[Samba] Clarifying different password systems

Fri Oct 14 06:49:13 GMT 2005

On Thursday 13 October 2005 12:36, Ross Boylan wrote:
> I'm running samba 3.0.14a-6 on Debian GNU/Linux 2.4.  I believe that I
> should be using pdbedit to add or modify users and their passwords,
> but I want to double-check that.  I'd also like to suggest the
> documentation could be clearer.

Please direct me to the specific sections of the documentation that you 
referred to to help me to understand where I have messed up. Humble apologies 
if I have written bad documentation. Please help me to find my errors so I 
can fix them.

> I had earlier versions installed, and the upgraded seems to have
> migrated me to the new password scheme. smb.conf has "passdb backend =
> tdbsam guest"; there is no smbpasswd file in the location designated
> in smb.conf or anywhere else according to locate; and there are
> various tdb files.
>
> First uncertainty: is the smbpasswd program a general front end, like
> pdbedit, or does it only work with the smbpasswd back end and file?
> The man page and other documentation (e.g., 10.3 of the How To) seem
> to provide evidence for both interpretations.

The smbpasswd program uses the first argument (reading from left to right) 
that has been specified to the passdb backend parameter in the smb.conf file.

> Second uncertainty: the smb.conf man page, in the section "Note About
> Username/Password Validation" discusses authentication mechanisms.  It
> doesn't look to me as if the samba backend figure in this discussion.
> The first item refers to "the UNIX system's password programs"; to me
> this means this means the usual Unix mechanisms for password
> verification and not SAMBA's special facilities.  However, those may
> be programs, and they are on a UNIX system, so maybe that is
> intended.  This is the only password matching mechanism discussed
> explicitly in the whole section.  This section contains no hint of the
> issues with encrypted vs clear-text passwords.
>
> The simple fact that one needs to set up users and passwords, at least
> in some configurations (namely, the recommended ones for NT clients),
> was not something that was obvious to me from the man pages, the How
> To, and the cookbook.  It was so unobvious that I began to doubt it
> was necessary, even though I had done it a few years ago (and since
> kind of forgotten).
>
> To summarize the question and the comment:
>
> Given "passdb backend = tdbsam guest", " encrypt passwords = true",
> and NT clients, does the smbpasswd command work on my system?

Yes. If you execute "smbpasswd -a 'username'" it will add the SambaSAM account 
enttry to the tdbsam backend. This data will be written to the passdb.tdb 
file in the /etc/samba directory (Linux).

> Comment: the documentation on the use and setup of passwords was
> obscure to me.  A few strategically placed sentences could help a lot
> to clarify things

Once you figure this out please email me your corrections/clarifications to 
the documentation. When will you contribute this vital information?

- John T.