<html>
<body bgcolor="#ffffff">

<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
hspace="10" align="left" />

<h1 class="head0">Chapter 9. Users and Security</h1>

<p><a name="INDEX-1"/>In this chapter, we cover the basic concepts of managing security in Samba so that you can set up your Samba server with a security policy suited to your network.</p>

<p>One of Samba's most complicated tasks lies in reconciling the security models of Unix and Windows systems. Samba must identify users by associating them with valid usernames and groups, authenticate them by checking their passwords, then control their access to resources by comparing their access rights to the permissions on files and directories. These are complex topics on their own, and it doesn't help that there are three different operating system types to deal with (Unix, Windows 95/98/Me, and Windows NT/2000/XP) and that Samba supports multiple methods of handling user authentication.</p>

<div class="sect1"><a name="samba2-CHP-9-SECT-1"/>

<h2 class="head1">Users and Groups</h2>

<p><a name="INDEX-2"/>Let's start out as simply as possible and add support for a single user. The easiest way to set up a client user is to create a Unix account (and home directory) for that individual on the server and notify Samba of the user's existence. You can do the latter by creating a disk share that maps to the user's home directory in the Samba configuration file and restricting access to that user with the <tt class="literal">valid</tt><a name="INDEX-3"/> <tt class="literal">users</tt> option. For example:</p>

<blockquote><pre class="code">[dave]
    path = /home/dave
    comment = Dave's home directory
    writable = yes
    valid users = dave</pre></blockquote>

<p>The <tt class="literal">valid</tt> <tt class="literal">users</tt> option lists the users allowed to access the share.
In this case, only the user <tt class="literal">dave</tt> is allowed to access the share. In some situations it is possible to specify that any user can access a disk share by using the <tt class="literal">guest</tt> <tt class="literal">ok</tt> parameter. Because we don't wish to allow guest access, that option is absent here. If you allow both authenticated users and guest users access to the same share, you can make some files accessible to guest users by assigning world-readable permissions to those files while restricting access to other files to particular users or groups.</p>

<p>When client users access a Samba share, they have to pass two levels of restriction. Unix permissions on files and directories apply as usual, and configuration parameters specified in the Samba configuration file apply as well. In other words, a client must first pass Samba's security mechanisms (e.g., authenticating with a valid username and password, passing the check for the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter and the <tt class="literal">read</tt> <tt class="literal">only</tt> parameter, etc.), as well as the normal Unix file and directory permissions of its Unix-side user, before it can gain read/write access to a share.</p>

<p>Remember that you can abbreviate the user's home directory by using the <tt class="literal">%H</tt><a name="INDEX-4"/> variable. In addition, you can use the Unix username variable <tt class="literal">%u</tt><a name="INDEX-5"/> and/or the client username variable <tt class="literal">%U</tt><a name="INDEX-6"/> in your options as well. For example:</p>

<blockquote><pre class="code">[dave]
    comment = %U home directory
    writable = yes
    valid users = dave
    path = %H</pre></blockquote>

<p>With a single user accessing a home directory, access permissions are taken care of when the user account is created.
The home directory is owned by the user, and permissions on it are set appropriately. However, if you're creating a shared directory for group access, you need to perform a few more steps. Let's take a stab at a <a name="INDEX-7"/>group share for the accounting department in the <em class="emphasis">smb.conf</em> file:</p>

<blockquote><pre class="code">[accounting]
    comment = Accounting Department Directory
    writable = yes
    valid users = @account
    path = /home/samba/accounting
    create mode = 0660
    directory mode = 0770</pre></blockquote>

<p>The first thing we did differently is to specify <tt class="literal">@account</tt> as the valid user instead of one or more individual usernames. This is shorthand for saying that the valid users are represented by the Unix group <tt class="literal">account</tt>. These users will need to be added to the group entry <tt class="literal">account</tt> in the <a name="INDEX-8"/><a name="INDEX-9"/>system group file (<em class="filename">/etc/group</em><a name="INDEX-10"/> or equivalent) to be recognized as part of the group. Once they are, Samba will recognize those users as valid users for the share.</p>

<p>In addition, you need to create a shared directory that the members of the group can access and point to it with the <tt class="literal">path</tt> configuration option. Here are the Unix commands that create the shared directory for the accounting department (assuming <em class="emphasis">/home/samba</em> already exists):</p>

<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/samba/accounting</b></tt>
# <tt class="userinput"><b>chgrp account /home/samba/accounting</b></tt>
# <tt class="userinput"><b>chmod 770 /home/samba/accounting</b></tt></pre></blockquote>

<p>There are two other options in this <em class="filename">smb.conf</em> example, both of which we saw in the previous chapter.
These options are <tt class="literal">create</tt><a name="INDEX-11"/> <tt class="literal">mode</tt> and <tt class="literal">directory</tt><a name="INDEX-12"/> <tt class="literal">mode</tt>. These options set the maximum file and directory permissions that a new file or directory can have. In this case, we have denied all world access to the contents of this share. (This is reinforced by the <em class="emphasis">chmod</em> command, shown earlier.)<a name="INDEX-13"/></p>

<div class="sect2"><a name="samba2-CHP-9-SECT-1.1"/>

<h3 class="head2">Handling Multiple Individual Users</h3>

<p><a name="INDEX-14"/>Let's return to user shares for a moment. If we have several users for whom to set up home directory shares, we probably want to use the special <tt class="literal">[homes]</tt> share that we introduced in <a href="ch08.html">Chapter 8</a>. With the <tt class="literal">[homes]</tt><a name="INDEX-15"/> share, all we need to say is:</p>

<blockquote><pre class="code">[homes]
    browsable = no
    writable = yes</pre></blockquote>

<p>The <tt class="literal">[homes]</tt> share is a special section of the Samba configuration file. If a user attempts to connect to an ordinary share that doesn't appear in the <em class="filename">smb.conf</em> file (such as specifying it with a UNC in Windows Explorer), Samba will search for a <tt class="literal">[homes]</tt> share. If one exists, the incoming share name is assumed to be a username and is queried as such in the password database (<em class="filename">/etc/passwd</em> or equivalent) file of the Samba server. If it appears, Samba assumes the client is a Unix user trying to connect to his home directory.</p>

<p>As an illustration, let's assume that <tt class="literal">sofia</tt> is attempting to connect to a share called <tt class="literal">[sofia]</tt> on the Samba server.
There is no share by that name in the configuration file, but a <tt class="literal">[homes]</tt> share exists and user <tt class="literal">sofia</tt> is present in the password database, so Samba takes the following steps:</p>

<ol><li>
<p>Samba creates a new disk share called <tt class="literal">[sofia]</tt> with the <tt class="literal">path</tt> specified in the <tt class="literal">[homes]</tt> section. If no <tt class="literal">path</tt> option is specified in <tt class="literal">[homes]</tt>, Samba initializes it to her home directory.</p>
</li><li>
<p>Samba initializes the new share's options from the defaults in <tt class="literal">[global]</tt>, as well as any overriding options in <tt class="literal">[homes]</tt> with the exception of <tt class="literal">browsable</tt>.</p>
</li><li>
<p>Samba connects <tt class="literal">sofia</tt>'s client to that share.</p>
</li></ol>

<p>The <tt class="literal">[homes]</tt> share is a fast, painless way to create shares for your user community without having to duplicate the information from the password database file in the <em class="filename">smb.conf</em> file. It does have some <a name="INDEX-16"/>peculiarities, however, that we need to point out:</p>

<ul><li>
<p>The <tt class="literal">[homes]</tt> section can represent any account on the machine, which isn't always desirable. For example, it can potentially create a share for <tt class="literal">root</tt>, <tt class="literal">bin</tt>, <tt class="literal">sys</tt>, <tt class="literal">uucp</tt>, and the like.
You 193can set a global 194<tt class="literal">invalid</tt><a name="INDEX-17"/> <tt class="literal">users</tt> option 195to protect against this.</p> 196</li><li> 197<p>The meaning of the 198<tt class="literal">browsable</tt><a name="INDEX-18"/> configuration option is 199different from other shares; it indicates only that a 200<tt class="literal">[homes]</tt> section won't show up in 201the local browse list, not that the <tt class="literal">[alice]</tt> share 202won't. When the <tt class="literal">[alice]</tt> section 203is created (after the initial connection), it will use the 204<tt class="literal">browsable</tt> value from the 205<tt class="literal">[globals]</tt> section for that share, not the value 206from <tt class="literal">[homes]</tt>.</p> 207</li></ul> 208<p>As we mentioned, there is no need for a path statement in 209<tt class="literal">[homes]</tt> if the users have Unix home directories in 210the server's <em class="filename">/etc/passwd</em> file. 211You should ensure that a valid home directory does exist, however, as 212Samba will not automatically create a home directory for a user and 213will refuse a tree connect if the user's directory 214does not exist or is not accessible. <a name="INDEX-19"/></p> 215 216 217</div> 218 219 220</div> 221 222 223 224<div class="sect1"><a name="samba2-CHP-9-SECT-2"/> 225 226<h2 class="head1">Controlling Access to Shares</h2> 227 228<p><a name="INDEX-20"/><a name="INDEX-21"/>Often you will need to restrict the users who 229can access a specific share for security reasons. This is very easy 230to do with Samba because it contains a wealth of options for creating 231practically any security configuration. Let's 232introduce a few configurations that you might want to use in your own 233Samba setup.</p> 234 235<p>We've seen what happens when you specify valid 236users. 
However, you are also allowed to specify a list of <a name="INDEX-22"/>invalid users—users who should never be allowed access to Samba or its shares. This is done with the <tt class="literal">invalid</tt><a name="INDEX-23"/> <tt class="literal">users</tt> option. We hinted at one frequent use of this option earlier: a global default with the <tt class="literal">[homes]</tt> section to ensure that various system users and superusers cannot be forged for access. For example:</p>

<blockquote><pre class="code">[global]
    invalid users = root bin daemon adm sync shutdown \
                    halt mail news uucp operator
    auto services = dave peter bob

[homes]
    browsable = no
    writable = yes</pre></blockquote>

<p>The <tt class="literal">invalid</tt> <tt class="literal">users</tt> option, like <tt class="literal">valid</tt> <tt class="literal">users</tt>, can take group names, preceded by an at sign (<tt class="literal">@</tt>), as well as usernames. In the event that a user or group appears in both lists, the <tt class="literal">invalid</tt> <tt class="literal">users</tt> option takes precedence, and the user or group is denied access to the share.</p>

<p>At the other end of the spectrum, you can explicitly specify users who will be allowed <a name="INDEX-24"/><a name="INDEX-25"/>superuser (root) access to a share with the <tt class="literal">admin</tt><a name="INDEX-26"/> <tt class="literal">users</tt> option. An example follows:</p>

<blockquote><pre class="code">[sales]
    path = /home/sales
    comment = Sedona Real Estate Sales Data
    writable = yes
    valid users = sofie shelby adilia
    admin users = mike</pre></blockquote>

<p>This option takes both group names and usernames.
In addition, you can specify NIS netgroups by preceding them with an <tt class="literal">@</tt> as well; if the netgroup is not found, Samba will assume that you are referring to a standard Unix group.</p>

<p>Be careful if you assign administrative privileges to a share for an entire group. The Samba Team highly recommends you avoid using this option, as it essentially gives root access to the specified users or groups for that share.</p>

<p>If you wish to force read-only or read/write access on users who access a share, you can do so with the <tt class="literal">read</tt><a name="INDEX-27"/> <tt class="literal">list</tt> and <tt class="literal">write</tt> <tt class="literal">list</tt> options, respectively. These options can be used on a per-share basis to restrict a writable share or to grant write access to specific users in a read-only share, respectively. For example:</p>

<blockquote><pre class="code">[sales]
    path = /home/sales
    comment = Sedona Real Estate Sales Data
    read only = yes
    write list = sofie shelby</pre></blockquote>

<p>The <tt class="literal">write</tt><a name="INDEX-28"/> <tt class="literal">list</tt> option cannot override Unix permissions. If you've created the share without giving the <tt class="literal">write-list</tt> user write permission on the Unix system, she will be denied write access regardless of the setting of <tt class="literal">write</tt> <tt class="literal">list</tt>.</p>

<div class="sect2"><a name="samba2-CHP-9-SECT-2.1"/>

<h3 class="head2">Guest Access</h3>

<p><a name="INDEX-29"/>As mentioned earlier, you can configure a share using <tt class="literal">guest</tt><a name="INDEX-30"/> <tt class="literal">ok</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> to allow access to guest users. This works only when using share-level security, which we will cover later in this chapter.
When a user connects as a guest, authenticating with a username and password is unnecessary, but Samba still needs a way to map the connected client to a user on the local system. The <tt class="literal">guest</tt><a name="INDEX-31"/> <tt class="literal">account</tt> parameter can be used in the share to specify the Unix account that guest users should be assigned when connecting to the Samba server. The default value for this is set during compilation and is typically <tt class="literal">nobody</tt>, which works well with most Unix versions. However, on some systems the <tt class="literal">nobody</tt><a name="INDEX-32"/> account is not allowed to access some services (e.g., printing), and you might need to set the guest user to <tt class="literal">ftp</tt> or some other account instead.</p>

<p>If you wish to restrict access in a share only to guests—in other words, all clients connect as the guest account when accessing the share—you can use the <tt class="literal">guest</tt> <tt class="literal">only</tt> option in conjunction with the <tt class="literal">guest</tt> <tt class="literal">ok</tt> option, as shown in the following example:</p>

<blockquote><pre class="code">[sales]
    path = /home/sales
    comment = Sedona Real Estate Sales Data
    writable = yes
    guest ok = yes
    guest account = ftp
    guest only = yes</pre></blockquote>

<p>Make sure you specify <tt class="literal">yes</tt> for both <tt class="literal">guest</tt> <tt class="literal">only</tt> and <tt class="literal">guest</tt> <tt class="literal">ok</tt>; otherwise, Samba will not use the guest account that you specify.</p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-2.2"/>

<h3 class="head2">Access Control Options</h3>

<p><a href="ch09.html#samba2-CHP-9-TABLE-1">Table 9-1</a> <a name="INDEX-33"/><a name="INDEX-34"/>summarizes the options that you can use to control
access to shares.</p>

<a name="samba2-CHP-9-TABLE-1"/><h4 class="head4">Table 9-1. Share-level access options</h4><table border="1">

<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>

<tr>
<td><p><tt class="literal">admin users</tt></p></td>
<td><p>string (list of usernames)</p></td>
<td><p>Users who can perform operations as root</p></td>
<td><p>None</p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">valid users</tt></p></td>
<td><p>string (list of usernames)</p></td>
<td><p>Users who can connect to a share</p></td>
<td><p>None</p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">invalid users</tt></p></td>
<td><p>string (list of usernames)</p></td>
<td><p>Users who will be denied access to a share</p></td>
<td><p>None</p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">read list</tt></p></td>
<td><p>string (list of usernames)</p></td>
<td><p>Users who have read-only access to a writable share</p></td>
<td><p>None</p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">write list</tt></p></td>
<td><p>string (list of usernames)</p></td>
<td><p>Users who have read/write access to a read-only share</p></td>
<td><p>None</p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">max connections</tt></p></td>
<td><p>numeric</p></td>
<td><p>Maximum number of connections for a share at a given time</p></td>
<td><p><tt class="literal">0</tt></p></td>
<td><p>Share</p>
</td>
</tr>
<tr>
<td><p><tt class="literal">guest only</tt> <tt class="literal">(only guest)</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, allows only guest access</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">guest account</tt></p></td>
<td><p>string (name of account)</p></td>
<td><p>Unix account that will be used for guest access</p></td>
<td><p><tt class="literal">nobody</tt></p></td>
<td><p>Share</p></td>
</tr>

</table>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.1"/>

<a name="INDEX-35"/><h3 class="head3">admin users</h3>

<p>This option specifies a list of users that perform file operations as if they were <tt class="literal">root</tt>. This means that they can modify or destroy any other user's files, regardless of the permissions. Any files that they create will have root ownership and will use the default group of the admin user. The <tt class="literal">admin</tt> <tt class="literal">users</tt> option allows PC users to act as administrators for particular shares. Be very careful when using this option, and make sure good password and other security policies are in place.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.2"/>

<a name="INDEX-36"/><a name="INDEX-37"/><h3 class="head3">valid users, invalid users</h3>

<p>These two options let you enumerate the users and groups who are granted or denied access to a particular share. You can enter a list of user and/or group names. If a name is prefixed by an at sign (<tt class="literal">@</tt>), it is interpreted as a group name—with NIS groups searched before Unix groups.
If the name is prefixed by a plus sign (<tt class="literal">+</tt>), it is interpreted as the name of a Unix group, and NIS is not searched. If the name is prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is interpreted as an NIS group name rather than as a Unix group name. The plus sign and ampersand can be used together to specify whether NIS or Unix groups are searched first. For example:</p>

<blockquote><pre class="code">[database]
    valid users = mary ellen sue &amp;sales +marketing @dbadmin
    invalid users = gavin syd dana &amp;techies +&amp;helpdesk</pre></blockquote>

<p>In the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter, users <tt class="literal">mary</tt>, <tt class="literal">ellen</tt>, and <tt class="literal">sue</tt> are allowed access to the <tt class="literal">[database]</tt> share, as are the members of the NIS group <tt class="literal">sales</tt>, the Unix group <tt class="literal">marketing</tt>, and the NIS/Unix group <tt class="literal">dbadmin</tt>. The <tt class="literal">invalid</tt> <tt class="literal">users</tt> parameter denies access to the share by users <tt class="literal">gavin</tt>, <tt class="literal">syd</tt>, and <tt class="literal">dana</tt>, as well as members of the NIS group <tt class="literal">techies</tt> and Unix/NIS group <tt class="literal">helpdesk</tt>.
In this last case, the list of Unix groups is searched first for the <tt class="literal">helpdesk</tt> group, and if it is not found there, the list of NIS groups is searched.</p>

<p>The important rule to remember with these options is that any name or group in the <tt class="literal">invalid</tt> <tt class="literal">users</tt> list will <em class="emphasis">always</em> be denied access, even if it is included (in any form) in the <tt class="literal">valid</tt> <tt class="literal">users</tt> list.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.3"/>

<a name="INDEX-38"/><a name="INDEX-39"/><h3 class="head3">read list, write list</h3>

<p>Like the <tt class="literal">valid</tt> <tt class="literal">users</tt> and <tt class="literal">invalid</tt> <tt class="literal">users</tt> options, this pair of options specifies which users have read-only access to a writable share and read/write access to a read-only share, respectively. The value of either option is a list of users. The <tt class="literal">read</tt> <tt class="literal">list</tt> parameter overrides any other Samba permissions granted—as well as Unix file permissions on the server system—to deny users write access. The <tt class="literal">write</tt> <tt class="literal">list</tt> parameter overrides other Samba permissions to grant write access, but cannot grant write access if the user lacks write permissions for the file on the Unix system. You can specify NIS or Unix group names by prefixing the name with an at sign (such as <tt class="literal">@users</tt>).
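</p>

<p>As an added example (not code from Samba or the book), the following Python models the access decisions described in the two sections above for the <tt class="literal">valid users</tt>, <tt class="literal">invalid users</tt>, <tt class="literal">admin users</tt>, <tt class="literal">read list</tt> and <tt class="literal">write list</tt> options: the <tt class="literal">@</tt>, <tt class="literal">+</tt> and <tt class="literal">&amp;</tt> prefixes with their search order, the rule that an invalid users entry always wins, and the asymmetry between a read list (denies write regardless of Unix permissions) and a write list (cannot override them). The two group tables are constructed stand-ins for <em class="filename">/etc/group</em> and the NIS group map.</p>

```python
"""Model of the share-access decisions described in the 'valid users,
invalid users' and 'read list, write list' sections.  Added example, not
code from Samba or the book; the group tables are constructed stand-ins
for /etc/group and the NIS group map."""
from dataclasses import dataclass, field

UNIX_GROUPS = {"marketing": {"pat", "rob"}, "dbadmin": {"ellen"}, "helpdesk": {"dana", "lee"}}
NIS_GROUPS = {"sales": {"sue", "kim", "lee"}, "techies": {"syd"}, "dbadmin": {"ops"}}


def matches(user, token):
    """One list entry: a bare username, or a group with @ (NIS then Unix),
    + (Unix only) or & (NIS only); '+&' / '&+' search both in the order written.
    The first database that defines the group decides, as the helpdesk example states."""
    if token[:1] not in "@+&":
        return user == token
    prefixes = token[:len(token) - len(token.lstrip("@+&"))]
    name = token[len(prefixes):]
    order = []
    for c in prefixes:
        order += {"@": [NIS_GROUPS, UNIX_GROUPS], "+": [UNIX_GROUPS], "&": [NIS_GROUPS]}[c]
    for db in order:
        if name in db:
            return user in db[name]
    return False


def in_list(user, tokens):
    return any(matches(user, t) for t in tokens)


@dataclass
class Share:
    valid_users: list = field(default_factory=list)
    invalid_users: list = field(default_factory=list)
    admin_users: list = field(default_factory=list)
    read_list: list = field(default_factory=list)
    write_list: list = field(default_factory=list)
    read_only: bool = False


def can_connect(share, user):
    """invalid users always wins; an empty valid users list admits everyone."""
    if in_list(user, share.invalid_users):
        return False
    return not share.valid_users or in_list(user, share.valid_users)


def can_write(share, user, unix_allows_write):
    """Write decision for a connected user.  unix_allows_write says whether the
    Unix mode on the target would let the user's Unix account write it."""
    if not can_connect(share, user):
        return False
    if in_list(user, share.read_list):
        return False                              # read list denies, Unix perms or not
    samba_ok = (not share.read_only) or in_list(user, share.write_list)
    if in_list(user, share.admin_users):
        return samba_ok                           # operates as root: Unix perms not checked
    return samba_ok and unix_allows_write         # write list cannot override Unix perms


# The [database] share from the text (plus a read list and an admin user, constructed)
# and the read-only [sales] share with its write list.
DATABASE = Share(
    valid_users=["mary", "ellen", "sue", "&sales", "+marketing", "@dbadmin"],
    invalid_users=["gavin", "syd", "dana", "&techies", "+&helpdesk"],
    read_list=["+marketing"],
    admin_users=["ellen"],
)
SALES = Share(valid_users=["sofie", "shelby", "adilia"], read_only=True,
              write_list=["sofie", "shelby"])

if __name__ == "__main__":
    for u in ["mary", "kim", "ops", "lee", "gavin", "pat"]:
        print(f"{u:6} connect={can_connect(DATABASE, u)} write={can_write(DATABASE, u, True)}")
```

<p>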
Neither configuration option has a default value associated with it.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.4"/>

<a name="INDEX-40"/><h3 class="head3">max connections</h3>

<p>This option specifies the maximum number of client connections that a share can have at any given time. Any connections that are attempted after the maximum is reached will be rejected. The default value is <tt class="literal">0</tt>, which is a special case that allows an unlimited number of connections. You can override it per share as follows:</p>

<blockquote><pre class="code">[accounting]
    max connections = 30</pre></blockquote>

<p>This option is useful in the event that you need to limit the number of users who are accessing a licensed program or piece of data concurrently.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.5"/>

<a name="INDEX-41"/><h3 class="head3">guest only</h3>

<p>This share-level option (also called <tt class="literal">only</tt> <tt class="literal">guest</tt>) forces a connection to a share to be performed with the user specified by the <tt class="literal">guest</tt> <tt class="literal">account</tt> option. The share to which this is applied must explicitly specify <tt class="literal">guest</tt> <tt class="literal">ok</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> for this option to be recognized by Samba. The default value for this option is <tt class="literal">no</tt>.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.6"/>

<a name="INDEX-42"/><h3 class="head3">guest account</h3>

<p>This option specifies the name of the account to be used for guest access to shares in Samba. The default for this option varies from system to system, but it is often set to <tt class="literal">nobody</tt>.
Some default user accounts have trouble connecting as guest users. If that occurs on your system, the Samba Team recommends using the <tt class="literal">ftp</tt> account as the guest user. <a name="INDEX-43"/> <a name="INDEX-44"/><a name="INDEX-45"/></p>

</div>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-2.3"/>

<h3 class="head2">Username Options</h3>

<p><a href="ch09.html#samba2-CHP-9-TABLE-2">Table 9-2</a> shows two additional options that Samba can use to correct for incompatibilities in usernames between Windows and Unix.</p>

<a name="samba2-CHP-9-TABLE-2"/><h4 class="head4">Table 9-2. Username options</h4><table border="1">

<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>

<tr>
<td><p><tt class="literal">username</tt> <tt class="literal">map</tt></p></td>
<td><p>string (filename)</p></td>
<td><p>Sets the name of the username mapping file</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">username</tt> <tt class="literal">level</tt></p></td>
<td><p>numeric</p></td>
<td><p>Indicates the number of capital letters to use when trying to match a username</p></td>
<td><p><tt class="literal">0</tt></p></td>
<td><p>Global</p></td>
</tr>

</table>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.1"/>

<a name="INDEX-46"/><h3 class="head3">username map</h3>

<p>Client usernames on an SMB network can be relatively long (up to 255 characters), while usernames on a Unix network often cannot be longer than eight characters.
This means that an individual user can have one username on a client and another (shorter) one on the Samba server. You can get past this issue by <a name="INDEX-47"/>mapping a free-form client username to a Unix username of eight or fewer characters. The mapping is placed in a standard text file, using a format that we'll describe shortly. You can then specify the pathname to Samba with the global <tt class="literal">username</tt> <tt class="literal">map</tt> option. Be sure to restrict access to this file; make the root user the file's owner and deny write access to others (with octal permissions of 744 or 644). Otherwise, an untrusted user with access to the file can easily map his client username to the root user of the Samba server.</p>

<p>You can specify this option as follows:</p>

<blockquote><pre class="code">[global]
    username map = /usr/local/samba/private/usermap.txt</pre></blockquote>

<p>Each entry in the username map file should be listed as follows: the Unix username, followed by an equal sign (<tt class="literal">=</tt>), followed by one or more whitespace-separated SMB client usernames. Note that unless instructed otherwise (i.e., a guest connection), Samba will expect both the client and the server user to have the same password. You can also map NT groups to one or more specific Unix groups using the <tt class="literal">@</tt> sign.
Here are some examples:</p>

<blockquote><pre class="code">jarwin = JosephArwin
manderso = MarkAnderson
users = @account</pre></blockquote>

<p>You can also use the asterisk to specify a wildcard that matches any free-form client username as an entry in the username map file:</p>

<blockquote><pre class="code">nobody = *</pre></blockquote>

<p>Comments can be placed in the file by starting the line with a hash mark (<tt class="literal">#</tt>) or a semicolon (<tt class="literal">;</tt>).</p>

<p>Note that you can also use this file to redirect one Unix user to another user. Be careful, though, as Samba and your client might not notify the user that the mapping has been made and Samba might be expecting a different password.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.2"/>

<a name="INDEX-48"/><h3 class="head3">username level</h3>

<p>SMB clients (such as Windows) will often send usernames in SMB connection requests entirely in capital letters; in other words, client usernames are not necessarily case-sensitive. On a Unix server, however, usernames <em class="emphasis">are</em> case-sensitive: the user <tt class="literal">ANDY</tt> is different from the user <tt class="literal">andy</tt>. By default, Samba attacks this problem by doing the following:</p>

<ol><li>
<p>Checking for a user account with the exact name sent by the client</p>
</li><li>
<p>Testing the username in all lowercase letters</p>
</li><li>
<p>Testing the username in lowercase letters with only the first letter capitalized</p>
</li></ol>

<p>If you wish to have Samba attempt more combinations of upper- and lowercase letters, you can use the <tt class="literal">username</tt> <tt class="literal">level</tt> global configuration option.
This option takes an integer value that specifies how many letters in the username should be capitalized when attempting to connect to a share. You can specify this option as follows:</p>

<blockquote><pre class="code">[global]
    username level = 3</pre></blockquote>

<p>In this case, Samba attempts all possible permutations of usernames having three capital letters. The larger the number, the more computations Samba has to perform to match the username, and the longer the authentication will take.</p>

</div>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-9-SECT-3"/>

<h2 class="head1">Authentication of Clients</h2>

<p><a name="INDEX-49"/>At this point, we should discuss how Samba authenticates users. Each user who attempts to connect to a share not allowing guest access must provide a password to <a name="INDEX-50"/>make a successful connection. What Samba does with that password—and consequently the strategy Samba will use to handle user authentication—is the arena of the <tt class="literal">security</tt> configuration option. Samba currently supports <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>four <a name="INDEX-54"/>security levels on its network: <em class="firstterm">share</em>, <em class="firstterm">user</em>, <em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p>

<dl>
<dt><b><a name="INDEX-55"/>Share-level security</b></dt>
<dd>
<p>Each share in the workgroup has one or more passwords associated with it. Anyone who knows a valid password for the share can access it.</p>
</dd>

<dt><b><a name="INDEX-56"/>User-level security</b></dt>
<dd>
<p>Each share in the workgroup is configured to allow access from certain users.
With each initial tree connection, the Samba server verifies users and their passwords to allow them access to the share.</p>
</dd>

<dt><b><a name="INDEX-57"/>Server-level security</b></dt>
<dd>
<p>This is the same as user-level security, except that the Samba server uses another server to validate users and their passwords before granting access to the share.</p>
</dd>

<dt><b><a name="INDEX-58"/>Domain-level security</b></dt>
<dd>
<p>Samba becomes a member of a Windows NT domain and uses one of the domain's domain controllers—either the PDC or a BDC—to perform authentication. Once authenticated, the user is given a special token that allows her access to any share with appropriate access rights. With this token, the domain controller will not have to revalidate the user's password each time she attempts to access another share within the domain. The domain controller can be a Windows NT/2000 PDC or BDC, or Samba acting as a Windows NT PDC.</p>
</dd>

</dl>

<p>Each security policy can be implemented with the global <tt class="literal">security</tt> option, as shown in <a href="ch09.html#samba2-CHP-9-TABLE-3">Table 9-3</a>.</p>

<a name="samba2-CHP-9-TABLE-3"/><h4 class="head4">Table 9-3.
Security option</h4><table border="1">
<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>
<tr>
<td><p><tt class="literal">security</tt><a name="INDEX-59"/></p></td>
<td><p><tt class="literal">domain</tt>, <tt class="literal">server</tt>, <tt class="literal">share</tt>, or <tt class="literal">user</tt></p></td>
<td><p>Indicates the type of security that the Samba server will use</p></td>
<td><p><tt class="literal">user</tt></p></td>
<td><p>Global</p></td>
</tr>
</table>

<div class="sect2"><a name="samba2-CHP-9-SECT-3.1"/>

<h3 class="head2">Share-Level Security</h3>

<p>With share-level security, each share has one or more passwords associated with it, with the client being authenticated when first connecting to the share. This differs from the other modes of security in that there are no restrictions as to who can access a share, as long as that individual knows the correct password. Shares often have multiple passwords. For example, one password might grant read-only access, while another might grant read/write access. Security is maintained as long as unauthorized users do not discover the password for a share to which they shouldn't have access.</p>

<p>OS/2 and Windows 95/98/Me both support share-level security on their resources. You can set up share-level security with Windows 95/98/Me by first enabling share-level security using the Access Control tab of the Network Control Panel dialog. Then select the "Share-level access control" radio button (which deselects the "User-level access control" radio button), as shown in <a href="ch09.html#samba2-CHP-9-FIG-1">Figure 9-1</a>, and click the OK button.
Reboot as requested.</p>

<div class="figure"><a name="samba2-CHP-9-FIG-1"/><img src="figs/sam2_0901.gif"/></div><h4 class="head4">Figure 9-1. Selecting share-level security on a Windows 95/98/Me system</h4>

<p>Next, right-click a resource—such as a hard drive or a CD-ROM—and select the Properties menu item. This will bring up the Resource Properties dialog box. Select the Sharing tab at the top of the dialog box, and enable the resource as Shared As. From here, you can configure how the shared resource will appear to individual users, as well as assign whether the resource will appear as read-only, read/write, or a mix, depending on the password that is supplied.</p>

<p>You might be thinking that this security model is not a good fit for Samba—and you would be right. In fact, if you set the <tt class="literal">security</tt> <tt class="literal">=</tt> <tt class="literal">share</tt> option in the Samba configuration file, Samba will still reuse the username/password combinations in the system password files to authenticate access. More precisely, Samba will take the following steps when a client requests a connection using share-level security:</p>

<ol><li>
<p>When a connection is requested, Samba will accept the password and (if sent) the username of the client.</p>
</li><li>
<p>If the share is <tt class="literal">guest</tt> <tt class="literal">only</tt>, the user is immediately granted access to the share with the rights of the user specified by the <tt class="literal">guest</tt> <tt class="literal">account</tt> parameter; no password checking is performed.</p>
</li><li>
<p>For other shares, Samba appends the username to a list of users who are allowed access to the share. It then attempts to validate the password given in association with that username.
If successful, Samba grants the user access to the share with the rights assigned to that user. The user will not need to authenticate again unless a <tt class="literal">revalidate</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> option has been set inside the share.</p>
</li><li>
<p>If the authentication is unsuccessful, Samba attempts to validate the password against the list of users previously compiled during attempted connections, as well as those specified under the share in the configuration file. If the password matches that of any username (as specified in the system password file, typically <em class="filename">/etc/passwd</em>), the user is granted access to the share under that username.</p>
</li><li>
<p>However, if the share has a <tt class="literal">guest</tt> <tt class="literal">ok</tt> or <tt class="literal">public</tt> option set, the user will default to access with the rights of the user specified by the <tt class="literal">guest</tt> <tt class="literal">account</tt> option.</p>
</li></ol>
<p>You can indicate in the configuration file which users should be initially placed on the share-level security user list by using the <tt class="literal">username</tt> configuration option, as shown here:</p>

<blockquote><pre class="code">[global]
    security = share

[accounting1]
    path = /home/samba/accounting1
    guest ok = no
    writable = yes
    username = davecb, pkelly, andyo</pre></blockquote>

<p>Here, when a user attempts to connect to a share, Samba verifies the sent password against each user in its own list, in addition to the passwords of users <tt class="literal">davecb</tt>, <tt class="literal">pkelly</tt>, and <tt class="literal">andyo</tt>. If any of the passwords match, the connection is verified, and the user is allowed.
Otherwise, connection to the specific share will fail.</p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-3.2"/>

<h3 class="head2">Share-Level Security Options</h3>

<p><a href="ch09.html#samba2-CHP-9-TABLE-4">Table 9-4</a> shows the options typically associated with <em class="firstterm">share-level security</em><a name="INDEX-60"/>.</p>

<a name="samba2-CHP-9-TABLE-4"/><h4 class="head4">Table 9-4. Share-level access options</h4><table border="1">
<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>
<tr>
<td><p><tt class="literal">only user</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, usernames specified by <tt class="literal">username</tt> are the only ones allowed</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Share</p></td>
</tr>
<tr>
<td><p><tt class="literal">username</tt> (<tt class="literal">user</tt> or <tt class="literal">users</tt>)</p></td>
<td><p>string (list of usernames)</p></td>
<td><p>Users against which a client's password is tested</p></td>
<td><p>None</p></td>
<td><p>Share</p></td>
</tr>
</table>

<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.1"/>

<a name="INDEX-61"/><h3 class="head3">only user</h3>

<p>This Boolean option indicates whether Samba will allow connections to a share using share-level security based solely on the individuals specified in the <tt class="literal">username</tt> option, instead of those users compiled on Samba's internal list. The default value for this option is <tt class="literal">no</tt>.
You can override it per share as follows:</p>

<blockquote><pre class="code">[global]
    security = share
[data]
    username = andy, peter, valerie
    only user = yes</pre></blockquote>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.2"/>

<a name="INDEX-62"/><h3 class="head3">username</h3>

<p>This option presents a list of usernames and/or group names against which Samba tests a connection password to allow access. It is typically used with clients that have share-level security to allow connections to a particular service based solely on a qualifying password—in this case, one that matches a password set up for a specific user:</p>

<blockquote><pre class="code">[global]
    security = share
[data]
    username = andy, peter, terry</pre></blockquote>

<p>You can enter a list of usernames and/or group names. If a name is prefixed by an at sign (<tt class="literal">@</tt>), it is interpreted as a group name, with NIS groups searched before Unix groups. If the name is prefixed by a plus sign (<tt class="literal">+</tt>), it is interpreted as the name of a Unix group, and NIS is not searched. If the name is prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is interpreted as an NIS group name rather than a Unix group name. The plus sign and ampersand can be used together to specify whether NIS or Unix groups are searched first. When Samba encounters a group name in this option, it attempts to authenticate each user in the group until it finds one that succeeds.
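</p>

<p>As an added model (constructed for this chapter, not Samba's code) of the share-level connection steps listed above, the following Python class walks one connection through the guest only check, the sent username, the <tt class="literal">username</tt> list with its @group expansion, the compiled list that <tt class="literal">only user</tt> suppresses, and the guest ok fallback. The password store and group table are constructed; the comparison counter shows how many password checks a single connection can cost.</p>

```python
"""Model of the share-level (security = share) connection steps listed
above, with the username list, @group expansion and only user.
Constructed example, not Samba's code."""
import hashlib
import hmac


def _digest(password):
    """Constructed stand-in for the system password store's hashing."""
    return hashlib.sha256(b"demo-salt:" + password.encode()).hexdigest()


# Constructed password store (username -> hash) and group table.
PASSWORDS = {"davecb": _digest("d-secret"), "pkelly": _digest("p-secret"),
             "andyo": _digest("a-secret")}
GROUPS = {"acct": ["pkelly", "andyo"]}


def check_password(user, password):
    """One password comparison against the store, constant time on the hash."""
    stored = PASSWORDS.get(user)
    return stored is not None and hmac.compare_digest(stored, _digest(password))


def expand_username_list(names):
    """'@group' (and the '+' / '&' variants) expand to the group's members;
    plain names pass through. Order is kept, duplicates dropped."""
    out = []
    for name in names:
        if name[0] in "@+&":
            members = GROUPS.get(name.lstrip("@+&"), [])
        else:
            members = [name]
        for member in members:
            if member not in out:
                out.append(member)
    return out


class ShareLevelShare:
    """One [share] section under security = share."""

    def __init__(self, username=(), only_user=False, guest_only=False,
                 guest_ok=False, guest_account="guest"):
        self.configured = expand_username_list(list(username))
        self.only_user = only_user
        self.guest_only = guest_only
        self.guest_ok = guest_ok
        self.guest_account = guest_account
        self.compiled = []      # usernames seen on earlier connections
        self.comparisons = 0    # password checks performed so far

    def _try(self, user, password):
        self.comparisons += 1
        return check_password(user, password)

    def connect(self, password, username=None):
        """Return the Unix user the connection runs as, or None."""
        # Step 2: a guest only share skips password checking entirely.
        if self.guest_only:
            return self.guest_account
        # Step 3: remember the sent name (unless only user), then test it.
        if username and not self.only_user and username not in self.compiled:
            self.compiled.append(username)
        if username and (not self.only_user or username in self.configured):
            if self._try(username, password):
                return username
        # Step 4: try the password against the configured list and, unless
        # only user = yes, every name compiled from earlier connections.
        candidates = list(self.configured)
        if not self.only_user:
            candidates += [u for u in self.compiled if u not in candidates]
        for user in candidates:
            if user != username and self._try(user, password):
                return user
        # Step 5: guest ok / public shares fall back to the guest account.
        return self.guest_account if self.guest_ok else None
```

<p>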
Beware that this can be very inefficient.</p>

<p>We recommend against using this option unless you are implementing a Samba server with share-level security.</p>

</div>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-3.3"/>

<h3 class="head2">User-Level Security</h3>

<p>The default mode of security with Samba is <em class="firstterm">user-level security</em><a name="INDEX-63"/>. With this method, each share is assigned specific users that can access it. When a user requests a connection to a share, Samba authenticates by validating the given username and password with the authorized users in the configuration file and the passwords in the password database of the Samba server. As mentioned earlier in the chapter, one way to isolate which users are allowed access to a specific share is by using the <tt class="literal">valid</tt> <tt class="literal">users</tt> option for each share:</p>

<blockquote><pre class="code">[global]
    security = user

[accounting1]
    writable = yes
    valid users = bob, joe, sandy</pre></blockquote>

<p>Each user listed can connect to the share if the password provided matches the password stored in the system password database on the server. Once the initial authentication succeeds, the client will not need to supply a password again to access that share unless the <tt class="literal">revalidate</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> option has been set.</p>

<p>Passwords can be sent to the Samba server in either an encrypted or a nonencrypted format. If you have both types of systems on your network, you should ensure that the passwords represented by each user are stored both in a traditional account database and Samba's encrypted password database.
This way, authorized users can gain access to their shares from any type of client.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> However, we recommend that you move your system to encrypted passwords and abandon nonencrypted passwords if security is an issue. <a href="ch09.html#samba2-CHP-9-SECT-4">Section 9.4</a> of this chapter explains how to use encrypted as well as nonencrypted passwords.</p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-3.4"/>

<h3 class="head2">Server-Level Security</h3>

<p><em class="firstterm">Server-level security</em><a name="INDEX-64"/> is similar to user-level security. However, with server-level security, Samba delegates password authentication to another SMB password server—typically another Samba server or a Windows NT/2000 server acting as a PDC on the network. Note that Samba still maintains its list of shares and their configuration in its <em class="filename">smb.conf</em> file. When a client attempts to make a connection to a particular share, Samba validates that the user is indeed authorized to connect to the share. Samba then attempts to validate the password by passing the username and password to the SMB password server. If the password is accepted, a session is established with the client. See <a href="ch09.html#samba2-CHP-9-FIG-2">Figure 9-2</a> for an illustration of this setup.</p>

<div class="figure"><a name="samba2-CHP-9-FIG-2"/><img src="figs/sam2_0902.gif"/></div><h4 class="head4">Figure 9-2.
A typical system setup using server-level security</h4>

<p>You can configure Samba to use a separate password server under server-level security with the use of the <tt class="literal">password</tt><a name="INDEX-65"/> <tt class="literal">server</tt> global configuration option, as follows:</p>

<blockquote><pre class="code">[global]
    security = server
    password server = mixtec toltec</pre></blockquote>

<p>Note that you can specify more than one machine as the target of the <tt class="literal">password</tt> <tt class="literal">server</tt>; Samba moves down the list of servers in the event that its first choice is unreachable. The servers identified by the <tt class="literal">password</tt> <tt class="literal">server</tt> option are given as NetBIOS names, not their DNS names or equivalent IP addresses. Also, if any of the servers reject the given password, the connection automatically fails—Samba will not attempt another server.</p>

<p>One caveat: when using this option, you still need an account representing that user on the regular Samba server. This is because the Unix operating system needs a username to perform various I/O operations. The preferable method of handling this is to give the user an account on the Samba server but disable the account's password by replacing it in the system password file (e.g., <em class="filename">/etc/passwd</em>) with an asterisk (*).</p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-3.5"/>

<h3 class="head2">Domain-Level Security</h3>

<p>With <em class="firstterm">domain-level security</em><a name="INDEX-66"/>, the Samba server acts as a member of a Windows domain. Recall from <a href="ch01.html">Chapter 1</a> that each domain has a primary domain controller, which can be a Windows NT/2000 or Samba server offering password authentication.
The domain controller keeps track of users and passwords in its own database and authenticates each user when she first logs on and wishes to access another machine's shares.</p>

<p>As mentioned earlier in this chapter, Samba has a similar ability to offer user-level security, but that option is Unix-centric and assumes that the authentication occurs via Unix password files. If the Unix machine is part of an NIS or NIS+ domain, Samba authenticates users transparently against a shared password file in typical Unix fashion. Samba then provides access to the NIS or NIS+ domain from Windows. There is, of course, no relationship between the NIS concept of a domain and a Windows NT domain.</p>

<p>Configuring Samba for domain-level security is covered in <a href="ch04.html">Chapter 4</a> in <a href="ch04.html#samba2-CHP-4-SECT-7">Section 4.7</a>. <a name="INDEX-67"/></p>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-9-SECT-4"/>

<h2 class="head1">Passwords</h2>

<p><a name="INDEX-68"/>Passwords are a thorny issue with Samba. So much so, in fact, that they are often the first major problem that users encounter when they install Samba. At this point, we need to delve deeper into Samba to discover what is happening on the network.</p>

<p>Passwords sent from individual clients can be either encrypted or nonencrypted. Encrypted passwords are, of course, more secure. A nonencrypted, plain-text password can be easily read with a packet-sniffing program, such as the modified <em class="emphasis">tcpdump</em> program for Samba that we used in <a href="ch01.html">Chapter 1</a>. Whether passwords are encrypted by default depends on the operating system that the client is using to connect to the Samba server.
<a href="ch09.html#samba2-CHP-9-TABLE-5">Table 9-5</a> lists which <a name="INDEX-69"/>Windows operating systems encrypt their passwords and which send plain-text passwords by default.</p>

<a name="samba2-CHP-9-TABLE-5"/><h4 class="head4">Table 9-5. Windows operating systems with encrypted passwords</h4><table border="1">
<tr>
<th><p>Operating system</p></th>
<th><p>Encrypted or plain text</p></th>
</tr>
<tr><td><p>Windows for Workgroups</p></td><td><p>Plain text</p></td></tr>
<tr><td><p>Windows 95</p></td><td><p>Plain text</p></td></tr>
<tr><td><p>Windows 95 with SMB Update</p></td><td><p>Encrypted</p></td></tr>
<tr><td><p>Windows 98</p></td><td><p>Encrypted</p></td></tr>
<tr><td><p>Windows Me</p></td><td><p>Encrypted</p></td></tr>
<tr><td><p>Windows NT 3.x</p></td><td><p>Plain text</p></td></tr>
<tr><td><p>Windows NT 4.0 before SP 3</p></td><td><p>Plain text</p></td></tr>
<tr><td><p>Windows NT 4.0 after SP 3</p></td><td><p>Encrypted</p></td></tr>
<tr><td><p>Windows 2000</p></td><td><p>Encrypted</p></td></tr>
<tr><td><p>Windows XP</p></td><td><p>Encrypted</p></td></tr>
</table>

<p>Three different encryption methods are used. Windows 95/98/Me clients use a method inherited from Microsoft's LAN Manager network software. Windows NT/2000/XP systems use a newer system, called NT LAN Manager, or NTLM.
A newer version of this (called NT LAN Manager Version 2, or NTLMv2) uses a different method for password hashing.</p>

<p>If encrypted passwords are supported, Samba stores the encrypted passwords in a file called <em class="filename">smbpasswd</em>. By default, this file is located in the <em class="filename">private</em> directory of the Samba distribution (typically <em class="filename">/usr/local/samba/private</em>). At the same time, the client stores an encrypted version of a user's password on its own system. The plain-text password is never stored on either system. Each system encrypts the password automatically using a standard algorithm when the password is set or changed.</p>

<p>When a client requests a connection to an SMB server that supports encrypted passwords (such as Samba or Windows NT/2000/XP), the two computers undergo the following negotiations:</p>

<ol><li>
<p>The client attempts to negotiate a protocol with the server.</p>
</li><li>
<p>The server responds with a protocol and indicates that it supports encrypted passwords. At this time, it sends back a randomly generated 8-byte challenge string.</p>
</li><li>
<p>The client uses the challenge string as a key to encrypt its already encrypted password using an algorithm predefined by the negotiated protocol. It then sends the result to the server.</p>
</li><li>
<p>The server does the same thing with the encrypted password stored in its database. If the results match, the passwords are equivalent, and the user is authenticated.</p>
</li></ol>
<p>Note that even though the original passwords are not involved in the authentication process, you need to be very careful that the encrypted passwords located inside the <em class="filename">smbpasswd</em> file are guarded from unauthorized users.
If they are compromised, an unauthorized user can break into the system by replaying the steps of the previous algorithm. The encrypted passwords are just as sensitive as the plain-text passwords—this is known as <em class="firstterm">plain-text-equivalent</em> data in the cryptography world. Of course, your local security policy should require that the clients safeguard their plain-text-equivalent passwords as well.</p>

<p>You can configure Samba to accept encrypted passwords with the following global additions to <em class="filename">smb.conf</em>. Note that we explicitly name the location of the Samba password file:</p>

<blockquote><pre class="code">[global]
    security = user
    encrypt passwords = yes
    smb passwd file = /usr/local/samba/private/smbpasswd</pre></blockquote>

<p>Samba, however, will not accept any users until the <em class="filename">smbpasswd</em> file has been created and the users have been added to it with the <em class="emphasis">smbpasswd</em> command, as we showed you in <a href="ch02.html">Chapter 2</a>.</p>

<div class="sect2"><a name="samba2-CHP-9-SECT-4.1"/>

<h3 class="head2">Disabling Encrypted Passwords on the Client</h3>

<p><a name="INDEX-70"/><a name="INDEX-71"/>While Unix authentication has been in use for decades—including the use of <em class="emphasis">telnet</em> and <em class="emphasis">rlogin</em> access across the Internet—it embodies well-known security risks. Plaintext passwords are sent over the Internet and can be retrieved from TCP packets by malicious snoopers.
However, if you feel that your network is secure and you wish to use standard Unix <em class="filename">/etc/passwd</em> authentication for all clients, you can do so, but you must disable encrypted passwords on those Windows clients that default to using them.</p>

<p>To do this, you must modify the Windows registry on each client system. The Samba distribution includes the <em class="filename">.reg</em> files you need for this, located in the source distribution's <em class="filename">/docs/Registry</em> directory. Depending on the platform, you use one of the following files:</p>

<blockquote class="simplelist">
<p><em class="filename">Win95_PlainPassword.reg</em></p>
<p><em class="filename">Win98_PlainPassword.reg</em></p>
<p><em class="filename">WinME_PlainPassword.reg</em></p>
<p><em class="filename">NT_PlainPassword.reg</em></p>
<p><em class="filename">Win2000_PlainPassword.reg</em></p>
</blockquote>

<p>(For Windows XP, use the <em class="filename">.reg</em> file for Windows 2000.) You can perform the installation by copying the appropriate <em class="filename">.reg</em> file to a DOS floppy, inserting the floppy in the client's floppy drive, and running the <em class="filename">.reg</em> file from the Run menu item in the client's Start menu. (Or you can just double-click the file's icon.)</p>

<p>After you reboot the machine, the client will not encrypt its hashed passwords before sending them to the server. This means that the plain-text passwords can be seen in the TCP packets that are broadcast across the network.
Again, we encourage you not to do this unless you are absolutely sure that your network is secure.</p>

<p>If passwords are not encrypted, use these two lines in your Samba configuration file:</p>

<blockquote><pre class="code">[global]
    security = user
    encrypt passwords = no</pre></blockquote>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-4.2"/>

<h3 class="head2">The smbpasswd File</h3>

<p>Samba stores its encrypted passwords in a file called <em class="filename">smbpasswd</em><a name="INDEX-72"/>, which by default resides in the <em class="filename">/usr/local/samba/private</em> directory. The <em class="filename">smbpasswd</em> file should be guarded as closely as the Unix system's password file (either <em class="filename">/etc/passwd</em> or <em class="filename">/etc/shadow</em>). Only the root user should have read/write access to the <em class="filename">private</em> directory, and no other users should have access to it at all. In addition, the <em class="filename">smbpasswd</em> file should have all access denied to all users except for root. When things are set up for good security, long listings of the <em class="filename">private</em> directory and <em class="filename">smbpasswd</em> file look like the following:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>ls -ld /usr/local/samba/private</b></tt>
drwx------    2 root     root         4096 Nov 26 01:11 /usr/local/samba/private
# <tt class="userinput"><b>ls -l /usr/local/samba/private/smbpasswd</b></tt>
-rw-------    1 root     root          204 Nov 26 01:11 /usr/local/samba/private/smbpasswd</pre></blockquote>

<p>Before you can use encrypted passwords, you need to create an entry for each Unix user in the <em class="filename">smbpasswd</em> file.
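</p>

<p>As an added example (constructed here, not a Samba tool), the following parser reads entries in the layout this section goes on to describe and reports the entries worth reviewing before encrypted passwords are enabled: UID mismatches against the system password file, passwordless and disabled accounts, and machine trust accounts. The sample file, its hash values and the system account table are constructed; <tt class="literal">permissions_ok</tt> checks a stat() result against the listing above.</p>

```python
"""Parser and audit routine for the smbpasswd entry layout described in
this section. Constructed example, not Samba's own code or tools."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional
import re
import stat

HEX32 = re.compile(r"^[0-9A-F]{32}$")
NO_PASSWORD = "NO PASSWORD" + "X" * 21   # 11 characters plus X padding to 32
DISABLED = "X" * 32

# Constructed sample file. The hash values are made-up hex, not real hashes.
_LM = "0123456789ABCDEF" * 2
_NT = "FEDCBA9876543210" * 2
SAMPLE_SMBPASSWD = "\n".join([
    "# constructed smbpasswd contents",
    f"dave:500:{_LM}:{_NT}:[{'U':<11}]:LCT-3BFA1E3D:",
    f"tmp:501:{NO_PASSWORD}:{NO_PASSWORD}:[{'NU':<11}]:LCT-3BFA1E3D:",
    f"old:502:{DISABLED}:{DISABLED}:[{'DU':<11}]:LCT-3BFA1E3D:",
    f"pc01$:503:{_LM}:{_NT}:[{'W':<11}]:LCT-3BFA1E3D:",
])

# Constructed stand-in for the system password file: username -> UID.
SYSTEM_ACCOUNTS = {"dave": 500, "tmp": 501, "old": 502, "pc01$": 503}


@dataclass
class SmbPasswdEntry:
    username: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: set = field(default_factory=set)
    last_change: Optional[datetime] = None

    @property
    def no_password(self):
        return "N" in self.flags or self.nt_hash.startswith("NO PASSWORD")

    @property
    def disabled(self):
        return "D" in self.flags or self.nt_hash == DISABLED


def _check_hash(label, value):
    """Accept 32 hex digits, the NO PASSWORD marker or 32 X characters."""
    value = value.upper()
    if value in (NO_PASSWORD, DISABLED) or HEX32.match(value):
        return value
    raise ValueError(f"{label} hash is not 32 hex digits: {value!r}")


def parse_entry(line):
    """Parse one smbpasswd line: user:uid:LM:NT:[flags]:LCT-hex:"""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 6:
        raise ValueError("expected at least six colon-separated fields")
    username, uid, lm, nt, flags, lct = fields[:6]
    m = re.fullmatch(r"\[([A-Z ]{11})\]", flags)
    if not m:
        raise ValueError(f"account flags must be 11 characters in [ ]: {flags!r}")
    t = re.fullmatch(r"LCT-([0-9A-Fa-f]{8})", lct)
    last = (datetime.fromtimestamp(int(t.group(1), 16), tz=timezone.utc)
            if t else None)
    return SmbPasswdEntry(username, int(uid), _check_hash("LM", lm),
                          _check_hash("NT", nt), set(m.group(1)) - {" "}, last)


def audit(text, system_accounts):
    """Return (username, finding) pairs worth a look before enabling
    encrypted passwords."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        e = parse_entry(line)
        sys_uid = system_accounts.get(e.username)
        if sys_uid is None:
            findings.append((e.username, "not in system password file"))
        elif sys_uid != e.uid:
            findings.append((e.username, f"uid {e.uid} differs from system uid {sys_uid}"))
        if e.disabled:
            findings.append((e.username, "disabled"))
        elif e.no_password:
            findings.append((e.username, "no password set"))
        if "W" in e.flags:
            findings.append((e.username, "workstation trust account"))
    return findings


def permissions_ok(st_mode, st_uid):
    """True when a stat() result matches the listing above: owned by root
    with no group or other permission bits set."""
    return st_uid == 0 and stat.S_IMODE(st_mode) & 0o077 == 0
```

<p>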
The structure of the file is somewhat similar to a Unix <em class="filename">passwd</em> file, but has different fields. <a href="ch09.html#samba2-CHP-9-FIG-3">Figure 9-3</a> illustrates the layout of the <em class="filename">smbpasswd</em> file; the entry shown is actually one line in the file.</p>

<div class="figure"><a name="samba2-CHP-9-FIG-3"/><img src="figs/sam2_0903.gif"/></div><h4 class="head4">Figure 9-3. Structure of the smbpasswd file entry (actually one line)</h4>

<p>Normally, entries in the <em class="filename">smbpasswd</em> file are created automatically by the <em class="emphasis">smbpasswd</em> command. Still, you might like to know how to interpret data within the <em class="filename">smbpasswd</em> file, in case you'd like to see what accounts are stored in it or even modify it manually. Here is a breakdown of the individual fields:</p>

<dl>
<dt><b>Username</b></dt>
<dd>
<p>This is the username of the account. It is taken directly from the system password file.</p>
</dd>

<dt><b>UID</b></dt>
<dd>
<p>This is the user ID (UID) of the account. Like the username, it is taken directly from the system password file and must match the UID there.</p>
</dd>

<dt><b>LAN Manager Password Hash</b></dt>
<dd>
<p>This is a 32-bit hexadecimal sequence that represents the password Windows 95/98/Me clients will use. It is derived by splitting the password into two 7-character strings, with all lowercase letters forced into uppercase. If fewer than 14 characters are in the password, the strings are padded with nulls. Then each 7-character string is converted to a 56-bit DES key and used to encrypt the constant string <tt class="literal">KGS!@#$%</tt>.
The two 64-bit results are concatenated and stored as the password hash.</p>

<p>If there is currently no password for the user, the first 11 characters of the hash will consist of the sequence <tt class="literal">NO</tt> <tt class="literal">PASSWORD</tt> followed by <tt class="literal">X</tt> characters for the remainder. If the password has been disabled, it will consist of 32 <tt class="literal">X</tt> characters.</p>
</dd>

<dt><b>NT LAN Manager (NTLM) Password Hash</b></dt>
<dd>
<p>This is a 32-bit hexadecimal sequence that represents the password Windows NT/2000/XP clients will use. It is derived by hashing the user's password (represented as a 16-bit little-endian Unicode sequence) with an MD4 hash. The password is not converted to upp
ercase letters first.</p>
</dd>

<dt><b>Account Flags</b></dt>
<dd>
<p>This field consists of 11 characters between two square brackets ([ ]). Any of the following characters can appear in any order; the remaining characters should be spaces:</p>

<dl>
<dt><b>U</b></dt>
<dd>
<p>This account is a standard user account.</p>
</dd>

<dt><b>D</b></dt>
<dd>
<p>This account is currently disabled, and Samba should not allow any logins.</p>
</dd>

<dt><b>N</b></dt>
<dd>
<p>This account has no password associated with it.</p>
</dd>

<dt><b>W</b></dt>
<dd>
<p>This is a workstation trust account that can be used to configure Samba as a PDC when allowing Windows NT machines to join its domain.</p>
</dd>

</dl>
</dd>

<dt><b>Last Change Time</b></dt>
<dd>
<p>This code consists of the characters <tt class="literal">LCT-</tt> followed by a hexadecimal representation of the number of seconds since the epoch (midnight on January 1, 1970) that the entry was last changed.
<a name="INDEX-73"/></p>
</dd>

</dl>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-4.3"/>

<h3 class="head2">Password Synchronization</h3>

<p><a name="INDEX-74"/><a name="INDEX-75"/>Having a regular password (either in <em class="filename">/etc/passwd</em> or <em class="filename">/etc/shadow</em>) and an encrypted version of the same password (in the <em class="filename">smbpasswd</em> file) can be troublesome when you need to change both of them. Luckily, Samba affords you a limited ability to keep your passwords synchronized. Samba has a pair of configuration options to update a user's regular Unix password automatically when the encrypted password is changed on the system. The feature can be activated by specifying the <tt class="literal">unix</tt><a name="INDEX-76"/> <tt class="literal">password</tt> <tt class="literal">sync</tt> global configuration option:</p>

<blockquote><pre class="code">[global]
    unix password sync = yes</pre></blockquote>

<p>With this option enabled, Samba attempts to change the user's regular password (as <tt class="literal">root</tt>) when the encrypted version is changed with <em class="filename">smbpasswd</em>. However, two other options have to be set correctly for this to work.</p>

<p>The easier of the two is <tt class="literal">passwd</tt> <tt class="literal">program</tt>. This option simply specifies the Unix command used to change a user's standard system password. It is set to <tt class="literal">/bin/passwd</tt> <tt class="literal">%u</tt> by default. With some Unix systems, this is sufficient, and you do not need to change anything. Others, such as Red Hat Linux, use <em class="emphasis">/usr/bin/passwd</em> instead. In addition, you might want to change this to another program or script at some point in the future.
For example, let's assume that you want to use a script called <em class="emphasis">changepass</em> to change a user's password. Recall that you can use the variable <tt class="literal">%u</tt> to represent the current Unix username. So the example becomes:</p>

<blockquote><pre class="code">[global]
    unix password sync = yes
    passwd program = changepass %u</pre></blockquote>

<p>Note that this program is called as the <tt class="literal">root</tt> user when the <tt class="literal">unix</tt> <tt class="literal">password</tt> <tt class="literal">sync</tt> option is set to <tt class="literal">yes</tt>. This is because Samba does not necessarily have the old plain-text password of the user.</p>

<p>The harder option to configure is <tt class="literal">passwd</tt><a name="INDEX-77"/> <tt class="literal">chat</tt>. The <tt class="literal">passwd</tt> <tt class="literal">chat</tt> option works like a Unix chat script. It specifies a series of strings to send, as well as responses to expect from the program specified by the <tt class="literal">passwd</tt> <tt class="literal">program</tt> option. For example, this is what the default <tt class="literal">passwd</tt> <tt class="literal">chat</tt> looks like. The delimiters are the spaces between each grouping of characters:</p>

<blockquote><pre class="code">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre></blockquote>

<p>The first grouping represents a response expected from the password-changing program. Note that it can contain wildcards (<tt class="literal">*</tt>), which help to generalize the chat programs to handle a variety of similar outputs. Here, <tt class="literal">*old*password*</tt> indicates that Samba is expecting any line from the password program containing the letters <tt class="literal">old</tt> followed by the letters <tt class="literal">password</tt>, without regard for what comes before, after, or between them. If Samba does not receive the expected response, the password change will fail.</p>

<p>The second grouping indicates what Samba should send back once the data in the first grouping has been matched. In this case, you see <tt class="literal">%o\n</tt>. This response is actually two items: the variable <tt class="literal">%o</tt> represents the old password, while the <tt class="literal">\n</tt> is a newline character. So, in effect, this will "type" the old password into the standard input of the password-changing program, and then "press" Enter.</p>

<p>Following that is another response grouping, followed by data that will be sent back to the password-changing program. (In fact, this response/send pattern continues indefinitely in any standard Unix <em class="emphasis">chat</em> script.) The script continues until the final pattern is matched.</p>

<p>You can help match the response strings sent from the password program with the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-6">Table 9-6</a>. In addition, you can use the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-7">Table 9-7</a> to help formulate your response.</p>

<a name="samba2-CHP-9-TABLE-6"/><h4 class="head4">Table 9-6. Password chat response characters</h4><table border="1">
<tr>
<th><p>Character</p></th>
<th><p>Definition</p></th>
</tr>
<tr>
<td><p><tt class="literal">*</tt></p></td>
<td><p>Zero or more occurrences of any character.</p></td>
</tr>
<tr>
<td><p>"<tt class="literal"> </tt>"</p></td>
<td><p>Allows you to include matching strings that contain spaces. Asterisks are still considered wildcards even inside of quotes, and you can represent a null response with empty quotes.</p></td>
</tr>
</table>

<a name="samba2-CHP-9-TABLE-7"/><h4 class="head4">Table 9-7. Password chat send characters</h4><table border="1">
<tr>
<th><p>Character</p></th>
<th><p>Definition</p></th>
</tr>
<tr>
<td><p><tt class="literal">%o</tt></p></td>
<td><p>The user's old password</p></td>
</tr>
<tr>
<td><p><tt class="literal">%n</tt></p></td>
<td><p>The user's new password</p></td>
</tr>
<tr>
<td><p><tt class="literal">\n</tt></p></td>
<td><p>The linefeed character</p></td>
</tr>
<tr>
<td><p><tt class="literal">\r</tt></p></td>
<td><p>The carriage-return character</p></td>
</tr>
<tr>
<td><p><tt class="literal">\t</tt></p></td>
<td><p>The tab character</p></td>
</tr>
<tr>
<td><p><tt class="literal">\s</tt></p></td>
<td><p>A space</p></td>
</tr>
</table>

<p>For example, you might want to change your password chat to the following entry. This handles scenarios in which you do not have to enter the old password.
In addition, this also handles the <tt class="literal">all</tt> <tt class="literal">tokens</tt> <tt class="literal">updated</tt> <tt class="literal">successfully</tt> string that Red Hat Linux sends:</p>

<blockquote><pre class="code">passwd chat = *New password* %n\n *new password* %n\n *success*</pre></blockquote>

<p>Again, the default chat should be sufficient for many Unix systems. If it isn't, you can use the <tt class="literal">passwd</tt> <tt class="literal">chat</tt> <tt class="literal">debug</tt> global option to help you work out a new chat script for the password change program. The <tt class="literal">passwd</tt> <tt class="literal">chat</tt> <tt class="literal">debug</tt> option logs everything sent and received during a password chat. This option is a simple Boolean, as shown here:</p>

<blockquote><pre class="code">[global]
    unix password sync = yes
    passwd chat debug = yes
    log level = 100</pre></blockquote>

<p>After you activate the password chat debug feature, all I/O exchanged through the password chat is written to the <em class="filename">log.smbd</em> Samba log file at debug level 100, which is why we entered a new <tt class="literal">log</tt> <tt class="literal">level</tt> option as well. Because a log level of 100 produces an enormous volume of output from every part of Samba, it can be more efficient to use your own wrapper script, by setting the <tt class="literal">passwd</tt> <tt class="literal">program</tt> option, in place of <em class="filename">/bin/passwd</em> to record what happens during the exchange. Be careful, because in either case the recorded output contains the passwords in plain text. Keeping files containing plain-text passwords can (or <em class="emphasis">should</em>) be against local security policy in your organization, and it also might raise serious legal issues.
Make sure to protect your log files with strict file permissions and to delete them as soon as you've grabbed the information you need. If possible, use the <tt class="literal">passwd</tt> <tt class="literal">chat</tt> <tt class="literal">debug</tt> option only while your own password is being changed.</p>

<p>The operating system on which Samba is running might have strict requirements for valid passwords to make them more impervious to dictionary attacks and the like. Users should be made aware of these restrictions when changing their passwords, because a new password that <em class="emphasis">passwd</em> rejects makes the chat fail, and the SMB password is then left unchanged as well.</p>

<p>Earlier we said that password synchronization is limited. This is because there is no reverse synchronization of the encrypted <em class="filename">smbpasswd</em> file when a standard Unix password is updated by a user. There are various strategies to get around this, including NIS and freely available implementations of the Pluggable Authentication Modules (PAM) standard, but none of them really solves all the problems.</p>

<p>More information regarding passwords can be found in the Samba source distribution file <em class="filename">docs/htmldocs/ENCRYPTION.html</em>.<a name="INDEX-80"/></p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-4.4"/>

<h3 class="head2">Password Configuration Options</h3>

<p><a name="INDEX-81"/><a name="INDEX-82"/>The options in <a href="ch09.html#samba2-CHP-9-TABLE-8">Table 9-8</a> will help you work with passwords in Samba.</p>

<a name="samba2-CHP-9-TABLE-8"/><h4 class="head4">Table 9-8.
Password configuration options</h4><table border="1">
<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>
<tr>
<td><p><tt class="literal">encrypt</tt> <tt class="literal">passwords</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, enables encrypted passwords.</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">unix password</tt> <tt class="literal">sync</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, updates the standard Unix password database when a user changes his encrypted password.</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">passwd chat</tt></p></td>
<td><p>string (chat commands)</p></td>
<td><p>Sequence of commands sent to the password program.</p></td>
<td><p>See earlier section on this option</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">passwd chat</tt> <tt class="literal">debug</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, sends debug logs of the password-change process to the log files with a level of 100.</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">passwd program</tt></p></td>
<td><p>string (Unix command)</p></td>
<td><p>Program to be used to change passwords.</p></td>
<td><p><tt class="literal">/bin/passwd</tt> <tt class="literal">%u</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">password level</tt></p></td>
<td><p>numeric</p></td>
<td><p>Maximum number of capital letters to try in permutations of a plain-text password that fails to match as sent.</p></td>
<td><p><tt class="literal">0</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">update</tt> <tt class="literal">encrypted</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, updates the encrypted password file when a client connects to a share with a plain-text password.</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">null passwords</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, allows access for users with null passwords.</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">smb passwd file</tt></p></td>
<td><p>string (filename)</p></td>
<td><p>Name of the encrypted password file.</p></td>
<td><p><tt class="literal">/usr/local/samba/private/smbpasswd</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">hosts equiv</tt></p></td>
<td><p>string (filename)</p></td>
<td><p>Name of a file that contains hosts and users that can connect without using a password.</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">use rhosts</tt></p></td>
<td><p>Boolean</p></td>
<td><p>If <tt class="literal">yes</tt>, consults each user's <em class="emphasis">.rhosts</em> file to allow the hosts and users listed there to connect without using a password.</p></td>
<td><p><tt class="literal">no</tt></p></td>
<td><p>Global</p></td>
</tr>
</table>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.1"/>

<h3 class="head3">encrypt passwords</h3>

<p>The <tt class="literal">encrypt</tt><a name="INDEX-83"/> <tt class="literal">passwords</tt> global option switches Samba from using plain-text passwords to encrypted passwords for authentication. Encrypted passwords will be expected from clients if the option is set to <tt class="literal">yes</tt>:</p>

<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>

<p>In Samba 2.2.x versions and with previous versions, encrypted passwords are disabled by default. This was changed in Samba 3.0 to make encrypted passwords enabled by default.</p>

<p>If you use encrypted passwords, you must have a valid <em class="filename">smbpasswd</em> file in place and populated with usernames that authenticate with encrypted passwords. (See <a href="ch09.html#samba2-CHP-9-SECT-4.2">Section 9.4.2</a> earlier in this chapter.)
In addition, Samba must know the location of the <em class="filename">smbpasswd</em> file; if it is not in the default location (typically <em class="filename">/usr/local/samba/private/smbpasswd</em>), you can explicitly name it using the <tt class="literal">smb</tt> <tt class="literal">passwd</tt> <tt class="literal">file</tt> option.</p>

<p>If you wish, you can use <tt class="literal">update</tt> <tt class="literal">encrypted</tt> to force Samba to update the <em class="filename">smbpasswd</em> file with encrypted passwords each time a client connects using a nonencrypted password.</p>

<p>If you have a mixture of clients on your network, with some of them using encrypted passwords and others using plain-text passwords, you can use the <tt class="literal">include</tt> option to make Samba treat each client appropriately. To do this, create individual configuration files based on the client name (<tt class="literal">%m</tt>). These host-specific configuration files can contain an <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> option that activates only when those clients are connecting to the server.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.2"/>

<a name="INDEX-84"/><h3 class="head3">unix password sync</h3>

<p>The <tt class="literal">unix</tt> <tt class="literal">password</tt> <tt class="literal">sync</tt> global option allows Samba to update the standard Unix password file when a user changes her encrypted password. The encrypted password is stored on a Samba server in the <em class="filename">smbpasswd</em> file, which is located by default in <em class="filename">/usr/local/samba/private</em>.
You can activate this feature as follows:</p>

<blockquote><pre class="code">[global]
    unix password sync = yes</pre></blockquote>

<p>If this option is enabled, Samba changes the encrypted password and, in addition, attempts to change the standard Unix password by passing the username and new password to the program specified by the <tt class="literal">passwd</tt> <tt class="literal">program</tt> option (described earlier). Note that Samba does not necessarily have access to the user's old plain-text password, so the password changing program must be invoked as <tt class="literal">root</tt>.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> If the Unix password change does not succeed, for whatever reason, the SMB password is not changed either.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.3"/>

<a name="INDEX-85"/><h3 class="head3">passwd chat</h3>

<p>This option specifies a series of send/response strings similar to a Unix chat script, which interface with the password-changing program on the Samba server. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this chapter covers this option in detail.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.4"/>

<h3 class="head3">passwd chat debug</h3>

<p>If set to <tt class="literal">yes</tt>, the <tt class="literal">passwd</tt><a name="INDEX-86"/> <tt class="literal">chat</tt> <tt class="literal">debug</tt> global option logs everything sent or received by Samba during a password chat. All the I/O received by Samba through the password chat is sent to the Samba logs with a debug level of 100; you must specify <tt class="literal">log</tt> <tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">100</tt> for the information to be recorded.
<a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this chapter describes this option in more detail. Be aware that if you do set this option, the plain-text passwords will be visible in the debugging logs, which could be a security hazard if they are not properly secured. It is against the security policy of some organizations for system administrators to have access to users' passwords.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.5"/>

<h3 class="head3">passwd program</h3>

<p>The <tt class="literal">passwd</tt><a name="INDEX-87"/> <tt class="literal">program</tt> option specifies a program on the Unix Samba server that Samba can use to update the standard system password file when the encrypted password file is updated. This option defaults to the standard <em class="emphasis">passwd</em> program, usually located in the <em class="filename">/bin</em> directory. The <tt class="literal">%u</tt> variable is typically used as the requesting user when the command is executed. The actual handling of input and output to this program during execution is handled through the <tt class="literal">passwd</tt> <tt class="literal">chat</tt> option. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this chapter covers this option in detail.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.6"/>

<a name="INDEX-88"/><h3 class="head3">password level</h3>

<p>When plain-text (nonencrypted) passwords are in use, some SMB clients, notably Windows for Workgroups and Windows 95/98, send the password converted entirely to uppercase letters, just like the usernames mentioned previously. Many Unix users, however, choose passwords with both upper- and lowercase letters. By default, Samba tries the password only as the client sent it and then again entirely in lowercase; it does not attempt any other combination of capital letters.</p>

<p>Like <tt class="literal">username</tt> <tt class="literal">level</tt>, a <tt class="literal">password</tt> <tt class="literal">level</tt> option can be used to attempt various permutations of the password with capital letters. This option takes an integer value that specifies the maximum number of letters in the password that should be capitalized when attempting to connect to a share. You can specify this option as follows:</p>

<blockquote><pre class="code">[global]
    password level = 3</pre></blockquote>

<p>In this case, if the password fails to match as sent and in all lowercase, Samba then tries every combination of the lowercase form having one capital letter, then two, and finally three. The larger the number, the more combinations Samba has to try before it can reject a bad password, and the longer a connection to a specific share might take. It also weakens the password check: any password with no more than <tt class="literal">password</tt> <tt class="literal">level</tt> capital letters can be matched by a guess made entirely in lowercase, so use the smallest value that your clients actually require.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.7"/>

<a name="INDEX-89"/><h3 class="head3">update encrypted</h3>

<p>For sites switching over to the encrypted password format, Samba provides an option that should help with the transition. The <tt class="literal">update</tt> <tt class="literal">encrypted</tt> option allows a site to ease into using encrypted passwords from plain-text passwords. You can activate this option as follows:</p>

<blockquote><pre class="code">[global]
    update encrypted = yes</pre></blockquote>

<p>This instructs Samba to create an encrypted version of each user's Unix password in the <em class="filename">smbpasswd</em> file each time she connects to a share.
When this option is enabled, you must have the <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> option set to <tt class="literal">no</tt> so that the client passes plain-text passwords to Samba to update the files. Once each user has connected at least once, you can set <tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt>, allowing you to use only the encrypted passwords. The user must already have a valid entry in the <em class="filename">smbpasswd</em> file for this option to work.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.8"/>

<a name="INDEX-90"/><h3 class="head3">null passwords</h3>

<p>This global option tells Samba whether to allow access from users that have null passwords (encrypted or nonencrypted) set in their accounts. The default value is <tt class="literal">no</tt>. You can override it as follows:</p>

<blockquote><pre class="code">null passwords = yes</pre></blockquote>

<p>We highly recommend against doing so because of the security risks this option can present to your system, including inadvertent access to system users (such as <tt class="literal">bin</tt>) in the system password file who have null passwords set.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.9"/>

<a name="INDEX-91"/><h3 class="head3">smb passwd file</h3>

<p>This global option identifies the location of the encrypted password database. By default, it is set to <em class="filename">/usr/local/samba/private/smbpasswd</em>.
You can override it as follows:</p>

<blockquote><pre class="code">[global]
    smb passwd file = /etc/samba/smbpasswd</pre></blockquote>

<p>This location, for example, is common on many Red Hat distributions on which Samba has been installed using an RPM package. Wherever the file lives, it should be readable and writable by <tt class="literal">root</tt> only, because its contents are password-equivalent: the hashes it stores are exactly what a client presents to authenticate.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.10"/>

<a name="INDEX-92"/><h3 class="head3">hosts equiv</h3>

<p>This global option specifies the name of a standard Unix <em class="filename">hosts.equiv</em> file that allows hosts or users to access shares without specifying a password. You can specify the location of such a file as follows:</p>

<blockquote><pre class="code">[global]
    hosts equiv = /etc/hosts.equiv</pre></blockquote>

<p>The default value for this option does not specify any <em class="filename">hosts.equiv</em> file. Because using a <em class="filename">hosts.equiv</em> file is a huge security risk (trust rests on nothing more than the client's claimed hostname and username, which any host able to spoof a name or address can supply), we strongly recommend against using this option.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.11"/>

<a name="INDEX-93"/><h3 class="head3">use rhosts</h3>

<p>This global option is a Boolean. When it is set to <tt class="literal">yes</tt>, Samba reads each user's <em class="filename">.rhosts</em> file in that user's home directory and allows the foreign hosts and users listed there to access shares without specifying a password. You enable it as follows:</p>

<blockquote><pre class="code">[global]
    use rhosts = yes</pre></blockquote>

<p>The default value for this option is <tt class="literal">no</tt>. Like the <tt class="literal">hosts</tt> <tt class="literal">equiv</tt> option discussed earlier, using such files is a security risk, and here the trust decision is placed in files that each user can edit. We highly recommend that you do not use this option unless you are confident in the security of your network.
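To put numbers on the cost and the weakening that the password level option (described earlier in this section) introduces, the Python program below models the case search it performs. It is an added example, not code from the book or from Samba, and follows the behaviour the smb.conf manual page describes: the password is tried as sent, then, unless the client already sent mixed case, in all lowercase, then for password level N with exactly one, two, and so on up to N of its letters capitalized. The check callback stands in for the comparison against the Unix password, and the passwords used are made up for the example.

```python
"""Model the case search performed by password level. Added example; not from the book or Samba."""
from itertools import combinations
from math import comb


def case_candidates(sent: str, level: int):
    """Yield, in order, every string Samba would try for the client-supplied password `sent`."""
    yield sent                                   # 1. exactly as the client sent it
    if any(c.isupper() for c in sent) and any(c.islower() for c in sent):
        return                                   # mixed case cannot have been mangled by the client
    lower = sent.lower()
    yield lower                                  # 2. all lowercase (level 0 stops here)
    letters = [i for i, c in enumerate(lower) if c.isalpha()]
    for n in range(1, level + 1):                # 3. exactly n letters capitalized, n = 1..level
        for positions in combinations(letters, n):
            chars = list(lower)
            for i in positions:
                chars[i] = chars[i].upper()
            yield "".join(chars)


def match_with_level(sent: str, check, level: int):
    """check(candidate) -> bool stands in for comparing against the Unix password hash.
    Returns (matching_candidate_or_None, number_of_comparisons_made)."""
    attempts = 0
    for candidate in case_candidates(sent, level):
        attempts += 1
        if check(candidate):
            return candidate, attempts
    return None, attempts


def worst_case_attempts(letters: int, level: int) -> int:
    """Comparisons needed to reject a wrong password made of `letters` alphabetic characters."""
    return 2 + sum(comb(letters, n) for n in range(1, level + 1))


if __name__ == "__main__":
    real = "FreD"                                # constructed Unix password with two capitals
    is_real = lambda p: p == real
    # A Windows 95 client sends it upper-cased; levels 0 and 1 never find it, level 2 does.
    for level in (0, 1, 2):
        print(level, match_with_level("FRED", is_real, level))
    # The same search lets an attacker who guesses only "fred" get in once level >= 2:
    print("lowercase guess, level 2:", match_with_level("fred", is_real, 2))
    for length in (6, 8, 12):
        print(f"{length}-letter password, level 3: up to {worst_case_attempts(length, 3)} comparisons")
```

Each comparison is a crypt(3) call on the server, so the worst case (a wrong password) is also the slowest, and every guess an attacker submits in lowercase is expanded into the whole family of capitalizations for free.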
<a name="INDEX-94"/>
<a name="INDEX-95"/><a name="INDEX-96"/></p>

</div>

</div>

</div>

<div class="sect1"><a name="samba2-CHP-9-SECT-5"/>

<h2 class="head1">Authentication with winbind</h2>

<p><a name="INDEX-97"/><a name="INDEX-98"/>In <a href="ch03.html">Chapter 3</a>, we showed you how to add Windows clients to a network in which user accounts were maintained on the Samba server. We added a user account to the Windows client using the same username and password as an account on the Unix system. This method works well in many computing environments. However, if a Samba server is added to a Windows network that already has a Windows NT/2000 primary domain controller, the PDC has a preexisting database of user accounts and group information that is used for authentication. It can be a big chore to transfer that database manually to the Unix server, and later maintain and synchronize the Unix and Windows databases.</p>

<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to add a Samba server as a domain member server to a network having a Windows NT/2000 primary domain controller. We set <tt class="literal">security</tt> <tt class="literal">=</tt> <tt class="literal">domain</tt> in the Samba configuration file to have the Samba server hand off authentication to the Windows PDC. Using that method, passwords are kept only on the PDC, but it is still necessary to set up user accounts on the Unix side to make sure each client has a valid Unix UID and group ID (GID). This is necessary for maintaining the file ownerships and permissions of the Unix security model. Whenever Samba performs an operation on the Unix filesystem on behalf of the Windows client, the user must have a valid UID and GID on the local Unix system.</p>

<p>A facility that has recently been added to Samba, winbind, allows the Windows <a name="INDEX-99"/>PDC to handle not only authentication, but the user and group information as well. Winbind works by extending the Unix user and group databases beyond the standard <em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em> files such that users and groups on the Windows PDC also exist as valid users and groups on the Unix system. The extension applies to the entire Unix system and allows users who are members of a Windows domain to perform any action on the Unix system that a local user would, including logging in to the Unix system by <em class="emphasis">telnet</em> or even on the local system, using their domain usernames and passwords.</p>

<p>When winbind is in use, administration of user accounts can be done on the Windows PDC, without having to repeat the tasks on the Unix side. This includes password expiration and allowing users to change their passwords, which would otherwise not be practical. Aside from simplifying domain administration and being a great time saver, winbind lets Samba be used in computing environments where it otherwise might not be allowed.</p>
<a name="samba2-CHP-9-NOTE-143"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Because this is a chapter on security, we want to point out that some issues might relate to allowing a Windows system to authenticate users accessing a Unix system! Whatever you might think of the relative merits of Unix and Windows security models (and even more importantly, their <em class="emphasis">implementations</em>), one thing is certain: adding winbind support to your Samba server greatly complicates the authentication system overall—and quite possibly allows more opportunities for crackers.</p>

<p>We present winbind in this chapter not as a means of improving security, but rather as a further example of Samba's ability to integrate itself into a modern Windows environment.</p>
</blockquote>

<div class="sect2"><a name="samba2-CHP-9-SECT-5.1"/>

<h3 class="head2">Installing winbind</h3>

<p><a name="INDEX-100"/>Installing and configuring winbind is fairly complicated and involves the following steps:</p>

<ol><li>
<p>Reconfigure, recompile, and reinstall Samba—to add support for winbind.</p>
</li><li>
<p>Configure the Unix name service switch.</p>
</li><li>
<p>Modify the Samba configuration file.</p>
</li><li>
<p>Start and test the <em class="emphasis">winbindd</em> daemon.</p>
</li><li>
<p>Configure the system to start and stop the <em class="emphasis">winbindd</em> daemon automatically.</p>
</li><li>
<p>Optionally, configure PAM for use with winbind.</p>
</li></ol>
<p>At the time this book was written, winbind was supported only on Linux, so all of the following directions are specific to it. Other Unix flavors might be supported at a later time. In addition, we assume you have a Windows NT/2000 primary domain controller running on your network.</p>

<p>First, you will need to configure and compile Samba using the <tt class="literal">--with-winbind</tt> configure option. Directions for doing this are included in <a href="ch02.html">Chapter 2</a> in <a href="ch02.html#samba2-CHP-2-SECT-3">Section 2.3</a>. As usual, run <em class="emphasis">make install</em> to reinstall the Samba binaries.</p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-5.2"/>

<h3 class="head2">Configuring nsswitch</h3>

<p><a name="INDEX-101"/>When Samba is compiled after being configured with the <tt class="literal">--with-winbind</tt> option, the compilation process produces a library called <em class="filename">libnss_winbind.so</em><a name="INDEX-102"/> in the <em class="filename">source/nsswitch</em> directory. This library needs to be copied to the <em class="filename">/lib</em> directory:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>cp nsswitch/libnss_winbind.so /lib</b></tt></pre></blockquote>

<p>Also, a symbolic link must be created for winbind to be fully functional:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</b></tt></pre></blockquote>

<a name="samba2-CHP-9-NOTE-144"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>The name of this symbolic link is correct for Samba 2.2.3 and Red Hat 7.1. The name might change—with a higher version number in the extension—in future releases.
See the <em class="emphasis">winbindd</em> manual page for details.</p>
</blockquote>

<p>Next, we need to modify <em class="filename">/etc/nsswitch.conf</em> to make the lines for <tt class="literal">passwd</tt> and <tt class="literal">group</tt> look like this:</p>

<blockquote><pre class="code">passwd: files winbind
group: files winbind</pre></blockquote>

<p>Then run the following command so that the dynamic linker's cache picks up the newly installed library:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>/sbin/ldconfig</b></tt></pre></blockquote>

<p>What we've just done is reconfigure the Linux name service switch, which allows name service and other lookups to be configured to use the traditional method (files in the <em class="filename">/etc</em> directory) or an extension coded in a library, such as the <em class="filename">libnss_winbind.so</em> library we've just installed. We've specified in our configuration that the system will search for user and group information first in the <em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em> files, and if they are not found there, in the winbind service. Keep <tt class="literal">files</tt> first: local accounts such as <tt class="literal">root</tt> must still resolve when <em class="emphasis">winbindd</em> or the PDC is unavailable.</p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-5.3"/>

<h3 class="head2">Modifying smb.conf</h3>

<p><a name="INDEX-103"/><a name="INDEX-104"/>To use winbind, we must have our Samba server added to the Windows NT domain as a domain member server (as we described in <a href="ch04.html">Chapter 4</a>) and also add some parameters to the Samba configuration file to configure winbind.
In addition to the options required to configure Samba as a domain member server, we need:</p>

<blockquote><pre class="code">[global]
    winbind uid = 10000-20000
    winbind gid = 10000-20000</pre></blockquote>

<p>The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> and <tt class="literal">winbind</tt> <tt class="literal">gid</tt> options tell winbind how to map between Windows relative identifiers (RIDs) and Unix UIDs and GIDs. Windows uses RIDs to identify users and groups within the domain, and to function, the Unix system must have a UID and GID associated with every user and group RID that is received from the Windows primary domain controller. The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> and <tt class="literal">winbind</tt> <tt class="literal">gid</tt> parameters simply provide winbind with a range of UIDs and GIDs, respectively, that are allocated by the system administrator for Windows NT domain users and groups. You can use whatever range you want for each; just make sure the range does not overlap any entries in your <em class="filename">/etc/passwd</em> or <em class="filename">/etc/group</em> files at any time, either now or in the future. It is important to be conservative about this. Once winbind adds an RID-to-UID/GID mapping to its database, it is very difficult to modify the mapping.</p>
<a name="samba2-CHP-9-NOTE-145"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p><a name="INDEX-105"/>The file <em class="filename">/usr/local/samba/locks/winbindd_idmap.tdb</em> holds winbind's RID mappings by default. We suggest you regard this file as extremely sensitive and make sure to guard it carefully against any kind of harm or loss.
If you lose it, you will have to re-create it manually, which can be a very labor-intensive task.</p>
</blockquote>

<a name="samba2-CHP-9-NOTE-145a"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be careful when adding local users after domain users have started accessing the Samba server. The domain users will have entries created for them by winbind in <em class="filename">/etc/passwd</em>, with UIDs in the range you specify. If you are using a method of creating new accounts that automatically assigns UIDs, it might choose UIDs by adding 1 to the highest UID assigned thus far, which will be the most recent UID added by winbind. (This is the case on Red Hat Linux, with the <em class="emphasis">useradd</em> script, for example.) The UID for the new local user will be within the range allocated for winbind, which will have undesired effects. Make sure to add new local users using a method that assigns them UIDs in the proper range. For example, you can use the <em class="emphasis">-u</em> option of <em class="emphasis">useradd</em> to specify the UID to assign to the new user.</p>
</blockquote>

<p>Restart the Samba daemons to put your changes to the configuration file into effect. If you have not already done so while adding your Samba server as a domain member server, you must issue the command:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j </b></tt><em class="replaceable">domain</em><tt class="userinput"><b> -r </b></tt><em class="replaceable">pdc</em><tt class="userinput"><b> -U Administrator</b></tt></pre></blockquote>

<p>as we described in <a href="ch04.html">Chapter 4</a>.
At this point, you can start the <em class="emphasis">winbindd</em> daemon:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>winbindd</b></tt></pre></blockquote>

<p><a name="INDEX-106"/>You might want to run a <em class="emphasis">ps ax</em> command to see that the <em class="emphasis">winbindd</em> daemon is running. Now, to make sure everything we've done up to this point works, we can use Samba's <em class="emphasis">wbinfo</em> command:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -u</b></tt>
METRAN\Administrator
METRAN\bebe
METRAN\Guest
METRAN\jay
METRAN\linda
$ <tt class="userinput"><b>wbinfo -g</b></tt>
METRAN\Domain Admins
METRAN\Domain Guests
METRAN\Domain Users</pre></blockquote>

<p>The <em class="emphasis">-u</em> option queries the domain controller for a list of domain users, and the <em class="emphasis">-g</em> option asks for the list of groups. The output shows that the Samba host system can query the Windows PDC through winbind.</p>

<p>Another thing to check is the list of users and groups, using the <em class="emphasis">getent</em> command:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>getent passwd</b></tt>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
    <i class="lineannotation">... deleted ...</i>
jay:x:500:500:Jay Ts:/home/jay:/bin/bash
rik:x:501:501::/home/rik:/bin/bash
METRAN\Administrator:x:10000:10000::/home/METRAN/administrator:/bin/bash
METRAN\bebe:x:10001:10000:Bebe Larta:/home/METRAN/bebe:/bin/bash
METRAN\Guest:x:10002:10000::/home/METRAN/guest:/bin/bash
METRAN\jay:x:10003:10000:Jay Ts:/home/METRAN/jay:/bin/bash
METRAN\linda:x:10004:10000:Linda Lewis:/home/METRAN/linda:/bin/bash

# <tt class="userinput"><b>getent group</b></tt>
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
    <i class="lineannotation">... deleted ...</i>
jay:x:500:
rik:x:501:
METRAN\Domain Admins:x:10001:METRAN\Administrator
METRAN\Domain Guests:x:10002:METRAN\Guest
METRAN\Domain Users:x:10000:METRAN\Administrator,METRAN\jay,METRAN\linda,METRAN\bebe</pre></blockquote>

<p>This shows that the Linux system is finding the domain users and groups through winbind, in addition to those in the <em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em> files. If this part doesn't work as shown here, with the domain users and groups listed after the local ones, check to make sure you made the symbolic link to <em class="filename">libnss_winbind.so</em> in <em class="filename">/lib</em> correctly.</p>

<p>Now you can try connecting to a Samba share from a Windows system using a domain account. You can either log on to the domain from a Windows NT/2000/XP workstation or use <em class="emphasis">smbclient</em> with the <em class="emphasis">-U</em> option to specify a username.</p>

<a name="samba2-CHP-9-NOTE-147"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
<p>If you get errors while attempting to log on to the domain, it is probably because you had previously configured the client system with a computer account on another domain controller.
Commonly, you get a dialog box that says, "The domain <em class="replaceable">NAME</em> is not available." On a Windows 2000 system, the fix is to log in to the system as an administrative user and open the Control Panel, double-click the System icon, click the Network Identification tab, then click the Properties button. In the dialog that comes up, click the "Workgroup:" radio button and fill in the name of the workgroup (you can use the same name as the domain). Click the OK buttons in the dialogs, and reboot if requested.</p>

<p>This removes the computer account from the primary domain controller. Now log in again as the administrative user and repeat the previous directions, but change from the workgroup back to the domain. This creates a new computer account that "fits" the workstation to the new primary domain controller. If your network has backup domain controllers, it will take up to 15 minutes for the new computer account to propagate to the BDCs.</p>

<p>If you are using Windows NT/XP, the method is slightly different. For the exact procedure, see the section in <a href="ch04.html">Chapter 4</a> that is specific to your Windows version.</p>
</blockquote>

<p>After logging in as a domain user, try creating a file or two in a Samba share. (You might need to change the permissions on the shared directory—say, to 777—to allow this access. This is very permissive, but after you finish reading this section, you will understand how to change ownership and permissions on the directory to restrict access to selected domain users.) After you've created files by one or more domain users, take a look at the directory's contents from a Linux shell.
You will see something like this:</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /u</b></tt>
-rwxrw-rw-    1 METRAN\b METRAN\D        0 Apr 13 00:00 bebes-file.doc
-rwxrw-rw-    1 METRAN\l METRAN\D        0 Apr 12 23:58 lindas-file.doc
drwxrwxr-x    6 jay      jay          4096 Jan 15 05:12 snd
$ <tt class="userinput"><b>ls -ln /u</b></tt>
total 4
-rwxrw-rw-    1 10001    10000           0 Apr 13 00:00 bebes-file.doc
-rwxrw-rw-    1 10004    10000           0 Apr 12 23:58 lindas-file.doc
drwxrwxr-x    6 500      500          4096 Jan 15 05:12 snd</pre></blockquote>

<p>We can even use the domain usernames and groups from the Linux shell:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /u</b></tt>
# <tt class="userinput"><b>ls -ldu /u</b></tt>
drwxrwxrwx    3 METRAN\l METRAN\D     4096 Apr 13 00:44 /u
# <tt class="userinput"><b>ls -ldn /u</b></tt>
drwxrwxrwx    3 10004    10000        4096 Apr 13 00:00 /u</pre></blockquote>

<p>Notice how the owner and group are listed as being those of the domain user and group. Unfortunately, the GNU <em class="emphasis">ls</em> command won't show the full names of the domain users and groups, but we can use the <em class="emphasis">-ln</em> listing to show the UIDs and GIDs and then translate with the <em class="emphasis">wbinfo</em> command (<em class="emphasis">-U</em> and <em class="emphasis">-G</em> convert a UID or GID to its Windows SID, and <em class="emphasis">-s</em> converts that SID to a name; the trailing number is the SID type, 1 for a user and 2 for a domain group):</p>

<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -s `wbinfo -U 10004`</b></tt>
METRAN\LINDA 1
$ <tt class="userinput"><b>wbinfo -s `wbinfo -G 10000`</b></tt>
METRAN\Domain Users 2</pre></blockquote>

<p>(It's a bit messy, but it works, and it shows that the winbind system is working!) At this point, you might want to modify your <em class="filename">/etc/rc.d/init.d/smb</em> script to start and stop the <em class="emphasis">winbindd</em> daemon automatically along with the <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em> daemons.
Starting with the script we presented in <a href="ch02.html">Chapter 2</a>, we first add this code to the <em class="emphasis">start( )</em> function:</p>

<blockquote><pre class="code">echo -n $"Starting WINBIND services: "
/usr/local/samba/bin/winbindd
ERROR2=$?
if [ $ERROR2 -ne 0 ]
then
    ERROR=1
fi
echo</pre></blockquote>

<p>The previous code should be located after the code that starts <em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em> statement.</p>

<a name="samba2-CHP-9-NOTE-148"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
<p>We start <em class="emphasis">winbindd</em> after <em class="emphasis">nmbd</em> because <em class="emphasis">winbindd</em> needs <em class="emphasis">nmbd</em> to be running to work properly.</p>
</blockquote>

<p>In the <tt class="function">stop( )</tt> function, we add the following:</p>

<blockquote><pre class="code">echo -n $"Shutting down WINBIND services: "
/bin/kill -TERM -a winbindd
ERROR2=$?
if [ $ERROR2 -ne 0 ]
then
    ERROR=1
fi
echo</pre></blockquote>

<p>Again, this code should be located after the code that stops <em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em> statement. <a name="INDEX-107"/></p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-5.4"/>

<h3 class="head2">Configuring PAM</h3>

<p><a name="INDEX-108"/>Most popular Linux distributions use <a name="INDEX-109"/>Pluggable Authentication Modules (PAM), a suite of shared libraries that provide a centralized source of authentication for applications running on the Unix system. PAM can be configured differently for each application (or service) that uses it, without needing to recompile the application.
As a hypothetical example, if an organization's security policy mandated the use of passwords exactly 10 characters in length, a PAM module could be written to check the length of passwords submitted by users and reject any attempts to use a longer or shorter password. PAM would then be reconfigured to include the new module for services such as <em class="emphasis">ftp</em>, console login, and GUI login that call upon PAM to authenticate users.</p>

<p>If you are not already familiar with PAM, we suggest you read the documentation provided with the Linux PAM package before continuing. On most Linux systems, it is located in the <em class="filename">/usr/share/doc</em> directory hierarchy. Another resource is the <em class="citetitle">Linux-PAM System Administrator's Guide</em><a name="INDEX-110"/>, which you can find on the Internet at <a href="http://www.kernel.org/pub/linux/libs/pam">http://www.kernel.org/pub/linux/libs/pam</a>.</p>

<p>The rest of this section is about using the PAM module provided in the Samba distribution to enable Windows domain users to authenticate on the Linux system hosting Samba. Depending on which services you choose to configure, this allows Windows domain users to log in on a local console (or through <em class="emphasis">telnet</em>), log in to a GUI desktop on the Linux system, authenticate with an FTP server running on the Linux system, or use other services normally limited to users who have an account on the Linux system. The PAM module authenticates Windows domain users by querying winbind, which passes the authentication off to a Windows NT domain controller.</p>

<p>As an example, we will show how to allow Windows domain users to log in to a text console on the Linux system and get a command shell and home directory.
The method used in our example can be applied (with variations) to other services.</p>

<p>All users who can log in to the Linux system need a shell and a home directory. Unix and Linux keep this user information in the password file (<em class="filename">/etc/passwd</em>), but information about Windows users isn't located there. Instead, in the Samba configuration file, we add the following to notify winbind what the shell and home directory for Windows domain users will be:</p>

<blockquote><pre class="code">[global]
    template shell = /bin/bash
    template homedir = /home/%D/%U</pre></blockquote>

<p>The first line sets the <tt class="literal">template</tt><a name="INDEX-111"/> <tt class="literal">shell</tt> parameter, which tells winbind what shell to use for domain users that are logging in to the Unix host. The <tt class="literal">template</tt><a name="INDEX-112"/> <tt class="literal">homedir</tt> parameter specifies the location of users' home directories. The <tt class="literal">%D</tt> variable is replaced by the name of the domain in which the user's account resides, and <tt class="literal">%U</tt> is replaced by the user's username in that domain.</p>

<p>Before the domain users can successfully log in, their home directories must be created manually.
To create the home directory for a single account, <tt class="literal">linda</tt> in the METRAN domain, we would use these commands:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/METRAN</b></tt>
# <tt class="userinput"><b>chmod 755 /home/METRAN</b></tt>

# <tt class="userinput"><b>mkdir /home/METRAN/linda</b></tt>
# <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /home/METRAN/linda</b></tt>
# <tt class="userinput"><b>chmod 700 /home/METRAN/linda</b></tt></pre></blockquote>
<a name="samba2-CHP-9-NOTE-149"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>One side effect of creating the home directories is that if the Samba server is configured with a <tt class="literal">[homes]</tt> share, the domain users can see and access their home directories through Samba's file sharing.</p>
</blockquote>

<p>Next, we need to compile and install the PAM module in the Samba distribution. From the source directory in the Samba distribution, issue the following commands:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>make nsswitch/pam_winbind.so</b></tt>
# <tt class="userinput"><b>cp nsswitch/pam_winbind.so /lib/security</b></tt></pre></blockquote>

<p>and check that it was copied over correctly:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>ls /lib/security/pam_winbind.so</b></tt>
/lib/security/pam_winbind.so</pre></blockquote>

<p>On Red Hat Linux, the PAM configuration files reside in <em class="filename">/etc/pam.d</em>.
Before making any modifications, we strongly advise making a backup of this directory:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>cp -pR /etc/pam.d /etc/pam.d.backup</b></tt></pre></blockquote>

<p>The reason for this is that we will be modifying the Linux system's means of authenticating logins, and if our configuration goes awry, all users (including <tt class="literal">root</tt>) will be locked out of the system. In case the worst happens, we would reboot into single-user mode (by typing <tt class="literal">linux</tt> <tt class="literal">single</tt> at the LILO: prompt) or boot a rescue disk, and then we would issue these two commands:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>mv /etc/pam.d /etc/pam.d.bad</b></tt>
# <tt class="userinput"><b>mv /etc/pam.d.backup /etc/pam.d</b></tt></pre></blockquote>

<p>Be very careful to make sure you can recover from any errors you make, because when PAM encounters configuration information it doesn't understand, it denies access. This means you must be sure to enter everything correctly! You might want to leave yourself logged in as root on a spare virtual terminal while you are modifying your PAM configuration to ensure yourself a means of easy recovery.</p>

<p>In the <em class="filename">/etc/pam.d</em> directory, you will encounter a file for each service that uses PAM. We are interested only in the file corresponding to the login service, which is called <em class="filename">login</em>.
It contains the following lines:</p>

<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so</pre></blockquote>

<p>The lines starting with <tt class="literal">auth</tt> are related to the function of authentication—that is, printing a password prompt, accepting the password, verifying that it is correct, and matching the user to a valid user and group ID. The line starting with <tt class="literal">account</tt> is for account management, which allows access to be controlled by other factors, such as what times during the day a user is allowed access. We are not concerned with the lines starting with <tt class="literal">password</tt> or <tt class="literal">session</tt> because winbind does not add to either of those functions.</p>

<p>The third column lists the PAM module, possibly with arguments, that is called in for the task. The <em class="filename">pam_stack.so</em><a name="INDEX-113"/> module has been added by Red Hat to act somewhat like a macro or a subroutine. It calls the file in the <em class="filename">pam.d</em> directory named by the service argument. In this case, the file <em class="filename">/etc/pam.d/system-auth</em> contains a common set of lines that are used as a default for many services.
Because we want to customize the login service for winbind, we first replace the <em class="filename">pam_stack.so</em> lines for <tt class="literal">auth</tt> and <tt class="literal">account</tt> with the <tt class="literal">auth</tt> and <tt class="literal">account</tt> lines from <em class="filename">/etc/pam.d/system-auth</em>. This yields:</p>

<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
<b class="emphasis-bold">auth       required     /lib/security/pam_env.so</b>
<b class="emphasis-bold">auth       sufficient   /lib/security/pam_unix.so likeauth nullok</b>
<b class="emphasis-bold">auth       required     /lib/security/pam_deny.so</b>
auth       required     /lib/security/pam_nologin.so
<b class="emphasis-bold">account    required     /lib/security/pam_unix.so</b>
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so</pre></blockquote>

<p>To add winbind support, we need to add a line in both the <tt class="literal">auth</tt> and <tt class="literal">account</tt> sections to call the <em class="filename">pam_winbind.so</em><a name="INDEX-114"/> module:</p>

<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
<b class="emphasis-bold">auth       sufficient   /lib/security/pam_winbind.so</b>
auth       sufficient   /lib/security/pam_unix.so <b class="emphasis-bold">use_first_pass</b> likeauth nullok
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
<b class="emphasis-bold">account    sufficient   /lib/security/pam_winbind.so</b>
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so</pre></blockquote>
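<p>To see how the control flags in this stack combine, here is an added model of the walk Linux-PAM makes through the <tt class="literal">auth</tt> and <tt class="literal">account</tt> lines above; it is illustration code written for this section, not part of Samba or Linux-PAM. It assumes two constructed account tables standing in for winbindd's view of the METRAN domain and the local password file, treats <em class="filename">pam_securetty.so</em>, <em class="filename">pam_env.so</em> and <em class="filename">pam_nologin.so</em> as passing, and counts password prompts so the effect of <tt class="literal">use_first_pass</tt> is visible.</p>

```python
"""Model of how Linux-PAM walks the auth and account stacks shown above.
Added illustration, not Samba or Linux-PAM code; the two dictionaries are
constructed sample data (what pam_winbind learns from winbindd, what
pam_unix finds in the local password file)."""
from collections import namedtuple

DOMAIN_USERS = {"METRAN\\linda": "lindas-secret", "METRAN\\bebe": "bebes-secret"}
LOCAL_USERS = {"jay": "jays-secret", "rik": "riks-secret"}

# The finished /etc/pam.d/login auth and account lines, used verbatim as input.
LOGIN_STACK = """\
auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
auth       sufficient   /lib/security/pam_winbind.so
auth       sufficient   /lib/security/pam_unix.so use_first_pass likeauth nullok
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
account    sufficient   /lib/security/pam_winbind.so
account    required     /lib/security/pam_unix.so
"""
# The same stack before use_first_pass was added to pam_unix.so.
LOGIN_STACK_TWO_PROMPTS = LOGIN_STACK.replace("use_first_pass ", "")

Entry = namedtuple("Entry", "kind control module args")  # one pam.d line

def parse_stack(text, kind):
    """Return the entries of one stack type ("auth" or "account") in file order."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[0] == kind:
            module = fields[2].rsplit("/", 1)[-1]          # basename, e.g. pam_unix.so
            entries.append(Entry(kind, fields[1], module, tuple(fields[3:])))
    return entries

def _password(handle, args, prompt):
    """Reuse the token an earlier module stored if use_first_pass is set, else prompt."""
    if "use_first_pass" in args and handle["authtok"] is not None:
        return handle["authtok"]
    handle["authtok"] = prompt()
    return handle["authtok"]

# Simplified module behaviour: securetty/env/nologin are assumed to pass
# (console tty, no /etc/nologin); pam_deny always fails.
AUTH_MODULES = {
    "pam_securetty.so": lambda h, a, p: True,
    "pam_env.so": lambda h, a, p: True,
    "pam_nologin.so": lambda h, a, p: True,
    "pam_deny.so": lambda h, a, p: False,
    "pam_winbind.so": lambda h, a, p: DOMAIN_USERS.get(h["user"]) == _password(h, a, p),
    "pam_unix.so": lambda h, a, p: LOCAL_USERS.get(h["user"]) == _password(h, a, p),
}
ACCOUNT_MODULES = {
    "pam_winbind.so": lambda h, a, p: h["user"] in DOMAIN_USERS,
    "pam_unix.so": lambda h, a, p: h["user"] in LOCAL_USERS,
}

def run_stack(config_text, kind, user, typed_passwords=()):
    """Walk one stack as Linux-PAM does; returns (granted, prompts_shown).
    A failing required module makes the result a failure but the rest still run;
    a passing sufficient module ends the stack with success unless a required
    module already failed; a stack where nothing decided anything is a denial."""
    modules = AUTH_MODULES if kind == "auth" else ACCOUNT_MODULES
    handle = {"user": user, "authtok": None}
    typed = iter(typed_passwords)
    prompts = 0

    def prompt():
        nonlocal prompts
        prompts += 1
        return next(typed, "")   # an empty answer once the user has nothing left to type

    final = None
    for entry in parse_stack(config_text, kind):
        ok = modules[entry.module](handle, entry.args, prompt)
        if entry.control == "sufficient":
            if ok and final is not False:
                return True, prompts
        elif entry.control == "required":
            if not ok:
                final = False
            elif final is None:
                final = True
        else:
            raise ValueError("control flag not modelled: " + entry.control)
    return final is True, prompts

def login(config_text, user, typed_passwords):
    """auth followed by account, as login(1) does; returns (granted, prompts_shown)."""
    ok, prompts = run_stack(config_text, "auth", user, typed_passwords)
    if ok:
        ok, _ = run_stack(config_text, "account", user)
    return ok, prompts

if __name__ == "__main__":
    for user, pw in (("METRAN\\linda", "lindas-secret"), ("jay", "jays-secret"),
                     ("jay", "wrong"), ("nobody", "x")):
        print(user, login(LOGIN_STACK, user, [pw]))
    # Without use_first_pass the local user is asked for the password twice.
    print("jay, old stack", login(LOGIN_STACK_TWO_PROMPTS, "jay", ["jays-secret"] * 2))
```

The domain user is accepted at pam_winbind and never reaches pam_unix, the local user is refused by pam_winbind and accepted by pam_unix with one prompt, and an unknown name or wrong password falls through to pam_deny.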

<p>The keywords <tt class="literal">required</tt> and <tt class="literal">sufficient</tt> in the second column are significant. The keyword <tt class="literal">required</tt> specifies that the result returned by the module (either to pass or fail the authentication) must be taken into account: if the module fails, the final result is a failure, although the remaining lines are still processed. The keyword <tt class="literal">sufficient</tt> specifies that if the module successfully authenticates the user (and no earlier <tt class="literal">required</tt> module has failed), no further lines need to be processed. By specifying <tt class="literal">sufficient</tt> for the <em class="filename">pam_winbind.so</em> module, we let winbind attempt to authenticate users, and if it succeeds, the PAM system returns to the application. If the <em class="filename">pam_winbind.so</em> module doesn't find the user or the password does not match, the PAM system continues with the next line, which performs authentication according to the usual Linux user authentication. This way, both domain users and local users can log in.</p>

<p>Notice that we also added the <tt class="literal">use_first_pass</tt> argument to the <em class="filename">pam_unix.so</em> module in the <tt class="literal">auth</tt> section. By default, both the <em class="filename">pam_winbind.so</em> and <em class="filename">pam_unix.so</em> modules print a password prompt and accept a password. In cases where users are logging in to the Linux system using their local accounts, this would require them to enter their password twice.
The <tt class="literal">use_first_pass</tt> argument tells the <em class="filename">pam_unix.so</em> module to reuse the password that was given to the <em class="filename">pam_winbind.so</em> module, which results in users having to enter the password only once.</p>

<p>After modifying the <em class="filename">login</em> configuration file, switch to a spare virtual console and make sure you can still log in using a regular Linux account. If not, check your modifications carefully and try again until you get it right. Then log in using a domain user account from the Windows PDC database to check that the winbind authentication works. You will need to specify the username in <em class="replaceable">DOMAIN</em>\<em class="replaceable">user</em> format, like this:</p>

<blockquote><pre class="code">login: <tt class="userinput"><b>METRAN\linda</b></tt>
Password:</pre></blockquote>

<p>More information on configuring winbind can be found in the Samba source distribution file <em class="filename">docs/htmldocs/winbind.html</em>, and in the <em class="emphasis">winbindd</em> manual page. If you would like to learn more about configuring PAM, we recommend the web page <a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> as a starting place. Some of the documentation for Linux PAM, including Red Hat's extensions, can also be found on Red Hat Linux in <em class="filename">/usr/share/doc/pam-</em><em class="replaceable">version</em>.
<a name="INDEX-115"/></p>

</div>

<div class="sect2"><a name="samba2-CHP-9-SECT-5.5"/>

<h3 class="head2">winbind Configuration Options</h3>

<p><a href="ch09.html#samba2-CHP-9-TABLE-9">Table 9-9</a> <a name="INDEX-116"/><a name="INDEX-117"/>summarizes some commonly used options that you can use to configure winbind.</p>

<a name="samba2-CHP-9-TABLE-9"/><h4 class="head4">Table 9-9. winbind options</h4><table border="1">
<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>
<tr>
<td><p><tt class="literal">winbind</tt> <tt class="literal">separator</tt></p></td>
<td><p>string (single character)</p></td>
<td><p>Character to use as a separator in domain usernames and group names</p></td>
<td><p>Backslash (<tt class="literal">\</tt>)</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">winbind uid</tt></p></td>
<td><p>string (numeric range)</p></td>
<td><p>Range of UIDs for RID-to-UID mapping</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">winbind gid</tt></p></td>
<td><p>string (numeric range)</p></td>
<td><p>Range of GIDs for RID-to-GID mapping</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">winbind cache time</tt></p></td>
<td><p>numeric</p></td>
<td><p>Number of seconds the <em class="emphasis">winbindd</em> daemon caches user and group data</p></td>
<td><p><tt class="literal">15</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">template</tt> <tt class="literal">homedir</tt></p></td>
<td><p>string (directory name)</p></td>
<td><p>Directory to be used as the home directory of the logged-in domain user</p></td>
<td><p><tt class="literal">/home/%D/%U</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">template</tt> <tt class="literal">shell</tt></p></td>
<td><p>string (command name)</p></td>
<td><p>The program to use as the logged-in domain user's shell</p></td>
<td><p><tt class="literal">/bin/false</tt></p></td>
<td><p>Global</p></td>
</tr>
</table>

<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.1"/>

<a name="INDEX-118"/><h3 class="head3">winbind separator</h3>

<p>On Windows systems, the backslash (<tt class="literal">\</tt>) is commonly used as a separator in file names, UNCs, and the names of domain users and groups. For example, an account in the METRAN domain with a username of <tt class="literal">linda</tt> would be written as <tt class="literal">METRAN\linda</tt>. On Unix systems, the backslash is commonly used as a metacharacter for quoting, so the account would have to be specified as <tt class="literal">METRAN\\linda</tt> or '<tt class="literal">METRAN\linda</tt>'. The <tt class="literal">winbind</tt> <tt class="literal">separator</tt> parameter allows another character to be used instead of the backslash character, making it much easier to type in domain user and group names. For example, with:</p>

<blockquote><pre class="code">[global]
    winbind separator = +</pre></blockquote>

<p>the aforementioned account could be written simply as <tt class="literal">METRAN+linda</tt> on the Unix host, making it unnecessary to use additional backslashes or single quotes.
Winbind then uses the same format for reporting domain user and group names.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.2"/>

<a name="INDEX-119"/><h3 class="head3">winbind uid</h3>

<p>As part of <em class="emphasis">winbindd</em>'s task of letting Windows NT domain users function as local users on the Unix host, <em class="emphasis">winbindd</em> supplies a Unix UID that is linked to the Windows RID of the domain user. The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> parameter allows the Unix system administrator to allocate a range of UIDs for this purpose. It is very important that this range not overlap any UIDs used for other purposes on the Unix system, so we recommend you begin your range at a very high number, one much larger than the number of local users and NIS users that will ever exist. For example, <tt class="literal">winbind</tt> <tt class="literal">uid</tt> might be defined as:</p>

<blockquote><pre class="code">[global]
    winbind uid = 10000-15000</pre></blockquote>

<p>on a system that would never have more than 9,999 local and NIS users, or for that matter, any other entries in <em class="filename">/etc/passwd</em> that would use up another UID. Because the example allocates 5,000 UIDs to <em class="emphasis">winbindd</em>, the assumption is that there will never be more than 5,000 domain users accessing the Samba host.</p>

<p>If your method for adding new local users to the system assigns UIDs automatically, make sure it does not assign them within the range of UIDs allocated to winbind.
This might happen if the algorithm used adds 1 to the highest UID assigned thus far.</p>

<p>There is no default for <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, so you must specify it in your Samba configuration file for winbind to work.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.3"/>

<a name="INDEX-120"/><h3 class="head3">winbind gid</h3>

<p>This option works like <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, except that it is for allocating a range of GIDs for use with <em class="emphasis">winbindd</em>. You might not need to allocate as many GIDs as UIDs because you probably have relatively few domain groups that need corresponding GIDs. (In many cases, users are all members of the Domain Users group, requiring only one GID.) However, it is best to play it safe, so make sure to allocate many more GIDs than you think you will need.</p>

<p>As with <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, if you are using a method of adding new local users to your Unix host that automatically assigns GIDs, either make sure the method used doesn't conflict with winbind or set the GIDs manually.</p>

<p>There is no default for <tt class="literal">winbind</tt> <tt class="literal">gid</tt>, so you must specify it in your Samba configuration file for winbind to work.</p>

</div>

<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.4"/>

<a name="INDEX-121"/><h3 class="head3">winbind cache time</h3>

<p>The <em class="emphasis">winbindd</em> daemon maintains a cache of user and group data that has been retrieved from the Windows PDC to reduce network queries and increase performance.
The <tt class="literal">winbind</tt> <tt class="literal">cache</tt> <tt class="literal">time</tt> parameter sets the amount of time (in seconds) <em class="emphasis">winbindd</em> can use the cached data before querying the PDC to check for an update. By default, this interval is set to 15 seconds. This means that when any part of a user or group account on the PDC is modified, it can take up to 15 seconds for <em class="emphasis">winbindd</em> to update its own database.</p>


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.5"/>

<a name="INDEX-122"/><h3 class="head3">template homedir</h3>

<p>When the local Unix system is configured to allow domain users to log in, each user must be provided with a home directory for many programs, including command shells, to function properly. The <tt class="literal">template</tt> <tt class="literal">homedir</tt> option is used to set the name of the home directory. In the name of the directory, <tt class="literal">%D</tt> is replaced by the name of the Windows NT domain the user is in, and <tt class="literal">%U</tt> is replaced by the user's username. By default, <tt class="literal">template</tt> <tt class="literal">homedir</tt> is set to <tt class="literal">/home/%D/%U</tt>, which works fine for a network in which there might be more than one Windows NT domain, and it is possible for different people in different domains to have the same username. 
If you are sure you will never have more than one Windows NT domain on your network, or you have more than one domain but know for sure that each user has the same username in every domain, you might prefer to set <tt class="literal">template</tt> <tt class="literal">homedir</tt> like this:</p>

<blockquote><pre class="code">[global]
    template homedir = /home/%U</pre></blockquote>


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.6"/>

<a name="INDEX-123"/><h3 class="head3">template shell</h3>

<p>This option specifies the program to use as the shell for domain users who are logged in to the Unix host. By default, it is set to <em class="emphasis">/bin/false</em>, which effectively prevents domain users from logging in. If you wish to allow logins for domain users, set <tt class="literal">template</tt> <tt class="literal">shell</tt> to a valid command shell (or other program) that you want to act as the textual interface the domain users will receive when logged in. A common setting on Linux would be:</p>

<blockquote><pre class="code">[global]
    template shell = /bin/bash</pre></blockquote>

<p>which would give users the Bash shell for their interactive login sessions. 
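
The warning earlier in this section about the <tt class="literal">winbind uid</tt> and <tt class="literal">winbind gid</tt> ranges colliding with UIDs and GIDs already in use can be checked mechanically. The following script is an added example, not code from this book or from the Samba project: it reads both ranges from a constructed <em class="filename">smb.conf</em> excerpt, reports every entry in constructed <em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em> excerpts whose ID falls inside them, and fails when either parameter is missing, since neither has a default.

```python
"""Check that the winbind uid/gid ranges in smb.conf do not collide with local
accounts.  Added example, not Samba code; all file contents below are constructed."""
import re

SMB_CONF = """\
[global]
    workgroup = EXAMPLE
    winbind uid = 10000-15000
    winbind gid = 10000-12000
"""
# Constructed /etc/passwd and /etc/group excerpts.  The service account at
# 10042 is the kind of entry a "highest UID + 1" scheme can place in the range.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
dave:x:1000:1000:Dave:/home/dave:/bin/bash
backup:x:10042:10042:Backup service:/var/backup:/bin/false
"""
GROUP = """\
root:x:0:
dave:x:1000:
backup:x:10042:
"""

def winbind_range(conf, param):
    """Return (low, high) for 'winbind uid' or 'winbind gid' from conf text.
    Raise ValueError if absent: these parameters have no default in Samba."""
    pattern = r'^\s*%s\s*=\s*(\d+)\s*-\s*(\d+)\s*$' % re.escape(param)
    m = re.search(pattern, conf, re.MULTILINE | re.IGNORECASE)
    if m is None:
        raise ValueError('%s is not set; winbindd requires it' % param)
    low, high = int(m.group(1)), int(m.group(2))
    if low > high:
        raise ValueError('%s: %d-%d is not a valid range' % (param, low, high))
    return low, high

def local_ids(db):
    """Numeric IDs (third colon-separated field) of a passwd- or group-style file."""
    return {int(line.split(':')[2]) for line in db.splitlines() if line.strip()}

def check_range(conf, param, db):
    """Return the sorted list of existing IDs inside the configured range,
    i.e. the overlaps the text warns against.  An empty list means no overlap."""
    low, high = winbind_range(conf, param)
    return sorted(i for i in local_ids(db) if low <= i <= high)

if __name__ == '__main__':
    for param, db in (('winbind uid', PASSWD), ('winbind gid', GROUP)):
        clash = check_range(SMB_CONF, param, db)
        print(param, 'OK' if not clash else 'overlaps local IDs %s' % clash)
```

Substitute the contents of the live files to audit a real host before starting winbindd.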
<a name="INDEX-124"/><a name="INDEX-125"/> <a name="INDEX-126"/><a name="INDEX-127"/></p>


</div>


</div>


</div>

<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Having both encrypted and nonencrypted password clients on your network is one of the reasons why Samba allows you to include (or not include) various options in the Samba configuration file based on the client operating system or machine name variables.</p> <a name="FOOTNOTE-2"/>
<p><a href="#FNPTR-2">[2]</a> This is because the Unix <em class="emphasis">passwd</em> program, which is the usual target for this operation, allows <tt class="literal">root</tt> to change a user's password without the security restriction that requests the old password of that user.</p> </blockquote><hr/></body></html>