Home > Articles > Software Development & Management

  • Print
  • + Share This
This chapter is from the book

10.3 Account Management Tools

Samba provides two tools for management of user and machine accounts: smbpasswd and pdbedit.

The pdbedit can be used to manage account policies in addition to Samba user account information. The policy management capability is used to administer domain default settings for password aging and management controls to handle failed login attempts.

Some people are confused when reference is made to smbpasswd because the name refers to a storage mechanism for SambaSAMAccount information, but it is also the name of a utility tool. That tool is destined to eventually be replaced by new functionality that is being added to the net toolset (see Chapter 12, "Remote and Local Management: The Net Command".

10.3.1 The smbpasswd Tool

The smbpasswd utility is similar to the passwd and yppasswd programs. It maintains the two 32 byte password fields in the passdb backend. This utility operates independently of the actual account and password storage methods used (as specified by the passdb backend in the smb.conf file.

smbpasswd works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits.

smbpasswd has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT PDC if changing an NT domain user's password).

smbpasswd can be used to:

  • add user or machine accounts.
  • delete user or machine accounts.
  • enable user or machine accounts.
  • disable user or machine accounts.
  • set to NULL user passwords.
  • manage interdomain trust accounts.

To run smbpasswd as a normal user, just type:

$ smbpasswd
Old SMB password: secret

For secret , type the old value here or press return if there is no old password.

New SMB Password: new secret
Repeat New SMB Password: new secret

If the old value does not match the current value stored for that user, or the two new values do not match each other, then the password will not be changed.

When invoked by an ordinary user, the command will allow only the user to change his or her own SMB password.

When run by root, smbpasswd may take an optional argument specifying the username whose SMB password you wish to change. When run as root, smbpasswd does not prompt for or check the old password value, thus allowing root to set passwords for users who have forgotten their passwords.

smbpasswd is designed to work in the way familiar to UNIX users who use the passwd or yppasswd commands. While designed for administrative use, this tool provides essential user-level password change capabilities.

For more details on using smbpasswd, refer to the man page (the definitive reference).

10.3.2 The pdbedit Tool

pdbedit is a tool that can be used only by root. It is used to manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to:

  • add, remove, or modify user accounts.
  • list user accounts.
  • migrate user accounts.
  • migrate group accounts.
  • manage account policies.
  • manage domain access policy settings.

Under the terms of the Sarbanes-Oxley Act of 2002, American businesses and organizations are mandated to implement a series of internal controls and procedures to communicate, store, and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of:

  1. Who has access to information systems that store financial data.
  2. How personal and finacial information is treated among employees and business partners.
  3. How security vulnerabilities are managed.
  4. Security and patch level maintenance for all information systems.
  5. How information systems changes are documented and tracked.
  6. How information access controls are implemented and managed.
  7. Auditability of all information systems in respect of change and security.
  8. Disciplinary procedures and controls to ensure privacy.

In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of business related information systems so as to ensure the compliance of all information systems that are used to store personal information and particularly for financial records processing. Similar accountabilities are being demanded around the world.

The need to be familiar with the Samba tools and facilities that permit information systems operation in compliance with government laws and regulations is clear to all. The pdbedit is currently the only Samba tool that provides the capacity to manage account and systems access controls and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may be implemented to aid in this important area.

Domain global policy controls available in Windows NT4 compared with Samba is shown in Table 10.1.

The pdbedit tool is the only one that can manage the account security and policy settings. It is capable of all operations that smbpasswd can do as well as a superset of them.

One particularly important purpose of the pdbedit is to allow the migration of account information from one passdb backend to another. See the Section 10.4.6 password backend section of this chapter.

10.3.2.1 User Account Management

The pdbedit tool, like the smbpasswd tool, requires that a POSIX user account already exists in the UNIX/Linux system accounts database (backend). Neither tool will call out to the operating system to create a user account because this is considered to be the responsibility of the system administrator. When the Windows NT4 domain user manager is used to add an account, Samba will implement the add user script (as well as the other interface scripts) to ensure that user, group and machine accounts are correctly created and changed. The use of the pdbedit tool does not make use of these interface scripts.

