PostgreSQL Password Database backend

Jelmer Vernooij, Samba Team <jelmer@samba.org>

Creating the Database
You can set up your own table and specify the field names to pdb_pgsql (see
PostgreSQL field names for PostgreSQL passdb backend for
the column names) or use the default table. The file
examples/pdb/pgsql/pgsql.dump contains the correct queries to
create the required tables. Use the command:
# psql -h hostname -U username -f /path/to/samba/examples/pdb/pgsql/pgsql.dump databasename

Configuring

This plug-in lacks some good documentation, but here is some brief information. Add the following to the
passdb backend variable in your smb.conf:
passdb backend = [other-plugins] pgsql:identifier [other-plugins]
The identifier can be any string you like, as long as it does not collide with
the identifiers of other plugins or other instances of pdb_pgsql. If you
specify multiple pdb_pgsql.so entries in passdb backend, you also need to
use different identifiers.
Additional options can be given through the smb.conf file in the [global] section.
Refer to Basic smb.conf Options for PostgreSQL passdb Backend.

Basic smb.conf Options for PostgreSQL passdb Backend

Field            Contents
pgsql host       Host name, defaults to `localhost'
pgsql password
pgsql user       Defaults to `samba'
pgsql database   Defaults to `samba'
pgsql port       Defaults to 5432
table            Name of the table containing the users

Since the password for the PostgreSQL user is stored in the smb.conf file, you should make the smb.conf file
readable only to the user who runs Samba. This is considered a security bug and will soon be fixed.
Names of the columns are given in PostgreSQL field names for PostgreSQL
passdb backend. The default column names can be found in the example table dump.

PostgreSQL field names for PostgreSQL passdb backend

Field                          Type           Contents
logon time column              int(9)         UNIX timestamp of last logon of user
logoff time column             int(9)         UNIX timestamp of last logoff of user
kickoff time column            int(9)         UNIX timestamp of moment user should be kicked off workstation (not enforced)
pass last set time column      int(9)         UNIX timestamp of moment password was last set
pass can change time column    int(9)         UNIX timestamp of moment from which password can be changed
pass must change time column   int(9)         UNIX timestamp of moment on which password must be changed
username column                varchar(255)   UNIX username
domain column                  varchar(255)   NT domain user belongs to
nt username column             varchar(255)   NT username
fullname column                varchar(255)   Full name of user
home dir column                varchar(255)   UNIX homedir path (equivalent of the logon home parameter)
dir drive column               varchar(2)     Directory drive path (e.g., H:)
logon script column            varchar(255)   Batch file to run on client side when logging on
profile path column            varchar(255)   Path of profile
acct desc column               varchar(255)   Some ASCII NT user data
workstations column            varchar(255)   Workstations user can logon to (or NULL for all)
unknown string column          varchar(255)   Unknown string
munged dial column             varchar(255)   Unknown
user sid column                varchar(255)   NT user SID
group sid column               varchar(255)   NT group SID
lanman pass column             varchar(255)   Encrypted lanman password
nt pass column                 varchar(255)   Encrypted nt passwd
plain pass column              varchar(255)   Plaintext password
acct ctrl column               int(9)         NT user data
unknown 3 column               int(9)         Unknown
logon divs column              int(9)         Unknown
hours len column               int(9)         Unknown
bad password count column      int(5)         Number of failed password tries before disabling an account
logon count column             int(5)         Number of logon attempts
unknown 6 column               int(9)         Unknown

You can put a colon (:) after the name of each column, followed by the name of
the column to update when the table is updated. If you specify nothing after the colon, the field data will not be updated. Setting a column name to NULL means the field should not be used.
An example configuration is shown in Example Configuration for the PostgreSQL passdb Backend.
Example Configuration for the PostgreSQL passdb Backend
[global]
passdb backend = pgsql:foo
foo:pgsql user = samba
foo:pgsql password = abmas
foo:pgsql database = samba
# domain name is static and can't be changed
foo:domain column = 'MYWORKGROUP':
# The fullname column comes from several other columns
foo:fullname column = firstname || ' ' || surname:
# Samba should never write to the password columns
foo:lanman pass column = lm_pass:
foo:nt pass column = nt_pass:
# The unknown 3 column is not stored
foo:unknown 3 column = NULL
Using Plaintext Passwords or Encrypted Password
The use of plaintext passwords is strongly discouraged; however, you can use them if you really want to.
If you would like to use plaintext passwords, set
`identifier:lanman pass column' and `identifier:nt pass column' to
`NULL' (without the quotes) and `identifier:plain pass column' to the
name of the column containing the plaintext passwords.
If you use encrypted passwords, set `identifier:plain pass column'
to `NULL' (without the quotes). This is the default.
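
As an added example (not part of the original documentation or of Samba's code), the following Python code applies three points from this page to an smb.conf excerpt: the colon rules for column settings, the warning about the database password stored in smb.conf, and the plaintext-password setting. The sample configuration and the column name `cleartext' are constructed, the function names are hypothetical, and two behaviours are assumptions: a setting without a colon is treated as read-write, and the update column is taken to follow the last colon.

```python
import stat

# Constructed sample in the style of the example configuration on this page.
SAMPLE_CONF = """\
[global]
passdb backend = pgsql:foo
foo:pgsql password = abmas
# domain name is static and can't be changed
foo:domain column = 'MYWORKGROUP':
foo:nt pass column = nt_pass:
foo:plain pass column = cleartext
foo:unknown 3 column = NULL
"""

def parse_options(text, identifier):
    """Collect 'identifier:option = value' lines into {option: value}."""
    opts = {}
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(("#", ";")) or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.startswith(identifier + ":"):
            opts[key[len(identifier) + 1:]] = value
    return opts

def column_mode(value):
    """Classify a column setting by the colon rules described on this page.
    Assumption: the update column follows the last colon in the value."""
    if value == "NULL":
        return "unused"
    if ":" not in value:
        return "read-write"  # assumption: same column is read and updated
    update = value.rsplit(":", 1)[1].strip()
    return "read, update " + update if update else "read-only"

def audit(text, identifier, file_mode):
    """Return (column modes, findings); file_mode is the st_mode of smb.conf."""
    opts = parse_options(text, identifier)
    modes = {k: column_mode(v) for k, v in opts.items() if k.endswith(" column")}
    findings = []
    if "pgsql password" in opts and file_mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("database password in a group/world-readable file")
    if modes.get("plain pass column", "unused") != "unused":
        findings.append("plaintext passwords enabled (plain pass column)")
    return modes, findings

if __name__ == "__main__":
    print(audit(SAMPLE_CONF, "foo", 0o100644))
```

For a real file, pass its contents and os.stat(path).st_mode as the text and file_mode arguments.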
Getting Non-Column Data from the Table
Not all of the data has to be stored in the database; some fields can be made "constant."
For example, you can set `identifier:fullname column' to
something like:
Firstname || ' ' || Surname
Or, set `identifier:workstations column' to:
NULL
See the PostgreSQL documentation for more language constructs.