10.3 Account Management Tools
Samba provides two tools for management of user and machine accounts: smbpasswd and pdbedit.
The pdbedit can be used to manage account policies in addition to Samba user account information. The policy management capability is used to administer domain default settings for password aging and management controls to handle failed login attempts.
Some people are confused when reference is made to smbpasswd because the name refers to a storage mechanism for SambaSAMAccount information, but it is also the name of a utility tool. That tool is destined to eventually be replaced by new functionality that is being added to the net toolset (see Chapter 12, "Remote and Local Management: The Net Command".
10.3.1 The smbpasswd Tool
The smbpasswd utility is similar to the passwd and yppasswd programs. It maintains the two 32 byte password fields in the passdb backend. This utility operates independently of the actual account and password storage methods used (as specified by the passdb backend in the smb.conf file.
smbpasswd works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits.
smbpasswd has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT PDC if changing an NT domain user's password).
smbpasswd can be used to:
- add user or machine accounts.
- delete user or machine accounts.
- enable user or machine accounts.
- disable user or machine accounts.
- set to NULL user passwords.
- manage interdomain trust accounts.
To run smbpasswd as a normal user, just type:
$ smbpasswd Old SMB password: secret
For secret , type the old value here or press return if there is no old password.
New SMB Password: new secret Repeat New SMB Password: new secret
If the old value does not match the current value stored for that user, or the two new values do not match each other, then the password will not be changed.
When invoked by an ordinary user, the command will allow only the user to change his or her own SMB password.
When run by root, smbpasswd may take an optional argument specifying the username whose SMB password you wish to change. When run as root, smbpasswd does not prompt for or check the old password value, thus allowing root to set passwords for users who have forgotten their passwords.
smbpasswd is designed to work in the way familiar to UNIX users who use the passwd or yppasswd commands. While designed for administrative use, this tool provides essential user-level password change capabilities.
For more details on using smbpasswd, refer to the man page (the definitive reference).
10.3.2 The pdbedit Tool
pdbedit is a tool that can be used only by root. It is used to manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to:
- add, remove, or modify user accounts.
- list user accounts.
- migrate user accounts.
- migrate group accounts.
- manage account policies.
- manage domain access policy settings.
Under the terms of the Sarbanes-Oxley Act of 2002, American businesses and organizations are mandated to implement a series of internal controls and procedures to communicate, store, and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of:
- Who has access to information systems that store financial data.
- How personal and finacial information is treated among employees and business partners.
- How security vulnerabilities are managed.
- Security and patch level maintenance for all information systems.
- How information systems changes are documented and tracked.
- How information access controls are implemented and managed.
- Auditability of all information systems in respect of change and security.
- Disciplinary procedures and controls to ensure privacy.
In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of business related information systems so as to ensure the compliance of all information systems that are used to store personal information and particularly for financial records processing. Similar accountabilities are being demanded around the world.
The need to be familiar with the Samba tools and facilities that permit information systems operation in compliance with government laws and regulations is clear to all. The pdbedit is currently the only Samba tool that provides the capacity to manage account and systems access controls and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may be implemented to aid in this important area.
Domain global policy controls available in Windows NT4 compared with Samba is shown in Table 10.1.
The pdbedit tool is the only one that can manage the account security and policy settings. It is capable of all operations that smbpasswd can do as well as a superset of them.
One particularly important purpose of the pdbedit is to allow the migration of account information from one passdb backend to another. See the Section 10.4.6 password backend section of this chapter.
10.3.2.1 User Account Management
The pdbedit tool, like the smbpasswd tool, requires that a POSIX user account already exists in the UNIX/Linux system accounts database (backend). Neither tool will call out to the operating system to create a user account because this is considered to be the responsibility of the system administrator. When the Windows NT4 domain user manager is used to add an account, Samba will implement the add user script (as well as the other interface scripts) to ensure that user, group and machine accounts are correctly created and changed. The use of the pdbedit tool does not make use of these interface scripts.
