From b2ded598ca76ba61bd6efd1598434c986135e723 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Tue, 21 Jun 2005 20:34:29 +0000 Subject: Fixing index problems. (This used to be commit 2e192190776e41ed96ccb77af945e8ab815be526) --- docs/Samba3-HOWTO/TOSHARG-NetworkBrowsing.xml | 2 +- docs/Samba3-HOWTO/TOSHARG-Passdb.xml | 271 ++++++++++++++++++++----- docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml | 13 +- docs/Samba3-HOWTO/index.xml | 4 +- 4 files changed, 233 insertions(+), 57 deletions(-) diff --git a/docs/Samba3-HOWTO/TOSHARG-NetworkBrowsing.xml b/docs/Samba3-HOWTO/TOSHARG-NetworkBrowsing.xml index 042f1c156f..c5a5d7633a 100644 --- a/docs/Samba3-HOWTO/TOSHARG-NetworkBrowsing.xml +++ b/docs/Samba3-HOWTO/TOSHARG-NetworkBrowsing.xml @@ -249,7 +249,7 @@ configuration parameter called the NetBIOS node-type. There are four basic NetBI -Hybrid +h-node hybrid enables NetBIOS over TCP/IP WINS diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index 200861919e..34bf2604de 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml @@ -20,12 +20,51 @@ Account Information Databases +account backends +password backends +scalability +ADS Samba-3 implements a new capability to work concurrently with multiple account backends. The possible new combinations of password backends allows Samba-3 a degree of flexibility -and scalability that previously could be achieved only with MS Windows Active Directory. +and scalability that previously could be achieved only with MS Windows Active Directory (ADS). This chapter describes the new functionality and how to get the most out of it. + +passdb backend +smbpasswd +tdbsam +ldapsam +LDAP +single repository +The three passdb backends that are fully maintained (actively supported) by the Samba Team are: +smbpasswd (being obsoleted), tdbsam (a tdb based binary file format), +and ldapsam (LDAP directory). Of these, only the ldapsam backend +stores both POSIX (UNIX) and Samba user and group account information in a single repository. The +smbpasswd and tdbsam backends store only Samba user accounts. + + + +In a strict sense, there are three supported account storage and access systems. One of these is considered +obsolete (smbpasswd). It is recommended to use tdbsam method for all simple systems. Use +the ldapsam for larger and more complex networks. + + + +passdb backend +account storage mechanisms +account storage system +user and trust accounts +machine trust accounts +computer accounts +interdomain trust accounts +In a strict and literal sense, the passdb backends are account storage mechanisms (or methods) alone. The choice +of terminology can be misleading, however we are stuck with this choice of wording. This chapter documents the +nature of the account storage system with a focus on user and trust accounts. Trust accounts have two forms, +machine trust accounts (computer accounts) and interdomain trust accounts. These are all treated as user-like +entities. + + Features and Benefits @@ -38,12 +77,17 @@ as follows: - Backward Compatibility Backends + Backward Compatibility Account Storage Systems Plaintext +plaintext +plaintext authentication +/etc/passwd +/etc/shadow +PAM This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass plaintext authentication requests to the traditional UNIX/Linux /etc/passwd and /etc/shadow-style subsystems. On systems that have Pluggable Authentication Modules @@ -58,6 +102,10 @@ as follows: smbpasswd +smbpasswd +LanMan passwords +NT-encrypted passwords +SAM This option allows continued use of the smbpasswd file that maintains a plain ASCII (text) layout that includes the MS Windows LanMan and NT-encrypted passwords as well as a field that stores some @@ -77,6 +125,9 @@ as follows: ldapsam_compat (Samba-2.2 LDAP Compatibility) +ldapsam_compat +Samba-2.2.x LDAP schema +OpenLDAP backend There is a password backend option that allows continued operation with an existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension. This option is provided primarily as a migration tool, although there is @@ -90,7 +141,7 @@ as follows: -New Backends +New Account Storage Systems Samba-3 introduces a number of new password backend capabilities. @@ -104,12 +155,21 @@ Samba-3 introduces a number of new password backend capabilities. tdbsam +rich database backend +PDC +BDC This backend provides a rich database backend for local servers. This backend is not suitable for multiple domain controllers (i.e., PDC + one or more BDC) installations. +extended SAM +TDB +binary format TDB +trivial database +system access controls +MS Windows NT4/200x The tdbsam password backend stores the old smbpasswd information plus the extended MS Windows NT/200x SAM information into a binary format TDB (trivial database) file. @@ -119,6 +179,9 @@ Samba-3 introduces a number of new password backend