From cdd3fa410a6b9f0ddc778149175f3ba7e8a7095d Mon Sep 17 00:00:00 2001
From: Jelmer Vernooij
Date: Thu, 17 Apr 2003 19:15:22 +0000
Subject: Regenerate docs (This used to be commit 13a4cd540a1c193e77d973b9dac5bc2d9e7a5353)
---
 docs/htmldocs/passdb.html | 345 ++++++++++++++++++++++++++++++++--------------
 1 file changed, 245 insertions(+), 100 deletions(-)

diff --git a/docs/htmldocs/passdb.html b/docs/htmldocs/passdb.html
index 35a941b63a..0b3fb11a2a 100644
--- a/docs/htmldocs/passdb.html
+++ b/docs/htmldocs/passdb.html
@@ -74,14 +74,164 @@ CLASS="CHAPTER" >Chapter 3. User information databaseChapter 4. User information database
Table of Contents
4.1. Introduction
4.2. Important Notes About Security
4.2.1. Advantages of SMB Encryption
4.2.2. Advantages of non-encrypted passwords
4.3. The smbpasswd Command
4.4. Plain text
4.5. TDB
4.6. LDAP
4.6.1. Introduction
4.6.2. Introduction
4.6.3. Supported LDAP Servers
4.6.4. Schema and Relationship to the RFC 2307 posixAccount
4.6.5. Configuring Samba with LDAP
4.6.5.1. OpenLDAP configuration
4.6.5.2. Configuring Samba
4.6.6. Accounts and Groups management
4.6.7. Security and sambaAccount
4.6.8. LDAP specials attributes for sambaAccounts
4.6.9. Example LDIF Entries for a sambaAccount
4.7. MySQL
4.7.1. Creating the database
4.7.2. Configuring
4.7.3. Using plaintext passwords or encrypted password
4.7.4. Getting non-column data from the table
4.8. XML

3.1. Introduction4.1. Introduction

Old windows clients send plain text passwords over the wire. @@ -121,8 +271,8 @@ CLASS="SECT1" >

3.2. Important Notes About Security4.2. Important Notes About Security

The unix and SMB password encryption techniques seem similar @@ -248,44 +398,62 @@ BORDER="0" >

Note :All current release of - Microsoft SMB/CIFS clients support authentication via the - SMB Challenge/Response mechanism described here. Enabling - clear text authentication does not disable the ability - of the client to participate in encrypted authentication.

MS Windows clients will cache the encrypted password alone. - Even when plain text passwords are re-enabled, through the appropriate - registry change, the plain text password is NEVER cached. This means that - in the event that a network connections should become disconnected (broken) - only the cached (encrypted) password will be sent to the resource server - to affect a auto-reconnect. If the resource server does not support encrypted - passwords the auto-reconnect will fail. USE OF ENCRYPTED PASSWORDS - IS STRONGLY ADVISED.

3.2.1. Advantages of SMB Encryption4.2.1. Advantages of SMB Encryption

3.2.2. Advantages of non-encrypted passwords4.2.2. Advantages of non-encrypted passwords

3.3. The smbpasswd Command4.3. The smbpasswd Command

The smbpasswd utility is a utility similar to the @@ -461,8 +629,8 @@ CLASS="SECT1" >

3.4. Plain text4.4. Plain text

Older versions of samba retrieved user information from the unix user database @@ -481,8 +649,8 @@ CLASS="SECT1" >

3.5. TDB4.5. TDB

Samba can also store the user data in a "TDB" (Trivial Database). Using this backend @@ -494,16 +662,16 @@ CLASS="SECT1" >

3.6. LDAP4.6. LDAP

3.6.1. Introduction4.6.1. Introduction

This document describes how to use an LDAP directory for storing Samba user @@ -570,8 +738,8 @@ CLASS="SECT2" >

3.6.2. Introduction4.6.2. Introduction

Traditionally, when configuring As a result of these defeciencies, a more robust means of storing user attributes used by smbd was developed. The API which defines access to user accounts is commonly referred to as the samdb interface (previously this was called the passdb -API, and is still so named in the CVS trees). In Samba 2.2.3, enabling support -for a samdb backend (e.g. --with-ldapsam or ---with-tdbsam) requires compile time support.

When compiling Samba to include the --with-ldapsam autoconf -option, smbd (and associated tools) will store and lookup user accounts in -an LDAP directory. In reality, this is very easy to understand. If you are -comfortable with using an smbpasswd file, simply replace "smbpasswd" with -"LDAP directory" in all the documentation.

There are a few points to stress about what the --with-ldapsam +>There are a few points to stress about what the ldapsam does not provide. The LDAP support referred to in the this documentation does not include:

3.6.3. Supported LDAP Servers4.6.3. Supported LDAP Servers

The LDAP samdb code in 2.2.3 (and later) has been developed and tested @@ -705,8 +853,8 @@ CLASS="SECT2" >

3.6.4. Schema and Relationship to the RFC 2307 posixAccount4.6.4. Schema and Relationship to the RFC 2307 posixAccount

Samba 3.0 includes the necessary schema file for OpenLDAP 2.0 in @@ -762,16 +910,16 @@ CLASS="SECT2" >

3.6.5. Configuring Samba with LDAP4.6.5. Configuring Samba with LDAP

3.6.5.1. OpenLDAP configuration4.6.5.1. OpenLDAP configuration

To include support for the sambaAccount object in an OpenLDAP directory @@ -817,9 +965,7 @@ include /etc/openldap/schema/core.schema include /etc/openldap/schema/cosine.schema include /etc/openldap/schema/inetorgperson.schema include /etc/openldap/schema/samba.schema - -## uncomment this line if you want to support the RFC2307 (NIS) schema -## include /etc/openldap/schema/nis.schema +include /etc/openldap/schema/nis.schema ....

3.6.5.2. Configuring Samba4.6.5.2. Configuring Samba

The following parameters are available in smb.conf only with

3.6.6. Accounts and Groups management4.6.6. Accounts and Groups management

As users accounts are managed thru the sambaAccount objectclass, you should @@ -993,8 +1139,8 @@ CLASS="SECT2" >

3.6.7. Security and sambaAccount4.6.7. Security and sambaAccount

There are two important points to remember when discussing the security @@ -1029,9 +1175,8 @@ CLASS="EMPHASIS" >These password hashes are clear text equivalents and can be used to impersonate the user without deriving the original clear text strings. For more information on the details of LM/NT password hashes, refer to the ENCRYPTION chapterUser Database of the Samba-HOWTO-Collection.

To remedy the first security issue, the "ldap ssl" smb.conf parameter defaults @@ -1072,8 +1217,8 @@ CLASS="SECT2" >

3.6.8. LDAP specials attributes for sambaAccounts4.6.8. LDAP specials attributes for sambaAccounts

The sambaAccount objectclass is composed of the following attributes:

3.6.9. Example LDIF Entries for a sambaAccount4.6.9. Example LDIF Entries for a sambaAccount

The following is a working LDIF with the inclusion of the posixAccount objectclass:

3.7. MySQL4.7. MySQL

3.7.1. Creating the database4.7.1. Creating the database

You either can set up your own table and specify the field names to pdb_mysql (see below @@ -1382,8 +1527,8 @@ CLASS="SECT2" >

3.7.2. Configuring4.7.2. Configuring

This plugin lacks some good documentation, but here is some short info:

3.7.3. Using plaintext passwords or encrypted password4.7.3. Using plaintext passwords or encrypted password

I strongly discourage the use of plaintext passwords, however, you can use them:

3.7.4. Getting non-column data from the table4.7.4. Getting non-column data from the table

It is possible to have not all data in the database and making some 'constant'.

3.8. XML4.8. XML

This module requires libxml2 to be installed.
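
Review bot: Sections 4.6.1 and 4.6.2 are both titled "Introduction" in the added table of contents and in the section headings of the LDAP part, so the two entries cannot be told apart. Since this file is generated output, give one of them a distinct title in the documentation source and regenerate.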
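
Review bot: In the hunk at -248,44 (the note under 4.2), the visible removed lines include the statement that the plain text password is never cached and the sentence "USE OF ENCRYPTED PASSWORDS IS STRONGLY ADVISED", and the generated HTML gives no way to tell a markup change from a content change. Please confirm against the documentation source that this security guidance is still present in the regenerated page, and consider committing the source change alongside the regenerated output so the two can be compared.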
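
Review bot: In the 4.6.2 hunk, the replacement sentence now reads "what the ldapsam does not provide", which no longer parses once the --with-ldapsam option name is dropped, and the surrounding context still carries "defeciencies" and "in the this documentation". The same hunk removes the paragraphs on --with-ldapsam and --with-tdbsam compile-time support, and the visible lines show no replacement text telling the reader how the backend is enabled; fix the wording and add that pointer in the source.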
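
Review bot: In the OpenLDAP configuration hunk (4.6.5.1), the slapd.conf example now has "include /etc/openldap/schema/nis.schema" unconditionally, and the two comment lines that marked it as needed only for RFC2307 (NIS) support are gone. If nis.schema is now required, say so and say why in the text around the example; otherwise keep it commented out as optional, because readers will copy this block as is.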
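
Review bot: In the 4.6.7 hunk, the pointer for details on LM/NT password hashes changes from the ENCRYPTION chapter to "User Database", which looks like this chapter itself (Chapter 4. User information database). Check that the link lands on the part that actually explains the hashes, such as 4.2 Important Notes About Security, rather than the chapter top, since this sentence is the one warning that the hashes are clear text equivalents.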