Before attempting to use the pdbedit tool to manage user and machine accounts, make certain that a system (POSIX) account has already been created.
Listing User and Machine Accounts
The following is an example of the user account information that is stored in a tdbsam password backend. This listing was produced by running:
$ pdbedit -Lv met UNIX username: met NT username: met Account Flags: [U ] User SID: S-1-5-21-1449123459-1407424037-3116680435-2004 Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201 Full Name: Melissa E Terpstra Home Directory: \\frodo\met\Win9Profile HomeDir Drive: H: Logon Script: scripts\logon.bat Profile Path: \\frodo\Profiles\met Domain: MIDEARTH Account desc: Workstations: melbelle Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT Password last set: Sat, 14 Dec 2002 14:37:03 GMT Password can change: Sat, 14 Dec 2002 14:37:03 GMT Password must change: Mon, 18 Jan 2038 20:14:07 GMT
Accounts can also be listed in the older smbpasswd format:
root# pdbedit -Lw root:0:84B0D8E14D158FF8417EAF50CFAC29C3: AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-42681AB8: jht:1000:6BBC4159020A52741486235A2333E4D2: CC099521AD554A3C3CF2556274DBCFBC:[U ]:LCT-40D75B5B: rcg:1002:E95D4331A6F23AF8AAD3B435B51404EE: BB0F2C39B04CA6100F0E535DF8314B43:[U ]:LCT-40D7C5A3: afw:1003:1AAFA7F9F6DC1DEAAAD3B435B51404EE: CE92C2F9471594CDC4E7860CA6BC62DB:[T ]:LCT-40DA501F: met:1004:A2848CB7E076B435AAD3B435B51404EE: F25F5D3405085C555236B80B7B22C0D2:[U ]:LCT-4244FAB8: aurora$:1005:060DE593EA638B8ACC4A19F14D2FF2BB: 060DE593EA638B8ACC4A19F14D2FF2BB:[W ]:LCT-4173E5CC: temptation$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: A96703C014E404E33D4049F706C45EE9:[W ]:LCT-42BF0C57: vaioboss$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX: 88A30A095160072784C88F811E89F98A:[W ]:LCT-41C3878D: frodo$:1008:15891DC6B843ECA41249940C814E316B: B68EADCCD18E17503D3DAD3E6B0B9A75:[W ]:LCT-42B7979F: marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3: C610EFE9A385A3E8AA46ADFD576E6881:[W ]:LCT-40F07A4
Adding User Accounts
The pdbedit can be used to add a user account to a standalone server or to a domain. In the example shown here the account for the user vlaan has been created before attempting to add the SambaSAMAccount.
root# pdbedit -a vlaan new password: secretpw retype new password: secretpw Unix username: vlaan NT username: vlaan Account Flags: [U ] User SID: S-1-5-21-726309263-4128913605-1168186429-3014 Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513 Full Name: Victor Laan Home Directory: \\frodo\vlaan HomeDir Drive: H: Logon Script: scripts\logon.bat Profile Path: \\frodo\profiles\vlaan Domain: MIDEARTH Account desc: Guest User Workstations: Munged dial: Logon time: 0 Logoff time: Mon, 18 Jan 2038 20:14:07 GMT Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT Password last set: Wed, 29 Jun 2005 19:35:12 GMT Password can change : Wed, 29 Jun 2005 19:35:12 GMT Password must change: Mon, 18 Jan 2038 20:14:07 GMT Last bad password : 0 Bad password count : 0 Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
An account can be deleted from the SambaSAMAccount database
root# pdbedit -x vlaan
The account is removed without further screen output. The account is removed only from the SambaSAMAccount (passdb backend) database, it is not removed from the UNIX account backend.
The use of the NT4 domain user manager to delete an account will trigger the delete user script , but not the pdbedit tool.