capabilities. +simple operation +OpenLDAP +ADS The inclusion of the tdbsam capability is a direct response to user requests to allow simple site operation without the overhead of the complexities of running OpenLDAP. It is recommended to use this only @@ -131,16 +194,28 @@ Samba-3 introduces a number of new password backend capabilities. ldapsam +rich directory backend +distributed account This provides a rich directory backend for distributed account installation. +LDAP +OpenLDAP +Samba schema +schema file +examples/LDAP Samba-3 has a new and extended LDAP implementation that requires configuration of OpenLDAP with a new format Samba schema. The new format schema file is included in the examples/LDAP directory of the Samba distribution. +expands control abilities +profile +home directories +account access controls +greater scalability The new LDAP implementation significantly expands the control abilities that were possible with prior versions of Samba. It is now possible to specify per-user profile settings, home directories, account access controls, and @@ -153,6 +228,8 @@ Samba-3 introduces a number of new password backend capabilities. mysqlsam (MySQL-based backend) +MySQL-based SAM +database backend It is expected that the MySQL-based SAM will be very popular in some corners. This database backend will be of considerable interest to sites that want to leverage existing MySQL technology. @@ -163,10 +240,10 @@ Samba-3 introduces a number of new password backend capabilities. pgsqlsam (PostGreSQL-based backend) - Stores user information in a PostgreSQL database. - This backend is largely undocumented at - the moment, though its configuration is very similar to - that of the mysqlsam backend. +PostgreSQL database +mysqlsam + Stores user information in a PostgreSQL database. This backend is largely undocumented at + the moment, though its configuration is very similar to that of the mysqlsam backend. @@ -175,13 +252,21 @@ Samba-3 introduces a number of new password backend capabilities. pdbedit +XML format +pdb2pdb Allows the account and password data to be stored in an XML format data file. This backend cannot be used for normal operation, it can only be used in conjunction with pdbedit's pdb2pdb - functionality. The DTD that is used might be subject to changes in the future. + functionality. The Document Type Definition (DTD) file that is used + might be subject to changes in the future. (See the XML reference for a definition + of XML terms.) +account migration +database backends +backend format The xmlsam option can be useful for account migration between database backends or backups. Use of this tool allows the data to be edited before migration into another backend format. @@ -199,39 +284,54 @@ Samba-3 introduces a number of new password backend capabilities. Technical Information +plaintext passwords +encrypted passwords Old Windows clients send plaintext passwords over the wire. Samba can check these passwords by encrypting them and comparing them to the hash stored in the UNIX user database. encrypted passwords - Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over the wire. The newest clients will send only encrypted - passwords and refuse to send plaintext passwords unless their registry is tweaked. +LanMan +plaintext passwords +registry + Newer Windows clients send encrypted passwords (LanMan and NT hashes) instead of plaintext passwords over + the wire. The newest clients will send only encrypted passwords and refuse to send plaintext passwords unless + their registry is tweaked. - These passwords can't be converted to UNIX-style encrypted passwords. Because of that, - you can't use the standard UNIX user database, and you have to store the LanMan and NT - hashes somewhere else. +UNIX-style encrypted passwords +converted + Many people ask why Samba can not simply use the UNIX password database. Windows requires + passwords that are encrypted in its own format. The UNIX passwords can't be converted to + UNIX-style encrypted passwords. Because of that, you can't use the standard UNIX user + database, and you have to store the LanMan and NT hashes somewhere else. +differently encrypted passwords +profile +workstations +tdbsam In addition to differently encrypted passwords, Windows also stores certain data for each user that is not stored in a UNIX user database: for example, workstations the user may logon from, the location where the user's profile is stored, and so on. Samba retrieves and stores this - information using a . Commonly available backends are LDAP, plain text - file, and MySQL. For more information, see the man page for &smb.conf; regarding the + information using a . Commonly available backends are LDAP, + tdbsam, plain text file, and MySQL. For more information, see the man page for &smb.conf; regarding the parameter.
