From 20967627378194121bc48bf387838b8bd7682478 Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Tue, 18 Mar 2003 16:48:14 +0000
Subject: Regenerate

(This used to be commit 25db62e3101dbcae8e9daee3cb16430297afa223)
---
 docs/htmldocs/passdb.html | 370 +++++++++++++++++++++-------------------------
 1 file changed, 169 insertions(+), 201 deletions(-)

(limited to 'docs/htmldocs/passdb.html')

diff --git a/docs/htmldocs/passdb.html b/docs/htmldocs/passdb.html index f53641624a..7a8fb7fdec 100644 --- a/docs/htmldocs/passdb.html +++ b/docs/htmldocs/passdb.html @@ -5,7 +5,7 @@ >User information database

3.1. Introduction

3.1. Introduction

Old windows clients send plain text passwords over the wire. Samba can check these passwords by crypting them and comparing them @@ -121,9 +121,9 @@ CLASS="SECT1" >

3.2. Important Notes About Security

3.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The unix @@ -229,9 +229,9 @@ CLASS="SECT2" >

3.2.1. Advantages of SMB Encryption

3.2.1. Advantages of SMB Encryption

3.2.2. Advantages of non-encrypted passwords

3.2.2. Advantages of non-encrypted passwords

3.3. The smbpasswd Command

3.3. The smbpasswd Command

The smbpasswd utility is a utility similar to the

To run smbpasswd as a normal user just type :

$ $ smbpasswdsmbpasswd

Old SMB password: Old SMB password: <type old value here - - or hit return if there was no old password><type old value here - + or hit return if there was no old password>

New SMB Password: New SMB Password: <type new value> - <type new value> +

Repeat New SMB Password: Repeat New SMB Password: <re-type new value - <re-type new value +

If the old value does not match the current value stored for @@ -411,9 +403,9 @@ CLASS="SECT1" >

3.4. Plain text

3.4. Plain text

Older versions of samba retrieved user information from the unix user database and eventually some other fields from the file

3.5. TDB

3.5. TDB

Samba can also store the user data in a "TDB" (Trivial Database). Using this backend doesn't require any additional configuration. This backend is recommended for new installations who @@ -444,17 +436,17 @@ CLASS="SECT1" >

3.6. LDAP

3.6. LDAP

3.6.1. Introduction

3.6.1. Introduction

This document describes how to use an LDAP directory for storing Samba user account information traditionally stored in the smbpasswd(5) file. It is @@ -520,9 +512,9 @@ CLASS="SECT2" >

3.6.2. Introduction

3.6.2. Introduction

Traditionally, when configuring --with-ldapsam--with-ldapsam or ---with-tdbsam--with-tdbsam) requires compile time support.

When compiling Samba to include the When compiling Samba to include the --with-ldapsam--with-ldapsam autoconf option, smbd (and associated tools) will store and lookup user accounts in an LDAP directory. In reality, this is very easy to understand. If you are comfortable with using an smbpasswd file, simply replace "smbpasswd" with "LDAP directory" in all the documentation.

There are a few points to stress about what the There are a few points to stress about what the --with-ldapsam--with-ldapsam does not provide. The LDAP support referred to in the this documentation does not include:
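Review bot: Section 3.6.2 carries the heading "Introduction", the same title the previous hunk gives 3.6.1, so the LDAP chapter ends up with two consecutive sections that a table of contents or a cross-reference cannot tell apart. The 3.6.2 text is about the --with-ldapsam compile-time option and what it does not provide, so give it a title that says so. The context sentence "referred to in the this documentation" also has a doubled article. As the subject line says this file is regenerated, both fixes belong in the documentation source, followed by another regeneration, not in this HTML.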

3.6.3. Supported LDAP Servers

3.6.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 has been developed and tested using the OpenLDAP 2.0 server and client libraries. The same code should be able to work with @@ -662,9 +646,9 @@ CLASS="SECT2" >

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

3.6.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in /etc/passwd entry, so is the sambaAccount object meant to supplement the UNIX user account information. A sambaAccount is a -STRUCTURALSTRUCTURAL objectclass so it can be stored individually in the directory. However, there are several fields (e.g. uid) which overlap with the posixAccount objectclass outlined in RFC2307. This is by design.
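Review bot: The release numbers disagree between these two sections: the 3.6.3 context says the LDAP samdb code "in 2.2.3" was developed and tested with OpenLDAP 2.0, while the 3.6.4 paragraph here opens with "Samba 3.0 includes the necessary schema file". A reader deploying the LDAP backend cannot tell which release the tested-server statement applies to. Either update the 2.2.3 reference in the source or say explicitly that the testing claim dates from 2.2.3, then regenerate.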

3.6.5. Configuring Samba with LDAP

3.6.5. Configuring Samba with LDAP

3.6.5.1. OpenLDAP configuration

3.6.5.1. OpenLDAP configuration

To include support for the sambaAccount object in an OpenLDAP directory server, first copy the samba.schema file to slapd's configuration directory.

root# root# cp samba.schema /etc/openldap/schema/

3.6.5.2. Configuring Samba

3.6.5.2. Configuring Samba

The following parameters are available in smb.conf only with The following parameters are available in smb.conf only with --with-ldapsam--with-ldapsam was included with compiling Samba.

secretpwsecretpw' to store the # passphrase in the secrets.tdb file. If the "ldap admin dn" values # changes, this password will need to be reset. @@ -920,7 +900,7 @@ CLASS="REPLACEABLE" ldap suffix = "ou=people,dc=samba,dc=org" # generally the default ldap search filter is ok - # ldap filter = "(&(uid=%u)(objectclass=sambaAccount))"

3.6.6. Accounts and Groups management

3.6.6. Accounts and Groups management

As users accounts are managed thru the sambaAccount objectclass, you should modify you existing administration tools to deal with sambaAccount attributes.

3.6.7. Security and sambaAccount

3.6.7. Security and sambaAccount

There are two important points to remember when discussing the security of sambaAccount entries in the directory.

3.6.8. LDAP specials attributes for sambaAccounts

3.6.8. LDAP specials attributes for sambaAccounts

The sambaAccount objectclass is composed of the following attributes:
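Review bot: The 3.6.8 heading reads "LDAP specials attributes for sambaAccounts" on both sides of the change; it should be "LDAP special attributes". The 3.6.6 context line has the same kind of slip ("users accounts are managed thru", "modify you existing"), so a proofreading pass over the source before the next regeneration would catch all three.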
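Review bot: In the smbpasswd session under 3.3, the placeholder on the "Repeat New SMB Password:" line is left unclosed ("<re-type new value") on both the removed and the added side, while the two prompts before it close theirs ("<type new value>"). Add the missing ">" in the documentation source so the regenerated page shows three consistent placeholders.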