1<html>
2<body bgcolor="#ffffff">
3
4<img src="samba2_xs.gif" border="0" alt=" " height="100" width="76"
5hspace="10" align="left" />
6
7<h1 class="head0">Chapter 9. Users and Security</h1>
8
9 
10
11<p><a name="INDEX-1"/>In this chapter, we
12cover the basic concepts of managing security in Samba so that you
13can set up your Samba server with a security policy suited to your
14network.</p>
15
16<p>One of Samba's most complicated tasks lies in
17reconciling the security models of Unix and Windows systems. Samba
18must identify users by associating them with valid usernames and
19groups, authenticate them by checking their passwords, then control
20their access to resources by comparing their access rights to the
21permissions on files and directories. These are complex topics on
22their own, and it doesn't help that there are three
23different operating system types to deal with (Unix, Windows
2495/98/Me, and Windows NT/2000/XP) and that Samba supports multiple
25methods of handling user authentication.</p>
26
27
28
29<div class="sect1"><a name="samba2-CHP-9-SECT-1"/>
30
31<h2 class="head1">Users and Groups</h2>
32
33<p><a name="INDEX-2"/>Let's start
34out as simply as possible and add support for a single user. The
35easiest way to set up a client user is to create a Unix account (and
36home directory) for that individual on the server and notify Samba of
37the user's existence. You can do the latter by
38creating a disk share that maps to the user's home
39directory in the Samba configuration file and restricting access to
40that user with the <tt class="literal">valid</tt><a name="INDEX-3"/>
41<tt class="literal">users</tt> option. For example:</p>
42
43<blockquote><pre class="code">[dave]
44        path = /home/dave
45        comment = Dave's home directory
46        writable = yes
47        valid users = dave</pre></blockquote>
48
49<p>The <tt class="literal">valid</tt> <tt class="literal">users</tt> option lists
50the users allowed to access the share. In this case, only the user
51<tt class="literal">dave</tt> is allowed to access the share. In some
52situations it is possible to specify that any user can access a disk
53share by using the <tt class="literal">guest</tt> <tt class="literal">ok</tt>
54parameter. Because we don't wish to allow guest
55access, that option is absent here. If you allow both authenticated
56users and guest users access to the same share, you can make some
57files accessible to guest users by assigning world-readable
58permissions to those files while restricting access to other files to
59particular users or groups.</p>
60
61<p>When client users access a Samba share, they have to pass two levels
62of restriction. Unix permissions on files and directories apply as
63usual, and configuration parameters specified in the Samba
64configuration file apply as well. In other words, a client must first
65pass Samba's security mechanisms (e.g.,
66authenticating with a valid username and password, passing the check
67for the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter
68and the <tt class="literal">read</tt> <tt class="literal">only</tt> parameter,
69etc.), as well as the normal Unix file and directory permissions of
70its Unix-side user, before it can gain read/write access to a share.</p>
71
72<p>Remember that you can abbreviate the user's home
73directory by using the <tt class="literal">%H</tt><a name="INDEX-4"/> variable. In addition, you can use the
74Unix username variable <tt class="literal">%u</tt><a name="INDEX-5"/> and/or the client username variable
75<tt class="literal">%U</tt><a name="INDEX-6"/> in your options as well. For
76example :</p>
77
78<blockquote><pre class="code">[dave]
79    comment = %U home directory
80    writable = yes
81    valid users = dave
82    path = %H</pre></blockquote>
83
84<p>With a single user accessing a home directory, access permissions are
85taken care of when the user account is created. The home directory is
86owned by the user, and permissions on it are set appropriately.
87However, if you're creating a shared directory for
88group access, you need to perform a few more steps.
89Let's take a stab at a
90<a name="INDEX-7"/>group share for the
91accounting department in the <em class="emphasis">smb.conf</em> file:</p>
92
93<blockquote><pre class="code">[accounting]
94    comment = Accounting Department Directory
95    writable = yes
96    valid users = @account
97    path = /home/samba/accounting
98    create mode = 0660
99    directory mode = 0770</pre></blockquote>
100
101<p>The first thing we did differently is to specify
102<tt class="literal">@account</tt> as the valid user instead of one or more
103individual usernames. This is shorthand for saying that the valid
104users are represented by the Unix group <tt class="literal">account</tt>.
105These users will need to be added to the group entry
106<tt class="literal">account</tt> in the
107<a name="INDEX-8"/><a name="INDEX-9"/>system group file (
108<em class="filename">/etc/group</em><a name="INDEX-10"/>
109or equivalent) to be recognized as part of the group. Once they are,
110Samba will recognize those users as valid users for the share.</p>
111
112<p>In addition, you need to create a shared directory that the members
113of the group can access and point to it with the
114<tt class="literal">path</tt> configuration option. Here are the Unix
115commands that create the shared directory for the accounting
116department (assuming <em class="emphasis">/home/samba</em> already
117exists):</p>
118
119<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/samba/accounting</b></tt>
120# <tt class="userinput"><b>chgrp account /home/samba/accounting</b></tt>
121# <tt class="userinput"><b>chmod 770 /home/samba/accounting</b></tt></pre></blockquote>
122
<p>There are two other options in this <em class="filename">smb.conf</em>
example, both of which we saw in the previous chapter. These options
are <tt class="literal">create</tt><a name="INDEX-11"/> <tt class="literal">mode</tt> and
<tt class="literal">directory</tt><a name="INDEX-12"/> <tt class="literal">mode</tt>. Both
are masks: the permission bits a client requests for a new file or
directory are ANDed with the mask, so the options set the maximum
permissions that a new file or directory can have. In this case, we
have denied all world access to the contents of this share. (This is
reinforced by the <em class="emphasis">chmod</em> command, shown earlier.)
Note that a file created through the share belongs to its
creator's primary Unix group, which is not necessarily
<tt class="literal">account</tt>; if the members' primary
groups differ, set the setgid bit on the directory
(<tt class="literal">chmod 2770</tt>) so that new files inherit its group,
or add <tt class="literal">force group = account</tt> to the share.<a name="INDEX-13"/></p>
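The following added example, which is neither the book's nor the Samba project's code, performs the same directory setup from Python and then audits the result. It assumes the path and group of the <tt class="literal">[accounting]</tt> example, goes one step beyond the <em class="emphasis">chmod</em> sequence above by setting the setgid bit, and the <tt class="literal">effective_mode</tt> helper models how Samba combines a client's requested bits with <tt class="literal">create mode</tt> (and the related <tt class="literal">force create mode</tt> parameter); the function names are this example's own.

```python
"""Set up and audit the Unix side of a group share such as [accounting].
A constructed example, not Samba's own code. It adds the setgid bit
(mode 2770) to the mkdir/chgrp/chmod sequence so that files created by
any member of the group belong to the group, whatever the creator's
primary group happens to be."""
import grp
import os
import stat


def _gid_of(group):
    """Accept a group name or a numeric gid."""
    return group if isinstance(group, int) else grp.getgrnam(group).gr_gid


def setup_group_share(path, group):
    """Equivalent of mkdir, chgrp and chmod 2770. Changing the group needs
    root, or ownership of the directory plus membership of the group."""
    os.makedirs(path, exist_ok=True)
    os.chown(path, -1, _gid_of(group))   # -1 leaves the owner unchanged
    os.chmod(path, 0o2770)               # rwxrws---: setgid, no world access
    return audit_group_share(path, group)


def audit_group_share(path, group):
    """Return a list of problems with a group share directory; an empty
    list means it matches the [accounting] example plus setgid."""
    st = os.stat(path)
    if not stat.S_ISDIR(st.st_mode):
        return ["%s is not a directory" % path]
    problems = []
    gid = _gid_of(group)
    if st.st_gid != gid:
        problems.append("group id is %d, expected %d" % (st.st_gid, gid))
    mode = stat.S_IMODE(st.st_mode)
    if mode & 0o007:
        problems.append("world has access (mode %o)" % mode)
    if mode & 0o070 != 0o070:
        problems.append("group lacks rwx (mode %o)" % mode)
    if not mode & stat.S_ISGID:
        problems.append("setgid bit not set: new files will take the "
                        "creator's primary group (mode %o)" % mode)
    return problems


def effective_mode(requested, create_mode=0o660, force_create_mode=0):
    """Permission bits a new file ends up with on the Samba side: the
    client's requested bits are ANDed with create mode (a mask, as in
    the [accounting] example) and force create mode bits are ORed in."""
    return (requested & create_mode) | force_create_mode
```

Run <tt class="literal">setup_group_share("/home/samba/accounting", "account")</tt> as root; an empty list back means the directory is ready. <tt class="literal">audit_group_share</tt> is also useful on its own for checking existing share directories after someone has "fixed" permissions by hand.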
131
132
133<div class="sect2"><a name="samba2-CHP-9-SECT-1.1"/>
134
135<h3 class="head2">Handling Multiple Individual Users</h3>
136
137<p><a name="INDEX-14"/>Let's return
138to user shares for a moment. If we have several users for whom to set
139up home directory shares, we probably want to use the special
140<tt class="literal">[homes]</tt> share that we introduced in <a href="ch08.html">Chapter 8</a>. With the
141<tt class="literal">[homes]</tt><a name="INDEX-15"/> share, all we need to say is:</p>
142
143<blockquote><pre class="code">[homes]
144    browsable = no
145    writable = yes</pre></blockquote>
146
147<p>The <tt class="literal">[homes]</tt> share is a special section of the
148Samba configuration file. If a user attempts to connect to an
149ordinary share that doesn't appear in the
150<em class="filename">smb.conf</em> file (such as specifying it with a UNC
151in Windows Explorer), Samba will search for a
152<tt class="literal">[homes]</tt> share. If one exists, the incoming share
153name is assumed to be a username and is queried as such in the
154password database ( <em class="filename">/etc/passwd</em> or equivalent)
155file of the Samba server. If it appears, Samba assumes the client is
156a Unix user trying to connect to his home directory.</p>
157
158<p>As an illustration, let's assume that
159<tt class="literal">sofia</tt> is attempting to connect to a share called
160<tt class="literal">[sofia]</tt> on the Samba server. There is no share by
161that name in the configuration file, but a <tt class="literal">[homes]</tt>
162share exists and user <tt class="literal">sofia</tt> is present in the
163password database, so Samba takes the following steps:</p>
164
165<ol><li>
166<p>Samba creates a new disk share called <tt class="literal">[sofia]</tt> with
167the <tt class="literal">path</tt> specified in the
168<tt class="literal">[homes]</tt> section. If no <tt class="literal">path</tt>
169option is specified in <tt class="literal">[homes]</tt>, Samba initializes
170it to her home directory.</p>
171</li><li>
<p>Samba initializes the new share's options from the
defaults in <tt class="literal">[global]</tt>, as well as any overriding
options in <tt class="literal">[homes]</tt> with the exception of
<tt class="literal">browsable</tt>.</p>
176</li><li>
177<p>Samba connects <tt class="literal">sofia</tt>'s client to
178that share.</p>
179</li></ol>
180<p>The <tt class="literal">[homes]</tt> share is a fast, painless way to
181create shares for your user community without having to duplicate the
182information from the password database file in the
183<em class="filename">smb.conf</em> file. It does have some
184<a name="INDEX-16"/>peculiarities, however, that we need to
185point out:</p>
186
187<ul><li>
188<p>The <tt class="literal">[homes]</tt> section can represent any account on
189the machine, which isn't always desirable. For
190example, it can potentially create a share for
191<tt class="literal">root</tt>, <tt class="literal">bin</tt>,
192<tt class="literal">sys</tt>, <tt class="literal">uucp</tt>, and the like. You
193can set a global
194<tt class="literal">invalid</tt><a name="INDEX-17"/> <tt class="literal">users</tt> option
195to protect against this.</p>
196</li><li>
<p>The meaning of the
<tt class="literal">browsable</tt><a name="INDEX-18"/> configuration option is
different from other shares; it indicates only that the
<tt class="literal">[homes]</tt> section won't show up in
the local browse list, not that the <tt class="literal">[alice]</tt> share
won't. When the <tt class="literal">[alice]</tt> section
is created (after the initial connection), it will use the
<tt class="literal">browsable</tt> value from the
<tt class="literal">[global]</tt> section for that share, not the value
from <tt class="literal">[homes]</tt>.</p>
207</li></ul>
208<p>As we mentioned, there is no need for a path statement in
209<tt class="literal">[homes]</tt> if the users have Unix home directories in
210the server's <em class="filename">/etc/passwd</em> file.
211You should ensure that a valid home directory does exist, however, as
212Samba will not automatically create a home directory for a user and
213will refuse a tree connect if the user's directory
214does not exist or is not accessible. <a name="INDEX-19"/></p>
215
216
217</div>
218
219
220</div>
221
222
223
224<div class="sect1"><a name="samba2-CHP-9-SECT-2"/>
225
226<h2 class="head1">Controlling Access to Shares</h2>
227
228<p><a name="INDEX-20"/><a name="INDEX-21"/>Often you will need to restrict the users who
229can access a specific share for security reasons. This is very easy
230to do with Samba because it contains a wealth of options for creating
231practically any security configuration. Let's
232introduce a few configurations that you might want to use in your own
233Samba setup.</p>
234
235<p>We've seen what happens when you specify valid
236users. However, you are also allowed to specify a list of
237<a name="INDEX-22"/>invalid users&mdash;users who should never be
238allowed access to Samba or its shares. This is done with the
239<tt class="literal">invalid</tt><a name="INDEX-23"/> <tt class="literal">users</tt>
240option. We hinted at one frequent use of this option earlier: a
241global default with the <tt class="literal">[homes]</tt> section to ensure
242that various system users and superusers cannot be forged for access.
243For example:</p>
244
245<blockquote><pre class="code">[global]
246    invalid users = root bin daemon adm sync shutdown \
247                        halt mail news uucp operator
248    auto services = dave peter bob
249
250[homes]
251    browsable = no
252    writable = yes</pre></blockquote>
253
254<p>The <tt class="literal">invalid</tt> <tt class="literal">users</tt> option, like
255<tt class="literal">valid</tt> <tt class="literal">users</tt>, can take group
256names, preceded by an at sign (<tt class="literal">@</tt>), as well as
257usernames. In the event that a user or group appears in both lists,
258the <tt class="literal">invalid</tt> <tt class="literal">users</tt> option takes
259precedence, and the user or group is denied access to the share.</p>
260
261<p>At the other end of the spectrum, you can explicitly specify users
262who will be allowed <a name="INDEX-24"/><a name="INDEX-25"/>superuser (root) access to a share with
263the <tt class="literal">admin</tt><a name="INDEX-26"/> <tt class="literal">users</tt>
264option. An example follows:</p>
265
266<blockquote><pre class="code">[sales]
267        path = /home/sales
268        comment = Sedona Real Estate Sales Data
269        writable = yes
270        valid users = sofie shelby adilia
271        admin users = mike</pre></blockquote>
272
273<p>This option takes both group names and usernames. In addition, you
274can specify NIS netgroups by preceding them with an
275<tt class="literal">@</tt> as well; if the netgroup is not found, Samba
276will assume that you are referring to a standard Unix group.</p>
277
278<p>Be careful if you assign administrative privileges to a share for an
279entire group. The Samba Team highly recommends you avoid using this
280option, as it essentially gives root access to the specified users or
281groups for that share.</p>
282
283<p>If you wish to force read-only or read/write access on users who
284access a share, you can do so with the
285<tt class="literal">read</tt><a name="INDEX-27"/> <tt class="literal">list</tt> and
286<tt class="literal">write</tt> <tt class="literal">list</tt> options,
287respectively. These options can be used on a per-share basis to
288restrict a writable share or to grant write access to specific users
289in a read-only share, respectively. For example:</p>
290
291<blockquote><pre class="code">[sales]
292        path = /home/sales
293        comment = Sedona Real Estate Sales Data
294        read only = yes
295        write list = sofie shelby</pre></blockquote>
296
297<p>The <tt class="literal">write</tt><a name="INDEX-28"/> <tt class="literal">list</tt> option
298cannot override Unix permissions. If you've created
299the share without giving the <tt class="literal">write-list</tt> user write
300permission on the Unix system, she will be denied write access
301regardless of the setting of <tt class="literal">write</tt>
302<tt class="literal">list</tt>.</p>
303
304
305<div class="sect2"><a name="samba2-CHP-9-SECT-2.1"/>
306
307<h3 class="head2">Guest Access</h3>
308
<p><a name="INDEX-29"/>As mentioned
earlier, you can configure a share using
<tt class="literal">guest</tt><a name="INDEX-30"/> <tt class="literal">ok</tt>
<tt class="literal">=</tt> <tt class="literal">yes</tt> to allow access to guest
users. This is simplest with share-level security, which we will
cover later in this chapter. With user-level security, a client is
authenticated at session setup, before it ever names a share, so a
client that cannot supply a valid username and password reaches the
guest account only if the global <tt class="literal">map to guest</tt>
option (for example, <tt class="literal">map to guest = Bad User</tt>)
tells Samba to map failed logins to it. When a user connects as a guest,
authenticating with a username and password is unnecessary, but Samba
still needs a way to map the connected client to a user on the local
system. The <tt class="literal">guest</tt><a name="INDEX-31"/>
<tt class="literal">account</tt> parameter can be used in the share to
specify the Unix account that guest users should be assigned when
connecting to the Samba server. The default value for this is set
during compilation and is typically <tt class="literal">nobody</tt>, which
works well with most Unix versions. However, on some systems the
<tt class="literal">nobody</tt><a name="INDEX-32"/> account is not allowed to access some
services (e.g., printing), and you might need to set the guest user
to <tt class="literal">ftp</tt> or some other account instead.</p>
326
327<p>If you wish to restrict access in a share only to guests&mdash;in
328other words, all clients connect as the guest account when accessing
329the share&mdash;you can use the <tt class="literal">guest</tt>
330<tt class="literal">only</tt> option in conjunction with the
331<tt class="literal">guest</tt> <tt class="literal">ok</tt> option, as shown in
332the following example:</p>
333
334<blockquote><pre class="code">[sales]
335        path = /home/sales
336        comment = Sedona Real Estate Sales Data
337        writable = yes
338        guest ok = yes
339        guest account = ftp
340        guest only = yes</pre></blockquote>
341
342<p>Make sure you specify <tt class="literal">yes</tt> for both
343<tt class="literal">guest</tt> <tt class="literal">only</tt> and
344<tt class="literal">guest</tt> <tt class="literal">ok</tt>; otherwise, Samba will
345not use the guest account that you specify.</p>
346
347
348</div>
349
350
351<div class="sect2"><a name="samba2-CHP-9-SECT-2.2"/>
352
353<h3 class="head2">Access Control Options</h3>
354
355<p><a href="ch09.html#samba2-CHP-9-TABLE-1">Table 9-1</a> <a name="INDEX-33"/><a name="INDEX-34"/>summarizes the options that you can use
356to control access to shares.</p>
357
358<a name="samba2-CHP-9-TABLE-1"/><h4 class="head4">Table 9-1. Share-level access options</h4><table border="1">
359
360
361
362
363
364
365<tr>
366<th>
367<p>Option</p>
368</th>
369<th>
370<p>Parameters</p>
371</th>
372<th>
373<p>Function</p>
374</th>
375<th>
376<p>Default</p>
377</th>
378<th>
379<p>Scope</p>
380</th>
381</tr>
382
383
384<tr>
385<td>
386<p><tt class="literal">admin users</tt></p>
387</td>
388<td>
389<p>string (list of usernames)</p>
390</td>
391<td>
392<p>Users who can perform operations as root</p>
393</td>
394<td>
395<p>None</p>
396</td>
397<td>
398<p>Share</p>
399</td>
400</tr>
401<tr>
402<td>
403<p><tt class="literal">valid users</tt></p>
404</td>
405<td>
406<p>string (list of usernames)</p>
407</td>
408<td>
409<p>Users who can connect to a share</p>
410</td>
411<td>
412<p>None</p>
413</td>
414<td>
415<p>Share</p>
416</td>
417</tr>
418<tr>
419<td>
420<p><tt class="literal">invalid users</tt></p>
421</td>
422<td>
423<p>string (list of usernames)</p>
424</td>
425<td>
426<p>Users who will be denied access to a share</p>
427</td>
428<td>
429<p>None</p>
430</td>
431<td>
432<p>Share</p>
433</td>
434</tr>
435<tr>
436<td>
437<p><tt class="literal">read list</tt></p>
438</td>
439<td>
440<p>string (list of usernames)</p>
441</td>
442<td>
443<p>Users who have read-only access to a writable share</p>
444</td>
445<td>
446<p>None</p>
447</td>
448<td>
449<p>Share</p>
450</td>
451</tr>
452<tr>
453<td>
454<p><tt class="literal">write list</tt></p>
455</td>
456<td>
457<p>string (list of usernames)</p>
458</td>
459<td>
460<p>Users who have read/write access to a read-only share</p>
461</td>
462<td>
463<p>None</p>
464</td>
465<td>
466<p>Share</p>
467</td>
468</tr>
469<tr>
470<td>
471<p><tt class="literal">max connections</tt></p>
472</td>
473<td>
474<p>numeric</p>
475</td>
476<td>
477<p>Maximum number of connections for a share at a given time</p>
478</td>
479<td>
480<p><tt class="literal">0</tt></p>
481</td>
482<td>
483<p>Share</p>
484</td>
485</tr>
486<tr>
487<td>
488<p><tt class="literal">guest only</tt> <tt class="literal">(only guest)</tt></p>
489</td>
490<td>
491<p>Boolean</p>
492</td>
493<td>
494<p>If <tt class="literal">yes</tt>, allows only guest access</p>
495</td>
496<td>
497<p><tt class="literal">no</tt></p>
498</td>
499<td>
500<p>Share</p>
501</td>
502</tr>
503<tr>
504<td>
505<p><tt class="literal">guest account</tt></p>
506</td>
507<td>
508<p>string (name of account)</p>
509</td>
510<td>
511<p>Unix account that will be used for guest access</p>
512</td>
513<td>
514<p><tt class="literal">nobody</tt></p>
515</td>
516<td>
517<p>Share</p>
518</td>
519</tr>
520
521</table>
522
523
524<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.1"/>
525
526<a name="INDEX-35"/><h3 class="head3">admin users</h3>
527
528<p>This option specifies a list of users that perform file operations as
529if they were <tt class="literal">root</tt>. This means that they can modify
530or destroy any other user's files, regardless of the
531permissions. Any files that they create will have root ownership and
532will use the default group of the admin user. The
533<tt class="literal">admin</tt> <tt class="literal">users</tt> option allows PC
534users to act as administrators for particular shares. Be very careful
535when using this option, and make sure good password and other
536security policies are in place.</p>
537
538
539</div>
540
541
542
543<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.2"/>
544
545<a name="INDEX-36"/><a name="INDEX-37"/><h3 class="head3">valid users, invalid users</h3>
546
<p>These two options let you enumerate the users and groups who are
granted or denied access to a particular share. You can enter a list
of user and/or group names. If a name is prefixed by an at sign
(<tt class="literal">@</tt>), it is interpreted as a group name, looked up
first as an NIS netgroup and then, if not found there, as a Unix group.
If the name is prefixed by a plus sign (<tt class="literal">+</tt>), it is
looked up only as a Unix group, and NIS is not searched. If the name is
prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is looked up
only as an NIS netgroup, never as a Unix group. The plus sign and
ampersand can be combined (<tt class="literal">+&amp;</tt> or
<tt class="literal">&amp;+</tt>) to specify which database is searched
first. For example:</p>
558
559<blockquote><pre class="code">[database]
560    valid users = mary ellen sue &amp;sales +marketing @dbadmin
561    invalid users = gavin syd dana &amp;techies +&amp;helpdesk</pre></blockquote>
562
<p>In the <tt class="literal">valid</tt> <tt class="literal">users</tt> parameter,
users <tt class="literal">mary</tt>, <tt class="literal">ellen</tt>, and
<tt class="literal">sue</tt> are allowed access to the
<tt class="literal">[database]</tt> share, as are the members of the NIS
netgroup <tt class="literal">sales</tt>, the Unix group
<tt class="literal">marketing</tt>, and the group
<tt class="literal">dbadmin</tt> (searched as an NIS netgroup first, then
as a Unix group). The <tt class="literal">invalid</tt>
<tt class="literal">users</tt> parameter denies access to the share by
users <tt class="literal">gavin</tt>, <tt class="literal">syd</tt>, and
<tt class="literal">dana</tt>, as well as members of the NIS netgroup
<tt class="literal">techies</tt> and the group
<tt class="literal">helpdesk</tt>. In this last case, the list of Unix
groups is searched first for the <tt class="literal">helpdesk</tt> group,
and if it is not found there, the NIS netgroups are searched.</p>
576
577<p>The important rule to remember with these options is that any name or
578group in the <tt class="literal">invalid</tt> <tt class="literal">users</tt> list
579will <em class="emphasis">always</em> be denied access, even if it is
580included (in any form) in the <tt class="literal">valid</tt>
581<tt class="literal">users</tt> list.</p>
582
583
584</div>
585
586
587
588<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.3"/>
589
590<a name="INDEX-38"/><a name="INDEX-39"/><h3 class="head3">read list, write list</h3>
591
<p>Like the <tt class="literal">valid</tt> <tt class="literal">users</tt>
and <tt class="literal">invalid</tt>
<tt class="literal">users</tt> options, this pair of options specifies
which users have read-only access to a writable share and read/write
access to a read-only share, respectively. The value of either
option is a list of users. The <tt class="literal">read</tt>
<tt class="literal">list</tt> parameter overrides any other Samba
permissions granted&mdash;as well as Unix file permissions on the
server system&mdash;to deny users write access.
The <tt class="literal">write</tt>
<tt class="literal">list</tt> parameter overrides other Samba permissions
to grant write access, but cannot grant write access if the user
lacks write permissions for the file on the Unix system. If a user
appears in both lists, the <tt class="literal">write</tt>
<tt class="literal">list</tt> entry wins and the user is given write
access. You can specify NIS netgroup or Unix group names by prefixing
the name with an at sign (such as <tt class="literal">@users</tt>).
Neither configuration option has a default value associated with it.</p>
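To make the precedence rules of this section, and the <tt class="literal">[homes]</tt> behaviour described earlier in the chapter, concrete, here is an added Python model that is not Samba's code. It parses an <em class="filename">smb.conf</em> fragment (including the backslash line continuation used in the <tt class="literal">invalid users</tt> example) and decides whether a user is denied, gets read access, write access, or runs as root through <tt class="literal">admin users</tt>; it also shows which Unix identity a <tt class="literal">guest only</tt> share connects as. The password and group tables are constructed, NIS netgroups are looked up in the same table as Unix groups for simplicity, and the function names are this example's own.

```python
"""Model of Samba's share-access decisions: a constructed example, not
Samba's own code. It parses an smb.conf fragment and applies the rules
this chapter describes: [homes] is synthesised from the password
database, invalid users always beats valid users, write list grants
write access even on a read-only share and also beats read list."""
import re

# Constructed stand-ins for /etc/passwd (user -> home) and /etc/group.
# NIS netgroups (& and @ prefixes) share this table, a simplification.
PASSWD = {"sofia": "/home/sofia", "dave": "/home/dave",
          "root": "/root", "bin": "/bin"}
GROUPS = {"account": {"dave", "peter"}, "marketing": {"ellen"},
          "dbadmin": {"sue", "gavin"}, "techies": {"sofia"}}

# Synonyms that are the inverse of read only, normalised at parse time
INVERTED = {"writable": "read only", "writeable": "read only",
            "write ok": "read only"}


def is_yes(value, default=False):
    if value is None:
        return default
    return value.strip().lower() in ("yes", "true", "1")


def parse_smb_conf(text):
    """Parse an smb.conf fragment into {section: {option: value}}, handling
    comments, blank lines, backslash continuation and option synonyms."""
    conf, section, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):
            pending = line[:-1] + " "
            continue
        if not line or line[0] in "#;":
            continue
        m = re.match(r"\[(.+)\]$", line)
        if m:
            section = m.group(1).strip().lower()
            conf[section] = {}
            continue
        key, _, value = line.partition("=")
        key = " ".join(key.lower().split())  # names are case/space insensitive
        value = value.strip()
        if key in INVERTED:
            key, value = INVERTED[key], ("no" if is_yes(value) else "yes")
        conf.setdefault(section, {})[key] = value
    return conf


def in_list(user, value, groups=GROUPS):
    """True if user matches a valid users style list; @, + and & prefix groups."""
    for entry in re.split(r"[,\s]+", value or ""):
        if not entry:
            continue
        name = entry.lstrip("@+&")
        if name != entry:
            if user in groups.get(name, set()):
                return True
        elif entry == user:
            return True
    return False


def resolve_share(conf, share, passwd=PASSWD):
    """Options for the share a client asked for, with [global] defaults.
    An unknown name that is a Unix account becomes a [homes] share."""
    share = share.lower()
    opts = dict(conf.get("global", {}))
    if share in conf and share not in ("global", "homes"):
        opts.update(conf[share])
        return opts
    if "homes" in conf and share in passwd:
        # browsable in [homes] only hides [homes] itself; the new share
        # keeps the [global] value
        opts.update({k: v for k, v in conf["homes"].items() if k != "browsable"})
        opts.setdefault("path", passwd[share])
        return opts
    return None


def check_access(conf, share, user, passwd=PASSWD, groups=GROUPS):
    """Return None (denied), 'read', 'write' or 'admin' (runs as root)."""
    opts = resolve_share(conf, share, passwd)
    if opts is None:
        return None
    if in_list(user, opts.get("invalid users"), groups):
        return None                              # always wins
    if opts.get("valid users") and not in_list(user, opts["valid users"], groups):
        return None
    if in_list(user, opts.get("admin users"), groups):
        return "admin"
    if in_list(user, opts.get("write list"), groups):
        return "write"                           # beats read only and read list
    if in_list(user, opts.get("read list"), groups):
        return "read"
    return "read" if is_yes(opts.get("read only"), True) else "write"


def connect_as(opts, user):
    """Unix identity the connection runs as: guest only forces the guest
    account, but only when guest ok is also set on the share."""
    if is_yes(opts.get("guest ok")) and is_yes(opts.get("guest only")):
        return opts.get("guest account", "nobody")
    return user
```

Feed it the <tt class="literal">[global]</tt>/<tt class="literal">[homes]</tt> fragment from this section and ask <tt class="literal">check_access(conf, "root", "root")</tt>: the synthesised home share exists, but the global <tt class="literal">invalid users</tt> list denies it, which is exactly the protection the text recommends. Remember that the model stops where Samba's checks stop: a "write" result still has to pass the Unix permissions on the files themselves.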
608
609
610</div>
611
612
613
614<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.4"/>
615
616<a name="INDEX-40"/><h3 class="head3">max connections</h3>
617
618<p>This option specifies the maximum number of client connections that a
619share can have at any given time. Any connections that are attempted
620after the maximum is reached will be rejected. The default value is
621<tt class="literal">0</tt>, which is a special case that allows an
622unlimited number of connections. You can override it per share as
623follows:</p>
624
625<blockquote><pre class="code">[accounting]
626    max connections = 30</pre></blockquote>
627
628<p>This option is useful in the event that you need to limit the number
629of users who are accessing a licensed program or piece of data
630concurrently.</p>
631
632
633</div>
634
635
636
637<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.5"/>
638
639<a name="INDEX-41"/><h3 class="head3">guest only</h3>
640
641<p>This share-level option (also called <tt class="literal">only</tt>
642<tt class="literal">guest</tt>) forces a connection to a share to be
643performed with the user specified by the <tt class="literal">guest</tt>
644<tt class="literal">account</tt> option. The share to which this is applied
645must explicitly specify <tt class="literal">guest</tt>
646<tt class="literal">ok</tt> <tt class="literal">=</tt> <tt class="literal">yes</tt> for
647this option to be recognized by Samba. The default value for this
648option is <tt class="literal">no</tt>.</p>
649
650
651</div>
652
653
654
655<div class="sect3"><a name="samba2-CHP-9-SECT-2.2.6"/>
656
657<a name="INDEX-42"/><h3 class="head3">guest account</h3>
658
659<p>This option specifies the name of the account to be used for guest
660access to shares in Samba. The default for this option varies from
661system to system, but it is often set to <tt class="literal">nobody</tt>.
662Some default user accounts have trouble connecting as guest users. If
663that occurs on your system, the Samba Team recommends using the
664<tt class="literal">ftp</tt> account as the guest user. <a name="INDEX-43"/> <a name="INDEX-44"/><a name="INDEX-45"/></p>
665
666
667</div>
668
669
670</div>
671
672
673<div class="sect2"><a name="samba2-CHP-9-SECT-2.3"/>
674
675<h3 class="head2">Username Options</h3>
676
677<p><a href="ch09.html#samba2-CHP-9-TABLE-2">Table 9-2</a> shows two additional options that Samba
678can use to correct for incompatibilities in usernames between Windows
679and Unix.</p>
680
681<a name="samba2-CHP-9-TABLE-2"/><h4 class="head4">Table 9-2. Username options</h4><table border="1">
682
683
684
685
686
687
688<tr>
689<th>
690<p>Option</p>
691</th>
692<th>
693<p>Parameters</p>
694</th>
695<th>
696<p>Function</p>
697</th>
698<th>
699<p>Default</p>
700</th>
701<th>
702<p>Scope</p>
703</th>
704</tr>
705
706
707<tr>
708<td>
709<p><tt class="literal">username</tt> <tt class="literal">map</tt></p>
710</td>
711<td>
712<p>string (filename)</p>
713</td>
714<td>
715<p>Sets the name of the username mapping file</p>
716</td>
717<td>
718<p>None</p>
719</td>
720<td>
721<p>Global</p>
722</td>
723</tr>
724<tr>
725<td>
726<p><tt class="literal">username</tt> <tt class="literal">level</tt></p>
727</td>
728<td>
729<p>numeric</p>
730</td>
731<td>
732<p>Indicates the number of capital letters to use when trying to match a
733username</p>
734</td>
735<td>
736<p><tt class="literal">0</tt></p>
737</td>
738<td>
739<p>Global</p>
740</td>
741</tr>
742
743</table>
744
745
746<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.1"/>
747
748<a name="INDEX-46"/><h3 class="head3">username map</h3>
749
<p>Client usernames on an SMB network can be relatively long (up to 255
characters), while usernames on a Unix network often cannot be longer
than eight characters. This means that an individual user can have
one username on a client and another (shorter) one on the Samba
server. You can get past this issue by <a name="INDEX-47"/>mapping a free-form client
username to a Unix username of eight or fewer characters. The mapping
is placed in a standard text file, using a format that
we'll describe shortly. You can then specify the
pathname to Samba with the global <tt class="literal">username</tt>
<tt class="literal">map</tt> option. Be sure to restrict access to this
file: make the root user the file's owner and deny
write access to others (with octal permissions of 744 or 644).
Otherwise, an untrusted user with write access to the file can easily
map his client username to the root user of the Samba server.</p>
765
766<p>You can specify this option as follows:</p>
767
768<blockquote><pre class="code">[global]
769    username map = /usr/local/samba/private/usermap.txt</pre></blockquote>
770
<p>Each entry in the username map file should be listed as follows: the
Unix username, followed by an equal sign (<tt class="literal">=</tt>),
followed by one or more whitespace-separated SMB client usernames.
Note that, unless the connection is a guest connection, the password
the client supplies is checked against the Unix user on the left-hand
side, so the client and server users need the same password. You can
also map every member of a Unix group to a single Unix user by giving
the group name on the right-hand side, prefixed with an
<tt class="literal">@</tt> sign. Here are some examples:</p>

<blockquote><pre class="code">jarwin = JosephArwin
manderso = MarkAnderson
users = @account</pre></blockquote>

<p>The last line maps any member of the Unix group
<tt class="literal">account</tt> to the Unix user <tt class="literal">users</tt>.
You can also use the asterisk to specify a wildcard that matches any
free-form client username as an entry in the username map file:</p>

<blockquote><pre class="code">nobody = *</pre></blockquote>

<p>Samba processes the file from top to bottom and keeps going after a
match, applying later lines to the already-mapped name, so a wildcard
line such as this one also catches users mapped by the lines above it.
To stop processing once a line has matched, begin that line with an
exclamation mark (<tt class="literal">!</tt>).</p>

<p>Comments can be placed in the file by starting the line with a hash
mark (<tt class="literal">#</tt>) or a semicolon (<tt class="literal">;</tt>).</p>

<p>Note that you can also use this file to redirect one Unix user to
another user. Be careful, though, as neither Samba nor your client
will necessarily tell the user that the mapping has been made, and
Samba will expect the mapped user's password rather than
the original one.</p>
796
797
798</div>
799
800
801
802<div class="sect3"><a name="samba2-CHP-9-SECT-2.3.2"/>
803
804<a name="INDEX-48"/><h3 class="head3">username level</h3>
805
806<p>SMB clients (such as Windows) will often send usernames in SMB
807connection requests entirely in capital letters; in other words,
808client usernames are not necessarily case-sensitive. On a Unix
809server, however, usernames <em class="emphasis">are</em> case-sensitive:
810the user <tt class="literal">ANDY</tt> is different from the user
811<tt class="literal">andy</tt>. By default, Samba attacks this problem by
812doing the following:</p>
813
814<ol><li>
815<p>Checking for a user account with the exact name sent by the client</p>
816</li><li>
817<p>Testing the username in all lowercase letters</p>
818</li><li>
819<p>Testing the username in lowercase letters with only the first letter
820capitalized</p>
821</li></ol>
822<p>If you wish to have Samba attempt more combinations of upper- and
823lowercase letters, you can use the <tt class="literal">username</tt>
824<tt class="literal">level</tt> global configuration option. This option
825takes an integer value that specifies how many letters in the
826username should be capitalized when attempting to connect to a share.
827You can specify this option as follows:</p>
828
829<blockquote><pre class="code">[global]
830    username level = 3</pre></blockquote>
831
832<p>In this case, Samba attempts all possible permutations of usernames
833having three capital letters. The larger the number, the more
834computations Samba has to perform to match the username, and the
835longer the authentication will take.</p>
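<p>To make the cost of <tt class="literal">username</tt> <tt class="literal">level</tt> concrete, here is an added example (it is not Samba's own code) that generates the candidate spellings in the order the text describes and counts how many lookups a match takes. It assumes the level is an upper bound, so level 3 also covers the one- and two-capital spellings; the account names it resolves against are constructed for the example.</p>

```python
from itertools import combinations


def samba_username_candidates(client_name, username_level=0):
    """Candidate Unix usernames, in the order Samba tries them for a
    client-supplied name: exact name, all lowercase, lowercase with the
    first letter capitalized, then (for username level > 0) every
    spelling of the lowercased name with 1..username_level letters in
    capitals.  Assumption: the level is an upper bound, so level 3 also
    covers the one- and two-capital spellings."""
    lowered = client_name.lower()
    candidates = []

    def add(name):
        if name not in candidates:      # keep the order, drop duplicates
            candidates.append(name)

    add(client_name)
    add(lowered)
    add(lowered[:1].upper() + lowered[1:])
    letters = [i for i, ch in enumerate(lowered) if ch.isalpha()]
    for ncaps in range(1, username_level + 1):
        for positions in combinations(letters, ncaps):
            chars = list(lowered)
            for i in positions:
                chars[i] = chars[i].upper()
            add("".join(chars))
    return candidates


def resolve_unix_user(client_name, unix_accounts, username_level=0):
    """Simulate the lookup: return (matched_account, lookups_performed).
    matched_account is None when no spelling exists on the system."""
    attempts = 0
    for candidate in samba_username_candidates(client_name, username_level):
        attempts += 1
        if candidate in unix_accounts:
            return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    # Constructed account set: the Unix account is spelled "anDy".
    accounts = {"anDy", "peter"}
    for level in range(4):
        print(level, len(samba_username_candidates("ANDY", level)),
              resolve_unix_user("ANDY", accounts, level))
```

<p>The candidate count grows as a sum of binomial coefficients in the name length: an eight-letter name at level 3 already costs 93 lookups per connection attempt, which is why a mixed-case Unix account such as <tt class="literal">anDy</tt> is better fixed by renaming the account or mapping it in the username map file than by raising the level.</p>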
836
837
838</div>
839
840
841</div>
842
843
844</div>
845
846
847
848<div class="sect1"><a name="samba2-CHP-9-SECT-3"/>
849
850<h2 class="head1">Authentication of Clients</h2>
851
852<p><a name="INDEX-49"/>At
853this point, we should discuss how Samba authenticates users. Each
854user who attempts to connect to a share not allowing guest access
855must provide a password to
856<a name="INDEX-50"/>make a successful connection. What
857Samba does with that password&mdash;and consequently the strategy
858Samba will use to handle user authentication&mdash;is the arena of
859the <tt class="literal">security</tt> configuration option. Samba currently
860supports <a name="INDEX-51"/><a name="INDEX-52"/><a name="INDEX-53"/>four
861<a name="INDEX-54"/>security levels on its network:
862<em class="firstterm">share</em>, <em class="firstterm">user</em>,
863<em class="firstterm">server</em>, and <em class="firstterm">domain</em>.</p>
864
865<dl>
866<dt><b><a name="INDEX-55"/>Share-level security</b></dt>
867<dd>
868<p>Each share in the workgroup has one or more passwords associated with
869it. Anyone who knows a valid password for the share can access it.</p>
870</dd>
871
872
873
874<dt><b><a name="INDEX-56"/>User-level security</b></dt>
875<dd>
876<p>Each share in the workgroup is configured to allow access from
877certain users. With each initial tree connection, the Samba server
878verifies users and their passwords to allow them access to the share.</p>
879</dd>
880
881
882
883<dt><b><a name="INDEX-57"/>Server-level security</b></dt>
884<dd>
885<p>This is the same as user-level security, except that the Samba server
886uses another server to validate users and their passwords before
887granting access to the share.</p>
888</dd>
889
890
891
892<dt><b><a name="INDEX-58"/>Domain-level security</b></dt>
893<dd>
894<p>Samba becomes a member of a Windows NT domain and uses one of the
895domain's domain controllers&mdash;either the PDC or
896a BDC&mdash;to perform authentication. Once authenticated, the user
897is given a special token that allows her access to any share with
898appropriate access rights. With this token, the domain controller
899will not have to revalidate the user's password each
900time she attempts to access another share within the domain. The
901domain controller can be a Windows NT/2000 PDC or BDC, or Samba
902acting as a Windows NT PDC.</p>
903</dd>
904
905</dl>
906
907<p>Each security policy can be implemented with the global
908<tt class="literal">security</tt> option, as shown in <a href="ch09.html#samba2-CHP-9-TABLE-3">Table 9-3</a>.</p>
909
910<a name="samba2-CHP-9-TABLE-3"/><h4 class="head4">Table 9-3. Security option</h4><table border="1">
911
912
913
914
915
916
917<tr>
918<th>
919<p>Option</p>
920</th>
921<th>
922<p>Parameters</p>
923</th>
924<th>
925<p>Function</p>
926</th>
927<th>
928<p>Default</p>
929</th>
930<th>
931<p>Scope</p>
932</th>
933</tr>
934
935
936<tr>
937<td>
938<p><tt class="literal">security</tt><a name="INDEX-59"/></p>
939</td>
940<td>
941<p><tt class="literal">domain</tt>, <tt class="literal">server</tt>,
942<tt class="literal">share</tt>, or <tt class="literal">user</tt></p>
943</td>
944<td>
945<p>Indicates the type of security that the Samba server will use</p>
946</td>
947<td>
948<p><tt class="literal">user</tt></p>
949</td>
950<td>
951<p>Global</p>
952</td>
953</tr>
954
955</table>
956
957
958<div class="sect2"><a name="samba2-CHP-9-SECT-3.1"/>
959
960<h3 class="head2">Share-Level Security</h3>
961
962<p>With share-level security, each share has one or more passwords
963associated with it, with the client being authenticated when first
964connecting to the share. This differs from the other modes of
965security in that there are no restrictions as to who can access a
966share, as long as that individual knows the correct password. Shares
967often have multiple passwords. For example, one password might grant
968read-only access, while another might grant read/write access.
969Security is maintained as long as unauthorized users do not discover
970the password for a share to which they shouldn't
971have access.</p>
972
973<p>OS/2 and Windows 95/98/Me both support share-level security on their
974resources. You can set up share-level security with Windows 95/98/Me
975by first enabling share-level security using the Access Control tab
976of the Network Control Panel dialog. Then select the
977&quot;Share-level access control&quot; radio
978button (which deselects the &quot;User-level access
979control&quot; radio button), as shown in <a href="ch09.html#samba2-CHP-9-FIG-1">Figure 9-1</a>, and click the OK button. Reboot as requested.</p>
980
981<div class="figure"><a name="samba2-CHP-9-FIG-1"/><img src="figs/sam2_0901.gif"/></div><h4 class="head4">Figure 9-1. Selecting share-level security on a Windows 95/98/Me system</h4>
982
983<p>Next, right-click a resource&mdash;such as a hard drive or a
984CD-ROM&mdash;and select the Properties menu item. This will bring up
985the Resource Properties dialog box. Select the Sharing tab at the top
986of the dialog box, and enable the resource as Shared As. From here,
987you can configure how the shared resource will appear to individual
988users, as well as assign whether the resource will appear as
989read-only, read/write, or a mix, depending on the password that is
990supplied.</p>
991
992<p>You might be thinking that this security model is not a good fit for
993Samba&mdash;and you would be right. In fact, if you set the
994<tt class="literal">security</tt> <tt class="literal">=</tt>
995<tt class="literal">share</tt> option in the Samba configuration file,
996Samba will still reuse the username/password combinations in the
997system password files to authenticate access. More precisely, Samba
998will take the following steps when a client requests a connection
999using share-level security:</p>
1000
1001<ol><li>
1002<p>When a connection is requested, Samba will accept the password and
1003(if sent) the username of the client.</p>
1004</li><li>
1005<p>If the share is <tt class="literal">guest</tt> <tt class="literal">only</tt>,
1006the user is immediately granted access to the share with the rights
1007of the user specified by the <tt class="literal">guest</tt>
1008<tt class="literal">account</tt> parameter; no password checking is
1009performed.</p>
1010</li><li>
1011<p>For other shares, Samba appends the username to a list of users who
1012are allowed access to the share. It then attempts to validate the
1013password given in association with that username. If successful,
1014Samba grants the user access to the share with the rights assigned to
1015that user. The user will not need to authenticate again unless a
1016<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
1017<tt class="literal">yes</tt> option has been set inside the share.</p>
1018</li><li>
1019<p>If the authentication is unsuccessful, Samba attempts to validate the
1020password against the list of users previously compiled during
1021attempted connections, as well as those specified under the share in
1022the configuration file. If the password matches that of any username
1023(as specified in the system password file, typically
1024<em class="filename">/etc/passwd </em>), the user is granted access to the
1025share under that username.</p>
1026</li><li>
1027<p>However, if the share has a <tt class="literal">guest</tt>
1028<tt class="literal">ok</tt> or <tt class="literal">public</tt> option set, the
1029user will default to access with the rights of the user specified by
1030the <tt class="literal">guest</tt> <tt class="literal">account</tt> option.</p>
1031</li></ol>
1032<p>You can indicate in the configuration file which users should be
1033initially placed on the share-level security user list by using the
1034<tt class="literal">username</tt> configuration option, as shown here:</p>
1035
1036<blockquote><pre class="code">[global]
1037    security = share
1038
1039[accounting1]
1040    path = /home/samba/accounting1
1041    guest ok = no
1042    writable = yes
1043    username = davecb, pkelly, andyo</pre></blockquote>
1044
1045<p>Here, when a user attempts to connect to a share, Samba verifies the
1046sent password against each user in its own list, in addition to the
1047passwords of users <tt class="literal">davecb</tt>,
1048<tt class="literal">pkelly</tt>, and <tt class="literal">andyo</tt>. If any of
1049the passwords match, the connection is verified, and the user is
1050allowed. Otherwise, connection to the specific share will fail.</p>
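<p>The five steps above are easier to follow as code. The following Python class is an added example written for this chapter, not Samba's implementation; it models the decision Samba makes under <tt class="literal">security</tt> <tt class="literal">=</tt> <tt class="literal">share</tt>, including the per-share user list that grows with every offered username, the <tt class="literal">username</tt> option, <tt class="literal">revalidate</tt>, and the guest fallbacks. The password database and share definitions are constructed for the example (plain strings stand in for the hashed passwords a real server compares against).</p>

```python
# Constructed system password file contents: username -> password.  A real
# server compares against hashes; plain strings keep the example short.
PASSWORD_DB = {
    "davecb": "correct horse",
    "pkelly": "battery",
    "andyo": "staple",
    "bob": "bobpw",          # a valid Unix user who is NOT in the share's username list
}

# The [accounting1] share from the configuration above, plus a guest share.
ACCOUNTING1 = {"path": "/home/samba/accounting1", "guest ok": False,
               "writable": True, "username": ["davecb", "pkelly", "andyo"]}
PUBLIC_SHARE = {"path": "/home/samba/public", "guest ok": True}


class ShareLevelServer:
    """Models the five steps Samba takes under security = share."""

    def __init__(self, password_db, guest_account="nobody"):
        self.password_db = password_db
        self.guest_account = guest_account   # the guest account parameter
        self.share_user_lists = {}           # per-share list Samba builds up (step 3)
        self.sessions = {}                   # (client, share) -> identity already validated

    def _password_matches(self, user, password):
        return user in self.password_db and self.password_db[user] == password

    def connect(self, share, config, client, username=None, password=""):
        """Return the Unix identity the connection runs as, or None if refused."""
        # Step 2: guest only shares grant guest rights without any password check.
        if config.get("guest only"):
            return self.guest_account
        # A validated client is not asked again unless revalidate = yes is set.
        key = (client, share)
        if key in self.sessions and not config.get("revalidate"):
            return self.sessions[key]
        # Step 3: remember the offered username (even if the password is wrong),
        # then try that username's password.
        share_list = self.share_user_lists.setdefault(share, [])
        if username is not None:
            if username not in share_list:
                share_list.append(username)
            if self._password_matches(username, password):
                self.sessions[key] = username
                return username
        # Step 4: try the password against every remembered user and every
        # user named by the share's username option; first match wins.
        for candidate in share_list + list(config.get("username", [])):
            if self._password_matches(candidate, password):
                self.sessions[key] = candidate
                return candidate
        # Step 5: fall back to guest rights only if the share allows guests.
        if config.get("guest ok") or config.get("public"):
            return self.guest_account
        return None
```

<p>Two consequences of the algorithm stand out when you run it. First, the remembered list is fed by every connection attempt, so a username offered once with a wrong password becomes a permanent candidate for later password-only connections to that share. Second, a password is accepted if it matches <em class="emphasis">any</em> candidate, so the share is only as strong as the weakest password among all users who have ever tried it. Both are reasons the text steers you toward user-level security.</p>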
1051
1052
1053</div>
1054
1055
1056<div class="sect2"><a name="samba2-CHP-9-SECT-3.2"/>
1057
1058<h3 class="head2">Share-Level Security Options</h3>
1059
1060<p><a href="ch09.html#samba2-CHP-9-TABLE-4">Table 9-4</a> shows the options typically associated
1061with <em class="firstterm">share-level
1062security</em><a name="INDEX-60"/>.</p>
1063
1064<a name="samba2-CHP-9-TABLE-4"/><h4 class="head4">Table 9-4. Share-level access options</h4><table border="1">
1065
1066
1067
1068
1069
1070
1071<tr>
1072<th>
1073<p>Option</p>
1074</th>
1075<th>
1076<p>Parameters</p>
1077</th>
1078<th>
1079<p>Function</p>
1080</th>
1081<th>
1082<p>Default</p>
1083</th>
1084<th>
1085<p>Scope</p>
1086</th>
1087</tr>
1088
1089
1090<tr>
1091<td>
1092<p><tt class="literal">only user</tt></p>
1093</td>
1094<td>
1095<p>Boolean</p>
1096</td>
1097<td>
1098<p>If <tt class="literal">yes</tt>, usernames specified by
1099<tt class="literal">username</tt> are the only ones allowed</p>
1100</td>
1101<td>
1102<p><tt class="literal">no</tt></p>
1103</td>
1104<td>
1105<p>Share</p>
1106</td>
1107</tr>
1108<tr>
1109<td>
1110<p><tt class="literal">username</tt> (<tt class="literal">user</tt> or
1111<tt class="literal">users</tt>)</p>
1112</td>
1113<td>
1114<p>string (list of usernames)</p>
1115</td>
1116<td>
1117<p>Users against which a client's password is tested</p>
1118</td>
1119<td>
1120<p>None</p>
1121</td>
1122<td>
1123<p>Share</p>
1124</td>
1125</tr>
1126
1127</table>
1128
1129
1130<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.1"/>
1131
1132<a name="INDEX-61"/><h3 class="head3">only user</h3>
1133
1134<p>This Boolean option indicates whether Samba will allow connections to
1135a share using share-level security based solely on the individuals
1136specified in the <tt class="literal">username</tt> option, instead of those
1137users compiled on Samba's internal list. The default
1138value for this option is <tt class="literal">no</tt>. You can override it
1139per share as follows:</p>
1140
1141<blockquote><pre class="code">[global]
1142    security = share
1143[data]
1144    username = andy, peter, valerie
1145    only user = yes</pre></blockquote>
1146
1147
1148</div>
1149
1150
1151
1152<div class="sect3"><a name="samba2-CHP-9-SECT-3.2.2"/>
1153
1154<a name="INDEX-62"/><h3 class="head3">username</h3>
1155
1156<p>This option presents a list of usernames and/or group names against
1157which Samba tests a connection password to allow access. It is
1158typically used with clients that have share-level security to allow
1159connections to a particular service based solely on a qualifying
1160password&mdash;in this case, one that matches a password set up for a
1161specific user:</p>
1162
1163<blockquote><pre class="code">[global]
1164    security = share
1165[data]
1166    username = andy, peter, terry</pre></blockquote>
1167
1168<p>You can enter a list of usernames and/or group names. If a name is
1169prefixed by an at sign (<tt class="literal">@</tt>), it is interpreted as a
1170group name, with NIS groups searched before Unix groups. If the name
1171is prefixed by a plus sign (<tt class="literal">+</tt>), it is interpreted
1172as the name of a Unix group, and NIS is not searched. If the name is
1173prefixed by an ampersand (<tt class="literal">&amp;</tt>), it is
1174interpreted as an NIS group name rather than a Unix group name. The
1175plus sign and ampersand can be used together to specify whether NIS
1176or Unix groups are searched first. When Samba encounters a group name
1177in this option, it attempts to authenticate each user in the group
1178until it finds one that succeeds. Beware that this can be very
1179inefficient.</p>
1180
1181<p>We recommend against using this option unless you are implementing a
1182Samba server with share-level security.</p>
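<p>The prefix rules for group names are easy to misread, so here is an added example (not Samba's code) that parses a <tt class="literal">username</tt> value and expands each entry into the users Samba will test passwords for. The Unix and NIS group tables are constructed; the example assumes that the first source in which the group exists supplies the members rather than the two sources being merged.</p>

```python
# Constructed group tables standing in for /etc/group and NIS group maps.
UNIX_GROUPS = {"staff": ["andy", "peter"], "dev": ["terry"]}
NIS_GROUPS = {"staff": ["valerie"]}


def parse_username_option(value):
    """Split the smb.conf value (comma and/or space separated) into entries."""
    return [entry for entry in value.replace(",", " ").split() if entry]


def expand_username_entry(entry, unix_groups, nis_groups):
    """Expand one entry into the usernames Samba will try passwords for.
    '@name' searches NIS then Unix; '+name' Unix only; '&name' NIS only;
    '+&name' / '&+name' both, in the order written.  Assumption: the first
    source that defines the group supplies the members; the sources are
    not merged."""
    if entry.startswith("@"):
        sources, name = ["nis", "unix"], entry[1:]
    else:
        sources, name = [], entry
        while name and name[0] in "+&":
            sources.append("unix" if name[0] == "+" else "nis")
            name = name[1:]
        if not sources:
            return [entry]                     # a plain username
    for source in sources:
        table = nis_groups if source == "nis" else unix_groups
        if name in table:
            return list(table[name])
    return []                                  # group unknown in every searched source


def expand_username_list(entries, unix_groups=UNIX_GROUPS, nis_groups=NIS_GROUPS):
    """Full ordered, de-duplicated list; its length is the number of password
    checks a single connection attempt can cost."""
    users = []
    for entry in entries:
        for user in expand_username_entry(entry, unix_groups, nis_groups):
            if user not in users:
                users.append(user)
    return users


if __name__ == "__main__":
    entries = parse_username_option("terry, @staff, +staff")
    print(entries, "->", expand_username_list(entries))
```

<p>The length of the expanded list is the inefficiency the text warns about: every user it contains is one more password comparison per connection attempt, and one more account whose password could unlock the share.</p>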
1183
1184
1185</div>
1186
1187
1188</div>
1189
1190
1191<div class="sect2"><a name="samba2-CHP-9-SECT-3.3"/>
1192
1193<h3 class="head2">User-Level Security</h3>
1194
1195<p>The default mode of security with Samba is <em class="firstterm">user-level
1196security</em><a name="INDEX-63"/>. With this method, each share is
1197assigned specific users that can access it. When a user requests a
1198connection to a share, Samba authenticates by validating the given
1199username and password with the authorized users in the configuration
1200file and the passwords in the password database of the Samba server.
1201As mentioned earlier in the chapter, one way to isolate which users
1202are allowed access to a specific share is by using the
1203<tt class="literal">valid</tt> <tt class="literal">users</tt> option for each
1204share:</p>
1205
1206<blockquote><pre class="code">[global]
1207    security = user
1208
1209[accounting1]
1210    writable = yes
1211    valid users = bob, joe, sandy</pre></blockquote>
1212
1213<p>Each user listed can connect to the share if the password provided
1214matches the password stored in the system password database on the
1215server. Once the initial authentication succeeds, the client will not
1216need to supply a password again to access that share unless the
1217<tt class="literal">revalidate</tt> <tt class="literal">=</tt>
1218<tt class="literal">yes</tt> option has been set.</p>
1219
1220<p>Passwords can be sent to the Samba server in either an encrypted or a
1221nonencrypted format. If you have both types of systems on your
1222network, you should ensure that the passwords represented by each
1223user are stored both in a traditional account database and
1224Samba's encrypted password database. This way,
1225authorized users can gain access to their shares from any type of
1226client.<a name="FNPTR-1"/><a href="#FOOTNOTE-1">[1]</a> However, we recommend that you
1227move your system to encrypted passwords and abandon nonencrypted
1228passwords if security is an issue. <a href="ch09.html#samba2-CHP-9-SECT-4">Section 9.4</a> of this chapter
1229explains how to use encrypted as well as nonencrypted passwords.</p>
1230
1231
1232</div>
1233
1234
1235<div class="sect2"><a name="samba2-CHP-9-SECT-3.4"/>
1236
1237<h3 class="head2">Server-Level Security</h3>
1238
1239<p><em class="firstterm">Server-level
1240security</em><a name="INDEX-64"/> is similar to user-level security.
1241However, with server-level security, Samba delegates password
1242authentication to another SMB password server&mdash;typically another
1243Samba server or a Windows NT/2000 server acting as a PDC on the
1244network. Note that Samba still maintains its list of shares and their
1245configuration in its <em class="filename">smb.conf</em> file. When a
1246client attempts to make a connection to a particular share, Samba
1247validates that the user is indeed authorized to connect to the share.
1248Samba then attempts to validate the password by passing the username
1249and password to the SMB password server. If the password is accepted,
1250a session is established with the client. See <a href="ch09.html#samba2-CHP-9-FIG-2">Figure 9-2</a> for an illustration of this setup.</p>
1251
1252<div class="figure"><a name="samba2-CHP-9-FIG-2"/><img src="figs/sam2_0902.gif"/></div><h4 class="head4">Figure 9-2. A typical system setup using server-level security</h4>
1253
1254<p>You can configure Samba to use a separate password server under
1255server-level security with the use of the
1256<tt class="literal">password</tt><a name="INDEX-65"/> <tt class="literal">server</tt>
1257global configuration option, as follows:</p>
1258
1259<blockquote><pre class="code">[global]
1260    security = server
1261    password server = mixtec toltec</pre></blockquote>
1262
1263<p>Note that you can specify more than one machine as the target of the
1264<tt class="literal">password</tt> <tt class="literal">server</tt>; Samba moves
1265down the list of servers in the event that its first choice is
1266unreachable. The servers identified by the
1267<tt class="literal">password</tt> <tt class="literal">server</tt> option are
1268given as NetBIOS names, not their DNS names or equivalent IP
1269addresses. Also, if any of the servers reject the given password, the
1270connection automatically fails&mdash;Samba will not attempt another
1271server.</p>
1272
1273<p>One caveat: when using this option, you still need an account
1274representing that user on the regular Samba server. This is because
1275the Unix operating system needs a username to perform various I/O
1276operations. The preferable method of handling this is to give the
1277user an account on the Samba server but disable the
1278account's password by replacing it in the system
1279password file (e.g., <em class="filename">/etc/passwd </em>) with an
1280asterisk (*).</p>
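<p>The fallback behaviour of <tt class="literal">password</tt> <tt class="literal">server</tt> (skip unreachable servers, but never retry after a rejection) and the local-account caveat are easy to get wrong in a mental model, so here is an added Python example, not Samba's own code, that encodes both rules. Which servers are reachable, which credentials they accept, and the local <em class="filename">/etc/passwd</em> lines are all constructed for the example.</p>

```python
PASSWORD_SERVER = "mixtec toltec"        # the smb.conf value shown above

# Constructed state of the network for this example.
REACHABLE = {"mixtec": False, "toltec": True}          # mixtec is down
ACCEPTS = {                                            # (user, password) pairs each server accepts
    "mixtec": {("bob", "secret")},
    "toltec": {("bob", "secret")},
}
LOCAL_PASSWD = [
    "bob:*:1002:100:Bob:/home/bob:/bin/sh",            # local password disabled with '*', as advised
    "joe:x:1003:100:Joe:/home/joe:/bin/sh",            # still carries a local password
]


def parse_password_servers(value):
    """The option is a whitespace-separated list of NetBIOS names."""
    return value.split()


def delegated_auth(servers, username, password, reachable, accepts):
    """Walk the list: unreachable servers are skipped, but the first server
    that answers is final.  Returns (accepted, server_that_decided)."""
    for server in servers:
        if not reachable.get(server, False):
            continue                                   # move down the list
        accepted = (username, password) in accepts.get(server, set())
        return accepted, server                        # a rejection is not retried elsewhere
    return False, None                                 # nobody reachable: nothing can be validated


def local_account_state(username, passwd_lines):
    """'missing', 'disabled' (password field is '*'), or 'enabled'."""
    for line in passwd_lines:
        fields = line.split(":")
        if fields[0] == username:
            return "disabled" if fields[1] == "*" else "enabled"
    return "missing"


def server_level_connect(username, password, servers=None, reachable=REACHABLE,
                         accepts=ACCEPTS, passwd_lines=LOCAL_PASSWD):
    """Combine both rules: the password server must accept, and a Unix account
    must exist locally so the connection has an identity to run as."""
    if servers is None:
        servers = parse_password_servers(PASSWORD_SERVER)
    accepted, decided_by = delegated_auth(servers, username, password, reachable, accepts)
    if not accepted:
        return False, decided_by
    if local_account_state(username, passwd_lines) == "missing":
        return False, decided_by
    return True, decided_by
```

<p>The fourth assertion in the test is the case to remember: when the first server is up and says no, the second server is never consulted even though it would have said yes.</p>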
1281
1282
1283</div>
1284
1285
1286<div class="sect2"><a name="samba2-CHP-9-SECT-3.5"/>
1287
1288<h3 class="head2">Domain-Level Security</h3>
1289
1290<p>With <em class="firstterm">domain-level
1291security</em><a name="INDEX-66"/>, the Samba server acts as a member of
1292a Windows domain. Recall from <a href="ch01.html">Chapter 1</a> that each
1293domain has a primary domain controller, which can be a Windows
1294NT/2000 or Samba server offering password authentication. The domain
1295controller keeps track of users and passwords in its own database and
1296authenticates each user when she first logs on and wishes to access
1297another machine's shares.</p>
1298
1299<p>As mentioned earlier in this chapter, Samba has a similar ability to
1300offer user-level security, but that option is Unix-centric and
1301assumes that the authentication occurs via Unix password files. If
1302the Unix machine is part of an NIS or NIS+ domain, Samba
1303authenticates users transparently against a shared password file in
1304typical Unix fashion. Samba then provides access to the NIS or NIS+
1305domain from Windows. There is, of course, no relationship between the
1306NIS concept of a domain and a Windows NT domain.</p>
1307
1308<p>Configuring Samba for domain-level security is covered in <a href="ch04.html">Chapter 4</a> in <a href="ch04.html#samba2-CHP-4-SECT-7">Section 4.7</a>. <a name="INDEX-67"/></p>
1309
1310
1311</div>
1312
1313
1314</div>
1315
1316
1317
1318<div class="sect1"><a name="samba2-CHP-9-SECT-4"/>
1319
1320<h2 class="head1">Passwords</h2>
1321
1322<p><a name="INDEX-68"/>Passwords
1323are a thorny issue with Samba. So much so, in fact, that they are
1324often the first major problem that users encounter when they install
1325Samba. At this point, we need to delve deeper into Samba to discover
1326what is happening on the network.</p>
1327
1328<p>Passwords sent from individual clients can be either encrypted or
1329nonencrypted. Encrypted passwords are, of course, more secure. A
1330nonencrypted, plain-text password can be easily read with a
1331packet-sniffing program, such as the modified
1332<em class="emphasis">tcpdump</em> program for Samba that we used in <a href="ch01.html">Chapter 1</a>. Whether passwords are encrypted by default
1333depends on the operating system that the client is using to connect
1334to the Samba server. <a href="ch09.html#samba2-CHP-9-TABLE-5">Table 9-5</a> lists which
1335<a name="INDEX-69"/>Windows operating
1336systems encrypt their passwords and which send plain-text passwords
1337by default.</p>
1338
1339<a name="samba2-CHP-9-TABLE-5"/><h4 class="head4">Table 9-5. Windows operating systems with encrypted passwords</h4><table border="1">
1340
1341
1342
1343<tr>
1344<th>
1345<p>Operating system</p>
1346</th>
1347<th>
1348<p>Encrypted or plain text</p>
1349</th>
1350</tr>
1351
1352
1353<tr>
1354<td>
1355<p>Windows for Workgroups</p>
1356</td>
1357<td>
1358<p>Plain text</p>
1359</td>
1360</tr>
1361<tr>
1362<td>
1363<p>Windows 95</p>
1364</td>
1365<td>
1366<p>Plain text</p>
1367</td>
1368</tr>
1369<tr>
1370<td>
1371<p>Windows 95 with SMB Update</p>
1372</td>
1373<td>
1374<p>Encrypted</p>
1375</td>
1376</tr>
1377<tr>
1378<td>
1379<p>Windows 98</p>
1380</td>
1381<td>
1382<p>Encrypted</p>
1383</td>
1384</tr>
1385<tr>
1386<td>
1387<p>Windows Me</p>
1388</td>
1389<td>
1390<p>Encrypted</p>
1391</td>
1392</tr>
1393<tr>
1394<td>
1395<p>Windows NT 3.x</p>
1396</td>
1397<td>
1398<p>Plain text</p>
1399</td>
1400</tr>
1401<tr>
1402<td>
1403<p>Windows NT 4.0 before SP 3</p>
1404</td>
1405<td>
1406<p>Plain text</p>
1407</td>
1408</tr>
1409<tr>
1410<td>
1411<p>Windows NT 4.0 after SP 3</p>
1412</td>
1413<td>
1414<p>Encrypted</p>
1415</td>
1416</tr>
1417<tr>
1418<td>
1419<p>Windows 2000</p>
1420</td>
1421<td>
1422<p>Encrypted</p>
1423</td>
1424</tr>
1425<tr>
1426<td>
1427<p>Windows XP</p>
1428</td>
1429<td>
1430<p>Encrypted</p>
1431</td>
1432</tr>
1433
1434</table>
1435
1436<p>Three different encryption methods are used. Windows 95/98/Me clients
1437use a method inherited from Microsoft's LAN Manager
1438network software. Windows NT/2000/XP systems use a newer system,
1439called NT LAN Manager, or NTLM. A newer version of this (called NT
1440LAN Manager Version 2, or NTLMv2) uses a different method for
1441password hashing.</p>
1442
1443<p>If encrypted passwords are supported, Samba stores the encrypted
1444passwords in a file called <em class="filename">smbpasswd</em>. By
1445default, this file is located in the <em class="filename">private</em>
1446directory of the Samba distribution (typically
1447<em class="filename">/usr/local/samba/private</em>). At the same time, the
1448client stores an encrypted version of a user's
1449password on its own system. The plain-text password is never stored
1450on either system. Each system encrypts the password automatically
1451using a standard algorithm when the password is set or changed.</p>
1452
1453<p>When a client requests a connection to an SMB server that supports
1454encrypted passwords (such as Samba or Windows NT/2000/XP), the two
1455computers undergo the following negotiations:</p>
1456
1457<ol><li>
1458<p>The client attempts to negotiate a protocol with the server.</p>
1459</li><li>
1460<p>The server responds with a protocol and indicates that it supports
1461encrypted passwords. At this time, it sends back a randomly generated
14628-byte challenge string.</p>
1463</li><li>
1464<p>The client uses the challenge string as a key to encrypt its already
1465encrypted password using an algorithm predefined by the negotiated
1466protocol. It then sends the result to the server.</p>
1467</li><li>
1468<p>The server does the same thing with the encrypted password stored in
1469its database. If the results match, the passwords are equivalent, and
1470the user is authenticated.</p>
1471</li></ol>
1472<p>Note that even though the original passwords are not involved in the
1473authentication process, you need to be very careful that the
1474encrypted passwords located inside the <em class="filename">smbpasswd</em>
1475file are guarded from unauthorized users. If they are compromised, an
1476unauthorized user can break into the system by replaying the steps of
1477the previous algorithm. The encrypted passwords are just as sensitive
1478as the plain-text passwords&mdash;this is known as
1479<em class="firstterm">plain-text-equivalent</em> data in the cryptography
1480world. Of course, your local security policy should require that the
1481clients safeguard their plain-text-equivalent passwords as well.</p>
1482
1483<p>You can configure Samba to accept encrypted passwords with the
1484following global additions to <em class="filename">smb.conf</em>. Note
1485that we explicitly name the location of the Samba password file:</p>
1486
1487<blockquote><pre class="code">[global]
1488    security = user
1489    encrypt passwords = yes
1490    smb passwd file = /usr/local/samba/private/smbpasswd</pre></blockquote>
1491
1492<p>Samba, however, will not accept any users until the
1493<em class="filename">smbpasswd</em> file has been created and the users
1494have been added to it with the <em class="emphasis">smbpasswd</em>
1495command, as we showed you in <a href="ch02.html">Chapter 2</a>.</p>
1496
1497
1498<div class="sect2"><a name="samba2-CHP-9-SECT-4.1"/>
1499
1500<h3 class="head2">Disabling Encrypted Passwords on the Client</h3>
1501
1502<p><a name="INDEX-70"/><a name="INDEX-71"/>While Unix authentication has been
1503in use for decades&mdash;including the use of
1504<em class="emphasis">telnet</em> and <em class="emphasis">rlogin</em> access
1505across the Internet&mdash;it embodies well-known security risks.
1506Plaintext passwords are sent over the Internet and can be retrieved
1507from TCP packets by malicious snoopers. However, if you feel that
1508your network is secure and you wish to use standard Unix
1509<em class="filename">/etc/passwd</em> authentication for all clients, you
1510can do so, but you must disable encrypted passwords on those Windows
1511clients that default to using them.</p>
1512
1513<p>To do this, you must modify the Windows registry on each client
1514system. The Samba distribution includes the <em class="filename">.reg</em>
1515files you need for this, located in the source
1516distribution's <em class="filename">/docs/Registry</em>
1517directory. Depending on the platform, you use one of the following
1518files:</p>
1519
1520<blockquote class="simplelist">
1521
1522<p><em class="filename">Win95_PlainPassword.reg</em></p>
1523
1524<p><em class="filename">Win98_PlainPassword.reg</em></p>
1525
1526<p><em class="filename">WinME_PlainPassword.reg</em></p>
1527
1528<p><em class="filename">NT_PlainPassword.reg</em></p>
1529
1530<p><em class="filename">Win2000_PlainPassword.reg</em></p>
1531
1532</blockquote>
1533
1534<p>(For Windows XP, use the <em class="filename">.reg</em> file for Windows
15352000.) You can perform the installation by copying the appropriate
1536<em class="filename">.reg</em> file to a DOS floppy, inserting the floppy
1537in the client's floppy drive, and running the
1538<em class="filename">.reg</em> file from the Run menu item in the
1539client's Start menu. (Or you can just double-click
1540the file's icon.)</p>
1541
1542<p>After you reboot the machine, the client will not encrypt its hashed
1543passwords before sending them to the server. This means that the
1544plain-text passwords can be seen in the TCP packets that are
1545broadcast across the network. Again, we encourage you not to do this
1546unless you are absolutely sure that your network is secure.</p>
1547
1548<p>If passwords are not encrypted, use these two lines in your Samba
1549configuration file:</p>
1550
1551<blockquote><pre class="code">[global]
1552    security = user
1553    encrypt passwords = no</pre></blockquote>
1554
1555
1556</div>
1557
1558
1559<div class="sect2"><a name="samba2-CHP-9-SECT-4.2"/>
1560
1561<h3 class="head2">The smbpasswd File</h3>
1562
1563<p>Samba stores its encrypted passwords in a file called
1564<em class="filename">smbpasswd</em><a name="INDEX-72"/>,
1565which by default resides in the
1566<em class="filename">/usr/local/samba/private</em> directory. The
1567<em class="filename">smbpasswd</em> file should be guarded as closely as
1568the Unix system's password file (either
1569<em class="filename">/etc/passwd</em> or
1570<em class="filename">/etc/shadow</em>). Only the root user should have
1571read/write access to the <em class="filename">private</em> directory, and
1572no other users should have access to it at all. In addition, the
1573<em class="filename">smbpasswd</em> file should have all access denied to
1574all users except for root. When things are set up for good security,
1575long listings of the <em class="filename">private</em> directory and
1576<em class="filename">smbpasswd</em> file look like the following:</p>
1577
1578<blockquote><pre class="code"># <tt class="userinput"><b>ls -ld /usr/local/samba/private</b></tt>
1579drwx------   2 root   root   4096 Nov 26 01:11 /usr/local/samba/private
1580# <tt class="userinput"><b>ls -l /usr/local/samba/private/smbpasswd</b></tt>
1581-rw-------   1 root   root    204 Nov 26 01:11 /usr/local/samba/private/smbpasswd</pre></blockquote>
1582
1583<p>Before you can use encrypted passwords, you need to create an entry
1584for each Unix user in the <em class="filename">smbpasswd</em> file. The
1585structure of the file is somewhat similar to a Unix
1586<em class="filename">passwd</em> file, but has different fields. <a href="ch09.html#samba2-CHP-9-FIG-3">Figure 9-3</a> illustrates the layout of the
1587<em class="filename">smbpasswd</em> file; the entry shown is actually one
1588line in the file.</p>
1589
1590<div class="figure"><a name="samba2-CHP-9-FIG-3"/><img src="figs/sam2_0903.gif"/></div><h4 class="head4">Figure 9-3. Structure of the smbpasswd file entry (actually one line)</h4>
1591
1592<p>Normally, entries in the <em class="filename">smbpasswd</em> file are
1593created automatically by the <em class="emphasis">smbpasswd</em> command.
1594Still, you might like to know how to interpret data within the
1595<em class="filename">smbpasswd</em> file, in case you'd
1596like to see what accounts are stored in it or even modify it
1597manually. Here is a breakdown of the individual fields:</p>
1598
1599<dl>
1600<dt><b>Username</b></dt>
1601<dd>
1602<p>This is the username of the account. It is taken directly from the
1603system password file.</p>
1604</dd>
1605
1606
1607
1608<dt><b>UID</b></dt>
1609<dd>
1610<p>This is the user ID (UID) of the account. Like the username, it is
1611taken directly from the system password file and must match the UID
1612there.</p>
1613</dd>
1614
1615
1616
1617<dt><b>LAN Manager Password Hash</b></dt>
1618<dd>
1619<p>This is a 32-bit hexadecimal sequence that represents the password
1620Windows 95/98/Me clients will use. It is derived by splitting the
1621password into two 7-character strings, with all lowercase letters
1622forced into uppercase. If fewer than 14 characters are in the
1623password, the strings are padded with nulls. Then each 7-character
1624string is converted to a 56-bit DES key and used to encrypt the
1625constant string <tt class="literal">KGS!@#$%</tt>. The two 64-bit results
1626are concatenated and stored as the password hash.</p>
1627
1628
1629<p>If there is currently no password for the user, the first 11
1630characters of the hash will consist of the sequence
1631<tt class="literal">NO</tt> <tt class="literal">PASSWORD</tt> followed by
1632<tt class="literal">X</tt> characters for the remainder. If the password
1633has been disabled, it will consist of 32 <tt class="literal">X</tt>
1634characters.</p>
1635</dd>
1636
1637
1638<dt><b>NT LAN Manager (NTLM) Password Hash</b></dt>
1639<dd>
1640<p>This is a 32-bit hexadecimal sequence that represents the password
1641Windows NT/2000/XP clients will use. It is derived by hashing the
1642user's password (represented as a 16-bit
1643little-endian Unicode sequence) with an MD4 hash. The password is not
1644converted to uppercase letters first.</p>
1645</dd>
1646
1647
1648
1649<dt><b>Account Flags</b></dt>
1650<dd>
1651<p>This field consists of 11 characters between square brackets ([ ]). Any
1652of the following characters can appear in any order; the remaining
1653characters should be spaces:</p>
1654
1655
1656<dl>
1657<dt><b>U</b></dt>
1658<dd>
1659<p>This account is a standard user account.</p>
1660</dd>
1661
1662
1663
1664<dt><b>D</b></dt>
1665<dd>
1666<p>This account is currently disabled, and Samba should not allow any
1667logins.</p>
1668</dd>
1669
1670
1671
1672<dt><b>N</b></dt>
1673<dd>
1674<p>This account has no password associated with it.</p>
1675</dd>
1676
1677
1678
1679<dt><b>W</b></dt>
1680<dd>
1681<p>This is a workstation trust account that can be used to configure
1682Samba as a PDC when allowing Windows NT machines to join its domain.</p>
1683</dd>
1684
1685</dl>
1686</dd>
1687
1688
1689<dt><b>Last Change Time</b></dt>
1690<dd>
1691<p>This code consists of the characters <tt class="literal">LCT-</tt> followed
1692by a hexadecimal representation of the number of seconds since the
1693epoch (midnight on January 1, 1970) that the entry was last changed.
1694<a name="INDEX-73"/></p>
1695</dd>
1696
1697</dl>
1698
1699
1700</div>
1701
1702
1703<div class="sect2"><a name="samba2-CHP-9-SECT-4.3"/>
1704
1705<h3 class="head2">Password Synchronization</h3>
1706
1707<p><a name="INDEX-74"/><a name="INDEX-75"/>Having a regular password (either in
1708<em class="filename">/etc/passwd</em> or <em class="filename">/etc/shadow</em>)
1709and an encrypted version of the same password (in the
1710<em class="filename">smbpasswd</em> file) can be troublesome when you need
1711to change both of them. Luckily, Samba affords you a limited ability
1712to keep your passwords synchronized. Samba has a pair of
1713configuration options to update a user's regular
1714Unix password automatically when the encrypted password is changed on
1715the system. The feature can be activated by specifying the
1716<tt class="literal">unix</tt><a name="INDEX-76"/> <tt class="literal">password</tt>
1717<tt class="literal">sync</tt> global configuration option:</p>
1718
1719<blockquote><pre class="code">[global]
1720    unix password sync = yes</pre></blockquote>
1721
1722<p>With this option enabled, Samba attempts to change the
1723user's regular password (as <tt class="literal">root</tt>)
1724when the encrypted version is changed with
1725<em class="filename">smbpasswd</em>. However, two other options have to be
1726set correctly for this to work.</p>
1727
1728<p>The easier of the two is <tt class="literal">passwd</tt>
1729<tt class="literal">program</tt>. This option simply specifies the Unix
1730command used to change a user's standard system
1731password. It is set to <tt class="literal">/bin/passwd</tt>
1732<tt class="literal">%u</tt> by default. With some Unix systems, this is
1733sufficient, and you do not need to change anything. Others, such as
1734Red Hat Linux, use <em class="emphasis">/usr/bin/passwd</em> instead. In
1735addition, you might want to change this to another program or script
1736at some point in the future. For example, let's
1737assume that you want to use a script called
1738<em class="emphasis">changepass</em> to change a user's
1739password. Recall that you can use the variable <tt class="literal">%u</tt>
1740to represent the current Unix username. So the example becomes:</p>
1741
1742<blockquote><pre class="code">[global]
1743    unix password sync = yes
1744    passwd program = changepass %u</pre></blockquote>
1745
1746<p>Note that this program is called as the <tt class="literal">root</tt> user
1747when the <tt class="literal">unix</tt> <tt class="literal">password</tt>
1748<tt class="literal">sync</tt> option is set to <tt class="literal">yes</tt>. This
1749is because Samba does not necessarily have the old plain-text
1750password of the user.</p>
1751
1752<p>The harder option to configure is
1753<tt class="literal">passwd</tt><a name="INDEX-77"/> <tt class="literal">chat</tt>. The
1754<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option works like a
1755Unix chat script. It specifies a series of strings to send, as well
1756as responses to expect from the program specified by the
1757<tt class="literal">passwd</tt> <tt class="literal">program</tt> option. For
1758example, this is what the default <tt class="literal">passwd</tt>
1759<tt class="literal">chat</tt> looks like. The delimiters are the spaces
1760between each grouping of characters:</p>
1761
1762<blockquote><pre class="code">passwd chat = *old*password* %o\n *new*password* %n\n *new*password* %n\n *changed*</pre></blockquote>
1763
1764<p>The first grouping represents a response expected from the
1765password-changing program. Note that it can contain wildcards
1766(<tt class="literal">*</tt>), which help to generalize the chat programs to
1767handle a variety of similar outputs. Here,
1768<tt class="literal">*old*password*</tt> indicates that Samba is expecting
1769any line from the password program containing the letters
1770<tt class="literal">old</tt> followed by the letters
1771<tt class="literal">password</tt>, without regard for what comes before,
1772after, or between them. If Samba does not receive the expected
1773response, the password change will fail.</p>
1774
1775<p>The second grouping indicates what Samba should send back once the
1776data in the first grouping has been matched. In this case, you see
1777<tt class="literal">%o\n</tt>. This response is actually two items: the
1778variable <tt class="literal">%o</tt> represents the old password, while the
1779<tt class="literal">\n</tt> is a newline character. So, in effect, this
1780will &quot;type&quot; the old password into
1781the standard input of the password-changing program, and then
1782&quot;press&quot; Enter.</p>
1783
1784<p>Following that is another response grouping, followed by data that
1785will be sent back to the password-changing program. (In fact, this
1786response/send pattern continues indefinitely in any standard Unix
1787<em class="emphasis">chat</em> script.) The script continues until the
1788final pattern is matched.</p>
1789
1790<p>You can help match the response strings sent from the password
1791program with the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-6">Table 9-6</a>.
1792In addition, you can use the characters listed in <a href="ch09.html#samba2-CHP-9-TABLE-7">Table 9-7</a> to help formulate your response.</p>
1793
1794<a name="samba2-CHP-9-TABLE-6"/><h4 class="head4">Table 9-6. Password chat response characters</h4><table border="1">
1795
1796
1797
1798<tr>
1799<th>
1800<p>Character</p>
1801</th>
1802<th>
1803<p>Definition</p>
1804</th>
1805</tr>
1806
1807
1808<tr>
1809<td>
1810<p><tt class="literal">*</tt></p>
1811</td>
1812<td>
1813<p>Zero or more occurrences of any character.</p>
1814</td>
1815</tr>
1816<tr>
1817<td>
1818<p>&quot;<tt class="literal"> </tt>&quot;</p>
1819</td>
1820<td>
1821<p>Allows you to include matching strings that contain spaces. Asterisks
1822are still considered wildcards even inside of quotes, and you can
1823represent a null response with empty quotes.</p>
1824</td>
1825</tr>
1826
1827</table>
1828
1829<a name="samba2-CHP-9-TABLE-7"/><h4 class="head4">Table 9-7. Password chat send characters</h4><table border="1">
1830
1831
1832
1833<tr>
1834<th>
1835<p>Character</p>
1836</th>
1837<th>
1838<p>Definition</p>
1839</th>
1840</tr>
1841
1842
1843<tr>
1844<td>
1845<p><tt class="literal">%o</tt></p>
1846</td>
1847<td>
1848<p>The user's old password</p>
1849</td>
1850</tr>
1851<tr>
1852<td>
1853<p><tt class="literal">%n</tt></p>
1854</td>
1855<td>
1856<p>The user's new password</p>
1857</td>
1858</tr>
1859<tr>
1860<td>
1861<p><tt class="literal">\n</tt></p>
1862</td>
1863<td>
1864<p>The linefeed character</p>
1865</td>
1866</tr>
1867<tr>
1868<td>
1869<p><tt class="literal">\r</tt></p>
1870</td>
1871<td>
1872<p>The carriage-return character</p>
1873</td>
1874</tr>
1875<tr>
1876<td>
1877<p><tt class="literal">\t</tt></p>
1878</td>
1879<td>
1880<p>The tab character</p>
1881</td>
1882</tr>
1883<tr>
1884<td>
1885<p><tt class="literal">\s</tt></p>
1886</td>
1887<td>
1888<p>A space</p>
1889</td>
1890</tr>
1891
1892</table>
1893
1894<p>For example, you might want to change your password chat to the
1895following entry. This handles scenarios in which you do not have to
1896enter the old password. In addition, this also handles the new
1897<tt class="literal">all</tt> <tt class="literal">tokens</tt>
1898<tt class="literal">updated</tt> <tt class="literal">successfully</tt> string
1899that Red Hat Linux sends:</p>
1900
1901<blockquote><pre class="code">passwd chat = *New password* %n\n *new password* %n\n *success*</pre></blockquote>
1902
1903<p>Again, the default chat should be sufficient for many Unix systems.
1904If it isn't, you can use the
1905<tt class="literal">passwd</tt> <tt class="literal">chat</tt>
1906<tt class="literal">debug</tt> global option to set up a new chat script
1907for the password change program. The <tt class="literal">passwd</tt>
1908<tt class="literal">chat</tt> <tt class="literal">debug</tt> option logs
1909everything during a password chat. This option is a simple Boolean,
1910as shown here:</p>
1911
1912<blockquote><pre class="code">[global]
1913    unix password sync = yes
1914    passwd chat debug = yes
1915    log level = 100</pre></blockquote>
1916
1917<p>After you activate the password chat debug feature, all I/O received
1918by Samba through the password chat can be sent to the
1919<em class="filename">log.smbd</em> Samba log file with a debug level of
1920100, which is why we entered a new <tt class="literal">log</tt>
1921<tt class="literal">level</tt> option as well. As this can often generate
1922multitudes of error logs, it can be more efficient to use your own
1923script&mdash;by setting the <tt class="literal">passwd</tt>
1924<tt class="literal">program</tt> option&mdash;in place of
1925<em class="filename">/bin/passwd</em> to record what happens during the
1926exchange. Be careful because the log file contains the passwords in
1927plain text. Keeping files containing plain-text passwords can (or
1928<em class="emphasis">should</em>) be against local security policy in your
1929organization, and it also might raise serious legal issues. Make sure
1930to protect your log files with strict file permissions and to delete
1931them as soon as you've grabbed the information you
1932need. If possible, use the <tt class="literal">passwd</tt>
1933<tt class="literal">chat</tt> <tt class="literal">debug</tt> option only while
1934your own password is being changed.</p>
1935
1936<p>The operating system on which Samba is running might have strict
1937requirements for valid passwords to make them more impervious to
1938dictionary attacks and the like. Users should be made aware of these
1939restrictions when changing their passwords.</p>
1940
1941<p>Earlier we said that password synchronization is limited. This is
1942because there is no reverse synchronization of the encrypted
1943<em class="filename">smbpasswd</em> file when a standard Unix password is
1944updated by a user. There are various strategies to get around this,
1945including NIS and freely available implementations of the Pluggable
1946Authentication Modules (PAM) standard, but none of them really solves
1947all the problems.</p>
1948
<p>More information regarding passwords can be found in the Samba
source distribution file
<em class="filename">docs/htmldocs/ENCRYPTION.html</em>.<a name="INDEX-80"/></p>
1952
1953
1954</div>
1955
1956
1957<div class="sect2"><a name="samba2-CHP-9-SECT-4.4"/>
1958
1959<h3 class="head2">Password Configuration Options</h3>
1960
1961<p><a name="INDEX-81"/><a name="INDEX-82"/>The options in <a href="ch09.html#samba2-CHP-9-TABLE-8">Table 9-8</a> will help you work with passwords in Samba.</p>
1962
1963<a name="samba2-CHP-9-TABLE-8"/><h4 class="head4">Table 9-8. Password configuration options</h4><table border="1">
1964
1965
1966
1967
1968
1969
1970<tr>
1971<th>
1972<p>Option</p>
1973</th>
1974<th>
1975<p>Parameters</p>
1976</th>
1977<th>
1978<p>Function</p>
1979</th>
1980<th>
1981<p>Default</p>
1982</th>
1983<th>
1984<p>Scope</p>
1985</th>
1986</tr>
1987
1988
1989<tr>
1990<td>
1991<p><tt class="literal">encrypt</tt> <tt class="literal">passwords</tt></p>
1992</td>
1993<td>
1994<p>Boolean</p>
1995</td>
1996<td>
1997<p>If <tt class="literal">yes</tt>, enables encrypted passwords.</p>
1998</td>
1999<td>
2000<p><tt class="literal">no</tt></p>
2001</td>
2002<td>
2003<p>Global</p>
2004</td>
2005</tr>
2006<tr>
2007<td>
2008<p><tt class="literal">unix password</tt> <tt class="literal">sync</tt></p>
2009</td>
2010<td>
2011<p>Boolean</p>
2012</td>
2013<td>
2014<p>If <tt class="literal">yes</tt>, updates the standard Unix password
2015database when a user changes his encrypted password.</p>
2016</td>
2017<td>
2018<p><tt class="literal">no</tt></p>
2019</td>
2020<td>
2021<p>Global</p>
2022</td>
2023</tr>
2024<tr>
2025<td>
2026<p><tt class="literal">passwd chat</tt></p>
2027</td>
2028<td>
2029<p>string (chat commands)</p>
2030</td>
2031<td>
2032<p>Sequence of commands sent to the password program.</p>
2033</td>
2034<td>
2035<p>See earlier section on this option</p>
2036</td>
2037<td>
2038<p>Global</p>
2039</td>
2040</tr>
2041<tr>
2042<td>
2043<p><tt class="literal">passwd chat</tt> <tt class="literal">debug</tt></p>
2044</td>
2045<td>
2046<p>Boolean</p>
2047</td>
2048<td>
2049<p>If <tt class="literal">yes</tt>, sends debug logs of the password-change
2050process to the log files with a level of 100.</p>
2051</td>
2052<td>
2053<p><tt class="literal">no</tt></p>
2054</td>
2055<td>
2056<p>Global</p>
2057</td>
2058</tr>
2059<tr>
2060<td>
2061<p><tt class="literal">passwd program</tt></p>
2062</td>
2063<td>
2064<p>string (Unix command)</p>
2065</td>
2066<td>
2067<p>Program to be used to change passwords.</p>
2068</td>
2069<td>
2070<p><tt class="literal">/bin/passwd</tt> <tt class="literal">%u</tt></p>
2071</td>
2072<td>
2073<p>Global</p>
2074</td>
2075</tr>
2076<tr>
2077<td>
2078<p><tt class="literal">password level</tt></p>
2079</td>
2080<td>
2081<p>numeric</p>
2082</td>
2083<td>
2084<p>Number of capital-letter permutations to attempt when matching a
2085client's password.</p>
2086</td>
2087<td>
2088<p>None</p>
2089</td>
2090<td>
2091<p>Global</p>
2092</td>
2093</tr>
2094<tr>
2095<td>
2096<p><tt class="literal">update</tt> <tt class="literal">encrypted</tt></p>
2097</td>
2098<td>
2099<p>Boolean</p>
2100</td>
2101<td>
2102<p>If <tt class="literal">yes</tt>, updates the encrypted password file when a
2103client connects to a share with a plain-text password.</p>
2104</td>
2105<td>
2106<p><tt class="literal">no</tt></p>
2107</td>
2108<td>
2109<p>Global</p>
2110</td>
2111</tr>
2112<tr>
2113<td>
2114<p><tt class="literal">null passwords</tt></p>
2115</td>
2116<td>
2117<p>Boolean</p>
2118</td>
2119<td>
2120<p>If <tt class="literal">yes</tt>, allows access for users with null
2121passwords.</p>
2122</td>
2123<td>
2124<p><tt class="literal">no</tt></p>
2125</td>
2126<td>
2127<p>Global</p>
2128</td>
2129</tr>
2130<tr>
2131<td>
2132<p><tt class="literal">smb passwd file</tt></p>
2133</td>
2134<td>
2135<p>string (filename)</p>
2136</td>
2137<td>
2138<p>Name of the encrypted password file.</p>
2139</td>
2140<td>
2141<p><tt class="literal">/usr/local/samba/private/smbpasswd</tt></p>
2142</td>
2143<td>
2144<p>Global</p>
2145</td>
2146</tr>
2147<tr>
2148<td>
2149<p><tt class="literal">hosts equiv</tt></p>
2150</td>
2151<td>
2152<p>string (filename)</p>
2153</td>
2154<td>
2155<p>Name of a file that contains hosts and users that can connect without
2156using a password.</p>
2157</td>
2158<td>
2159<p>None</p>
2160</td>
2161<td>
2162<p>Global</p>
2163</td>
2164</tr>
2165<tr>
2166<td>
2167<p><tt class="literal">use rhosts</tt></p>
2168</td>
2169<td>
2170<p>string (filename)</p>
2171</td>
2172<td>
<p>Name of a <em class="emphasis">.rhosts</em> file that allows users to
connect without using a password.</p>
2175</td>
2176<td>
2177<p>None</p>
2178</td>
2179<td>
2180<p>Global</p>
2181</td>
2182</tr>
2183
2184</table>
2185
2186
2187<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.1"/>
2188
2189<h3 class="head3">encrypt passwords</h3>
2190
2191<p>The <tt class="literal">encrypt</tt><a name="INDEX-83"/>
2192<tt class="literal">passwords</tt> global option switches Samba from using
2193plain-text passwords to encrypted passwords for authentication.
2194Encrypted passwords will be expected from clients if the option is
2195set to <tt class="literal">yes</tt>:</p>
2196
2197<blockquote><pre class="code">encrypt passwords = yes</pre></blockquote>
2198
<p>In Samba 2.2.x and earlier versions, encrypted passwords are
disabled by default. This was changed in Samba 3.0, where encrypted
passwords are enabled by default.</p>
2202
2203<p>If you use encrypted passwords, you must have a valid
2204<em class="filename">smbpasswd</em> file in place and populated with
2205usernames that authenticate with encrypted passwords. (See <a href="ch09.html#samba2-CHP-9-SECT-4.2">Section 9.4.2</a> earlier in
2206this chapter.) In addition, Samba must know the location of the
2207<em class="filename">smbpasswd</em> file; if it is not in the default
2208location (typically
2209<em class="filename">/usr/local/samba/private/smbpasswd</em> ), you can
2210explicitly name it using the <tt class="literal">smb</tt>
2211<tt class="literal">passwd</tt> <tt class="literal">file</tt> option.</p>
2212
2213<p>If you wish, you can use <tt class="literal">update</tt>
2214<tt class="literal">encrypted</tt> to force Samba to update the
2215<em class="filename">smbpasswd</em> file with encrypted passwords each
2216time a client connects using a nonencrypted password.</p>
2217
2218<p>If you have a mixture of clients on your network, with some of them
2219using encrypted passwords and others using plain-text passwords, you
2220can use the <tt class="literal">include</tt> option to make Samba treat
2221each client appropriately. To do this, create individual
2222configuration files based on the client name (<tt class="literal">%m</tt>).
These host-specific configuration files can contain an
<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt>
<tt class="literal">=</tt> <tt class="literal">yes</tt> option that activates
only when those clients are connecting to the server.</p>
2227
2228
2229</div>
2230
2231
2232
2233<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.2"/>
2234
2235<a name="INDEX-84"/><h3 class="head3">unix password sync</h3>
2236
2237<p>The <tt class="literal">unix</tt> <tt class="literal">password</tt>
2238<tt class="literal">sync</tt> global option allows Samba to update the
2239standard Unix password file when a user changes her encrypted
2240password. The encrypted password is stored on a Samba server in the
2241<em class="filename">smbpasswd</em> file, which is located by default in
2242<em class="filename">/usr/local/samba/private</em>. You can activate this
2243feature as follows:</p>
2244
2245<blockquote><pre class="code">[global]
2246    unix password sync = yes</pre></blockquote>
2247
2248<p>If this option is enabled, Samba changes the encrypted password and,
2249in addition, attempts to change the standard Unix password by passing
2250the username and new password to the program specified by the
2251<tt class="literal">passwd</tt> <tt class="literal">program</tt> option
2252(described earlier). Note that Samba does not necessarily have access
2253to the plain-text password for this user, so the password changing
2254program must be invoked as <tt class="literal">root</tt>.<a name="FNPTR-2"/><a href="#FOOTNOTE-2">[2]</a> If the Unix password change does not
2255succeed, for whatever reason, the SMB password is not changed either.</p>
2256
2257
2258</div>
2259
2260
2261
2262<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.3"/>
2263
2264<a name="INDEX-85"/><h3 class="head3">passwd chat</h3>
2265
2266<p>This option specifies a series of send/response strings similar to a
2267Unix chat script, which interface with the password-changing program
2268on the Samba server. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
2269chapter covers this option in detail.</p>
2270
2271
2272</div>
2273
2274
2275
2276<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.4"/>
2277
2278<h3 class="head3">passwd chat debug</h3>
2279
2280<p>If set to <tt class="literal">yes</tt>, the
2281<tt class="literal">passwd</tt><a name="INDEX-86"/> <tt class="literal">chat</tt>
2282<tt class="literal">debug</tt> global option logs everything sent or
2283received by Samba during a password chat. All the I/O received by
2284Samba through the password chat is sent to the Samba logs with a
2285debug level of 100; you must specify <tt class="literal">log</tt>
2286<tt class="literal">level</tt> <tt class="literal">=</tt> <tt class="literal">100</tt>
2287for the information to be recorded. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
2288chapter describes this option in more detail. Be aware that if you do
2289set this option, the plain-text passwords will be visible in the
2290debugging logs, which could be a security hazard if they are not
2291properly secured. It is against the security policy of some
2292organizations for system administrators to have access to
2293users' passwords.</p>
2294
2295
2296</div>
2297
2298
2299
2300<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.5"/>
2301
2302<h3 class="head3">passwd program</h3>
2303
2304<p>The <tt class="literal">passwd</tt><a name="INDEX-87"/>
2305<tt class="literal">program</tt> option specifies a program on the Unix
2306Samba server that Samba can use to update the standard system
2307password file when the encrypted password file is updated. This
2308option defaults to the standard <em class="emphasis">passwd</em> program,
2309usually located in the <em class="filename">/bin</em> directory. The
2310<tt class="literal">%u</tt> variable is typically used as the requesting
2311user when the command is executed. The actual handling of input and
2312output to this program during execution is handled through the
2313<tt class="literal">passwd</tt> <tt class="literal">chat</tt> option. <a href="ch09.html#samba2-CHP-9-SECT-4.3">Section 9.4.3</a> earlier in this
2314chapter covers this option in detail.</p>
2315
2316
2317</div>
2318
2319
2320
2321<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.6"/>
2322
2323<a name="INDEX-88"/><h3 class="head3">password level</h3>
2324
<p>With SMB, nonencrypted (or plain-text) passwords are sent with
capital letters, just like the usernames mentioned previously. Many
Unix users, however, choose passwords with both upper- and lowercase
letters. Samba, by default, tries to match only the password converted
entirely to lowercase, without capitalizing its first letter.</p>
2330
2331<p>Like <tt class="literal">username</tt> <tt class="literal">level</tt>, a
2332<tt class="literal">password</tt> <tt class="literal">level</tt> option can be
2333used to attempt various permutations of the password with capital
2334letters. This option takes an integer value that specifies how many
2335letters in the password should be capitalized when attempting to
2336connect to a share. You can specify this option as follows:</p>
2337
2338<blockquote><pre class="code">[global]
2339    password level = 3</pre></blockquote>
2340
2341<p>In this case, Samba then attempts all permutations of the password it
2342can compute having three capital letters. The larger the number, the
2343more computations Samba has to perform to match the password, and the
2344longer a connection to a specific share might take.</p>
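<p>How the work grows with <tt class="literal">password</tt> <tt class="literal">level</tt>, as an added Python illustration (not from the book or from Samba). It assumes Samba tries the all-lowercase form and then every spelling with up to <tt class="literal">level</tt> capitalized letters, and it uses a SHA-256 digest as a stand-in for the system's own password check; both are assumptions, marked in the code.</p>

```python
import hashlib
from itertools import combinations


def case_variants(password: str, level: int):
    """Spellings tried for a given password level: the all-lowercase form first,
    then every way of capitalizing 1..level of its letters (assumed semantics)."""
    base = password.lower()
    letters = [i for i, ch in enumerate(base) if ch.isalpha()]
    for k in range(0, min(level, len(letters)) + 1):
        for upper in combinations(letters, k):
            yield "".join(ch.upper() if i in upper else ch for i, ch in enumerate(base))


def attempts_needed(password: str, level: int) -> int:
    """Worst-case number of system password checks for one connection attempt."""
    return sum(1 for _ in case_variants(password, level))


def store(password: str) -> str:
    """Stand-in for the Unix password database: a SHA-256 digest, not crypt(3)."""
    return hashlib.sha256(password.encode()).hexdigest()


def match_with_level(stored: str, supplied: str, level: int):
    """Emulate the check for a password the client sent in capitals.
    Returns (matched, number_of_checks_performed)."""
    checks = 0
    for variant in case_variants(supplied, level):
        checks += 1
        if store(variant) == stored:
            return True, checks
    return False, checks


if __name__ == "__main__":
    for level in (0, 1, 3, 6):
        print("password level = %d: up to %d checks for a 6-letter password"
              % (level, attempts_needed("SECRET", level)))
    print(match_with_level(store("SeCret"), "SECRET", 3))
```

<p>For a six-letter password, level 3 means up to 42 checks per connection and level 6 means 64, each one a full system password check; that is the cost the paragraph above refers to, and it is paid on every connection whose password does not match early in the sequence.</p>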
2345
2346
2347</div>
2348
2349
2350
2351<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.7"/>
2352
2353<a name="INDEX-89"/><h3 class="head3">update encrypted</h3>
2354
2355<p>For sites switching over to the encrypted password format, Samba
2356provides an option that should help with the transition. The
2357<tt class="literal">update</tt> <tt class="literal">encrypted</tt> option allows
2358a site to ease into using encrypted passwords from plain-text
2359passwords. You can activate this option as follows:</p>
2360
2361<blockquote><pre class="code">[global]
2362    update encrypted = yes</pre></blockquote>
2363
2364<p>This instructs Samba to create an encrypted version of each
2365user's Unix password in the
2366<em class="filename">smbpasswd</em> file each time she connects to a
2367share. When this option is enabled, you must have the
2368<tt class="literal">encrypt</tt> <tt class="literal">passwords</tt> option set to
2369<tt class="literal">no</tt> so that the client passes plain-text passwords
2370to Samba to update the files. Once each user has connected at least
once, you can set <tt class="literal">encrypt</tt>
<tt class="literal">passwords</tt> <tt class="literal">=</tt>
<tt class="literal">yes</tt>, allowing you to use only the encrypted
2374passwords. The user must already have a valid entry in the
2375<em class="filename">smbpasswd</em> file for this option to work.</p>
2376
2377
2378</div>
2379
2380
2381
2382<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.8"/>
2383
2384<a name="INDEX-90"/><h3 class="head3">null passwords</h3>
2385
2386<p>This global option tells Samba whether to allow access from users
2387that have null passwords (encrypted or nonencrypted) set in their
2388accounts. The default value is <tt class="literal">no</tt>. You can
2389override it as follows:</p>
2390
2391<blockquote><pre class="code">null passwords = yes</pre></blockquote>
2392
2393<p>We highly recommend against doing so because of the security risks
2394this option can present to your system, including inadvertent access
2395to system users (such as <tt class="literal">bin</tt>) in the system
2396password file who have null passwords set.</p>
2397
2398
2399</div>
2400
2401
2402
2403<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.9"/>
2404
2405<a name="INDEX-91"/><h3 class="head3">smb passwd file</h3>
2406
2407<p>This global option identifies the location of the encrypted password
2408database. By default, it is set to
2409<em class="filename">/usr/local/samba/private/smbpasswd</em>. You can
2410override it as follows:</p>
2411
2412<blockquote><pre class="code">[global]
2413    smb passwd file = /etc/samba/smbpasswd</pre></blockquote>
2414
2415<p>This location, for example, is common on many Red Hat distributions
2416on which Samba has been installed using an RPM package.</p>
2417
2418
2419</div>
2420
2421
2422
2423<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.10"/>
2424
2425<a name="INDEX-92"/><h3 class="head3">hosts equiv</h3>
2426
2427<p>This global option specifies the name of a standard Unix
2428<em class="filename">hosts.equiv</em> file that allows hosts or users to
2429access shares without specifying a password. You can specify the
2430location of such a file as follows:</p>
2431
2432<blockquote><pre class="code">[global]
2433    hosts equiv = /etc/hosts.equiv</pre></blockquote>
2434
2435<p>The default value for this option does not specify any
2436<em class="filename">hosts.equiv</em> file. Because using a
2437<em class="filename">hosts.equiv</em> file is a huge security risk, we
2438strongly recommend against using this option.</p>
2439
2440
2441</div>
2442
2443
2444
2445<div class="sect3"><a name="samba2-CHP-9-SECT-4.4.11"/>
2446
2447<a name="INDEX-93"/><h3 class="head3">use rhosts</h3>
2448
2449<p>This global option specifies the name of a standard Unix
2450user's <em class="filename">.rhosts</em> file that allows
2451foreign hosts to access shares without specifying a password. You can
2452specify the location of such a file as follows:</p>
2453
2454<blockquote><pre class="code">[global]
2455    use rhosts = /home/dave/.rhosts</pre></blockquote>
2456
2457<p>The default value for this option does not specify any
2458<em class="filename">.rhosts</em> file. Like the <tt class="literal">hosts</tt>
2459<tt class="literal">equiv</tt> option discussed earlier, using such a file
2460is a security risk. We highly recommend that you do not use this
2461option unless you are confident in the security of your network.
2462<a name="INDEX-94"/>
2463<a name="INDEX-95"/><a name="INDEX-96"/></p>
2464
2465
2466</div>
2467
2468
2469</div>
2470
2471
2472</div>
2473
2474
2475
2476<div class="sect1"><a name="samba2-CHP-9-SECT-5"/>
2477
2478<h2 class="head1">Authentication with winbind</h2>
2479
2480<p><a name="INDEX-97"/><a name="INDEX-98"/>In <a href="ch03.html">Chapter 3</a>, we
2481showed you how to add Windows clients to a network in which user
2482accounts were maintained on the Samba server. We added a user account
2483to the Windows client using the same username and password as an
2484account on the Unix system. This method works well in many computing
2485environments. However, if a Samba server is added to a Windows
2486network that already has a Windows NT/2000 primary domain controller,
2487the PDC has a preexisting database of user accounts and group
2488information that is used for authentication. It can be a big chore to
2489transfer that database manually to the Unix server, and later
2490maintain and synchronize the Unix and Windows databases.</p>
2491
2492<p>In <a href="ch04.html">Chapter 4</a>, we showed you how to add a Samba
2493server as a domain member server to a network having a Windows
2494NT/2000 primary domain controller. We set <tt class="literal">security</tt>
2495<tt class="literal">=</tt> <tt class="literal">domain</tt> in the Samba
2496configuration file to have the Samba server hand off authentication
2497to the Windows PDC. Using that method, passwords are kept only on the
2498PDC, but it is still necessary to set up user accounts on the Unix
2499side to make sure each client has a valid Unix UID and group ID
2500(GID). This is necessary for maintaining the file ownerships and
2501permissions of the Unix security model. Whenever Samba performs an
2502operation on the Unix filesystem on behalf of the Windows client, the
2503user must have a valid UID and GID on the local Unix system.</p>
2504
2505<p>A facility that has recently been added to Samba, winbind, allows the
2506Windows <a name="INDEX-99"/>PDC to handle
2507not only authentication, but the user and group information as well.
2508Winbind works by extending the Unix user and group databases beyond
2509the standard <em class="filename">/etc/passwd</em> and
2510<em class="filename">/etc/group</em> files such that users and groups on
2511the Windows PDC also exist as valid users and groups on the Unix
2512system. The extension applies to the entire Unix system and allows
2513users who are members of a Windows domain to perform any action on
2514the Unix system that a local user would, including logging in to the
2515Unix system by <em class="emphasis">telnet</em> or even on the local
2516system, using their domain usernames and passwords.</p>
2517
2518<p>When winbind is in use, administration of user accounts can be done
2519on the Windows PDC, without having to repeat the tasks on the Unix
2520side. This includes password expiration and allowing users to change
2521their passwords, which would otherwise not be practical. Aside from
2522simplifying domain administration and being a great time saver,
2523winbind lets Samba be used in computing environments where it
2524otherwise might not be allowed.</p>
2525<a name="samba2-CHP-9-NOTE-143"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
2526<p>Because this is a chapter on security, we want to point out that some
2527issues might relate to allowing a Windows system to authenticate
2528users accessing a Unix system! Whatever you might think of the
2529relative merits of Unix and Windows security models (and even more
2530importantly, their <em class="emphasis">implementations</em>), one thing
2531is certain: adding winbind support to your Samba server greatly
2532complicates the authentication system overall&mdash;and quite
2533possibly allows more opportunities for crackers.</p>
2534
2535<p>We present winbind in this chapter not as a means of improving
2536security, but rather as a further example of Samba's
2537ability to integrate itself into a modern Windows environment.</p>
2538</blockquote>
2539
2540
2541<div class="sect2"><a name="samba2-CHP-9-SECT-5.1"/>
2542
2543<h3 class="head2">Installing winbind</h3>
2544
2545<p><a name="INDEX-100"/>Installing
2546and configuring winbind is fairly complicated and involves the
2547following steps:</p>
2548
2549<ol><li>
2550<p>Reconfigure, recompile, and reinstall Samba&mdash;to add support for
2551winbind.</p>
2552</li><li>
2553<p>Configure the Unix name server switch.</p>
2554</li><li>
2555<p>Modify the Samba configuration file.</p>
2556</li><li>
2557<p>Start and test the <em class="emphasis">winbindd</em> daemon.</p>
2558</li><li>
2559<p>Configure the system to start and stop the
2560<em class="emphasis">winbindd</em> daemon automatically.</p>
2561</li><li>
2562<p>Optionally, configure PAM for use with winbind.</p>
2563</li></ol>
2564<p>At the time this book was written, winbind was supported only on
2565Linux, so all of the following directions are specific to it. Other
2566Unix flavors might be supported at a later time. In addition, we
2567assume you have a Windows NT/2000 primary domain controller running
2568on your network.</p>
2569
2570<p>First, you will need to configure and compile Samba using the
2571<tt class="literal">--with-winbind</tt> configure option. Directions for
2572doing this are included in <a href="ch02.html">Chapter 2</a> in <a href="ch02.html#samba2-CHP-2-SECT-3">Section 2.3</a>. As usual, run
2573<em class="emphasis">make install</em> to reinstall the Samba binaries.</p>
2574
2575
2576</div>
2577
2578
2579<div class="sect2"><a name="samba2-CHP-9-SECT-5.2"/>
2580
2581<h3 class="head2">Configuring nsswitch</h3>
2582
2583<p><a name="INDEX-101"/>When
2584Samba is compiled after being configured with the
2585<tt class="literal">--with-winbind</tt> option, the compilation process
2586produces a library called
2587<em class="filename">libnss_winbind.so</em><a name="INDEX-102"/> in the
2588<em class="filename">source/nsswitch</em> directory. This library needs to
2589be copied to the <em class="filename">/lib</em> directory:</p>
2590
<blockquote><pre class="code"># <tt class="userinput"><b>cp nsswitch/libnss_winbind.so /lib</b></tt></pre></blockquote>

<p>Also, a symbolic link must be created for winbind to be fully
functional:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>ln -s /lib/libnss_winbind.so /lib/libnss_winbind.so.2</b></tt></pre></blockquote>
2597
2598<a name="samba2-CHP-9-NOTE-144"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
2599<p>The name of this symbolic link is correct for Samba 2.2.3 and Red Hat
26007.1. The name might change&mdash;with a higher version number in the
2601extension&mdash;in future releases. See the
2602<em class="emphasis">winbindd</em> manual page for details.</p>
2603</blockquote>
2604
2605<p>Next, we need to modify <em class="filename">/etc/nsswitch.conf</em> to
2606make the lines for <tt class="literal">passwd</tt> and
2607<tt class="literal">group</tt> look like this:</p>
2608
<blockquote><pre class="code">passwd:     files winbind
group:      files winbind</pre></blockquote>
2611
2612<p>Then activate these changes by issuing the following command:</p>
2613
<blockquote><pre class="code"># <tt class="userinput"><b>/sbin/ldconfig</b></tt></pre></blockquote>
2615
<p>What we've just done is reconfigure the Linux name
service switch, which allows name service and other tasks to be
configured to use the traditional method (files in the
<em class="filename">/etc</em> directory) or an extension coded in a
library, such as the <em class="filename">libnss_winbind.so</em> library
we've just installed. We've
specified in our configuration that user and group lookups on the
system (Samba's included) will search first in the
<em class="filename">/etc/passwd</em> and
<em class="filename">/etc/group</em> files, and if the name is not found
there, in the winbind service.</p>
2626
2627
2628</div>
2629
2630
2631<div class="sect2"><a name="samba2-CHP-9-SECT-5.3"/>
2632
2633<h3 class="head2">Modifying smb.conf</h3>
2634
2635<p><a name="INDEX-103"/><a name="INDEX-104"/>To use winbind, we must have our Samba
2636server added to the Windows NT domain as a domain member server (as
2637we described in <a href="ch04.html">Chapter 4</a>) and also add some
2638parameters to the Samba configuration file to configure winbind. In
2639addition to the options required to configure Samba as a domain
2640member server, we need:</p>
2641
<blockquote><pre class="code">[global]
    winbind uid = 10000-20000
    winbind gid = 10000-20000</pre></blockquote>
2645
<p>The <tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
<tt class="literal">winbind</tt> <tt class="literal">gid</tt> options tell
winbind how to map between Windows relative identifiers (RIDs) and
Unix UIDs and GIDs. Windows uses RIDs to identify users and groups
within the domain, and to function, the Unix system must have a UID
and GID associated with every user and group RID that is received
from the Windows primary domain controller. The
<tt class="literal">winbind</tt> <tt class="literal">uid</tt> and
<tt class="literal">winbind</tt> <tt class="literal">gid</tt> parameters simply
provide winbind with a range of UIDs and GIDs, respectively, that the
system administrator has set aside for Windows NT domain users and
groups. You can use whatever range you want for each; just make sure
the range does not overlap any entries in
your <em class="filename">/etc/passwd</em> or
<em class="filename">/etc/group</em> files at any time, either now or in
the future. It is important to be conservative about this. Once
winbind adds an RID-to-UID/GID mapping to its database, it is very
difficult to modify the mapping.</p>
2664<a name="samba2-CHP-9-NOTE-145"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
2665<p><a name="INDEX-105"/>The file
2666<em class="filename">/usr/local/samba/locks/winbindd_idmap.tdb</em>
2667contains winbind's RID mapping file by default. We
2668suggest you regard this file as extremely sensitive and make sure to
2669guard it carefully against any kind of harm or loss. If you lose it,
2670you will have to re-create it manually, which can be a very
2671labor-intensive task.</p>
2672</blockquote>
2673
<a name="samba2-CHP-9-NOTE-145a"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
<p>Be careful when adding local users after domain users have started
accessing the Samba server. The domain users will have entries
created for them by winbind in <em class="filename">/etc/passwd</em>, with
UIDs in the range you specify. If you are using a method of creating
new accounts that automatically assigns UIDs, it might choose UIDs by
adding 1 to the highest UID assigned thus far, which will be the most
recent UID added by winbind. (This is the case on Red Hat Linux, with
the <em class="emphasis">useradd</em> script, for example.) The UID for
the new local user will be within the range allocated for winbind,
which will have undesired effects. Make sure to add new local users
using a method that assigns them UIDs in the proper range. For
example, you can use the <em class="emphasis">-u</em> option of
<em class="emphasis">useradd</em> to specify the UID to assign to the new
user.</p>
</blockquote>
2690
2691<p>Restart the Samba daemons to put your changes to the configuration
2692file into effect. If you have not already done so while adding your
2693Samba server as a domain member server, you must issue the command:</p>
2694
<blockquote><pre class="code"># <tt class="userinput"><b>smbpasswd -j </b></tt><em class="replaceable">domain</em><tt class="userinput"><b> -r </b></tt><em class="replaceable">pdc</em><tt class="userinput"><b> -U Administrator</b></tt></pre></blockquote>

<p>as we described in <a href="ch04.html">Chapter 4</a>. At this point, you
can start the <em class="emphasis">winbindd</em> daemon:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>winbindd</b></tt></pre></blockquote>
2701
2702<p><a name="INDEX-106"/>You might want to
2703run a <em class="emphasis">ps ax</em> command to see that the
2704<em class="emphasis">winbindd</em> daemon is running. Now, to make sure
2705everything we've done up to this point works, we can
2706use Samba's <em class="emphasis">wbinfo</em> command:</p>
2707
<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -u</b></tt>
METRAN\Administrator
METRAN\bebe
METRAN\Guest
METRAN\jay
METRAN\linda
$ <tt class="userinput"><b>wbinfo -g</b></tt>
METRAN\Domain Admins
METRAN\Domain Guests
METRAN\Domain Users</pre></blockquote>
2718
2719<p>The <em class="emphasis">-u</em> option queries the domain controller for
2720a list of domain users, and the <em class="emphasis">-g</em> option asks
2721for the list of groups. The output shows that the Samba host system
2722can query the Windows PDC through winbind.</p>
2723
2724<p>Another thing to check is the list of users and groups, using the
2725<em class="emphasis">getent</em> command:</p>
2726
<blockquote><pre class="code"># <tt class="userinput"><b>getent passwd</b></tt>
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
    <i class="lineannotation">... deleted ...</i>
jay:x:500:500:Jay Ts:/home/jay:/bin/bash
rik:x:501:501::/home/rik:/bin/bash
METRAN\Administrator:x:10000:10000::/home/METRAN/administrator:/bin/bash
METRAN\bebe:x:10001:10000:Bebe Larta:/home/METRAN/bebe:/bin/bash
METRAN\Guest:x:10002:10000::/home/METRAN/guest:/bin/bash
METRAN\jay:x:10003:10000:Jay Ts:/home/METRAN/jay:/bin/bash
METRAN\linda:x:10004:10000:Linda Lewis:/home/METRAN/linda:/bin/bash

# <tt class="userinput"><b>getent group</b></tt>
root:x:0:root
bin:x:1:root,bin,daemon
daemon:x:2:root,bin,daemon
    <i class="lineannotation">... deleted ...</i>
jay:x:500:
rik:x:501:
METRAN\Domain Admins:x:10001:METRAN\Administrator
METRAN\Domain Guests:x:10002:METRAN\Guest
METRAN\Domain Users:x:10000:METRAN\Administrator,METRAN\jay,METRAN\linda,METRAN\bebe</pre></blockquote>
2750
2751<p>This shows that the Linux system is finding the domain users and
2752groups through winbind, in addition to those in the
2753<em class="filename">/etc/passwd</em> and <em class="filename">/etc/group</em>
2754files. If this part doesn't work as shown earlier,
2755with the domain users and groups listed after the local ones, check
2756to make sure you made the symbolic link to
2757<em class="filename">libnss_winbind.so</em> in <em class="filename">/lib</em>
2758correctly.</p>
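<p>A listing like the one above can be checked against the configuration mechanically. The following script is an added example, not code from the book or the Samba project: it parses <em class="emphasis">getent passwd</em> and <em class="emphasis">getent group</em> output, flags local accounts whose IDs have landed inside the <tt class="literal">winbind uid</tt>/<tt class="literal">winbind gid</tt> range (the <em class="emphasis">useradd</em> hazard from the warning above), verifies that winbind-supplied entries sit inside that range and follow <tt class="literal">template homedir</tt>, and proposes a UID for <em class="emphasis">useradd -u</em>. The sample listing is constructed, modelled on the METRAN output, and the <tt class="literal">winbind separator</tt> is assumed to be the default backslash.</p>

```python
"""Audit getent passwd / getent group output on a winbind-enabled host.

Added example, not from the book: checks the NSS listing against the
winbind uid / winbind gid range and template homedir, and picks a UID
for useradd -u that stays clear of the winbind range. The sample
listing is constructed, with one deliberately misplaced local user.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

SEPARATOR = "\\"  # winbind separator default: a single backslash


@dataclass
class Account:
    name: str
    ident: int      # UID for passwd entries, GID for group entries
    home: str = ""  # passwd entries only


def parse_range(spec: str) -> Tuple[int, int]:
    """Parse a 'low-high' value as given to winbind uid / winbind gid."""
    low, high = (int(part) for part in spec.split("-", 1))
    if low > high:
        raise ValueError(f"bad range {spec!r}: low exceeds high")
    return low, high


def parse_nss(text: str, nfields: int) -> List[Account]:
    """Parse getent output: passwd lines have 7 colon-separated fields, group lines 4."""
    accounts = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != nfields:
            raise ValueError(f"malformed NSS line: {line!r}")
        home = fields[5] if nfields == 7 else ""
        accounts.append(Account(fields[0], int(fields[2]), home))
    return accounts


def expected_home(template: str, name: str, sep: str = SEPARATOR) -> str:
    """Expand %D and %U of template homedir for a DOMAIN<sep>user name."""
    domain, user = name.split(sep, 1)
    return template.replace("%D", domain).replace("%U", user)


def audit(entries: List[Account], id_range: Tuple[int, int], kind: str,
          template: Optional[str] = None, sep: str = SEPARATOR) -> List[str]:
    """Return problem descriptions; an empty list means the listing is consistent."""
    low, high = id_range
    problems = []
    for acct in entries:
        inside = low <= acct.ident <= high
        if sep in acct.name:  # supplied by winbind, so it must sit inside the range
            if not inside:
                problems.append(f"domain {kind} {acct.name}: id {acct.ident} outside {low}-{high}")
            # The book's listing shows winbind lowercasing %U in the home path,
            # so the comparison is case-insensitive (assumption).
            if template and acct.home.lower() != expected_home(template, acct.name, sep).lower():
                problems.append(f"domain user {acct.name}: home {acct.home} does not match template")
        elif inside:  # a local account inside the range: the useradd hazard
            problems.append(f"local {kind} {acct.name}: id {acct.ident} inside winbind range {low}-{high}")
    return problems


def next_local_uid(entries: List[Account], id_range: Tuple[int, int], start: int = 500) -> int:
    """Lowest unused UID >= start that avoids the winbind range (for useradd -u)."""
    low, high = id_range
    used = {acct.ident for acct in entries}
    uid = start
    while uid in used or low <= uid <= high:
        uid += 1
    return uid


# Constructed sample: local accounts, one local account created with an
# auto-assigned UID after winbind had already handed out 10000-10004, and
# the domain accounts winbind reports.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
jay:x:500:500:Jay Ts:/home/jay:/bin/bash
rik:x:501:501::/home/rik:/bin/bash
newuser:x:10005:10005::/home/newuser:/bin/bash
METRAN\\Administrator:x:10000:10000::/home/METRAN/administrator:/bin/bash
METRAN\\bebe:x:10001:10000:Bebe Larta:/home/METRAN/bebe:/bin/bash
METRAN\\linda:x:10004:10000:Linda Lewis:/home/METRAN/linda:/bin/bash
"""
SAMPLE_GROUP = """\
root:x:0:root
jay:x:500:
newuser:x:10005:
METRAN\\Domain Admins:x:10001:METRAN\\Administrator
METRAN\\Domain Users:x:10000:METRAN\\Administrator,METRAN\\linda,METRAN\\bebe
"""

if __name__ == "__main__":
    uid_range, gid_range = parse_range("10000-20000"), parse_range("10000-20000")
    users, groups = parse_nss(SAMPLE_PASSWD, 7), parse_nss(SAMPLE_GROUP, 4)
    for problem in audit(users, uid_range, "user", "/home/%D/%U") + audit(groups, gid_range, "group"):
        print(problem)
    print("next safe UID for useradd -u:", next_local_uid(users, uid_range))
```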
2759
2760<p>Now you can try connecting to a Samba share from a Windows system
2761using a domain account. You can either log on to the domain from a
2762Windows NT/2000/XP workstation or use <em class="emphasis">smbclient</em>
2763with the <em class="emphasis">-U</em> option to specify a username.</p>
2764
2765<a name="samba2-CHP-9-NOTE-147"/><blockquote class="note"><h4 class="objtitle">NOTE</h4>
2766<p>If you get errors while attempting to log on to the domain, it is
2767probably because you had previously configured the client system with
2768a computer account on another domain controller. Commonly, you get a
2769dialog box that says, &quot;The domain
2770<em class="replaceable">NAME</em> is not available.&quot;
2771On a Windows 2000 system, the fix is to log in to the system as an
2772administrative user and open the Control Panel, double-click the
2773System icon, click the Network Identification tab, then click the
2774Properties button. In the dialog that comes up, click the
2775&quot;Workgroup:&quot; radio button and fill
2776in the name of the workgroup (you can use the same name as the
2777domain). Click the OK buttons in the dialogs, and reboot if
2778requested.</p>
2779
2780<p>This removes the computer account from the primary domain controller.
2781Now log in again as the administrative user and repeat the previous
2782directions, but change from the workgroup back to the domain. This
2783creates a new computer account that
2784&quot;fits&quot; the workstation to the new
2785primary domain controller. If your network has backup domain
2786controllers, it will take up to 15 minutes for the new computer
2787account to propagate to the BDCs.</p>
2788
2789<p>If you are using Windows NT/XP, the method is slightly different. For
2790the exact procedure, see the section in <a href="ch04.html">Chapter 4</a>
2791that is specific to your Windows version.</p>
2792</blockquote>
2793
2794<p>After logging in as a domain user, try creating a file or two in a
2795Samba share. (You might need to change the permissions on the shared
2796directory&mdash;say, to 777&mdash;to allow this access. This is very
2797permissive, but after you finish reading this section, you will
2798understand how to change ownership and permissions on the directory
2799to restrict access to selected domain users.) After
2800you've created files by one or more domain users,
2801take a look at the directory's contents from a Linux
2802shell. You will see something like this:</p>
2803
<blockquote><pre class="code">$ <tt class="userinput"><b>ls -l /u</b></tt>
-rwxrw-rw-    1 METRAN\b METRAN\D        0 Apr 13 00:00 bebes-file.doc
-rwxrw-rw-    1 METRAN\l METRAN\D        0 Apr 12 23:58 lindas-file.doc
drwxrwxr-x    6 jay      jay          4096 Jan 15 05:12 snd
$ <tt class="userinput"><b>ls -ln /u</b></tt>
total 4
-rwxrw-rw-    1 10001    10000           0 Apr 13 00:00 bebes-file.doc
-rwxrw-rw-    1 10004    10000           0 Apr 12 23:58 lindas-file.doc
drwxrwxr-x    6 500      500          4096 Jan 15 05:12 snd</pre></blockquote>
2813
2814<p>We can even use the domain usernames and groups from the Linux shell:</p>
2815
<blockquote><pre class="code"># <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /u</b></tt>
# <tt class="userinput"><b>ls -ldu /u</b></tt>
drwxrwxrwx    3 METRAN\l METRAN\D     4096 Apr 13 00:44 /u
# <tt class="userinput"><b>ls -ldn /u</b></tt>
drwxrwxrwx    3 10004    10000        4096 Apr 13 00:00 /u</pre></blockquote>
2821
2822<p>Notice how the owner and group are listed as being those of the
2823domain user and group. Unfortunately, the GNU <em class="emphasis">ls</em>
2824command won't show the full names of the domain
2825users and groups, but we can use the <em class="emphasis">-ln</em> listing
2826to show the UIDs and GIDs and then translate with the
2827<em class="emphasis">wbinfo</em> command:</p>
2828
<blockquote><pre class="code">$ <tt class="userinput"><b>wbinfo -s `wbinfo -U 10004`</b></tt>
METRAN\LINDA 1
$ <tt class="userinput"><b>wbinfo -s `wbinfo -G 10000`</b></tt>
METRAN\Domain Users 2</pre></blockquote>
2833
2834<p>(It's a bit messy, but it works, and it shows that
2835the winbind system is working!) At this point, you might want to
2836modify your <em class="filename">/etc/rc.d/init.d/smb</em> script to start
2837and stop the <em class="emphasis">winbindd</em> daemon automatically along
2838with the <em class="emphasis">smbd</em> and <em class="emphasis">nmbd</em>
2839daemons. Starting with the script we presented in <a href="ch02.html">Chapter 2</a>, we first add this code to the
2840<em class="emphasis">start( )</em> function:</p>
2841
<blockquote><pre class="code">echo -n $&quot;Starting WINBIND services: &quot;
/usr/local/samba/bin/winbindd
ERROR2=$?
if [ $ERROR2 -ne 0 ]
then
    ERROR=1
fi
echo</pre></blockquote>
2850
2851<p>The previous code should be located after the code that starts
2852<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
2853statement.</p>
2854
2855<a name="samba2-CHP-9-NOTE-148"/><blockquote class="note"><h4 class="objtitle">TIP</h4>
2856<p>We start <em class="emphasis">winbindd</em> after
2857<em class="emphasis">nmbd</em> because <em class="emphasis">winbindd</em> needs
2858<em class="emphasis">nmbd</em> to be running to work properly.</p>
2859</blockquote>
2860
2861<p>In the <tt class="function">stop( )</tt> function, we add the following:</p>
2862
<blockquote><pre class="code">echo -n $&quot;Shutting down WINBIND services: &quot;
/bin/kill -TERM -a winbindd
ERROR2=$?
if [ $ERROR2 -ne 0 ]
then
    ERROR=1
fi
echo</pre></blockquote>
2871
2872<p>Again, this code should be located after the code that stops
2873<em class="emphasis">nmbd</em> and before the <em class="emphasis">return</em>
2874statement. <a name="INDEX-107"/></p>
2875
2876
2877</div>
2878
2879
2880<div class="sect2"><a name="samba2-CHP-9-SECT-5.4"/>
2881
2882<h3 class="head2">Configuring PAM</h3>
2883
2884<p><a name="INDEX-108"/>Most
2885popular Linux distributions use <a name="INDEX-109"/>Pluggable
2886Authentication Modules (PAM), a suite of shared libraries that
2887provide a centralized source of authentication for applications
2888running on the Unix system. PAM can be configured differently for
2889each application (or service) that uses it, without needing to
2890recompile the application. As a hypothetical example, if an
2891organization's security policy mandated the use of
2892passwords exactly 10 characters in length, a PAM module could be
2893written to check the length of passwords submitted by users and
2894reject any attempts to use a longer or shorter password. PAM would
2895then be reconfigured to include the new module for services such as
2896<em class="emphasis">ftp</em>, console login, and GUI login that call upon
2897PAM to authenticate users.</p>
2898
2899<p>If you are not already familiar with PAM, we suggest you read the
2900documentation provided with the Linux PAM package before continuing.
2901On most Linux systems, it is located in the
2902<em class="filename">/usr/share/doc</em> directory hierarchy. Another
2903resource is the <em class="citetitle">Linux-PAM System
2904Administrator's
2905Guide</em><a name="INDEX-110"/>, which you can find
2906on the Internet at <a href="http://www.kernel.org/pub/linux/libs/pam">http://www.kernel.org/pub/linux/libs/pam</a>.</p>
2907
2908<p>The rest of this section is about using the PAM module provided in
2909the Samba distribution to enable Windows domain users to authenticate
2910on the Linux system hosting Samba. Depending on which services you
2911choose to configure, this allows Windows domain users to log in on a
2912local console (or through <em class="emphasis">telnet</em>), log in to a
2913GUI desktop on the Linux system, authenticate with an FTP server
2914running on the Linux system, or use other services normally limited
2915to users who have an account on the Linux system. The PAM module
2916authenticates Windows domain users by querying winbind, which passes
2917the authentication off to a Windows NT domain controller.</p>
2918
2919<p>As an example, we will show how to allow Windows domain users to log
2920in to a text console on the Linux system and get a command shell and
2921home directory. The method used in our example can be applied (with
2922variations) to other services.</p>
2923
<p>All users who can log in to the Linux system need a shell and a home
directory. Unix and Linux keep this user information in the password
file (<em class="filename">/etc/passwd</em>), but information about
Windows users isn't located there. Instead, in the
Samba configuration file, we add the following to notify winbind what
the shell and home directory for Windows domain users will be:</p>

<blockquote><pre class="code">[global]
    template shell = /bin/bash
    template homedir = /home/%D/%U</pre></blockquote>
2934
2935<p>The first line sets the
2936<tt class="literal">template</tt><a name="INDEX-111"/> <tt class="literal">shell</tt>
2937parameter, which tells winbind what shell to use for domain users
2938that are logging in to the Unix host. The
2939<tt class="literal">template</tt><a name="INDEX-112"/>
2940<tt class="literal">homedir</tt> parameter specifies the location of
2941users' home directories. The <tt class="literal">%D</tt>
2942variable is replaced by the name of the domain in which the
2943user's account resides, and <tt class="literal">%U</tt> is
2944replaced by the user's username in that domain.</p>
2945
2946<p>Before the domain users can successfully log in, their home
2947directories must be created manually. To add a single account for
2948<tt class="literal">linda</tt> in the METRAN domain, we would use these
2949commands:</p>
2950
<blockquote><pre class="code"># <tt class="userinput"><b>mkdir /home/METRAN</b></tt>
# <tt class="userinput"><b>chmod 755 /home/METRAN</b></tt>

# <tt class="userinput"><b>mkdir /home/METRAN/linda</b></tt>
# <tt class="userinput"><b>chown 'METRAN\linda:METRAN\Domain Users' /home/METRAN/linda</b></tt>
# <tt class="userinput"><b>chmod 700 /home/METRAN/linda</b></tt></pre></blockquote>
2957<a name="samba2-CHP-9-NOTE-149"/><blockquote class="note"><h4 class="objtitle">WARNING</h4>
2958<p>One side effect of creating the home directories is that if the Samba
2959server is configured with a <tt class="literal">[homes]</tt> share, the
2960domain users can see and access their home directories through
2961Samba's file sharing.</p>
2962</blockquote>
2963
2964<p>Next, we need to compile and install the PAM module in the Samba
2965distribution. From the source directory in the Samba distribution,
2966issue the following commands:</p>
2967
<blockquote><pre class="code"># <tt class="userinput"><b>make nsswitch/pam_winbind.so</b></tt>
# <tt class="userinput"><b>cp nsswitch/pam_winbind.so /lib/security</b></tt></pre></blockquote>

<p>and check that it was copied over correctly:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>ls /lib/security/pam_winbind.so</b></tt>
/lib/security/pam_winbind.so</pre></blockquote>

<p>On Red Hat Linux, the PAM configuration files reside in
<em class="filename">/etc/pam.d</em>. Before making any modifications, we
strongly advise making a backup of this directory:</p>

<blockquote><pre class="code"># <tt class="userinput"><b>cp -pR /etc/pam.d /etc/pam.d.backup</b></tt></pre></blockquote>
2981
2982<p>The reason for this is that we will be modifying the Linux
2983system's means of authenticating logins, and if our
2984configuration goes awry, all users (including
2985<tt class="literal">root</tt>) will be locked out of the system. In case
2986the worst happens, we would reboot into single-user mode (by typing
2987<tt class="literal">linux</tt> <tt class="literal">single</tt> at the LILO:
2988prompt) or boot a rescue disk, and then we would issue these two
2989commands:</p>
2990
<blockquote><pre class="code"># <tt class="userinput"><b>mv /etc/pam.d /etc/pam.d.bad</b></tt>
# <tt class="userinput"><b>mv /etc/pam.d.backup /etc/pam.d</b></tt></pre></blockquote>
2993
2994<p>Be very careful to make sure you can recover from any errors you make
2995because when PAM encounters any configuration information it
2996doesn't understand, its action is not to allow
2997access. This means you must be sure to enter everything correctly!
2998You might want to leave yourself logged in as root on a spare virtual
2999terminal while you are modifying your PAM configuration to ensure
3000yourself a means of easy recovery.</p>
3001
3002<p>In the <em class="filename">/etc/pam.d</em> directory, you will encounter
3003a file for each service that uses PAM. We are interested only in the
3004file corresponding to the login service, which is called
3005<em class="filename">login</em>. It contains the following lines:</p>
3006
<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_stack.so service=system-auth
auth       required     /lib/security/pam_nologin.so
account    required     /lib/security/pam_stack.so service=system-auth
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so</pre></blockquote>
3014
3015<p>The lines starting with <tt class="literal">auth</tt> are related to the
3016function of authentication&mdash;that is, printing a password prompt,
3017accepting the password, verifying that it is correct, and matching
3018the user to a valid user and group ID. The line starting with
3019<tt class="literal">account</tt> is for account management, which allows
3020access to be controlled by other factors, such as what times during
3021the day a user is allowed access. We are not concerned with the lines
3022starting with <tt class="literal">password</tt> or
3023<tt class="literal">session</tt> because winbind does not add to either of
3024those functions.</p>
3025
3026<p>The third column lists the PAM module, possibly with arguments, that
3027is called in for the task. The
3028<em class="filename">pam_stack.so</em><a name="INDEX-113"/> module has been added by Red Hat to act
3029somewhat like a macro or a subroutine. It calls the file in the
3030<em class="filename">pam.d</em> directory named by the service argument.
3031In this case, the file <em class="filename">/etc/pam.d/system-auth</em>
3032contains a common set of lines that are used as a default for many
3033services. Because we want to customize the login service for winbind,
3034we first replace the <em class="filename">pam_stack.so</em> lines for
3035<tt class="literal">auth</tt> and <tt class="literal">account</tt> with the
3036<tt class="literal">auth</tt> and <tt class="literal">account</tt> lines from
3037<em class="filename">/etc/pam.d/system-auth</em>. This yields:</p>
3038
<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
<b class="emphasis-bold">auth       required     /lib/security/pam_env.so</b>
<b class="emphasis-bold">auth       sufficient   /lib/security/pam_unix.so likeauth nullok</b>
<b class="emphasis-bold">auth       required     /lib/security/pam_deny.so</b>
auth       required     /lib/security/pam_nologin.so
<b class="emphasis-bold">account    required     /lib/security/pam_unix.so</b>
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so</pre></blockquote>
3048
3049<p>To add winbind support, we need to add a line in both the
3050<tt class="literal">auth</tt> and <tt class="literal">account</tt> sections to
3051call the
3052<em class="filename">pam_winbind.so</em><a name="INDEX-114"/> module:</p>
3053
<blockquote><pre class="code">auth       required     /lib/security/pam_securetty.so
auth       required     /lib/security/pam_env.so
<b class="emphasis-bold">auth       sufficient   /lib/security/pam_winbind.so</b>
auth       sufficient   /lib/security/pam_unix.so <b class="emphasis-bold">use_first_pass</b> likeauth nullok
auth       required     /lib/security/pam_deny.so
auth       required     /lib/security/pam_nologin.so
<b class="emphasis-bold">account    sufficient   /lib/security/pam_winbind.so</b>
account    required     /lib/security/pam_unix.so
password   required     /lib/security/pam_stack.so service=system-auth
session    required     /lib/security/pam_stack.so service=system-auth
session    optional     /lib/security/pam_console.so</pre></blockquote>
3065
3066<p>The keywords <tt class="literal">required</tt> and
3067<tt class="literal">sufficient</tt> in the second column are significant.
3068The keyword <tt class="literal">required</tt> specifies that the result
3069returned by the module (either to pass or fail the authentication)
3070must be taken into account, whereas the keyword
3071<tt class="literal">sufficient</tt> specifies that if the module
3072successfully authenticates the user, no further lines need to be
3073processed. By specifying <tt class="literal">sufficient</tt> for the
3074<em class="filename">pam_winbind.so</em> module, we let winbind attempt to
3075authenticate users, and if it succeeds, the PAM system returns to the
3076application. If the <em class="filename">pam_winbind.so</em> module
3077doesn't find the user or the password does not
3078match, the PAM system continues with the next line, which performs
3079authentication according to the usual Linux user authentication. This
3080way, both domain users and local users can log in.</p>
3081
<p>Notice that we also added the <tt class="literal">use_first_pass</tt>
argument to the <em class="filename">pam_unix.so</em> module in the
<tt class="literal">auth</tt> section. By default, both the
<em class="filename">pam_winbind.so</em> and
<em class="filename">pam_unix.so</em> modules print a password prompt and
accept a password. In cases where users are logging in to the Linux
system using their local accounts, this would require them to enter
their password twice. The <tt class="literal">use_first_pass</tt> argument
tells the <em class="filename">pam_unix.so</em> module to reuse the
password that was given to the <em class="filename">pam_winbind.so</em>
module, which results in users having to enter the password only
once.</p>
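<p>The interplay of <tt class="literal">required</tt>, <tt class="literal">sufficient</tt>, and <tt class="literal">use_first_pass</tt> is easier to see when the stack is stepped through. The following simulator is an added example, not code from the book or from Linux-PAM: each module is reduced to the behaviour described in the text (<em class="filename">pam_securetty.so</em> restricts <tt class="literal">root</tt> to listed consoles, <em class="filename">pam_deny.so</em> always fails, <em class="filename">pam_nologin.so</em> fails for non-root users when <em class="filename">/etc/nologin</em> exists), and the domain and local account tables, the console names, and the passwords are constructed stand-ins.</p>

```python
"""Simulate the Linux-PAM control flags in the book's /etc/pam.d/login auth stack.

Added example, not from the book or from Linux-PAM itself: modules are
reduced to the behaviour the text describes, and the account tables are
constructed stand-ins for the PDC (as seen through winbind) and /etc/shadow.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

DOMAIN_ACCOUNTS = {"METRAN\\linda": "linda-pass"}          # constructed PDC accounts
LOCAL_ACCOUNTS = {"jay": "jay-pass", "root": "root-pass"}  # constructed local accounts
SECURETTY = {"tty1", "tty2"}  # stand-in for /etc/securetty: consoles root may use


@dataclass
class Entry:
    control: str                # "required" | "sufficient" | "optional"
    module: str                 # e.g. "pam_winbind.so"
    args: Tuple[str, ...] = ()


@dataclass
class Session:
    user: str
    typed_password: str             # what the person at the console types when prompted
    tty: str = "tty1"
    nologin_present: bool = False   # whether /etc/nologin exists
    prompts: int = 0                # password prompts shown so far
    password: Optional[str] = None  # password captured by the first prompting module


def prompt_if_needed(entry: Entry, s: Session) -> str:
    """Authenticating modules prompt unless use_first_pass lets them reuse the captured password."""
    if "use_first_pass" in entry.args and s.password is not None:
        return s.password
    s.prompts += 1
    s.password = s.typed_password
    return s.password


def run_module(entry: Entry, s: Session) -> bool:
    """True stands for PAM_SUCCESS, False for any failure code."""
    if entry.module == "pam_securetty.so":
        return s.user != "root" or s.tty in SECURETTY
    if entry.module == "pam_env.so":
        return True  # only sets environment variables
    if entry.module == "pam_winbind.so":
        return DOMAIN_ACCOUNTS.get(s.user) == prompt_if_needed(entry, s)
    if entry.module == "pam_unix.so":
        return LOCAL_ACCOUNTS.get(s.user) == prompt_if_needed(entry, s)
    if entry.module == "pam_deny.so":
        return False
    if entry.module == "pam_nologin.so":
        return s.user == "root" or not s.nologin_present
    raise ValueError(f"unknown module {entry.module}")


def authenticate(stack: List[Entry], s: Session) -> bool:
    """Walk an auth stack with Linux-PAM's documented control-flag semantics.

    required:   a failure makes the final result a failure, but the remaining
                modules still run, so a later sufficient success cannot rescue
                the login;
    sufficient: a success ends the stack with success unless a required module
                already failed; a failure is ignored.
    Simplification: the stacks below always contain a required pam_deny.so,
    so reaching the end without a sufficient success is decided by that line.
    """
    required_failed = False
    for entry in stack:
        ok = run_module(entry, s)
        if entry.control == "required" and not ok:
            required_failed = True
        elif entry.control == "sufficient" and ok and not required_failed:
            return True  # everything below this line, pam_nologin.so included, is skipped
    return not required_failed


# The auth section of /etc/pam.d/login as modified in the text.
LOGIN_AUTH = [
    Entry("required", "pam_securetty.so"),
    Entry("required", "pam_env.so"),
    Entry("sufficient", "pam_winbind.so"),
    Entry("sufficient", "pam_unix.so", ("use_first_pass", "likeauth", "nullok")),
    Entry("required", "pam_deny.so"),
    Entry("required", "pam_nologin.so"),
]


def without_use_first_pass(stack: List[Entry]) -> List[Entry]:
    """The same stack before use_first_pass was added, to show the double prompt."""
    return [Entry(e.control, e.module, tuple(a for a in e.args if a != "use_first_pass"))
            for e in stack]


def login(stack: List[Entry], user: str, typed_password: str,
          tty: str = "tty1", nologin_present: bool = False) -> Tuple[bool, int]:
    """One console login attempt: returns (authenticated, number of password prompts)."""
    s = Session(user, typed_password, tty, nologin_present)
    return authenticate(stack, s), s.prompts


if __name__ == "__main__":
    print("domain user:", login(LOGIN_AUTH, "METRAN\\linda", "linda-pass"))
    print("local user:", login(LOGIN_AUTH, "jay", "jay-pass"))
    print("local user, no use_first_pass:", login(without_use_first_pass(LOGIN_AUTH), "jay", "jay-pass"))
    print("root on a network pty:", login(LOGIN_AUTH, "root", "root-pass", tty="pts/0"))
    print("local user with /etc/nologin present:", login(LOGIN_AUTH, "jay", "jay-pass", nologin_present=True))
```

<p>One consequence worth noticing in the last scenario: because a <tt class="literal">sufficient</tt> success ends the stack, the <em class="filename">pam_nologin.so</em> line at the bottom of this stack is never consulted on a successful login, so if <em class="filename">/etc/nologin</em> is meant to hold off logins during maintenance, that line belongs above the <tt class="literal">sufficient</tt> lines.</p>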
3094
3095<p>After modifying the <em class="filename">login</em> configuration file,
3096switch to a spare virtual console and make sure you can still log in
3097using a regular Linux account. If not, check your modifications
3098carefully and try again until you get it right. Then log in using a
3099domain user account from the Windows PDC database to check that the
3100winbind authentication works. You will need to specify the username
3101in <em class="replaceable">DOMAIN</em>\<em class="replaceable">user</em>
3102format, like this:</p>
3103
<blockquote><pre class="code">login: METRAN\linda
Password:</pre></blockquote>
3106
3107<p>More information on configuring winbind can be found in the Samba
3108source distribution file
3109<em class="filename">docs/htmldocs/winbind.html</em>, and in the
3110<em class="emphasis">winbindd</em> manual page. If you would like to learn
3111more about configuring PAM, we recommend the web page <a href="http://www.kernel.org/pub/linux/libs/pam/">http://www.kernel.org/pub/linux/libs/pam/</a> as
3112a starting place. Some of the documentation for Linux PAM, including
3113Red Hat's extensions, can also be found on Red Hat
3114Linux in
3115<em class="filename">/usr/share/doc/pam-</em><em class="replaceable">version</em>.
3116<a name="INDEX-115"/></p>
3117
3118
3119</div>
3120
3121
3122<div class="sect2"><a name="samba2-CHP-9-SECT-5.5"/>
3123
3124<h3 class="head2">winbind Configuration Options</h3>
3125
3126<p><a href="ch09.html#samba2-CHP-9-TABLE-9">Table 9-9</a> <a name="INDEX-116"/><a name="INDEX-117"/>summarizes some commonly used options
3127that you can use to configure winbind.</p>
3128
3129<a name="samba2-CHP-9-TABLE-9"/><h4 class="head4">Table 9-9. winbind options</h4><table border="1">

<tr>
<th><p>Option</p></th>
<th><p>Parameters</p></th>
<th><p>Function</p></th>
<th><p>Default</p></th>
<th><p>Scope</p></th>
</tr>
<tr>
<td><p><tt class="literal">winbind</tt> <tt class="literal">separator</tt></p></td>
<td><p>string (single character)</p></td>
<td><p>Character to use as a separator in domain usernames and group names</p></td>
<td><p>Backslash (<tt class="literal">\</tt>)</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">winbind uid</tt></p></td>
<td><p>string (numeric range)</p></td>
<td><p>Range of UIDs for RID-to-UID mapping</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">winbind gid</tt></p></td>
<td><p>string (numeric range)</p></td>
<td><p>Range of GIDs for RID-to-GID mapping</p></td>
<td><p>None</p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">winbind cache time</tt></p></td>
<td><p>numeric</p></td>
<td><p>Number of seconds the <em class="emphasis">winbindd</em> daemon caches user and group data</p></td>
<td><p><tt class="literal">15</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">template</tt> <tt class="literal">homedir</tt></p></td>
<td><p>string (directory name)</p></td>
<td><p>Directory to be used as the home directory of the logged-in domain user</p></td>
<td><p><tt class="literal">/home/%D/%U</tt></p></td>
<td><p>Global</p></td>
</tr>
<tr>
<td><p><tt class="literal">template</tt> <tt class="literal">shell</tt></p></td>
<td><p>string (command name)</p></td>
<td><p>The program to use as the logged-in domain user's shell</p></td>
<td><p><tt class="literal">/bin/false</tt></p></td>
<td><p>Global</p></td>
</tr>

</table>


<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.1"/>

<a name="INDEX-118"/><h3 class="head3">winbind separator</h3>

<p>On Windows systems, the backslash (<tt class="literal">\</tt>) is commonly
used as a separator in file names, UNCs, and the names of domain
users and groups. For example, an account in the METRAN domain with a
username of <tt class="literal">linda</tt> would be written as
<tt class="literal">METRAN\linda</tt>. On Unix systems, the backslash is
commonly used as a metacharacter for quoting, so the account would
have to be specified as <tt class="literal">METRAN\\linda</tt> or
'<tt class="literal">METRAN\linda</tt>'. The winbind separator parameter
allows another character to be used instead of the backslash
character, making it much easier to type in domain user and group
names. For example, with:</p>

<blockquote><pre class="code">[global]
    winbind separator = +</pre></blockquote>

<p>the aforementioned account could be written simply as
<tt class="literal">METRAN+linda</tt> on the Unix host, making it
unnecessary to use additional backslashes or single quotes. Winbind
then uses the same format for reporting domain user and group names.</p>


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.2"/>

<a name="INDEX-119"/><h3 class="head3">winbind uid</h3>

<p>As part of <em class="emphasis">winbindd</em>'s task of
letting Windows NT domain users function as local users on the Unix
host, <em class="emphasis">winbindd</em> supplies a Unix UID that is
linked to the Windows RID of the domain user. The
<tt class="literal">winbind</tt> <tt class="literal">uid</tt> parameter allows
the Unix system administrator to allocate a range of UIDs for this
purpose. It is very important that this range not overlap any UIDs
used for other purposes on the Unix system, because the kernel treats
two accounts that share a UID as the same user for file ownership and
permissions, so we recommend you begin
your range at a very high number, one much larger than the number of
local users and NIS users that will ever exist. For example,
<tt class="literal">winbind</tt> <tt class="literal">uid</tt> might be defined
as:</p>

<blockquote><pre class="code">[global]
    winbind uid = 10000-15000</pre></blockquote>

<p>on a system that would never have more than 9,999 local and NIS
users, or for that matter, any other entries in
<em class="filename">/etc/passwd</em> that would use up another UID.
Because the example allocates 5,000 UIDs to
<em class="emphasis">winbindd</em>, the assumption is that there will
never be more than 5,000 domain users accessing the Samba host.</p>

<p>If your method for adding new local users to the system assigns UIDs
automatically, make sure it does not assign them within the range of
UIDs allocated to winbind. This might happen if the algorithm used
adds 1 to the highest UID assigned thus far.</p>

<p>There is no default for <tt class="literal">winbind</tt>
<tt class="literal">uid</tt>, so you must specify it in your Samba
configuration file for winbind to work.</p>


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.3"/>

<a name="INDEX-120"/><h3 class="head3">winbind gid</h3>

<p>This option works like <tt class="literal">winbind</tt>
<tt class="literal">uid</tt>, except that it is for allocating a range of
GIDs for use with <em class="emphasis">winbindd</em>. You might not need
to allocate as many GIDs as UIDs because you probably have relatively
few domain groups that need corresponding GIDs. (In many cases, users
are all members of the Domain Users group, requiring only one GID.)
However, it is best to play it safe, so make sure to allocate many
more GIDs than you think you will need.</p>

<p>As with <tt class="literal">winbind</tt> <tt class="literal">uid</tt>, if you are
using a method of adding new local users to your Unix host that
automatically assigns GIDs, either make sure the method used
doesn't conflict with winbind or set the GIDs
manually.</p>

<p>There is no default for <tt class="literal">winbind</tt>
<tt class="literal">gid</tt>, so you must specify it in your Samba
configuration file for winbind to work.</p>


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.4"/>

<a name="INDEX-121"/><h3 class="head3">winbind cache time</h3>

<p>The <em class="emphasis">winbindd</em> daemon maintains a cache of user
and group data that has been retrieved from the Windows PDC to reduce
network queries and increase performance. The
<tt class="literal">winbind</tt> <tt class="literal">cache</tt>
<tt class="literal">time</tt> parameter sets the amount of time (in
seconds) <em class="emphasis">winbindd</em> can use the cached data before
querying the PDC to check for an update. By default, this interval is
set to 15 seconds. This means that when any part of a user or group
account on the PDC is modified, it can take up to 15 seconds for
<em class="emphasis">winbindd</em> to update its own database.</p>


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.5"/>

<a name="INDEX-122"/><h3 class="head3">template homedir</h3>

<p>When the local Unix system is configured to allow domain users to log
in, the user must be provided with a home directory for many
programs, including command shells, to function properly. The
<tt class="literal">template</tt> <tt class="literal">homedir</tt> option is used
to set the name of the home directory. In the name of the directory,
<tt class="literal">%D</tt> is replaced by the name of the Windows NT
domain the user is in, and <tt class="literal">%U</tt> is replaced by the
user's username. By default, <tt class="literal">template</tt>
<tt class="literal">homedir</tt> is set to <tt class="literal">/home/%D/%U</tt>,
which works fine for a network in which there might be more than one
Windows NT domain, and it is possible for different people in
different domains to have the same username. If you are sure you will
never have more than one Windows NT domain on your network, or you
have more than one domain but know for sure that the same username
in each domain always refers to the same person, you might prefer to set
<tt class="literal">template</tt> <tt class="literal">homedir</tt> like this:</p>

<blockquote><pre class="code">[global]
    template homedir = /home/%U</pre></blockquote>
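<p>The winbind separator section and this one describe two pieces of the
same name handling: splitting a <tt class="literal">DOMAIN</tt>-separator-<tt class="literal">user</tt>
name, and expanding <tt class="literal">%D</tt> and <tt class="literal">%U</tt> into a
home directory. The Python below is an added example, not Samba's own
implementation of either step. It splits names using a configurable
separator, expands the template, and reports which distinct domain users
would end up sharing a home directory, which is exactly the situation the
<tt class="literal">/home/%U</tt> shortcut can create when two domains contain
the same username. The user list is constructed sample data and the
function names are this example's own.</p>

```python
"""Expand winbind's template homedir for domain users and spot collisions.

Added example (not Samba's own code). Splits DOMAIN<separator>user names
with the configured 'winbind separator', expands %D/%U in
'template homedir' as the text describes, and reports distinct domain
users that would be given the same home directory.
"""


def split_domain_user(name, separator="\\"):
    """Split 'METRAN+linda' (or 'METRAN\\linda') into (domain, user).

    Raises ValueError when the separator is missing, empty on either side,
    or appears more than once, so a malformed name is never silently
    treated as a local account or as some other domain's account."""
    if len(separator) != 1:
        raise ValueError("winbind separator must be a single character")
    parts = name.split(separator)
    if len(parts) != 2 or not parts[0] or not parts[1]:
        raise ValueError(f"expected DOMAIN{separator}user, got {name!r}")
    return parts[0], parts[1]


def expand_homedir(template, domain, user):
    """Substitute %D (domain name) and %U (username) in a template homedir."""
    return template.replace("%D", domain).replace("%U", user)


def homedir_collisions(names, template, separator="\\"):
    """Map each home directory to the distinct domain users that would get it,
    keeping only directories that more than one user would share."""
    owners = {}
    for name in names:
        domain, user = split_domain_user(name, separator)
        path = expand_homedir(template, domain, user)
        owners.setdefault(path, []).append((domain, user))
    return {path: users for path, users in owners.items() if len(users) > 1}


# Constructed sample: two domains, with the username 'linda' present in both.
DOMAIN_USERS = ["METRAN+linda", "METRAN+dave", "SALES+linda"]

if __name__ == "__main__":
    # /home/%U merges the two 'linda' accounts; /home/%D/%U keeps them apart.
    print(homedir_collisions(DOMAIN_USERS, "/home/%U", "+"))
    print(homedir_collisions(DOMAIN_USERS, "/home/%D/%U", "+"))
```

<p>With the sample list, <tt class="literal">/home/%U</tt> yields one shared
directory for <tt class="literal">METRAN+linda</tt> and
<tt class="literal">SALES+linda</tt>, while the default
<tt class="literal">/home/%D/%U</tt> yields no collisions; feeding the
script the output of <tt class="literal">wbinfo -u</tt> on a real host (with
the separator you configured) shows whether the shortcut is safe for your
domains.</p>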


</div>



<div class="sect3"><a name="samba2-CHP-9-SECT-5.5.6"/>

<a name="INDEX-123"/><h3 class="head3">template shell</h3>

<p>This option specifies the program to use as the shell for domain
users who are logged in to the Unix host. By default, it is set to
<em class="emphasis">/bin/false</em>, which effectively prevents domain
users from logging in. If you wish to allow logins for domain users, set
<tt class="literal">template</tt> <tt class="literal">shell</tt> to a valid
command shell (or other program) that you want to act as the textual
interface the domain users will receive when logged in. A common
setting on Linux would be:</p>

<blockquote><pre class="code">[global]
    template shell = /bin/bash</pre></blockquote>

<p>which would give users the Bash shell for their interactive login
sessions. <a name="INDEX-124"/><a name="INDEX-125"/> <a name="INDEX-126"/><a name="INDEX-127"/></p>


</div>


</div>


</div>

<hr/><h4 class="head4">Footnotes</h4><blockquote><a name="FOOTNOTE-1"/> <p><a href="#FNPTR-1">[1]</a> Having both encrypted and nonencrypted
password clients on your network is one of the reasons why Samba
allows you to include (or not include) various options in the Samba
configuration file based on the client operating system or machine
name variables.</p> <a name="FOOTNOTE-2"/>
<p><a href="#FNPTR-2">[2]</a> This is because the Unix <em class="emphasis">passwd</em> program,
which is the usual target for this operation, allows
<tt class="literal">root</tt> to change a user's password
without the security restriction that requests the old password of
that user.</p> </blockquote></body></html>