From 55f0d8a44646cf95a1826c6480fef06f1068d93a Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Wed, 22 Jun 2005 02:17:10 +0000 Subject: Another partial update. (This used to be commit 9318b2c9509cd864b4e1df7ce6302e07b45e4343) --- docs/Samba3-HOWTO/TOSHARG-Passdb.xml | 368 +++++++++++++++++++++++++++-------- 1 file changed, 282 insertions(+), 86 deletions(-) diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index 5ec5c62a8f..c9cea565ed 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml @@ -603,6 +603,8 @@ Samba-3 introduces a number of new password backend capabilities. +LDAP backends +PADL Software A network administrator who wants to make significant use of LDAP backends will sooner or later be exposed to the excellent work done by PADL Software. PADL have produced and released to open source an array of tools that might be of interest. These tools include: @@ -611,6 +613,14 @@ Samba-3 introduces a number of new password backend capabilities. +nss_ldap +NSS +AIX +Linux +LDAP +Solaris +UID +GID nss_ldap: An LDAP name service switch (NSS) module to provide native name service support for AIX, Linux, Solaris, and other operating systems. This tool can be used for centralized storage and retrieval of UIDs and GIDs. @@ -619,12 +629,21 @@ Samba-3 introduces a number of new password backend capabilities. +pam_ldap +PAM +LDAP +access authentication pam_ldap: A PAM module that provides LDAP integration for UNIX/Linux system access authentication. + +idmap_ad +IDMAP backend +RFC 2307 +PADL idmap_ad: An IDMAP backend that supports the Microsoft Services for UNIX RFC 2307 schema available from the PADL Web site. 
@@ -638,6 +657,10 @@ Samba-3 introduces a number of new password backend capabilities. Comments Regarding LDAP +LDAPdirectories +architecture +FIM +SSO There is much excitement and interest in LDAP directories in the information technology world today. The LDAP architecture was designed to be highly scalable. It was also designed for use across a huge number of potential areas of application encompasing a wide range of operating @@ -646,13 +669,31 @@ Samba-3 introduces a number of new password backend capabilities. +LDAP +eDirectory +ADS +authentication LDAP implementations have been built across a wide variety of platforms. It lies at the core of Microsoft - Windows Active Directory services, Novell's e-Directory, as well as many others. Implementation of the + Windows Active Directory services (ADS), Novell's eDirectory, as well as many others. Implementation of the directory services LDAP involves interaction with legacy as well as new generation applications, all of which depend on some form of authentication services. +LDAP directory +authentication +access controls +intermediate tools +middle-ware +central environment +infrastructure +login shells +mail +messaging systems +quota controls +printing systems +DNS servers +DHCP servers UNIX services can utilize LDAP directory information for authentication and access controls through intermediate tools and utilities. The total environment that consists of the LDAP directory and the middle-ware tools and utilities makes it possible for all user access to the UNIX platform @@ -663,6 +704,12 @@ Samba-3 introduces a number of new password backend capabilities. +LDAP +passdb backend +scalable +SAM backend +LDAP directory +management costs Many sites are installing LDAP for the first time in order to provide a scalable passdb backend for Samba. Others are faced with the need to adapt an existing LDAP directory to new uses such as for the Samba SAM backend. Whatever your particular need and attraction to Samba may be, 
@@ -672,6 +719,8 @@ Samba-3 introduces a number of new password backend capabilities. +LDAP deployment +Directory Information TreeDIT Do not rush into an LDAP deployment. Take the time to understand how the design of the Directory Information Tree (DIT) may impact current and future site needs, as well as the ability to meet them. The way that Samba SAM information should be stored within the DIT varies from site to site @@ -684,6 +733,13 @@ Samba-3 introduces a number of new password backend capabilities. Caution Regarding LDAP and Samba +POSIX identity +networking environment +user accounts +group accounts +machine trust accounts +interdomain trust accounts +intermediate information Samba requires UNIX POSIX identity information as well as a place to store information that is specific to Samba and the Windows networking environment. The most used information that must be dealt with includes: user accounts, group accounts, machine trust accounts, interdomain @@ -691,6 +747,9 @@ Samba-3 introduces a number of new password backend capabilities. +deployment guidelines +HOWTO documents +LDAP The example deployment guidelines in this book, as well as other books and HOWTO documents available from the internet may not fit with established directory designs and implementations. The existing DIT may not be able to accomodate the simple information layout proposed in common @@ -699,6 +758,7 @@ Samba-3 introduces a number of new password backend capabilities. +existing LDAP DIT It is not uncommon, for sites that have existing LDAP DITs to find necessity to generate a set of site specific scripts and utilities to make it possible to deploy Samba within the scope of site operations. The way that user and group accounts are distributed throughout 
@@ -708,6 +768,8 @@ Samba-3 introduces a number of new password backend capabilities. +scripts +tools Above all, do not blindly use scripts and tools that are not suitable for your site. Check and validate all scripts before you execute them to make sure that the existing infrastructure will not be damaged by inadvertent use of an inappropriate tool. @@ -721,6 +783,9 @@ Samba-3 introduces a number of new password backend capabilities. LDAP Directories and Windows Computer Accounts +turnkey solution +LDAP. +frustrating experience Samba doesn't provide a turnkey solution to LDAP. It is best to deal with the design and configuration of an LDAP directory prior to integration with Samba. A working knowledge of LDAP makes Samba integration easy, and the lack of a working knowledge of LDAP can make @@ -728,11 +793,21 @@ Samba-3 introduces a number of new password backend capabilities. +computer accounts +machine accounts +LDAP Computer (machine) accounts can be placed wherever you like in an LDAP directory subject to some constraints that are described in this chapter. +POSIX +sambaSamAccount +computer accounts +machine accounts +Windows NT4/200X +user account +trust accounts The POSIX and sambaSamAccount components of computer (machine) accounts are both used by Samba. Thus, machine accounts are treated inside Samba in the same way that Windows NT4/200X treats them. A user account and a machine account are indistinquishable from each other, except that @@ -740,6 +815,11 @@ Samba-3 introduces a number of new password backend capabilities. +user +group +machine +trust +UID The need for Windows user, group, machine, trust, and other accounts to be tied to a valid UNIX UID is a design decision that was made a long way back in the history of Samba development. It is unlikely that this decision will be reversed or changed during the remaining life of the 
@@ -747,6 +827,9 @@ Samba-3 introduces a number of new password backend capabilities. +UID +SID +NSS The resolution of a UID from the Windows SID is achieved within Samba through a mechanism that must refer back to the host operating system on which Samba is running. The NSS is the preferred mechanism that shields applications (like Samba) from the need to know everything about every @@ -754,6 +837,13 @@ Samba-3 introduces a number of new password backend capabilities. +UID +passwd +shadow +group +NSS +winbindd +LDAP Samba asks the host OS to provide a UID via the passwd, shadow, and group facilities in the NSS control (configuration) file. The best tool for achieving this is left up to the UNIX administrator to determine. It is not imposed by @@ -763,6 +853,11 @@ Samba-3 introduces a number of new password backend capabilities. +PADL +nss_ldap +UID +LDAP +documentation For many the weapon of choice is to use the PADL nss_ldap utility. This utility must be configured so that computer accounts can be resolved to a POSIX/UNIX account UID. That is fundamentally an LDAP design question. The information provided on the Samba list and 
@@ -779,21 +874,32 @@ Samba-3 introduces a number of new password backend capabilities. pdbedit +machine accounts +management tools Samba provides two tools for management of user and machine accounts: smbpasswd and pdbedit. +smbpasswd +storage mechanism +SambaSAMAccount +net Some people are confused when reference is made to smbpasswd because the name refers to a storage mechanism for SambaSAMAccount information, but it is also the name of a utility tool. That tool is destined to eventually be replaced by new functionality that -is being added to the net toolset. +is being added to the net toolset (see the Net Command. The <command>smbpasswd</command> Command +smbpasswd +passwd +yppasswd +passdb backend +storage methods The smbpasswd utility is similar to the passwd and yppasswd programs. It maintains the two 32 byte password fields in the passdb backend. This utility operates independantly of the actual @@ -802,11 +908,15 @@ is being added to the net toolset. +smbpasswd +client-server mode smbpasswd works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits. +smbpasswd +change passwords smbpasswd has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT PDC if changing an NT domain user's password). @@ -850,11 +960,14 @@ is being added to the net toolset. +SMB password When invoked by an ordinary user, the command will allow only the user to change his or her own SMB password. +smbpasswd +SMB password When run by root, smbpasswd may take an optional argument specifying the username whose SMB password you wish to change. When run as root, smbpasswd does not prompt for or check the old password value, thus allowing root to set passwords 
@@ -862,6 +975,10 @@ is being added to the net toolset. +smbpasswd +passwd +yppasswd +change capabilities smbpasswd is designed to work in the way familiar to UNIX users who use the passwd or yppasswd commands. While designed for administrative use, this tool provides essential user-level @@ -869,6 +986,7 @@ is being added to the net toolset. +smbpasswd For more details on using smbpasswd, refer to the man page (the definitive reference). @@ -893,6 +1011,9 @@ is being added to the net toolset. pdbedit +policy settings +account security +smbpasswd The pdbedit tool is the only one that can manage the account security and policy settings. It is capable of all operations that smbpasswd can do as well as a superset of them. @@ -900,12 +1021,15 @@ is being added to the net toolset. pdbedit +account migration +passdb backend One particularly important purpose of the pdbedit is to allow the migration of account information from one passdb backend to another. See the XML password backend section of this chapter. +tdbsam The following is an example of the user account information that is stored in a tdbsam password backend. This listing was produced by running: @@ -936,6 +1060,8 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT pdbedit +migrate accounts +authentication The pdbedit tool allows migration of authentication (account) databases from one backend to another. For example, to migrate accounts from an old smbpasswd database to a tdbsam @@ -948,6 +1074,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT +pdbedit Execute: &rootprompt;pdbedit -i smbpasswd -e tdbsam @@ -955,6 +1082,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT +smbpasswd Remove the smbpasswd from the passdb backend configuration in &smb.conf;. 
@@ -967,12 +1095,16 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT Password Backends +account database +SMB/CIFS server Samba offers the greatest flexibility in backend account database design of any SMB/CIFS server technology available today. The flexibility is immediately obvious as one begins to explore this capability. +multiple backends +tdbsam databases It is possible to specify not only multiple password backends, but even multiple backends of the same type. For example, to use two different tdbsam databases: @@ -989,6 +1121,12 @@ may be said that the solution is too clever by half! Plaintext +user database +/etc/samba/smbpasswd +/etc/smbpasswd +password encryption +/etc/passwd +PAM Older versions of Samba retrieved user information from the UNIX user database and eventually some other fields from the file /etc/samba/smbpasswd or /etc/smbpasswd. When password encryption is disabled, no @@ -1004,6 +1142,9 @@ may be said that the solution is too clever by half! SAM backendsmbpasswd +user account +LM/NT password hashes +smbpasswd Traditionally, when configuring yes in Samba's &smb.conf; file, user account information such as username, LM/NT password hashes, password change times, and account flags have been stored in the smbpasswd(5) @@ -1013,6 +1154,7 @@ may be said that the solution is too clever by half! +lookups The first problem is that all lookups must be performed sequentially. Given that there are approximately two lookups per domain logon (one during intial logon validation and one for a session connection setup, such as when mapping a network drive or printer), this @@ -1021,6 +1163,11 @@ may be said that the solution is too clever by half! +smbpasswd +replicate +rsync +ssh +custom scripts The second problem is that administrators who desire to replicate an smbpasswd file to more than one Samba server are left to use external tools such as rsync(1) and ssh(1) and write custom, 
@@ -1028,6 +1175,11 @@ may be said that the solution is too clever by half! +smbpasswd +home directory +password expiration +relative identifier +relative identifierRID Finally, the amount of information that is stored in an smbpasswd entry leaves no room for additional attributes such as a home directory, password expiration time, or even a relative identifier (RID). @@ -1035,13 +1187,23 @@ may be said that the solution is too clever by half! +user attributes +smbd +API +samdb interface As a result of these deficiencies, a more robust means of storing user attributes used by smbd was developed. The API that defines access to user accounts is commonly referred to as the samdb interface (previously, this was called the passdb - API and is still so named in the Samba CVS trees). + API and is still so named in the Samba source code trees). +passdb backends +smbpasswd plaintext database +tdbsam +ldapsam +xmlsam +enterprise Samba provides an enhanced set of passdb backends that overcome the deficiencies of the smbpasswd plaintext database. These are tdbsam, ldapsam, and xmlsam. Of these, ldapsam will be of most interest to large corporate or enterprise sites. @@ -1054,12 +1216,18 @@ may be said that the solution is too clever by half! SAM backendtdbsam +trivial databaseTDB +machine account Samba can store user and machine account data in a TDB (trivial database). Using this backend does not require any additional configuration. This backend is recommended for new installations that do not require LDAP. +tdbsam +PDC +BDC +scalability As a general guide, the Samba Team does not recommend using the tdbsam backend for sites that have 250 or more users. Additionally, tdbsam is not capable of scaling for use in sites that require PDB/BDC implementations that require replication of the account 
@@ -1067,6 +1235,9 @@ may be said that the solution is too clever by half! +250-user limit +performance-based +tdbsam The recommendation of a 250-user limit is purely based on the notion that this would generally involve a site that has routed networks, possibly spread across more than one physical location. The Samba Team has not at this time established @@ -1074,6 +1245,10 @@ may be said that the solution is too clever by half! +4,500 user accounts +passdb backend +tdbsam +SambaSAMAccount There are sites that have thousands of users and yet require only one server. One site recently reported having 4,500 user accounts on one UNIX system and reported excellent performance with the tdbsam passdb backend. @@ -1089,6 +1264,8 @@ may be said that the solution is too clever by half! ldapsam +LDAP +ldapsam SAM backendldapsam There are a few points to stress that the ldapsam does not provide. The LDAP support referred to in this documentation does not include: @@ -1101,6 +1278,10 @@ may be said that the solution is too clever by half! +LDAP +NSS +PAM +LGPL The second item can be accomplished by using LDAP NSS and PAM modules. LGPL versions of these libraries can be obtained from PADL Software. More information about the configuration of these packages may be found in @@ -1108,6 +1289,9 @@ may be said that the solution is too clever by half! +LDAP directory +smbpasswd +directory server This document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is assumed that the reader already has a basic understanding of LDAP concepts @@ -1119,7 +1303,7 @@ may be said that the solution is too clever by half! OpenLDAP Sun One Directory Server - Novell eDirectory + Novell eDirectory IBM Tivoli Directory Server Red Hat Directory 
@@ -1389,12 +1573,26 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz Configuring Samba - The following parameters are available in smb.conf only if your - version of Samba was built with LDAP support. Samba automatically builds with LDAP support if the - LDAP libraries are found. + The following parameters are available in smb.conf only if your version of Samba was built with + LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. The + best method to verify that Samba was built with LDAP support is: + +&rootprompt; smbd -b | grep LDAP + HAVE_LDAP_H + HAVE_LDAP + HAVE_LDAP_DOMAIN2HOSTLIST + HAVE_LDAP_INIT + HAVE_LDAP_INITIALIZE + HAVE_LDAP_SET_REBIND_PROC + HAVE_LIBLDAP + LDAP_SET_REBIND_PROC_ARGS + + If the build of the smbd command you are using does not produce output + that includes HAVE_LDAP_H it is necessary to discover why the LDAP headers + and libraries were not found during compilation. - LDAP-related smb.conf options are: + LDAP-related smb.conf options include these: ldapsam:url @@ -1407,6 +1605,9 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz + + + @@ -1428,7 +1629,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz Define the DN used when binding to the LDAP servers. The password for this DN is not stored in smb.conf -Set it using 'smbpasswd -w secretpw' to store the +Set it using 'smbpasswd -w secret' to store the passphrase in the secrets.tdb file. If the "ldap admin dn" value changes, it must be reset. "cn=Manager,dc=quenya,dc=org" @@ -1463,8 +1664,8 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz Accounts and Groups Management -User Management -User AccountsAdding/Deleting + User Management + User AccountsAdding/Deleting Because user accounts are managed through the sambaSamAccount ObjectClass, you should modify your existing administration tools to deal with sambaSamAccount attributes. 
@@ -1510,18 +1711,18 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz These password hashes are clear-text equivalents and can be used to impersonate the user without deriving the original clear-text strings. For more information - on the details of LM/NT password hashes, refer to the Account Information - Database section. + on the details of LM/NT password hashes, refer to the + Account Information Database section. - To remedy the first security issue, the &smb.conf; parameter defaults - to require an encrypted session (on) using - the default port of 636 - when contacting the directory server. When using an OpenLDAP server, it - is possible to use the StartTLS LDAP extended operation in the place of - LDAPS. In either case, you are strongly discouraged to disable this security - (off). + To remedy the first security issue, the &smb.conf; + parameter defaults to require an encrypted session (on) using the default port of 636 when + contacting the directory server. When using an OpenLDAP server, it + is possible to use the StartTLS LDAP extended operation in the place of LDAPS. + In either case, you are strongly encouraged to use secure communications protocols + (so do not set off). @@ -1554,7 +1755,6 @@ access to attrs=SambaLMPassword,SambaNTPassword linkend="attribobjclPartA">Part A, and Part B. - Attributes in the sambaSamAccount ObjectClass (LDAP), Part A 
@@ -1583,8 +1783,9 @@ access to attrs=SambaLMPassword,SambaNTPassword Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to expire completely on an exact date. - sambaPwdCanChangeSpecifies the time (UNIX time format) after which the user is allowed to - change his password. If attribute is not set, the user will be free to change his password whenever he wants. + sambaPwdCanChangeSpecifies the time (UNIX time format) + after which the user is allowed to change his password. If attribute is not set, the user will be free + to change his password whenever he wants. sambaPwdMustChangeSpecifies the time (UNIX time format) when the user is forced to change his password. If this value is set to 0, the user will have to change his password at first login. @@ -1612,8 +1813,8 @@ access to attrs=SambaLMPassword,SambaNTPassword
-
- + + Attributes in the sambaSamAccount ObjectClass (LDAP), Part B @@ -1635,7 +1836,7 @@ access to attrs=SambaLMPassword,SambaNTPassword sambaDomainNameDomain the user is part of.
-
+ The majority of these parameters are only used when Samba is acting as a PDC of 
@@ -1671,58 +1872,52 @@ access to attrs=SambaLMPassword,SambaNTPassword The following is a working LDIF that demonstrates the use of the SambaSamAccount ObjectClass: - - - - - dn: uid=guest2, ou=People,dc=quenya,dc=org - sambaLMPassword: 878D8014606CDA29677A44EFA1353FC7 - sambaPwdMustChange: 2147483647 - sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513 - sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE - sambaPwdLastSet: 1010179124 - sambaLogonTime: 0 - objectClass: sambaSamAccount - uid: guest2 - sambaKickoffTime: 2147483647 - sambaAcctFlags: [UX ] - sambaLogoffTime: 2147483647 - sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006 - sambaPwdCanChange: 0 + +dn: uid=guest2, ou=People,dc=quenya,dc=org +sambaLMPassword: 878D8014606CDA29677A44EFA1353FC7 +sambaPwdMustChange: 2147483647 +sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-513 +sambaNTPassword: 552902031BEDE9EFAAD3B435B51404EE +sambaPwdLastSet: 1010179124 +sambaLogonTime: 0 +objectClass: sambaSamAccount +uid: guest2 +sambaKickoffTime: 2147483647 +sambaAcctFlags: [UX ] +sambaLogoffTime: 2147483647 +sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5006 +sambaPwdCanChange: 0 - + The following is an LDIF entry for using both the sambaSamAccount and posixAccount ObjectClasses: - - - - - dn: uid=gcarter, ou=People,dc=quenya,dc=org - sambaLogonTime: 0 - displayName: Gerald Carter - sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE - sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201 - objectClass: posixAccount - objectClass: sambaSamAccount - sambaAcctFlags: [UX ] - userPassword: {crypt}BpM2ej8Rkzogo - uid: gcarter - uidNumber: 9000 - cn: Gerald Carter - loginShell: /bin/bash - logoffTime: 2147483647 - gidNumber: 100 - sambaKickoffTime: 2147483647 - sambaPwdLastSet: 1010179230 - sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004 - homeDirectory: /home/moria/gcarter - sambaPwdCanChange: 0 - sambaPwdMustChange: 2147483647 - sambaNTPassword: 
878D8014606CDA29677A44EFA1353FC7 + +dn: uid=gcarter, ou=People,dc=quenya,dc=org +sambaLogonTime: 0 +displayName: Gerald Carter +sambaLMPassword: 552902031BEDE9EFAAD3B435B51404EE +sambaPrimaryGroupSID: S-1-5-21-2447931902-1787058256-3961074038-1201 +objectClass: posixAccount +objectClass: sambaSamAccount +sambaAcctFlags: [UX ] +userPassword: {crypt}BpM2ej8Rkzogo +uid: gcarter +uidNumber: 9000 +cn: Gerald Carter +loginShell: /bin/bash +logoffTime: 2147483647 +gidNumber: 100 +sambaKickoffTime: 2147483647 +sambaPwdLastSet: 1010179230 +sambaSID: S-1-5-21-2447931902-1787058256-3961074038-5004 +homeDirectory: /home/moria/gcarter +sambaPwdCanChange: 0 +sambaPwdMustChange: 2147483647 +sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 - +
@@ -1735,10 +1930,10 @@ access to attrs=SambaLMPassword,SambaNTPassword
The options can have the values shown in - Table 10.3. + Possible ldap passwd sync Values.
- Possible <emphasis>ldap passwd sync</emphasis> Values + Possible <parameter>ldap passwd sync</parameter> Values @@ -1750,11 +1945,12 @@ access to attrs=SambaLMPassword,SambaNTPassword SambaNTPassword, SambaLMPassword, and the password fields. - noOnly update SambaNTPassword and SambaLMPassword. + noOnly update SambaNTPassword and + SambaLMPassword. - onlyOnly update the LDAP password and let the LDAP server worry about the other fields. - This option is only available on some LDAP servers and only when the LDAP server - supports LDAP_EXOP_X_MODIFY_PASSWD. + onlyOnly update the LDAP password and let the LDAP server + worry about the other fields. This option is only available on some LDAP servers and + only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.
@@ -1770,13 +1966,13 @@ access to attrs=SambaLMPassword,SambaNTPassword MySQL -SAM backendmysqlsam - Every so often someone comes along with a great new idea. Storing user accounts in a - SQL backend is one of them. Those who want to do this are in the best position to know what the - specific benefits are to them. This may sound like a cop-out, but in truth we cannot attempt - to document every little detail of why certain things of marginal utility to the bulk of - Samba users might make sense to the rest. In any case, the following instructions should help - the determined SQL user to implement a working system. + SAM backendmysqlsam + Every so often someone comes along with what seems to them like a great new idea. Storing user accounts + in a SQL backend is one of them. Those who want to do this are in the best position to know what the + specific benefits are to them. This may sound like a cop-out, but in truth we cannot document + every little detail of why certain things of marginal utility to the bulk of Samba users might make sense + to the rest. In any case, the following instructions should help the determined SQL user to implement a + working system. These account storage methods are not actively maintained by the Samba Team. @@ -1789,7 +1985,7 @@ access to attrs=SambaLMPassword,SambaNTPassword examples/pdb/mysql/mysql.dump contains the correct queries to create the required tables. Use the command: -&prompt;mysql -uusername -hhostname -ppassword \ +&rootprompt;mysql -uusername -hhostname -ppassword \ databasename < /path/to/samba/examples/pdb/mysql/mysql.dump
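Review bot: the added line "+is being added to the net toolset (see the Net Command." in hunk @@ -779,21 +874,32 @@ opens a parenthesis that is never closed. Close it after the cross-reference so the sentence ends "(see the Net Command).".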
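Review bot: in hunk @@ -1054,12 +1216,18 @@ the new index terms are PDC and BDC, but the paragraph they index still reads "PDB/BDC implementations" in the unchanged context. That looks like a typo for PDC/BDC. Correct it in this change so the index entries and the text agree.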
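Review bot: the example 'smbpasswd -w secret' in hunk @@ -1428,7 +1629,7 @@ still passes the passphrase for the LDAP admin DN as a command-line argument, where it ends up in shell history and is visible in the process list while the command runs. The rename from "secretpw" to "secret" does not address that. Add a sentence next to the example saying so, and note that secrets.tdb then holds the bind credential and must stay readable by root only.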
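Review bot: the rewritten closing sentence in hunk @@ -1510,18 +1711,18 @@ no longer says what is at stake when the setting is turned off. The context lines directly above state that the LM/NT hashes are clear-text equivalents that can be used to impersonate the user. Tie the recommendation to that, stating that an unencrypted session to the directory server exposes those hashes, instead of ending on the parenthetical "(so do not set off)". The sentence about port 636 followed by the StartTLS alternative would also be clearer if it said which port StartTLS is expected on.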
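Review bot: the second LDIF example in hunk @@ -1671,58 +1872,52 @@ carries "logoffTime: 2147483647" across the re-indent unchanged, while the first example uses "sambaLogoffTime" and every other Samba attribute in both entries has the samba prefix. Rename it to sambaLogoffTime, since the text presents these as working LDIF. While touching these blocks, also check the hash values in the guest2 entry: its sambaNTPassword ends in AAD3B435B51404EE, which is the constant LM half for an empty 7-character block, so the LM and NT values there look swapped relative to the gcarter entry.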
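Review bot: the prompt change from &prompt; to &rootprompt; in hunk @@ -1789,7 +1985,7 @@ tells readers to run the mysql client as the system root user, which loading mysql.dump does not require, since the database account is selected with -u. Keep &prompt; here. The example also places the database password on the command line with -ppassword, where it is visible in the process list and shell history. Show -p on its own so the client prompts for it.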