From 82c556a8f285b64b5a2c2a74cd5b93d7f2c9776c Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Thu, 30 Jun 2005 03:56:09 +0000 Subject: More copy edits and content updates. (This used to be commit b135c36d9e0ec14c855101bf8e3d40c45331290a) --- docs/Samba3-ByExample/SBE-preface.xml | 28 ++- docs/Samba3-HOWTO/TOSHARG-Passdb.xml | 461 ++++++++++++++++++++++++++++++++-- 2 files changed, 470 insertions(+), 19 deletions(-) diff --git a/docs/Samba3-ByExample/SBE-preface.xml b/docs/Samba3-ByExample/SBE-preface.xml index 787e6ece20..d9d9cb9492 100644 --- a/docs/Samba3-ByExample/SBE-preface.xml +++ b/docs/Samba3-ByExample/SBE-preface.xml 
@@ -551,7 +551,33 @@ avoid Samba configuration options that will weigh the server down. MS distributed file services to make your network fly and much more. This chapter contains a good deal of Did I tell you about this...? type of hints to help keep your name on the top - performers list. (John, should there be entries for Chapter 14 and Apps A & C ???????) + performers list. + + + + + + Chapter 14 &smbmdash; Samba Support. + + This chapter has been added specifically to help those who are seeking professional + paid support for Samba. The critics of Open Source Software often assert that + there is no support for free software. Some critics argue that free software + undermines the service that proprietary commercial software vendors depend on. + This chapter explains what are the support options for Samba and the fact that + a growing number of businesses make money by providing commercial paid-for + Samba support. + + + + + + Appendix A &smbmdash; A Collection of Useful Tid-bits. + + Sometimes it seems that there is not a good place for certain odds and ends that + impact Samba deployment. Some readers would argue that everyone can be expected + to know this information, or at least be able to find it easily. So to avoid + offending a reader's sensitivities, the tid-bits have been placed in this Appendix. + Do check out the contents, you may find something of value among the loose ends. diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index 5d2607f885..4ff0e842de 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml 
@@ -902,7 +902,7 @@ is being added to the net toolset (see - The <command>pdbedit</command> Utility + The <command>pdbedit</command> Tool pdbedit User Management + account policy User AccountsAdding/Deleting pdbedit is a tool that can be used only by root. It is used to - manage the passdb backend. pdbedit can be used to: + manage the passdb backend, as well as domain-wide account policy settings. pdbedit + can be used to: add, remove, or modify user accounts. list user accounts. migrate user accounts. + migrate group accounts. + manage account policies. + manage domain access policy settings. - Domain global policy controls available include: + Sarbanes-Oxley + Under the terms of the Sarbanes-Oxley Act of 2002, American businessies and organizations are mandated to + implement a series of internal controls and procedures to communicate, store, + and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of: - - Maximum Password Age - Minimum Password Age - Mimimum Password Length - Password Uniqueness (remembers number of prior passwords) - Account Lockout - Bad Logon Attempts - Lockout Reset Delay - Lockout Duration - + + Who has access to information systems that store financial data. + How personal and finacial information is treated among employees and business + partners. + How security vulnerabilities are managed. + Security and patch level maintenance for all information systems. + How information systems changes are documented and tracked. + How information access controls are implemented and managed. + Auditability of all information systems in respect of change and security. + Disciplinary procedures and controls to ensure privacy. 
+ + + + accountability + compliance + In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of + business related information systems so as to ensure the compliance of all information systems that + are used to store personal information and particularly for financial records processing. Similar + accountabilities are being demanded around the world. + + + + laws + regulations + pdbedit + access controls + manage accounts + The need to be familiar with the Samba tools and facilities that permit information systems operation + in compliance with government laws and regulations is clear to all. The pdbedit is + currently the only Samba tool that provides the capacity to manage account and systems access controls + and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may + be implemented to aid in this important area. + + + + Domain global policy controls available in Windows NT4 compared with Samba + is shown in NT4 Domain v's Samba Policy Controls. 
+ + + + NT4 Domain v's Samba Policy Controls + + + + + + + + + NT4 policy Name + Samba Policy Name + NT4 Range + Samba Range + Samba Default + + + + + Maximum Password Age + maximum password age + 0 - 999 (days) + 0 - 4294967295 (sec) + 4294967295 + + + Minimum Password Age + minimum password age + 0 - 999 (days) + 0 - 4294967295 (sec) + 0 + + + Mimimum Password Length + min password length + 1 - 14 (Chars) + 0 - 4294967295 (Chars) + 5 + + + Password Uniqueness + password history + 0 - 23 (#) + 0 - 4294967295 (#) + 0 + + + Account Lockout - Reset count after + reset count minutes + 1 - 99998 (min) + 0 - 4294967295 (min) + 30 + + + Lockout after bad logon attempts + bad lockout attempt + 0 - 998 (#) + 0 - 4294967295 (#) + 0 + + + *** Not Known *** + disconnect time + TBA + 0 - 4294967295 + 0 + + + Lockout Duration + lockout duration + 1 - 99998 (min) + 0 - 4294967295 (min) + 30 + + + Users must log on in order to change password + user must logon to change password + 0/1 + 0 - 4294967295 + 0 + + + *** Registry Setting *** + refuse machine password change + 0/1 + 0 - 4294967295 + 0 + + + +
pdbedit @@ -1053,17 +1181,47 @@ is being added to the net toolset (see XML password backend section of this chapter. + + User Account Management + + +pdbedit +smbpasswd +system accounts +user account +domain user manager +add user script +interface scripts + The pdbedit tool, like the smbpasswd tool, requires + that a POSIX user account already exists in the UNIX/Linux system accounts database (backend). + Neither tool will call out to the operating system to create a user account because this is + considered to be the responsibility of the system administrator. When the Windows NT4 domain + user manager is used to add an account, Samba will implement the add user script + (as well as the other interface scripts) to ensure that user, group and machine accounts are + correctly created and changed. The use of the pdbedit tool does not + make use of these interface scripts. + + + +pdbedit +POSIX account + Before attempting to use the pdbedit tool to manage user and machine + accounts, make certain that a system (POSIX) account has already been created. + + + + Listing User and Machine Accounts + tdbsam +password backend The following is an example of the user account information that is stored in a tdbsam password backend. This listing was produced by running: - - &prompt;pdbedit -Lv met UNIX username: met -NT username: -Account Flags: [UX ] +NT username: met +Account Flags: [U ] User SID: S-1-5-21-1449123459-1407424037-3116680435-2004 Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201 Full Name: Melissa E Terpstra 
@@ -1082,6 +1240,272 @@ Password last set: Sat, 14 Dec 2002 14:37:03 GMT Password can change: Sat, 14 Dec 2002 14:37:03 GMT Password must change: Mon, 18 Jan 2038 20:14:07 GMT + + + +smbpasswd format + Accounts can also be listed in the older smbpasswd format: + +&rootprompt;pdbedit -Lw +root:0:84B0D8E14D158FF8417EAF50CFAC29C3: + AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-42681AB8: +jht:1000:6BBC4159020A52741486235A2333E4D2: + CC099521AD554A3C3CF2556274DBCFBC:[U ]:LCT-40D75B5B: +rcg:1002:E95D4331A6F23AF8AAD3B435B51404EE: + BB0F2C39B04CA6100F0E535DF8314B43:[U ]:LCT-40D7C5A3: +afw:1003:1AAFA7F9F6DC1DEAAAD3B435B51404EE: + CE92C2F9471594CDC4E7860CA6BC62DB:[T ]:LCT-40DA501F: +met:1004:A2848CB7E076B435AAD3B435B51404EE: + F25F5D3405085C555236B80B7B22C0D2:[U ]:LCT-4244FAB8: +aurora$:1005:060DE593EA638B8ACC4A19F14D2FF2BB: + 060DE593EA638B8ACC4A19F14D2FF2BB:[W ]:LCT-4173E5CC: +temptation$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + A96703C014E404E33D4049F706C45EE9:[W ]:LCT-42BF0C57: +vaioboss$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: + 88A30A095160072784C88F811E89F98A:[W ]:LCT-41C3878D: +frodo$:1008:15891DC6B843ECA41249940C814E316B: + B68EADCCD18E17503D3DAD3E6B0B9A75:[W ]:LCT-42B7979F: +marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3: + C610EFE9A385A3E8AA46ADFD576E6881:[W ]:LCT-40F07A4 + + + + + + + Adding User Accounts + + +pdbedit +add a user account +standalone server +domain +SambaSAMAccount + The pdbedit can be used to add a user account to a standalone server + or to a domain. In the example shown here the account for the user vlaan + has been created before attempting to add the SambaSAMAccount. 
+ +&rootprompt; pdbedit -a vlaan +new password: secretpw +retype new password: secretpw +Unix username: vlaan +NT username: vlaan +Account Flags: [U ] +User SID: S-1-5-21-726309263-4128913605-1168186429-3014 +Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513 +Full Name: Victor Laan +Home Directory: \\frodo\vlaan +HomeDir Drive: H: +Logon Script: scripts\logon.bat +Profile Path: \\frodo\profiles\vlaan +Domain: &example.workgroup; +Account desc: Guest User +Workstations: +Munged dial: +Logon time: 0 +Logoff time: Mon, 18 Jan 2038 20:14:07 GMT +Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT +Password last set: Wed, 29 Jun 2005 19:35:12 GMT +Password can change: Wed, 29 Jun 2005 19:35:12 GMT +Password must change: Mon, 18 Jan 2038 20:14:07 GMT +Last bad password : 0 +Bad password count : 0 +Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF + + + + + + + Deleting Accounts + + +account deleted +SambaSAMAccount +pdbedit +passdb backend + An account can be deleted from the SambaSAMAccount database + +&rootprompt; pdbedit -x vlaan + + The account is removed without further screen output. The account is removed only from the + SambaSAMAccount (passdb backend) database, it is not removed from the UNIX account backend. + + + +delete user script +pdbedit + The use of the NT4 domain user manager to delete an account will trigger the delete user + script, but not the pdbedit tool. + + + + + + Changing User Accounts + + +pdbedit + Refer to the pdbedit man page for a full synopsis of all operations + that are available with this tool. + + + +pdbedit + An example of a simple change in the user account information is the change of the full name + information shown here: + +&rootprompt; pdbedit -r --fullname="Victor Aluicious Laan" vlaan +... +Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513 +Full Name: Victor Aluicious Laan +Home Directory: \\frodo\vlaan +... 
+ + + + +grace time +password expired +expired password + Let us assume for a moment that a user's password has expired and the user is unable to + change the password at this time. It may be necessary to give the user additional grace time + so that it is possible to continue to work with the account and the original password. This + demonstrates how the password expiration settings may be updated + +&rootprompt; pdbedit -Lv vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Thu, 03 Jan 2002 15:08:35 GMT +Last bad password : Thu, 03 Jan 2002 15:08:35 GMT +Bad password count : 2 +... + +bad logon attempts +lock the account + The user has recorded 2 bad logon attempts and the next will lock the account, but the + password is also expired. Here is how this account can be reset: + +&rootprompt; pdbedit -z vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Thu, 03 Jan 2002 15:08:35 GMT +Last bad password : 0 +Bad password count : 0 +... + + The Password must change: parameter can be reset like this: + +&rootprompt; pdbedit --pwd-must-change-time=1200000000 vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Thu, 10 Jan 2008 14:20:00 GMT +... + + Another way to use this tools is to set the date like this: + +&rootprompt; pdbedit --pwd-must-change-time="2010-01-01" \ + --time-format="%Y-%m-%d" vlaan +... +Password last set: Sun, 09 Sep 2001 22:21:40 GMT +Password can change: Thu, 03 Jan 2002 15:08:35 GMT +Password must change: Fri, 01 Jan 2010 00:00:00 GMT +... + +strptime +time format + Refer to the strptime man page for specific time format information. + + + +pdbedit +SambaSAMAccount + Please refer to the pdbedit man page for further information relating to SambaSAMAccount + management. 
+ + + + + + Domain Account Policy Managment + + +domain account access policies +access policies + To view the domain account access policies that may be configured execute: + +&rootprompt; pdbedit -P ? +No account policy by that name +Account policy names are : +min password length +password history +user must logon to change password +maximum password age +minimum password age +lockout duration +reset count minutes +bad lockout attempt +disconnect time +refuse machine password change + + + + + Commands will be executed to establish controls for our domain as follows: + + + + min password length = 8 characters. + password history = last 4 passwords. + maximum password age = 90 days. + minimum password age = 7 days. + bad lockout attempt = 8 bad logon attempts. + lockout duration = forever, account must be manually reenabled. + + + + The following command execution will achieve these settings: + +&rootprompt; pdbedit -P "min password length" -C 8 +account policy value for min password length was 5 +account policy value for min password length is now 8 +&rootprompt; pdbedit -P "password history" -C 4 +account policy value for password history was 0 +account policy value for password history is now 4 +&rootprompt; pdbedit -P "maximum password age" -C 90 +account policy value for maximum password age was 4294967295 +account policy value for maximum password age is now 90 +&rootprompt; pdbedit -P "minimum password age" -C 7 +account policy value for minimum password age was 0 +account policy value for minimum password age is now 7 +&rootprompt; pdbedit -P "bad lockout attempt" -C 8 +account policy value for bad lockout attempt was 0 +account policy value for bad lockout attempt is now 8 +&rootprompt; pdbedit -P "lockout duration" -C -1 +account policy value for lockout duration was 30 +account policy value for lockout duration is now 4294967295 + + + + +To set the maximum (infinite) lockout time use the value of -1. 
+ + + +Account policies must be set individually on each PDC and BDC. At this time (Samba 3.0.11 to Samba 3.0.14a) +account policies are not replicated automatically. This may be fixed before Samba 3.0.20 ships or some +time there after. + + + + + + + + Account Migration pdbedit @@ -1113,6 +1537,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT +
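Review bot: in the SBE-preface hunk, the editorial question being removed asks for entries covering "Chapter 14 and Apps A & C", but the replacement text adds only the Chapter 14 and Appendix A summaries; either add the Appendix C paragraph as well or confirm it is intentionally left out. Also, the new heading spells it "Tid-bits" while the usual form is "Tidbits"; whichever is chosen, it should match the appendix's real title so the cross-reference reads consistently.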
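Review bot: the @@ -902 hunk carries several typos that will ship in the rendered HOWTO: "businessies" (businesses), "finacial" (financial), "Mimimum Password Length" (Minimum, carried over from the deleted list into the new table row), and the table title "NT4 Domain v's Samba Policy Controls" (vs.). The table also still contains the placeholders "*** Not Known ***" and "TBA" in the "disconnect time" row; resolve them or state explicitly that there is no NT4 equivalent. Finally, since this table is where an administrator first sees the defaults, the prose should say what "maximum password age" = 4294967295 and "bad lockout attempt" = 0 mean in practice: passwords never expire and accounts are never locked out until the administrator changes these values with pdbedit -P.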
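Review bot: in the @@ -1053 hunk the listing command is shown at an unprivileged prompt ("&prompt;pdbedit -Lv met") while the section's own text says pdbedit "can be used only by root" and every other example in this patch uses &rootprompt;; switch this one to &rootprompt; for consistency. In the new "User Account Management" paragraph, "user, group and machine accounts" should take the serial comma used elsewhere in the HOWTO.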
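Review bot: the @@ -1082 hunk has a units mismatch in the "Domain Account Policy Managment" section: the bullet list promises "maximum password age = 90 days" and "minimum password age = 7 days", but the policy table added earlier in this same patch gives the Samba range for both as "0 - 4294967295 (sec)", so "pdbedit -P "maximum password age" -C 90" would set a 90-second maximum age; either convert the values (90 days = 7776000 seconds, 7 days = 604800) or correct the table's unit. The "pdbedit -Lw" listing publishes what appear to be live LM and NT hashes for root, jht, rcg, afw, met and several machine accounts; LM hashes in particular are cheap to recover offline, so mask them with X's as the temptation$ and vaioboss$ lines already do, and note that the final "LCT-40F07A4" is one hex digit short and looks truncated. The "--pwd-must-change-time=1200000000" output reads "Thu, 10 Jan 2008 14:20:00 GMT", but 1200000000 is 21:20:00 UTC, so the capture was most likely in local time. The grace-time example says "the next will lock the account", which assumes a "bad lockout attempt" threshold of 3, neither the default (0) nor the value of 8 set later in the section. Remaining wording: "Managment" (Management), "reenabled" (re-enabled), "this tools" (this tool), "there after" (thereafter), a missing full stop after "deleted from the SambaSAMAccount database", and "will trigger the delete user script, but not the pdbedit tool" should read "whereas the pdbedit tool will not".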