Before attempting to use the pdbedit tool to manage user and machine accounts, make certain that a system (POSIX) account has already been created.

Listing User and Machine Accounts

The following is an example of the user account information that is stored in a tdbsam password backend. This listing was produced by running:

$ pdbedit -Lv met
UNIX username:        met
NT username:          met
Account Flags:        [U          ]
User SID:             S-1-5-21-1449123459-1407424037-3116680435-2004
Primary Group SID:    S-1-5-21-1449123459-1407424037-3116680435-1201
Full Name:            Melissa E Terpstra
Home Directory:       \\frodo\met\Win9Profile
HomeDir Drive:        H:
Logon Script:         scripts\logon.bat
Profile Path:         \\frodo\Profiles\met
Domain:               MIDEARTH
Account desc:
Workstations:         melbelle
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
Password last set:    Sat, 14 Dec 2002 14:37:03 GMT
Password can change:  Sat, 14 Dec 2002 14:37:03 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT

Accounts can also be listed in the older smbpasswd format:

root# pdbedit -Lw
root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
     AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U          ]:LCT-42681AB8:
jht:1000:6BBC4159020A52741486235A2333E4D2:
     CC099521AD554A3C3CF2556274DBCFBC:[U          ]:LCT-40D75B5B:
rcg:1002:E95D4331A6F23AF8AAD3B435B51404EE:
     BB0F2C39B04CA6100F0E535DF8314B43:[U          ]:LCT-40D7C5A3:
afw:1003:1AAFA7F9F6DC1DEAAAD3B435B51404EE:
     CE92C2F9471594CDC4E7860CA6BC62DB:[T          ]:LCT-40DA501F:
met:1004:A2848CB7E076B435AAD3B435B51404EE:
     F25F5D3405085C555236B80B7B22C0D2:[U          ]:LCT-4244FAB8:
aurora$:1005:060DE593EA638B8ACC4A19F14D2FF2BB:
     060DE593EA638B8ACC4A19F14D2FF2BB:[W          ]:LCT-4173E5CC:
temptation$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
     A96703C014E404E33D4049F706C45EE9:[W          ]:LCT-42BF0C57:
vaioboss$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
     88A30A095160072784C88F811E89F98A:[W          ]:LCT-41C3878D:
frodo$:1008:15891DC6B843ECA41249940C814E316B:
     B68EADCCD18E17503D3DAD3E6B0B9A75:[W          ]:LCT-42B7979F:
marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3:
     C610EFE9A385A3E8AA46ADFD576E6881:[W          ]:LCT-40F07A4

Adding User Accounts

The pdbedit can be used to add a user account to a standalone server or to a domain. In the example shown here the account for the user vlaan has been created before attempting to add the SambaSAMAccount.

root# pdbedit -a vlaan
new password: secretpw
retype new password: secretpw
Unix username:        vlaan
NT username:          vlaan
Account Flags:        [U      ]
User SID:             S-1-5-21-726309263-4128913605-1168186429-3014
Primary Group SID:    S-1-5-21-726309263-4128913605-1168186429-513
Full Name:            Victor Laan
Home Directory:       \\frodo\vlaan
HomeDir Drive:        H:
Logon Script:         scripts\logon.bat
Profile Path:         \\frodo\profiles\vlaan
Domain:               MIDEARTH
Account desc:         Guest User
Workstations:
Munged dial:
Logon time:           0
Logoff time:          Mon, 18 Jan 2038 20:14:07 GMT
Kickoff time:         Mon, 18 Jan 2038 20:14:07 GMT
Password last set:    Wed, 29 Jun 2005 19:35:12 GMT
Password can change : Wed, 29 Jun 2005 19:35:12 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
Last bad password   : 0
Bad password count  : 0
Logon hours         : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF

Deleting Accounts

An account can be deleted from the SambaSAMAccount database

root# pdbedit -x vlaan

The account is removed without further screen output. The account is removed only from the SambaSAMAccount (passdb backend) database, it is not removed from the UNIX account backend.

The use of the NT4 domain user manager to delete an account will trigger the delete user script , but not the pdbedit tool.

