From: Kandukuru_Suresh on
Dear Volker,
We are facing a problem with tdbsam support for pam_smbpass in samba.
Below is the email conversation with John T.,
and I have created a bug at
https://bugzilla.samba.org/show_bug.cgi?id=7546 .
I think we have to use tdbsam for our NAS device.
Can you help us on this?

Thanks
Suresh

-----Original Message-----
From: Kandukuru, Suresh
Sent: Saturday, July 03, 2010 9:02 PM
To: 'jht(a)samba.org'
Subject: RE: [Samba] pam_smbpass.so passdb.tdb support

Thanks John, Created bug at
https://bugzilla.samba.org/show_bug.cgi?id=7546.

Thanks again.
Suresh

-----Original Message-----
From: John H Terpstra [mailto:jht(a)samba.org]
Sent: Saturday, July 03, 2010 7:56 PM
To: Kandukuru, Suresh
Cc: samba(a)lists.samba.org
Subject: Re: [Samba] pam_smbpass.so passdb.tdb support

On 07/03/2010 08:50 AM, Kandukuru_Suresh(a)emc.com wrote:
> Dear JHT,
> Thanks for the quick reply. In
> http://www.samba.org/samba/history/samba-3.4.0.html
> the Samba team is recommending to use tdbsam.

Not just recommending - it is the default now. The smbpasswd file can
not contain the information needed to fully support current MS Windows
clients. The result is the smbpasswd format storage of MS Windows
networking credentials has been obsoleted.

> Just wanted to know one thing:
> from samba 3.4 the default backend has been changed to tdbsam, so why is
> one of the modules, "pam_smbpass", in the samba code still looking for
> passwords in smbpasswd? Is there any patch for that?

The pam_smbpasswd module has not been updated because no one has
contributed the necessary patches. The tdbsam backend has been
available since September 2003, so my take on this is that VERY few
people use pam_smbpasswd. If more were using it, someone might by now
have done something about the lack of support for tdbsam (and ldapsam
for that matter) in the pam_smbpasswd module.

> Will this be removed in versions of samba higher than 3.4?

Probably. Why don't you file a bug report on https://bugzilla.samba.org
? - that is the only way you might get action on this.

> I find several people asking the question on the net. Did not find any
> answer. Anticipating your reply.

Sorry to disappoint you.

cheers,
John T.

> Configuration changes
> =====================
>
> !!! ATTENTION !!!
> The default passdb backend has been changed to 'tdbsam'! That breaks
> existing setups using the 'smbpasswd' backend without explicit declaration!
> Please use 'passdb backend = smbpasswd' if you would like to stick to the
> 'smbpasswd' backend or convert your smbpasswd entries using e.g.
> 'pdbedit -i smbpasswd -e tdbsam'.
>
> The 'tdbsam' backend is much more flexible concerning per user settings
> like 'profile path' or 'home directory' and there are some commands
> which do not work with the 'smbpasswd' backend at all.
> -------------------------
>
> Thanks
> Suresh
>
>
>
> -----Original Message-----
> From: samba-bounces(a)lists.samba.org
> [mailto:samba-bounces(a)lists.samba.org] On Behalf Of John H Terpstra
> Sent: Saturday, July 03, 2010 6:31 PM
> To: samba(a)lists.samba.org
> Subject: Re: [Samba] pam_smbpass.so passdb.tdb support
>
> On 07/03/2010 05:29 AM, Kandukuru_Suresh(a)emc.com wrote:
>> Hi,
>>
>> Recently I have installed samba 3.4.8 on my device. Since then ftp
>> (vsftp, proftpd), which is taking users from the samba database with
>> pam_smbpass.so, is not working. After enabling detailed logging I have
>> noticed it is looking for the passwords in smbpasswd
>> (/etc/samba/private), which is of zero size. I think all users passwd
>> are located in passwd.tdb. I could fix this by giving "passdb
>> backend=smbpasswd".
>>
>> Somewhere I read smbpasswd is obsolete, and it is recommended to use
>> tdbsam.
>>
>>
>>
>> and /etc/pam.d/ftp file is
>> ---------------------
>> root@storage:/# cat /etc/pam.d/ftp
>> auth required /lib/security/pam_smbpass.so
>> account required /lib/security/pam_nologin.so
>> account required /lib/security/pam_smbpass.so
>> password required /lib/security/pam_smbpass.so
>> session required /lib/security/pam_unix.so
>>
>> -------------------
>>
>>
>>
>> How can I tell the pam_smbpass module to use passdb.tdb (tdbsam)? Please
>> tell me, I have been trying for the last 2 days. Did not find anything.
>
> You can not do that without changing the pam_smbpasswd code. This module
> specifically operates against the smbpasswd file.
>
> -John T.


--
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Ryan Novosielski on
On 07/03/2010 10:25 AM, John H Terpstra wrote:
> On 07/03/2010 08:50 AM, Kandukuru_Suresh(a)emc.com wrote:
>> Dear JHT,
>> Thanks for the quick reply. In
>> http://www.samba.org/samba/history/samba-3.4.0.html
>> the Samba team is recommending to use tdbsam.
>
> Not just recommending - it is the default now. The smbpasswd file can
> not contain the information needed to fully support current MS Windows
> clients. The result is the smbpasswd format storage of MS Windows
> networking credentials has been obsoleted.
>
>> Just wanted to know one thing:
>> from samba 3.4 the default backend has been changed to tdbsam, so why is
>> one of the modules, "pam_smbpass", in the samba code still looking for
>> passwords in smbpasswd? Is there any patch for that?
>
> The pam_smbpasswd module has not been updated because no one has
> contributed the necessary patches. The tdbsam backend has been
> available since September 2003, so my take on this is that VERY few
> people use pam_smbpasswd. If more were using it, someone might by now
> have done something about the lack of support for tdbsam (and ldapsam
> for that matter) in the pam_smbpasswd module.

I was using it, and was somewhat disappointed to lose it when I had to
switch to tdbsam, but by that time it had become much less important to
share Windows and UNIX credentials on the same system.

- --
- ---- _ _ _ _ ___ _ _ _
|Y#| | | |\/| | \ |\ | | |Ryan Novosielski - Sr. Systems Programmer
|$&| |__| | | |__/ | \| _| |novosirj(a)umdnj.edu - 973/972.0922 (2-0922)
\__/ Univ. of Med. and Dent.|IST/CST-Academic Svcs. - ADMC 450, Newark
From: Kandukuru_Suresh on
Dear John T and samba list,

Can you please help me to understand the following things? I have browsed
the net, but the points are not clear to me.

1) What exactly doesn't work with the existing smbpasswd based
mechanism?
--------------
from
http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2593073
This form of password backend does not store any of the MS
Windows NT/200x SAM (Security Account Manager) information required to
provide the extended controls that are needed for more comprehensive
interoperation with MS Windows NT4/200x servers.
------------
What exactly is the above point? Is it the only limitation? Are
there any other limitations? Please let me know if any other.

2) Can we easily convert an existing smbpasswd file to the new format
and allow system authentication to work uninterrupted?

Thanks
Suresh

From: John H Terpstra on
On 07/05/2010 11:33 PM, Kandukuru_Suresh(a)emc.com wrote:
> Dear John T and samba list,
>
> Can you please help me to understand the following things? I have browsed
> the net, but the points are not clear to me.
>
> 1) What exactly doesn't work with the existing smbpasswd based
> mechanism?
> --------------
> from
> http://www.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html#id2593073
> This form of password backend does not store any of the MS
> Windows NT/200x SAM (Security Account Manager) information required to
> provide the extended controls that are needed for more comprehensive
> interoperation with MS Windows NT4/200x servers.

Here is a comparison of what is stored in smbpasswd vs. tdbsam/ldapsam:

Description            smbpasswd   tdbsam/ldapsam
--------------------   ---------   --------------
Unix username          yes         yes
Unix UID               yes         no
LanManPassword (*)     can         can
NTPassword             yes         yes
NT username            no          yes
Account Flags          yes         yes
User SID               no          yes
Primary Group SID      no          yes
Full Name              no          yes
Home Directory         no          yes
Homedir Drive          no          yes
Logon script           no          yes
Profile Path           no          yes
Domain                 no          yes
Account Description    no          yes
Workstations           no          yes
Munged dial string     no          yes
Logon time             no          yes
Logoff time            no          yes
Password last set      yes (**)    yes
Password can change    no          yes
Password must change   no          yes
Last bad password      no          yes
Bad password count     no          yes
Logon hours            no          yes

Note (*): LanManPassword is obsoleted; it is needed only for Windows 9X
clients.

Note (**): The password last set info is represented as LCT time in
smbpasswd.

The information that can not be stored in smbpasswd can be generated
on-the-fly from smb.conf default settings, but it is not possible to
store these on a per-user basis.

> ------------
> What exactly is the above point? Is it the only limitation? Are
> there any other limitations? Please let me know if any other.

Please refer to Microsoft Windows NT4 knowledge-base resource to learn
more of why the tdbsam and ldapsam parameters are important.

> 2) Can we easily convert an existing smbpasswd file to the new format
> and allow system authentication to work uninterrupted?

The smbpasswd file can be migrated to the tdbsam/ldapsam formats by
executing:

pdbedit -i smbpasswd -e tdbsam
or
pdbedit -i smbpasswd -e ldapsam

The reverse is also possible.

- John T.
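
A pre-migration audit of the smbpasswd fields named in the comparison above, as an added example that is not part of the original thread or of Samba's code. It assumes the usual smbpasswd line layout `name:uid:LM:NT:[flags]:LCT-hex:`; the sample entries and hashes are constructed.

```python
import re
from datetime import datetime, timezone

HEX32 = re.compile(r"^[0-9A-Fa-f]{32}$")
LCT = re.compile(r"^LCT-([0-9A-Fa-f]{8})$")
FLAGS = {"U": "user", "D": "disabled", "N": "no-password",
         "W": "workstation-trust", "X": "no-expiry"}
NOHASH = "X" * 32                    # assumed placeholder for "hash not stored"
NOPW = "NO PASSWORD" + "X" * 21      # assumed marker for a passwordless account

# Constructed sample file; the hashes are made-up placeholders.
SAMPLE = f"""\
# constructed smbpasswd sample
alice:1001:0123456789ABCDEF0123456789ABCDEF:FEDCBA9876543210FEDCBA9876543210:[U          ]:LCT-4C2F3A00:
bob:1002:{NOHASH}:00112233445566778899AABBCCDDEEFF:[UX         ]:LCT-4C30ADB2:
carol:1003:{NOPW}:{NOPW}:[NU         ]:LCT-00000000:
line-without-enough-fields
"""

def parse_line(line):
    """Return a dict for one smbpasswd entry, or None for comments/malformed lines."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split(":")
    if len(parts) < 6:
        return None
    name, uid, lm, nt, flags, lct = parts[:6]
    if not uid.isdigit() or not (flags.startswith("[") and flags.endswith("]")):
        return None
    m = LCT.match(lct)  # "password last set", hex seconds since the epoch
    changed = datetime.fromtimestamp(int(m.group(1), 16), timezone.utc) if m else None
    return {
        "user": name, "uid": int(uid),
        "lm_hash_stored": bool(HEX32.match(lm)),
        "nt_hash_stored": bool(HEX32.match(nt)),
        "flags": sorted(FLAGS.get(c, c) for c in flags[1:-1] if c != " "),
        "password_last_set": changed,
    }

def audit(text):
    """Parse every entry and list accounts worth reviewing before migration."""
    entries = [e for e in map(parse_line, text.splitlines()) if e]
    findings = []
    for e in entries:
        if e["lm_hash_stored"]:
            findings.append((e["user"], "LanMan hash stored (only Windows 9X needs it)"))
        if "no-password" in e["flags"] or not e["nt_hash_stored"]:
            findings.append((e["user"], "no usable NT password"))
    return entries, findings

if __name__ == "__main__":
    for user, issue in audit(SAMPLE)[1]:
        print(f"{user}: {issue}")
```

The entry count it reports gives a number to compare against the account list after `pdbedit -i smbpasswd -e tdbsam` has run.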
