb backend</title>
- <smbconfblock>
+ <title>Example Configuration for the MySQL passdb Backend</title>
+ <smbconfblock>
<smbconfsection name="[global]"/>
<smbconfoption name="passdb backend">mysql:foo</smbconfoption>
<smbconfoption name="foo:mysql user">samba</smbconfoption>
@@ -1653,8 +1651,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
<smbconfoption name="foo:nt pass column">nt_pass:</smbconfoption>
<smbconfcomment>The unknown 3 column is not stored</smbconfcomment>
<smbconfoption name="foo:unknown 3 column">NULL</smbconfoption>
- </smbconfblock>
- </example>
+ </smbconfblock>
+ </example>
</sect3>
<sect3>
@@ -1662,7 +1660,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
<indexterm><primary>encrypted passwords</primary></indexterm>
- I strongly discourage the use of plaintext passwords, however, you can use them.
+ I strongly discourage the use of plaintext passwords; however, you can use them.
</para>
<para>
@@ -1683,7 +1681,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Getting Non-Column Data from the Table</title>
<para>
- It is possible to have not all data in the database by making some `constant'.
+ It is possible to have not all data in the database by making some "constant."
</para>
<para>
@@ -1693,7 +1691,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
Or, set `identifier:workstations column' to:
- <command>NULL</command></para>
+ <command>NULL</command></para>.
<para>See the MySQL documentation for more language constructs.</para>
@@ -1716,7 +1714,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
</para>
<para>
- (where filename is the name of the file to put the data in)
+ where filename is the name of the file to put the data in.
</para>
<para>
@@ -1735,7 +1733,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para><quote>I've installed Samba, but now I can't log on with my UNIX account! </quote></para>
<para>Make sure your user has been added to the current Samba <smbconfoption name="passdb backend"/>.
- Read the section <link linkend="acctmgmttools">Account Management Tools</link> for details.</para>
+ Read the <link linkend="acctmgmttools">Account Management Tools,</link> for details.</para>
</sect2>
@@ -1743,8 +1741,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
<title>Users Being Added to the Wrong Backend Database</title>
<para>
- A few complaints have been received from users that just moved to Samba-3. The following
- &smb.conf; file entries were causing problems, new accounts were being added to the old
+ A few complaints have been received from users who just moved to Samba-3. The following
+ &smb.conf; file entries were causing problems: new accounts were being added to the old
smbpasswd file, not to the tdbsam passdb.tdb file:
</para>
@@ -1778,7 +1776,7 @@ access to attrs=SambaLMPassword,SambaNTPassword
<para>
When explicitly setting an <smbconfoption name="auth methods"/> parameter,
- <parameter>guest</parameter> must be specified as the first entry on the line,
+ <parameter>guest</parameter> must be specified as the first entry on the line &smbmdash;
for example, <smbconfoption name="auth methods">guest sam</smbconfoption>.
</para>