Changing User Accounts

Refer to the pdbedit man page for a full synopsis of all operations that are available with this tool.

An example of a simple change in the user account information is the change of the full name information shown here:

root# pdbedit -r --fullname="Victor Aluicious Laan" vlaan
...
Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513
Full Name:         Victor Aluicious Laan
Home Directory:    \\frodo\vlaan
...

Let us assume for a moment that a user's password has expired and the user is unable to change the password at this time. It may be necessary to give the user additional grace time so that it is possible to continue to work with the account and the original password. This demonstrates how the password expiration settings may be updated

root# pdbedit -Lv vlaan
...
Password last set:    Sun, 09 Sep 2001 22:21:40 GMT
Password can change:  Thu, 03 Jan 2002 15:08:35 GMT
Password must change: Thu, 03 Jan 2002 15:08:35 GMT
Last bad password:    Thu, 03 Jan 2002 15:08:35 GMT
Bad password count :  2
...

The user has recorded 2 bad logon attempts and the next will lock the account, but the password is also expired. Here is how this account can be reset:

root# pdbedit -z vlaan
...
Password last set   : Sun, 09 Sep 2001 22:21:40 GMT
Password can change : Thu, 03 Jan 2002 15:08:35 GMT
Password must change: Thu, 03 Jan 2002 15:08:35 GMT
Last bad password   : 0
Bad password count  : 0
...

The Password must change: parameter can be reset like this:

root# pdbedit --pwd-must-change-time=1200000000 vlaan
...
Password last set:    Sun, 09 Sep 2001 22:21:40 GMT
Password can change:  Thu, 03 Jan 2002 15:08:35 GMT
Password must change: Thu, 10 Jan 2008 14:20:00 GMT
...

Another way to use this tools is to set the date like this:

root# pdbedit --pwd-must-change-time="2010-01-01"              --time-format="%Y-%m-%d" vlaan
...
Password last set:    Sun, 09 Sep 2001 22:21:40 GMT
Password can change:  Thu, 03 Jan 2002 15:08:35 GMT
Password must change: Fri, 01 Jan 2010 00:00:00 GMT
...

Refer to the strptime man page for specific time format information.

Please refer to the pdbedit man page for further information relating to SambaSAMAccount management.

Domain Account Policy Managment

To view the domain account access policies that may be configured execute:

root# pdbedit -P ?
No account policy by that name
Account policy names are :
min password length
password history
user must logon to change password
maximum password age
minimum password age
lockout duration
reset count minutes
bad lockout attempt
disconnect time
refuse machine password change

Commands will be executed to establish controls for our domain as follows:

  1. min password length = 8 characters.
  2. password history = last 4 passwords.
  3. maximum password age = 90 days.
  4. minimum password age = 7 days.
  5. bad lockout attempt = 8 bad logon attempts.
  6. lockout duration = forever, account must be manually reenabled.

The following command execution will achieve these settings:

root#  pdbedit -P "min password length" -C 8
account policy value for min password length was 5
account policy value for min password length is now 8
root#  pdbedit -P "password history" -C 4
account policy value for password history was 0
account policy value for password history is now 4
root#  pdbedit -P "maximum password age" -C 90
account policy value for maximum password age was 4294967295
account policy value for maximum password age is now 90
root#  pdbedit -P "minimum password age" -C 7
account policy value for minimum password age was 0
account policy value for minimum password age is now 7
root#  pdbedit -P "bad lockout attempt" -C 8
account policy value for bad lockout attempt was 0
account policy value for bad lockout attempt is now 8
root#  pdbedit -P "lockout duration" -C -1
account policy value for lockout duration was 30
account policy value for lockout duration is now 4294967295

10.3.2.2 Account Migration

The pdbedit tool allows migration of authentication (account) databases from one backend to another. For example, to migrate accounts from an old smbpasswd database to a tdbsam backend:

  1. Set the passdb backend = tdbsam, smbpasswd.
  2. Execute: root# pdbedit -i smbpasswd -e tdbsam
  3. Remove the smbpasswd from the passdb backend configuration in smb.conf.
  • + Share This
  • 🔖 Save To Your Account