From 8184969379bfb0880f9d3f4cc17f2c2b528dfd49 Mon Sep 17 00:00:00 2001 From: John Terpstra Date: Mon, 13 Aug 2007 13:14:52 +0000 Subject: Removal of multiple passdb backend notes. (This used to be commit 23c08492e7e34535d312d47e18ef83d237e2868a) --- docs/Samba3-HOWTO/TOSHARG-Passdb.xml | 137 ++++++++++++++++------------------- 1 file changed, 64 insertions(+), 73 deletions(-) (limited to 'docs') diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml index c327f78324..2283fbb89d 100644 --- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml +++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml @@ -14,7 +14,7 @@
olem@IDEALX.org
- + May 24, 2003 Account Information Databases @@ -24,10 +24,9 @@ password backends scalability ADS -Samba-3 implements a new capability to work concurrently with multiple account backends. -The possible new combinations of password backends allows Samba-3 a degree of flexibility -and scalability that previously could be achieved only with MS Windows Active Directory (ADS). -This chapter describes the new functionality and how to get the most out of it. +Early releases of Samba-3 implemented new capability to work concurrently with multiple account backends. This +capability was removed beginning with release of Samba 3.0.23. Commencing with Samba 3.0.23 it is possible to +work with only one specified passwd backend. @@ -111,7 +110,7 @@ as follows: LanMan and NT-encrypted passwords as well as a field that stores some account information. This form of password backend does not store any of the MS Windows NT/200x SAM (Security Account Manager) information required to - provide the extended controls that are needed for more comprehensive + provide the extended controls that are needed for more comprehensive interoperation with MS Windows NT4/200x servers. @@ -194,7 +193,7 @@ Samba-3 introduces a number of new password backend capabilities. rich directory backend distributed account - This provides a rich directory backend for distributed account installation. + This provides a rich directory backend for distributed account installation. @@ -240,7 +239,7 @@ Samba-3 introduces a number of new password backend capabilities. -encrypted passwords +encrypted passwords LanMan plaintext passwords registry 
@@ -253,11 +252,11 @@ Samba-3 introduces a number of new password backend capabilities. UNIX-style encrypted passwords converted Many people ask why Samba cannot simply use the UNIX password database. Windows requires - passwords that are encrypted in its own format. The UNIX passwords can't be converted to + passwords that are encrypted in its own format. The UNIX passwords can't be converted to UNIX-style encrypted passwords. Because of that, you can't use the standard UNIX user database, and you have to store the LanMan and NT hashes somewhere else. - + differently encrypted passwords profile @@ -267,7 +266,7 @@ Samba-3 introduces a number of new password backend capabilities. user that is not stored in a UNIX user database: for example, workstations the user may logon from, the location where the user's profile is stored, and so on. Samba retrieves and stores this information using a . Commonly available backends are LDAP, - tdbsam, and plain text file. For more information, see the man page for &smb.conf; regarding the + tdbsam, and plain text file. For more information, see the man page for &smb.conf; regarding the parameter. @@ -294,7 +293,7 @@ Samba-3 introduces a number of new password backend capabilities. Important Notes About Security - + SMB password encryption clear-text passwords 
@@ -304,7 +303,7 @@ Samba-3 introduces a number of new password backend capabilities. The UNIX and SMB password encryption techniques seem similar on the surface. This similarity is, however, only skin deep. The UNIX scheme typically sends clear-text passwords over the network when logging in. This is bad. The SMB encryption scheme - never sends the clear-text password over the network, but it does store the 16-byte + never sends the clear-text password over the network, but it does store the 16-byte hashed values on disk. This is also bad. Why? Because the 16 byte hashed values are a password equivalent. You cannot derive the user's password from them, but they could potentially be used in a modified client to gain access to a server. @@ -314,7 +313,7 @@ Samba-3 introduces a number of new password backend capabilities. passwords of all your users. Its contents must be kept secret, and the file should be protected accordingly. - + password scheme plaintext passwords @@ -331,7 +330,7 @@ Samba-3 introduces a number of new password backend capabilities. are disabled from being sent over the wire. This mandates either the use of encrypted password support or editing the Windows NT registry to re-enable plaintext passwords. - + domain security domain environment @@ -366,7 +365,7 @@ Samba-3 introduces a number of new password backend capabilities. Windows 200x Server/Advanced Server. Windows XP Professional. - + SMB/CIFS authentication @@ -413,7 +412,7 @@ Samba-3 introduces a number of new password backend capabilities. disk Plaintext passwords are not stored anywhere in memory or on disk. - + encrypted passwords user-level security @@ -448,13 +447,13 @@ Samba-3 introduces a number of new password backend capabilities. cached in memory Plaintext passwords are not kept on disk and are not cached in memory. - + Login FTP Plaintext passwords use the same password file as other UNIX services, such as Login and FTP. - + Telnet FTP 
@@ -593,7 +592,7 @@ Samba-3 introduces a number of new password backend capabilities. RFC 2307 PADL idmap_ad: An IDMAP backend that supports the Microsoft Services for - UNIX RFC 2307 schema available from the PADL Web + UNIX RFC 2307 schema available from the PADL Web site. @@ -646,7 +645,7 @@ Samba-3 introduces a number of new password backend capabilities. through intermediate tools and utilities. The total environment that consists of the LDAP directory and the middle-ware tools and utilities makes it possible for all user access to the UNIX platform to be managed from a central environment and yet distributed to wherever the point of need may - be physically located. Applications that benefit from this infrastructure include: UNIX login + be physically located. Applications that benefit from this infrastructure include: UNIX login shells, mail and messaging systems, quota controls, printing systems, DNS servers, DHCP servers, and also Samba. @@ -673,7 +672,7 @@ Samba-3 introduces a number of new password backend capabilities. Information Tree (DIT) may impact current and future site needs, as well as the ability to meet them. The way that Samba SAM information should be stored within the DIT varies from site to site and with each implementation new experience is gained. It is well understood by LDAP veterans that - first implementations create awakening, second implementations of LDAP create fear, and + first implementations create awakening, second implementations of LDAP create fear, and third-generation deployments bring peace and tranquility. @@ -825,7 +824,7 @@ Samba-3 introduces a number of new password backend capabilities. machine accounts management tools Samba provides two tools for management of user and machine accounts: -smbpasswd and pdbedit. +smbpasswd and pdbedit. 
@@ -851,7 +850,7 @@ is being added to the net toolset (see set to NULL user passwords. manage interdomain trust accounts. - + To run smbpasswd as a normal user, just type: - + &prompt;smbpasswd @@ -911,27 +910,27 @@ is being added to the net toolset (see account policy User AccountsAdding/Deleting pdbedit is a tool that can be used only by root. It is used to - manage the passdb backend, as well as domain-wide account policy settings. pdbedit + manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to: @@ -1122,10 +1121,10 @@ is being added to the net toolset (see default settings The flags can be reset to the default settings by executing: -&rootprompt; pdbedit -r -c "[]" jra +&rootprompt; pdbedit -r -c "[]" jht Unix username: jht NT username: jht Account Flags: [U ] @@ -1635,7 +1634,8 @@ To set the maximum (infinite) lockout time use the value of -1. Account policies must be set individually on each PDC and BDC. At this time (Samba 3.0.11 to Samba 3.0.14a) account policies are not replicated automatically. This may be fixed before Samba 3.0.20 ships or some -time there after. +time there after. Please check the WHATSNEW.txt file in the Samba-3 tarball for specific update notiations +regarding this facility. @@ -1643,26 +1643,21 @@ time there after. - Account Migration + Account Import/Export pdbedit -migrate accounts +iccount mport/export authentication - The pdbedit tool allows migration of authentication (account) - databases from one backend to another. For example, to migrate accounts from an + The pdbedit tool allows import/export of authentication (account) + databases from one backend to another. For example, to import/export accounts from an old smbpasswd database to a tdbsam backend: - Set the tdbsam, smbpasswd. - - - pdbedit - Execute: &rootprompt;pdbedit -i smbpasswd -e tdbsam 
@@ -1670,8 +1665,8 @@ time there after. smbpasswd - Remove the smbpasswd from the passdb backend - configuration in &smb.conf;. + Replace the smbpasswd with tdbsam in the + passdb backend configuration in &smb.conf;. @@ -1685,26 +1680,22 @@ time there after. account database SMB/CIFS server -Samba offers the greatest flexibility in backend account database design of any SMB/CIFS server -technology available today. The flexibility is immediately obvious as one begins to explore this -capability. +Samba offers flexibility in backend account database design. The flexibility is immediately obvious as one +begins to explore this capability. Recent changes to Samba (since 3.0.23) have removed the mulitple backend +feature in order to simplify problems that broke some installations. This removal has made the internal +operation of Samba-3 more consistent and predictable. multiple backends tdbsam databases -It is possible to specify not only multiple password backends, but even multiple -backends of the same type. For example, to use two different tdbsam databases: - - -tdbsam:/etc/samba/passdb.tdb tdbsam:/etc/samba/old-passdb.tdb - - -What is possible is not always sensible. Be careful to avoid complexity to the point that it -may be said that the solution is too clever by half! +Beginning with Samba 3.0.23 it is no longer possible to specify use of mulitple passdb backends. Earlier +versions of Samba-3 made it possible to specify multiple password backends, and even multiple +backends of the same type. The multiple passdb backend capability caused many problems with name to SID and +SID to name ID resolution. The Samba team wrestled with the challenges and decided that this feature needed +to be removed. - Plaintext 
@@ -1715,9 +1706,9 @@ may be said that the solution is too clever by half! password encryption /etc/passwd PAM - Older versions of Samba retrieved user information from the UNIX user database + Older versions of Samba retrieved user information from the UNIX user database and eventually some other fields from the file /etc/samba/smbpasswd - or /etc/smbpasswd. When password encryption is disabled, no + or /etc/smbpasswd. When password encryption is disabled, no SMB-specific data is stored at all. Instead, all operations are conducted via the way that the Samba host OS will access its /etc/passwd database. On most Linux systems, for example, all user and group resolution is done via PAM. @@ -1782,7 +1773,7 @@ may be said that the solution is too clever by half! As a result of these deficiencies, a more robust means of storing user attributes used by smbd was developed. The API that defines access to user accounts is commonly referred to as the samdb interface (previously, this was called the passdb - API and is still so named in the Samba source code trees). + API and is still so named in the Samba source code trees). @@ -2218,7 +2209,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz LDAP smbd The following parameters are available in &smb.conf; only if your version of Samba was built with - LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. The + LDAP support. Samba automatically builds with LDAP support if the LDAP libraries are found. The best method to verify that Samba was built with LDAP support is: &rootprompt; smbd -b | grep LDAP @@ -2256,7 +2247,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz - These are described in the &smb.conf; man page and so are not repeated here. However, an example + These are described in the &smb.conf; man page and so are not repeated here. However, an example for use with an LDAP directory is shown in the Configuration with LDAP. 
@@ -2337,7 +2328,7 @@ userPassword: {SSHA}c3ZM9tBaBo9autm1dL3waDS21+JSfQVz For now, there is no NT-like group system management (global and local groups). Samba-3 knows only about Domain Groups and, unlike MS Windows 2000 and Active Directory, Samba-3 does not - support nested groups. + support nested groups. @@ -2417,7 +2408,7 @@ access to attrs=SambaLMPassword,SambaNTPassword LDAP Special Attributes for sambaSamAccounts The sambaSamAccount ObjectClass is composed of the attributes shown in next tables: Part A, and Part B. + linkend="attribobjclPartA">Part A, and Part B. @@ -2445,12 +2436,12 @@ access to attrs=SambaLMPassword,SambaNTPassword sambaKickoffTimeSpecifies the time (UNIX time format) when the user will be locked down and cannot login any longer. If this attribute is omitted, then the account will never expire. - Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to + Using this attribute together with shadowExpire of the shadowAccount ObjectClass will enable accounts to expire completely on an exact date.sambaPwdCanChangeSpecifies the time (UNIX time format) after which the user is allowed to change his password. If this attribute is not set, the user will be free - to change his password whenever he wants. + to change his password whenever he wants.sambaPwdMustChangeSpecifies the time (UNIX time format) when the user is forced to change his password. If this value is set to 0, the user will have to change his password at first login. @@ -2663,7 +2654,7 @@ sambaNTPassword: 878D8014606CDA29677A44EFA1353FC7 I've installed Samba, but now I can't log on with my UNIX account! - Make sure your user has been added to the current Samba . + Make sure your user has been added to the current Samba . Read the Account Management Tools, for details. -- cgit
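Review bot: in hunk @@ -24,10 +24,9 @@ the new abstract says "only one specified passwd backend", but the parameter the chapter documents is `passdb backend` (the same patch uses that name later: "Replace the smbpasswd with tdbsam in the passdb backend configuration"); "passwd backend" will be read as a reference to /etc/passwd. The same sentence pair also repeats "3.0.23" twice and "implemented new capability" needs an article. Suggest: "Early releases of Samba-3 implemented a new capability to work concurrently with multiple account backends. This capability was removed in Samba 3.0.23; from that release only a single passdb backend can be specified."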
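Review bot: the run of whitespace-only hunks beginning at @@ -111,7 +110,7 @@ (trailing-space removal on otherwise unchanged lines, continuing through the @@ -2256 and @@ -2417 hunks) is unrelated to the stated subject and makes the five substantive hunks harder to find in a 137-line diff; consider committing the whitespace cleanup separately so the content change can be reviewed on its own.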
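Review bot: in hunk @@ -1635,7 +1634,8 @@ the added line has "notiations" for "notifications", and "some time there after" should be "some time thereafter". The sentence kept just above it, "This may be fixed before Samba 3.0.20 ships", is now stale: the same patch documents behaviour as of 3.0.23, so either state whether account policies are replicated in 3.0.23 or drop the speculation and keep only the pointer to WHATSNEW.txt.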
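Review bot: in hunk @@ -1643,26 +1643,21 @@ the added index term "iccount mport/export" is garbled (should be "account import/export") and will surface as-is in the generated index. The added prose also uses "import/export" as a verb twice ("allows import/export of authentication (account) databases", "to import/export accounts from an old smbpasswd database"); the command shown, `pdbedit -i smbpasswd -e tdbsam`, reads from the smbpasswd backend and writes to tdbsam, so "to export accounts from an old smbpasswd database to a tdbsam backend" is clearer. With the "Set the tdbsam, smbpasswd" step removed, the procedure no longer says what `passdb backend` should be set to while the command runs and the following hunk only changes it afterwards; spell out that order so an administrator on 3.0.23 does not try to list both backends to make the step work.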
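Review bot: hunk @@ -1670,8 +1665,8 @@ ends the procedure at "Replace the smbpasswd with tdbsam in the passdb backend configuration" without saying what to do with the old smbpasswd file. The chapter's own security notes (hunk @@ -304) state that the stored 16-byte hashes are a password equivalent; after the export, the smbpasswd file is a second, now-unused copy of every hash, so add a step to remove it (or at minimum keep it root-only), and note that the new tdbsam file needs the same protection the text already demands for smbpasswd.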
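Review bot: in hunk @@ -1685,26 +1680,22 @@ "mulitple" appears twice in the added lines ("removed the mulitple backend feature", "specify use of mulitple passdb backends"). "in order to simplify problems that broke some installations" should be "to eliminate problems that broke some installations", and "name to SID and SID to name ID resolution" reads better as "name-to-SID and SID-to-name resolution". The removed example `tdbsam:/etc/samba/passdb.tdb tdbsam:/etc/samba/old-passdb.tdb` is worth keeping, labelled as pre-3.0.23 syntax that, per the new text, no longer works, since administrators upgrading with that line in smb.conf need to recognise what has to change.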