[Samba] Clarifying different password systems

Ross Boylan RossBoylan at stanfordalumni.org
Mon Oct 17 21:34:39 GMT 2005

On Fri, Oct 14, 2005 at 12:49:13AM -0600, John H Terpstra wrote:
> On Thursday 13 October 2005 12:36, Ross Boylan wrote:
> > I'm running samba 3.0.14a-6 on Debian GNU/Linux 2.4.  I believe that I
> > should be using pdbedit to add or modify users and their passwords,
> > but I want to double-check that.  I'd also like to suggest the
> > documentation could be clearer.
> Please direct me to the specific sections of the documentation that you 
> referred to to help me to understand where I have messed up. Humble apologies 
> if I have written bad documentation. Please help me to find my errors so I 
> can fix them.

I indicated some of the areas in the original message, and am now
looking for specifics.  I appreciate your willingness to clarify.

It's probably worth mentioning the context in which I was doing this:
at home, one machine running Linux the other Windows (ordinarily NT,
but boots other flavors).  I wanted to see the shares on the Windows
machine (which I believe is not strictly part of the samba suite), and
to present file and print services to the Windows machine from Linux.
In other words, I'm at the extremely simple end of the spectrum.

As a start on the specifics, consider the man page for smbpasswd
(parts that confused me excerpted).

"On a UNIX machine the encrypted SMB passwords are usually stored in
the smbpasswd(5) file."

"When run by root, smbpasswd allows new users to be added and deleted
in the smbpasswd file, as well as allows changes to the attributes of
the user in this file to be made. When run by root,  smbpasswd
accesses the local smbpasswd file directly,"

Options (sorry about the wrapping):
       -a     This option specifies that the username following should be
              added to the local smbpasswd file, with the new password typed
              (type <Enter> for the old password). This option is ignored if
              the username following already exists in the smbpasswd file and
              it is treated like a regular change password command. Note that
              the default passdb backends require the user to already exist in
              the system password file (usually /etc/passwd), else the request
              to add the user will fail.

              This option is only available when running smbpasswd as root.

       -x     This option specifies that the username following should be
              deleted from the local smbpasswd file.

              This option is only available when running smbpasswd as root.

       -d     This option specifies that the username following should be
              disabled in the local smbpasswd file. This is done by writing a
              'D' flag into the account control space in the smbpasswd file.
              Once this is done all attempts to authenticate via SMB using
              this username will fail.

              If the smbpasswd file is in the 'old' format (pre-Samba 2.0
              format) there is no space in the user's password entry to write
              this information and the command will FAIL. See smbpasswd(5) for
              details on the 'old' and new password file formats.

              This option is only available when running smbpasswd as root.

       -e     This option specifies that the username following should be
              enabled in the local smbpasswd file, if the account was
              previously disabled. If the account was not disabled this option
              has no effect. Once the account is enabled then the user will be
              able to authenticate via SMB once again.

              If the smbpasswd file is in the 'old' format, then smbpasswd
              will FAIL to enable the account. See smbpasswd(5) for details on
              the 'old'"

All of these gave me the impression that smbpasswd, the program, was
tightly connected to the smbpasswd file and the smbpasswd backend.

However, some options refer to other systems (e.g., LDAP, remote
hosts) and the note says "Since smbpasswd works in client-server mode
communicating with a local smbd for a non-root user".  It seems
reasonable to conclude that client-server mode is not sensitive to the
backend used by the server.

There are other areas of the documentation that also have this
ambiguity.  I think one of the problems is that smbpasswd has so many
* the name of a command
* an option for the backend in the configuration file
* the name of one of several systems for managing users and passwords
* the name of a file used by that system.


P.S. Thanks also for answering my specific questions.

> > I had earlier versions installed, and the upgrade seems to have
> > migrated me to the new password scheme. smb.conf has "passdb backend =
> > tdbsam guest"; there is no smbpasswd file in the location designated
> > in smb.conf or anywhere else according to locate; and there are
> > various tdb files.
> >
> > First uncertainty: is the smbpasswd program a general front end, like
> > pdbedit, or does it only work with the smbpasswd back end and file?
> > The man page and other documentation (e.g., 10.3 of the How To) seem
> > to provide evidence for both interpretations.
> The smbpasswd program uses the first argument (reading from left to right) 
> that has been specified to the passdb backend parameter in the smb.conf file.
> > Second uncertainty: the smb.conf man page, in the section "Note About
> > Username/Password Validation" discusses authentication mechanisms.  It
> > doesn't look to me as if the samba backend figures in this discussion.
> > The first item refers to "the UNIX system's password programs"; to me
> > this means the usual Unix mechanisms for password
> > verification and not SAMBA's special facilities.  However, those may
> > be programs, and they are on a UNIX system, so maybe that is
> > intended.  This is the only password matching mechanism discussed
> > explicitly in the whole section.  This section contains no hint of the
> > issues with encrypted vs clear-text passwords.
> >
> > The simple fact that one needs to set up users and passwords, at least
> > in some configurations (namely, the recommended ones for NT clients),
> > was not something that was obvious to me from the man pages, the How
> > To, and the cookbook.  It was so unobvious that I began to doubt it
> > was necessary, even though I had done it a few years ago (and since
> > kind of forgotten).
> >
> > To summarize the question and the comment:
> >
> > Given "passdb backend = tdbsam guest", " encrypt passwords = true",
> > and NT clients, does the smbpasswd command work on my system?
> Yes. If you execute "smbpasswd -a 'username'" it will add the SambaSAM account 
> entry to the tdbsam backend. This data will be written to the passdb.tdb 
> file in the /etc/samba directory (Linux).
> > Comment: the documentation on the use and setup of passwords was
> > obscure to me.  A few strategically placed sentences could help a lot
> > to clarify things.
> Once you figure this out please email me your corrections/clarifications to 
> the documentation. When will you contribute this vital information?
> - John T.
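
Added example, not part of the original message or of Samba's own tooling: a small Python parser that reads the `passdb backend` parameter from the `[global]` section of an smb.conf and returns its first entry, which the reply above says is the backend smbpasswd operates on. The sample configuration is constructed and the function names are hypothetical; the syntax handling (case- and whitespace-insensitive parameter names, backslash continuation, `#` and `;` comments, a repeated parameter overriding the earlier one) is assumed from the smb.conf format.

```python
import re

# Constructed sample smb.conf, modelled on the settings quoted in the thread.
SAMPLE_SMB_CONF = """\
# constructed sample, not a real configuration
[global]
   workgroup = HOME
   ; passdb backend = smbpasswd
   Passdb Backend = tdbsam \\
       guest
   encrypt passwords = true
[homes]
   browseable = no
"""

def _logical_lines(text):
    """Join lines ending in a backslash, then drop blanks and #/; comments."""
    buf = ""
    for raw in text.splitlines():
        if raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
            continue
        line = (buf + raw).strip()
        buf = ""
        if line and line[0] not in "#;":
            yield line

def passdb_backends(text):
    """Return the backend list from [global]; a later definition overrides."""
    section, backends = None, []
    for line in _logical_lines(text):
        m = re.fullmatch(r"\[(.*)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        name, value = line.split("=", 1)
        # Parameter names ignore case and internal whitespace.
        if re.sub(r"\s+", "", name).lower() == "passdbbackend":
            backends = value.split()
    return backends

def first_backend(text):
    """Name of the first backend (text before any ':' argument), or None."""
    backends = passdb_backends(text)
    return backends[0].split(":", 1)[0] if backends else None
```

For the constructed sample, `first_backend(SAMPLE_SMB_CONF)` returns `tdbsam`: the commented-out `smbpasswd` line is ignored and the continued line is joined before parsing.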