IDMAP: Resolution of SIDs to UIDs. - idmap-sid2uid + idmap-sid2uid
SID +UID +SID The resolution of SIDs to UIDs is fundamental to correct operation of Samba. In both cases shown, if winbindd is not running or cannot be contacted, then only local SID/UID resolution is possible. See resolution of SIDs to UIDs and resolution of UIDs @@ -247,6 +347,12 @@ Samba-3 introduces a number of new password backend capabilities. Important Notes About Security +SMB password encryption +clear-text passwords +hashed password equivalent +LDAP +MYSQL +secret The UNIX and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The UNIX scheme typically sends clear-text passwords over the network when logging in. This is bad. The SMB encryption scheme @@ -262,18 +368,25 @@ Samba-3 introduces a number of new password backend capabilities. +password scheme +plaintext passwords +compatible Ideally, we would like a password scheme that involves neither plaintext passwords on the network nor plaintext passwords on disk. Unfortunately, this is not available because Samba is stuck with having to be compatible with other SMB systems (Windows NT, Windows for Workgroups, Windows 9x/Me). +encrypted passwords +plaintext passwords Windows NT 4.0 Service Pack 3 changed the default setting so plaintext passwords are disabled from being sent over the wire. This mandates either the use of encrypted password support or editing the Windows NT registry to re-enable plaintext passwords. +domain security +domain environment The following versions of Microsoft Windows do not support full domain security protocols, although they may log onto a domain environment: @@ -287,6 +400,9 @@ Samba-3 introduces a number of new password backend capabilities. +Windows XP Home +domain member +domain logons MS Windows XP Home does not have facilities to become a domain member, and it cannot participate in domain logons. @@ -304,6 +420,12 @@ Samba-3 introduces a number of new password backend capabilities. +SMB/CIFS +authentication +challenge/response mechanis +clear-text +encrypted +negotiate All current releases of Microsoft SMB/CIFS clients support authentication via the SMB challenge/response mechanism described here. Enabling clear-text authentication does not disable the ability of the client to participate in encrypted authentication. @@ -312,6 +434,11 @@ Samba-3 introduces a number of new password backend capabilities. +cached encrypted password +plaintext passwords +registry change +auto-reconnect +encrypted passwords MS Windows clients will cache the encrypted password alone. Where plaintext passwords are re-enabled through the appropriate registry change, the plaintext password is never cached. This means that in the event that a network connections should become disconnected @@ -324,26 +451,43 @@ Samba-3 introduces a number of new password backend capabilities. Advantages of Encrypted Passwords - Plaintext passwords are not passed across - the network. Someone using a network sniffer cannot just - record passwords going to the SMB server. + +passed across the network +network sniffer +SMB server + Plaintext passwords are not passed across the network. Someone using a network sniffer + cannot just record passwords going to the SMB server. + - Plaintext passwords are not stored anywhere in - memory or on disk. + +not stored anywhere +memory +disk + Plaintext passwords are not stored anywhere in memory or on disk. + - Windows NT does not like talking to a server - that does not support encrypted passwords. It will refuse - to browse the server if the server is also in user-level - security mode. It will insist on prompting the user for the - password on each connection, which is very annoying. The - only thing you can do to stop this is to use SMB encryption. + +encrypted passwords +user-level security +password prompt +SMB encryption + Windows NT does not like talking to a server that does not support encrypted passwords. It will refuse to + browse the server if the server is also in user-level security mode. It will insist on prompting the user for + the password on each connection, which is very annoying. The only thing you can do to stop this is to use SMB + encryption. - Encrypted password support allows automatic share - (resource) reconnects. + +encrypted password +automatic reconnects + Encrypted password support allows automatic share (resource) reconnects. + - Encrypted passwords are essential for PDC/BDC - operation. + +PDC +BDC + Encrypted passwords are essential for PDC/BDC operation. + @@ -352,15 +496,23 @@ Samba-3 introduces a number of new password backend capabilities. Advantages of Non-Encrypted Passwords - Plaintext passwords are not kept - on disk and are not cached in memory. + +cached in memory + Plaintext passwords are not kept on disk and are not cached in memory. + - Plaintext passwords use the same password file as other UNIX - services, such as Login and FTP. + +Login +FTP + Plaintext passwords use the same password file as other UNIX services, such as Login and FTP. + - Use of other services (such as Telnet and FTP) that - send plaintext passwords over the network makes sending them for SMB - is not such a big deal. + +Telnet +FTP + Use of other services (such as Telnet and FTP) that send plaintext passwords over + the network makes sending them for SMB is not such a big deal. +
