Account Information Databases in Samba-3
Samba-3 implements a new capability to work concurrently with multiple account backends. The possible new combinations of password backends allow Samba-3 a degree of flexibility and scalability that previously could be achieved only with MS Windows Active Directory (ADS). This chapter describes the new functionality and how to get the most out of it.
The three passdb backends that are fully maintained (actively supported) by the Samba Team are: smbpasswd (being obsoleted), tdbsam (a tdb-based binary file format), and ldapsam (LDAP directory). Of these, only the ldapsam backend stores both POSIX (UNIX) and Samba user and group account information in a single repository. The smbpasswd and tdbsam backends store only Samba user accounts.
In a strict sense, there are three supported account storage and access systems, one of which (smbpasswd) is considered obsolete. Use tdbsam for all simple systems and ldapsam for larger and more complex networks.
Strictly speaking, the passdb backends are account storage mechanisms (or methods) alone. The term "backend" can be misleading, but it is the wording Samba uses. This chapter documents the nature of the account storage system with a focus on user and trust accounts. Trust accounts have two forms: machine trust accounts (computer accounts) and interdomain trust accounts. Both are stored and treated as user-like entities.
10.1 Features and Benefits
Samba-3 provides for complete backward compatibility with Samba-2.2.x functionality as follows:
10.1.1 Backward Compatibility Account Storage Systems
- Plaintext This isn't really a backend at all, but is listed here for simplicity. Samba can be configured to pass plaintext authentication requests to the traditional UNIX/Linux /etc/passwd and /etc/shadow-style subsystems. On systems that have Pluggable Authentication Modules (PAM) support, all PAM modules are supported. The behavior is just as it was with Samba-2.2.x, and the protocol limitations imposed by MS Windows clients apply likewise: current Windows clients refuse to send plaintext passwords over the wire unless a registry setting is changed on each client, and once it is changed the password crosses the network unprotected. Please refer to Section 10.2 for more information regarding the limitations of plaintext password usage.
- smbpasswd This option allows continued use of the smbpasswd file, a plain ASCII (text) file that holds the MS Windows LanMan and NT password hashes for each account together with a field that stores some account control information. Because these hashes are password-equivalent for NTLM authentication, the file must be readable by root only. This form of password backend does not store any of the MS Windows NT/200x SAM (Security Account Manager) information required to provide the extended controls that are needed for more comprehensive interoperation with MS Windows NT4/200x servers. This backend should be used only for backward compatibility with older versions of Samba. It may be deprecated in future releases.
- ldapsam_compat (Samba-2.2 LDAP Compatibility) There is a password backend option that allows continued operation with an existing OpenLDAP backend that uses the Samba-2.2.x LDAP schema extension. This option is provided primarily as a migration tool, although there is no reason to force migration at this time. This tool will eventually be deprecated.
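The smbpasswd file format described above is simple enough to audit directly, and doing so is the first thing a practitioner should do before migrating such a file to another backend. The following parser and audit routine is an added example written for this chapter; it is not code from the Samba distribution. It assumes only the record layout documented for the format (name, uid, LM hash, NT hash, bracketed flags, LCT- last-change time) and runs over a constructed sample file embedded in the script, whose hashes are public test vectors or obvious placeholders rather than real credentials.

```python
"""Parse and audit a Samba smbpasswd file (added example, not Samba project code).

Record layout, one account per line:

    username:uid:LM_HASH:NT_HASH:[flags]:LCT-<hex seconds>:

Each hash field is 32 hex digits, 32 'X' characters when that hash is not
stored, or "NO PASSWORD" padded with 'X' to 32 characters for a null password.
The flags field is a bracketed, space-padded list of single-letter account
control bits (U user, W workstation trust, I interdomain trust, D disabled,
N no password required, X password never expires).
"""
from dataclasses import dataclass

ABSENT = "X" * 32                      # hash not stored
NULL_PW = "NO PASSWORD" + "X" * 21     # account has a null password (32 chars)
EMPTY_LM = "AAD3B435B51404EEAAD3B435B51404EE"  # LM hash of the empty string
EMPTY_NT = "31D6CFE0D16AE931B73C59D7E0C089C0"  # NT hash (MD4 of UTF-16LE "") of the empty string
HEXDIGITS = set("0123456789ABCDEF")


@dataclass
class SmbPasswdEntry:
    name: str
    uid: int
    lm_hash: str
    nt_hash: str
    flags: set
    last_change: int  # seconds since the epoch, decoded from the LCT- field


def _check_hash(value, lineno, which):
    """Accept only the three shapes the format allows; reject anything else."""
    v = value.upper()
    if v in (ABSENT, NULL_PW):
        return v
    if len(v) == 32 and set(v) <= HEXDIGITS:
        return v
    raise ValueError(f"line {lineno}: malformed {which} hash field {value!r}")


def parse_smbpasswd(text):
    """Return the entries in an smbpasswd file body; comments and blank lines are skipped."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) < 6:
            raise ValueError(f"line {lineno}: expected at least six colon-separated fields")
        name, uid, lm, nt, flagfield, lct = fields[:6]
        if not name or not uid.isdigit():
            raise ValueError(f"line {lineno}: bad name or uid")
        if not (flagfield.startswith("[") and flagfield.endswith("]")):
            raise ValueError(f"line {lineno}: malformed flags field {flagfield!r}")
        if not lct.startswith("LCT-"):
            raise ValueError(f"line {lineno}: malformed last-change field {lct!r}")
        entries.append(SmbPasswdEntry(
            name=name,
            uid=int(uid),
            lm_hash=_check_hash(lm, lineno, "LM"),
            nt_hash=_check_hash(nt, lineno, "NT"),
            flags=set(flagfield[1:-1].replace(" ", "")),
            last_change=int(lct[4:], 16),
        ))
    return entries


def audit(entries):
    """Return (username, finding) pairs for conditions a reviewer should look at."""
    findings = []
    seen = {}
    for e in entries:
        if e.lm_hash not in (ABSENT, NULL_PW):
            findings.append((e.name, "LM hash stored: each half is an independent 7-character, "
                                     "case-folded DES key, so it is brute-forced offline far faster than the NT hash"))
        if "N" in e.flags or e.nt_hash == NULL_PW:
            findings.append((e.name, "no password required"))
        if e.nt_hash == EMPTY_NT or e.lm_hash == EMPTY_LM:
            findings.append((e.name, "hash of the empty string: the password is blank"))
        if e.nt_hash == ABSENT and "D" not in e.flags:
            findings.append((e.name, "enabled account with no NT hash"))
        if "W" in e.flags and not e.name.endswith("$"):
            findings.append((e.name, "workstation trust flag on a name without the trailing '$'"))
        if e.uid in seen:
            findings.append((e.name, f"uid {e.uid} already used by {seen[e.uid]}"))
        seen[e.uid] = e.name
    return findings


# Constructed sample file for this example; the hashes are public test vectors
# (empty string, the string "password") or obvious placeholders, not real credentials.
SAMPLE = """\
# constructed sample
jdoe:1001:E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C:[U          ]:LCT-3D2B6A2C:
asmith:1002:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:31D6CFE0D16AE931B73C59D7E0C089C0:[U          ]:LCT-3D2B6A2D:
guest:1003:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:NO PASSWORDXXXXXXXXXXXXXXXXXXXXX:[NU         ]:LCT-00000000:
ws01$:1004:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:0123456789ABCDEF0123456789ABCDEF:[W          ]:LCT-3D2B6A2E:
retired:1005:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:[DU         ]:LCT-3D2B6A2F:
"""

if __name__ == "__main__":
    for user, finding in audit(parse_smbpasswd(SAMPLE)):
        print(f"{user}: {finding}")
```

On the sample, the audit reports jdoe (a LanMan hash is stored), asmith (the NT hash is that of an empty password) and guest (the N flag), while the machine account ws01$ and the disabled account retired are clean. Run the same routine over a real file (as root, since the hashes are password-equivalent) before importing it into tdbsam or ldapsam, so that accounts with blank or absent passwords are not carried across.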
10.1.2 New Account Storage Systems
Samba-3 introduces a number of new password backend capabilities.
- tdbsam This backend provides a rich database backend for local servers. It is not suitable for installations with multiple domain controllers (i.e., a PDC plus one or more BDCs), because the TDB file is local to one machine and is not replicated.
The tdbsam password backend stores the old smbpasswd information plus the extended MS Windows NT/200x SAM information into a binary format TDB (trivial database) file. The inclusion of the extended information makes it possible for Samba-3 to implement the same account and system access controls that are possible with MS Windows NT4/200x-based systems.
The inclusion of the tdbsam capability is a direct response to user requests to allow simple site operation without the complexity of running OpenLDAP. It is recommended to use this only for sites that have fewer than 250 users. For larger sites or implementations, the use of OpenLDAP or of Active Directory integration is strongly recommended.
- ldapsam This provides a rich directory backend for distributed account installations.
Samba-3 has a new and extended LDAP implementation that requires configuration of OpenLDAP with a new format Samba schema. The new format schema file is included in the examples/LDAP directory of the Samba distribution.
The new LDAP implementation significantly expands the control abilities that were possible with prior versions of Samba. It is now possible to specify "per-user" profile settings, home directories, account access controls, and much more. Corporate sites will see that the Samba Team has listened to their requests both for capability and greater scalability.
- mysqlsam (MySQL-based backend) It is expected that the MySQL-based SAM will be very popular in some corners. This database backend will be of considerable interest to sites that want to leverage existing MySQL technology.
- pgsqlsam (PostgreSQL-based backend) Makes use of a PostgreSQL database to store account information. This backend is largely undocumented at the moment, though its configuration is very similar to that of the mysqlsam backend.
- xmlsam (XML-based datafile) Allows the account and password data to be stored in an XML format data file. This backend cannot be used for normal operation; it can only be used in conjunction with pdbedit's pdb2pdb functionality. The Document Type Definition (DTD) file that is used might be subject to changes in the future. (See the XML reference for a definition of XML terms.) The xmlsam option can be useful for account migration between database backends or for backups. Use of this tool allows the data to be edited before migration into another backend format.
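The two backends the chapter recommends, tdbsam for a single server and ldapsam for a distributed installation, are selected with the passdb backend parameter in smb.conf. The fragment below is an added example for this chapter, not a configuration shipped with Samba; the workgroup name, LDAP host, suffix, organizational units and admin DN are placeholders, and the TDB path is shown only to illustrate the optional path syntax.

```ini
[global]
    workgroup = EXAMPLE
    security = user
    encrypt passwords = yes

    # Single-server site (the chapter's guidance: fewer than 250 users,
    # no BDCs). Without a path the TDB file is kept in Samba's private
    # directory; an explicit path looks like tdbsam:/var/lib/samba/private/passdb.tdb
    passdb backend = tdbsam

    # Larger or multi-DC site: replace the line above with ldapsam and
    # point it at the directory that carries the Samba-3 schema.
    ; passdb backend = ldapsam:ldap://ldap.example.com
    ; ldap suffix = dc=example,dc=com
    ; ldap user suffix = ou=People
    ; ldap group suffix = ou=Groups
    ; ldap machine suffix = ou=Computers
    ; ldap admin dn = cn=sambaadmin,dc=example,dc=com
    ; ldap ssl = start tls
```

The password for the ldap admin dn is never written into smb.conf; it is stored in secrets.tdb with `smbpasswd -w <password>`. `ldap ssl = start tls` keeps that bind and the hashes themselves off the wire in clear. Because the sambaLMPassword and sambaNTPassword attributes are password-equivalent, the directory's access controls must restrict reading them to the admin DN. An existing smbpasswd file is moved to the new backend with pdbedit, for example `pdbedit -i smbpasswd:/etc/samba/smbpasswd -e tdbsam`, after which the old file should be removed rather than left readable.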