[Samba] pam_smbpass.so passdb.tdb support
John H Terpstra
jht at samba.org
Mon Jul 5 23:41:59 MDT 2010
On 07/05/2010 11:33 PM, Kandukuru_Suresh at emc.com wrote:
> Dear John T and samba list,
> Can you please help me to understand following things. I have browsed
> the net , points are not clear to me.
> 1) What exactly doesn't work with the existing smbpasswd based
> d2593073 This form of password backend does not store any of the MS
> Windows NT/200x SAM (Security Account Manager) information required to
> provide the extended controls that are needed for more comprehensive
> interoperation with MS Windows NT4/200x servers.
Here is a comparison of what is stored in smbpasswd v's tdbsam/ldapsam:
Description smbpasswd tdbsam/ldapsam
------------- ---------- ---------------
unix username yes yes
Unix UID yes no
LanManPassword (*) can can
NTPassword yes yes
NT username no yes
Account Flags yes yes
User SID no yes
Primary Group SID no yes
Full Name no yes
Home Directory no yes
Homedir Drive no yes
Logon script no yes
Profile Path no yes
Domain no yes
Account Description no yes
Workstations no yes
Munged dial string no yes
Logon time no yes
Logoff time no yes
Password last set yes (**) yes
Password can change no yes
Password must change no yes
Last bad password no yes
Bad password count no yes
Logon hours no yes
Note (*): LanManPassword is obsoleted, is needed only for Windows 9X
Note (**): The password last set info is represented as LCT time in
The information that can not be stored in smbpasswd can be generated
on-the-fly from smb.conf default settings, but it is not possible to
store these on a per-user basis.
> what exactly is the above point? is it the only one limitation?. is
> there any other limitations?.please let me know if any other.
Please refer to Microsoft Windows NT4 knowledge-base resource to learn
more of why the tsbsam and ldapsam parameters are important.
> 2) Can we easily convert an existing smbpasswd file to the new format
> and allow system authentication to work uninterrupted?
The smbpasswd file can be migrated to the tdbsam/ldapsam formats by
pdbedit -i smbpasswd -e tdbsam
pdbedit -i smbpasswd -e ldapsam
The reverse is also possible.
- John T.
> -----Original Message-----
> From: Kandukuru, Suresh
> Sent: Saturday, July 03, 2010 9:02 PM
> To: 'jht at samba.org'
> Subject: RE: [Samba] pam_smbpass.so passdb.tdb support
> Thanks John, Created bug at
> Thanks again.
> -----Original Message-----
> From: John H Terpstra [mailto:jht at samba.org]
> Sent: Saturday, July 03, 2010 7:56 PM
> To: Kandukuru, Suresh
> Cc: samba at lists.samba.org
> Subject: Re: [Samba] pam_smbpass.so passdb.tdb support
> On 07/03/2010 08:50 AM, Kandukuru_Suresh at emc.com wrote:
>> Dear JHT,
>> Thanks for the quick reply.in
>> http://www.samba.org/samba/history/samba-3.4.0.html .
>> Samba team is recommending to use tdbsam.
> Not just recommending - it is the default now. The smbpasswd file can
> not contain the information needed to fully support current MS Windows
> clients. The result is the smbpasswd format storage of MS Windows
> networking credentials has been obsoleted.
>> just wanted to know one thing,
>> from samba 3.4 default backend has been changed to tdbsam , why for
>> of the module "pam_smbpass" in samba code is still looking for
>> in smbpasswd?.is there any patch for that?.
> The pam_smbpasswd module has not been updated because noone has
> contributed the necessary patches. The tdbsam backend has been
> available since September 2003, so my take on this is that VERY few
> people use pam_smbpasswd. If more were using it, someone might by now
> have done something about the lack of support for tsbsam (and ldapsam
> for that matter) in the pam_smbpasswd module.
>> will this be removed in higher versions of samba than > 3.4?
> Probably. Why don't you file a bug report on https://bugzilla.samba.org
> ? - that is the only way you might get action on this.
>> I find several people asking the question on net.did not find any
>> answer.anticipating your reply.
> Sorry to disappoint you.
> John T.
>> Configuration changes
>> !!! ATTENTION !!!
>> The default passdb backend has been changed to 'tdbsam'! That breaks
>> setups using the 'smbpasswd' backend without explicit declaration!
>> Please use
>> 'passdb backend = smbpasswd' if you would like to stick to the
>> backend or convert your smbpasswd entries using e.g. 'pdbedit -i
>> smbpasswd -e
>> The 'tdbsam' backend is much more flexible concerning per user
>> like 'profile path' or 'home directory' and there are some commands
>> which do not
>> work with the 'smbpasswd' backend at all.
>> -----Original Message-----
>> From: samba-bounces at lists.samba.org
>> [mailto:samba-bounces at lists.samba.org] On Behalf Of John H Terpstra
>> Sent: Saturday, July 03, 2010 6:31 PM
>> To: samba at lists.samba.org
>> Subject: Re: [Samba] pam_smbpass.so passdb.tdb support
>> On 07/03/2010 05:29 AM, Kandukuru_Suresh at emc.com wrote:
>>> Recently I have installed samba 3.4.8 on my device. Since then
>>> (vsftp,proftpd) which is taking users from samba database with
>>> pam_smbpass.so is not working. After enabling detailed log I have
>>> noticed it is looking for the passwords in smbpasswd
>>> (/etc/samba/private) which is of zero size . I think all users passwd
>>> are located in passwd.tdb.I could fix this by giving "passdb
>>> backend=smbpasswd" .
>>> somewhere I read smbpasswd is obsolete , and recommended to use
>>> and /etc/pam.d/ftp file is
>>> root at storage:/# cat /etc/pam.d/ftp
>>> auth required /lib/security/pam_smbpass.so
>>> account required /lib/security/pam_nologin.so
>>> account required /lib/security/pam_smbpass.so
>>> password required /lib/security/pam_smbpass.so
>>> session required /lib/security/pam_unix.so
>>> How can I tell pam_smbpass module to use passdb.tdb (tdbsam) .?.
>>> tell me I have been trying for last 2 days. Did not find anything.
>> You can not do that without changing the pam_smbpasswd code. This
>> specifically operates against the smbpasswd file.
>> -John T.
More information about the samba