@@ -369,26 +521,38 @@ Samba-3 introduces a number of new password backend capabilities. Mapping User Identifiers between MS Windows and UNIX +UID +SID +mapping Every operation in UNIX/Linux requires a user identifier (UID), just as in MS Windows NT4/200x this requires a security identifier (SID). Samba provides two means for mapping an MS Windows user to a UNIX/Linux UID. - First, all Samba SAM database accounts require - a UNIX/Linux UID that the account will map to. As users are added to the account - information database, Samba will call the - interface to add the account to the Samba host OS. In essence all accounts in - the local SAM require a local user account. +Samba SAM +SAM +UID +account information database +local user account + First, all Samba SAM database accounts require a UNIX/Linux UID that the account will map to. As users are + added to the account information database, Samba will call the + interface to add the account to the Samba host OS. In essence all accounts in the local SAM require a local + user account. idmap uid idmap gid - The second way to map Windows SID to UNIX UID is via the - idmap uid and idmap gid parameters in &smb.conf;. - Please refer to the man page for information about these parameters. - These parameters are essential when mapping users from a remote SAM server. + UID + SAM + foreign domain + non-member Windows client + SID + The second way to map Windows SID to UNIX UID is via the idmap uid and + idmap gid parameters in &smb.conf;. Please refer to the man page for information about + these parameters. These parameters are essential when mapping users from a remote (non-member Windows client + or a member of a foreign domain) SAM server. @@ -397,6 +561,12 @@ Samba-3 introduces a number of new password backend capabilities. Mapping Common UIDs/GIDs on Distributed Machines +UID +GID +BDC +domain member servers +NFS +rsync Samba-3 has a special facility that makes it possible to maintain identical UIDs and GIDs on all servers in a distributed network. A distributed network is one where there exists a PDC, one or more BDCs, and/or one or more domain member servers. Why is this important? @@ -405,6 +575,13 @@ Samba-3 introduces a number of new password backend capabilities. +LDAP-based +idmap backend +UID +GID +LDAP +SAM backend +LDAP idmap Backend idmap backend The special facility is enabled using a parameter called idmap backend. The default setting for this parameter is an empty string. Technically it is possible to use diff --git a/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml b/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml index ae658e28ea..fa7fdf72b9 100644 --- a/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml +++ b/docs/Samba3-HOWTO/TOSHARG-StandAloneServer.xml @@ -97,13 +97,12 @@ the Samba server is not a member of a domain security context. local smbpasswd file LDAP backend Winbind -Through the use of Pluggable Authentication Modules (PAM) and the name service switcher (NSS), -which maintains the UNIX-user database, the source of authentication may reside on -another server. We would be inclined to call this the authentication server. -This means that the Samba server may use the local UNIX/Linux system password database -(/etc/passwd or /etc/shadow), may use a -local smbpasswd file, or may use an LDAP backend, or even via PAM and Winbind another CIFS/SMB server -for authentication. +Through the use of Pluggable Authentication Modules (PAM) (see the chapter on PAM) +and the name service switcher (NSS), which maintains the UNIX-user database, the source of authentication may +reside on another server. We would be inclined to call this the authentication server. This means that the +Samba server may use the local UNIX/Linux system password database (/etc/passwd or +/etc/shadow), may use a local smbpasswd file, or may use an LDAP backend, or even via PAM +and Winbind another CIFS/SMB server for authentication. diff --git a/docs/Samba3-HOWTO/index.xml b/docs/Samba3-HOWTO/index.xml index b4d17d4176..05792762cf 100644 --- a/docs/Samba3-HOWTO/index.xml +++ b/docs/Samba3-HOWTO/index.xml @@ -16,7 +16,7 @@ - + @@ -152,7 +152,7 @@ The chapters in this part each cover specific Samba features. - + -- cgit