Changing User Accounts
Refer to the pdbedit man page for a full synopsis of all operations that are available with this tool.
An example of a simple change in the user account information is the change of the full name information shown here:
root# pdbedit -r --fullname="Victor Aluicious Laan" vlaan ... Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513 Full Name: Victor Aluicious Laan Home Directory: \\frodo\vlaan ...
Let us assume for a moment that a user's password has expired and the user is unable to change the password at this time. It may be necessary to give the user additional grace time so that it is possible to continue to work with the account and the original password. This demonstrates how the password expiration settings may be updated
root# pdbedit -Lv vlaan ... Password last set: Sun, 09 Sep 2001 22:21:40 GMT Password can change: Thu, 03 Jan 2002 15:08:35 GMT Password must change: Thu, 03 Jan 2002 15:08:35 GMT Last bad password: Thu, 03 Jan 2002 15:08:35 GMT Bad password count : 2 ...
The user has recorded 2 bad logon attempts and the next will lock the account, but the password is also expired. Here is how this account can be reset:
root# pdbedit -z vlaan ... Password last set : Sun, 09 Sep 2001 22:21:40 GMT Password can change : Thu, 03 Jan 2002 15:08:35 GMT Password must change: Thu, 03 Jan 2002 15:08:35 GMT Last bad password : 0 Bad password count : 0 ...
The Password must change: parameter can be reset like this:
root# pdbedit --pwd-must-change-time=1200000000 vlaan ... Password last set: Sun, 09 Sep 2001 22:21:40 GMT Password can change: Thu, 03 Jan 2002 15:08:35 GMT Password must change: Thu, 10 Jan 2008 14:20:00 GMT ...
Another way to use this tools is to set the date like this:
root# pdbedit --pwd-must-change-time="2010-01-01" --time-format="%Y-%m-%d" vlaan ... Password last set: Sun, 09 Sep 2001 22:21:40 GMT Password can change: Thu, 03 Jan 2002 15:08:35 GMT Password must change: Fri, 01 Jan 2010 00:00:00 GMT ...
Refer to the strptime man page for specific time format information.
Please refer to the pdbedit man page for further information relating to SambaSAMAccount management.
Domain Account Policy Managment
To view the domain account access policies that may be configured execute:
root# pdbedit -P ? No account policy by that name Account policy names are : min password length password history user must logon to change password maximum password age minimum password age lockout duration reset count minutes bad lockout attempt disconnect time refuse machine password change
Commands will be executed to establish controls for our domain as follows:
- min password length = 8 characters.
- password history = last 4 passwords.
- maximum password age = 90 days.
- minimum password age = 7 days.
- bad lockout attempt = 8 bad logon attempts.
- lockout duration = forever, account must be manually reenabled.
The following command execution will achieve these settings:
root# pdbedit -P "min password length" -C 8 account policy value for min password length was 5 account policy value for min password length is now 8 root# pdbedit -P "password history" -C 4 account policy value for password history was 0 account policy value for password history is now 4 root# pdbedit -P "maximum password age" -C 90 account policy value for maximum password age was 4294967295 account policy value for maximum password age is now 90 root# pdbedit -P "minimum password age" -C 7 account policy value for minimum password age was 0 account policy value for minimum password age is now 7 root# pdbedit -P "bad lockout attempt" -C 8 account policy value for bad lockout attempt was 0 account policy value for bad lockout attempt is now 8 root# pdbedit -P "lockout duration" -C -1 account policy value for lockout duration was 30 account policy value for lockout duration is now 4294967295
10.3.2.2 Account Migration
The pdbedit tool allows migration of authentication (account) databases from one backend to another. For example, to migrate accounts from an old smbpasswd database to a tdbsam backend:
- Set the passdb backend = tdbsam, smbpasswd.
- Execute: root# pdbedit -i smbpasswd -e tdbsam
- Remove the smbpasswd from the passdb backend configuration in smb.conf.