MySQL Password Database backend

Jelmer Vernooij, Samba Team <jelmer@samba.org>

Creating the Database

You can set up your own table and specify the field names to pdb_mysql (see "MySQL field names for MySQL passdb backend" for the column names) or use the default table. The file examples/pdb/mysql/mysql.dump contains the correct queries to create the required tables. Use the command:

    # mysql -uusername -hhostname -ppassword \
        databasename < /path/to/samba/examples/pdb/mysql/mysql.dump

Configuring

This plug-in lacks some good documentation, but here is some brief information. Add the following to the passdb backend variable in your smb.conf:

    passdb backend = [other-plugins] mysql:identifier [other-plugins]

The identifier can be any string you like, as long as it does not collide with the identifiers of other plugins or other instances of pdb_mysql. If you specify multiple pdb_mysql.so entries in passdb backend, you also need to use different identifiers.

Additional options can be given through the smb.conf file in the [global] section. Refer to "Basic smb.conf Options for MySQL passdb Backend".

Basic smb.conf Options for MySQL passdb Backend

    Field             Contents
    mysql host        Host name, defaults to `localhost'
    mysql password
    mysql user        Defaults to `samba'
    mysql database    Defaults to `samba'
    mysql port        Defaults to 3306
    table             Name of the table containing the users

Since the password for the MySQL user is stored in the smb.conf file, you should make the smb.conf file readable only to the user who runs Samba. This is considered a security bug and will soon be fixed.

Names of the columns are given in "MySQL field names for MySQL passdb backend". The default column names can be found in the example table dump.

MySQL field names for MySQL passdb backend

    Field                         Type          Contents
    logon time column             int(9)        UNIX timestamp of last logon of user
    logoff time column            int(9)        UNIX timestamp of last logoff of user
    kickoff time column           int(9)        UNIX timestamp of moment user should be kicked off workstation (not enforced)
    pass last set time column     int(9)        UNIX timestamp of moment password was last set
    pass can change time column   int(9)        UNIX timestamp of moment from which password can be changed
    pass must change time column  int(9)        UNIX timestamp of moment on which password must be changed
    username column               varchar(255)  UNIX username
    domain column                 varchar(255)  NT domain user belongs to
    nt username column            varchar(255)  NT username
    fullname column               varchar(255)  Full name of user
    home dir column               varchar(255)  UNIX homedir path (equivalent of the logon home parameter)
    dir drive column              varchar(2)    Directory drive path (e.g., H:)
    logon script column           varchar(255)  Batch file to run on client side when logging on
    profile path column           varchar(255)  Path of profile
    acct desc column              varchar(255)  Some ASCII NT user data
    workstations column           varchar(255)  Workstations user can logon to (or NULL for all)
    unknown string column         varchar(255)  Unknown string
    munged dial column            varchar(255)  Unknown
    user sid column               varchar(255)  NT user SID
    group sid column              varchar(255)  NT group SID
    lanman pass column            varchar(255)  Encrypted lanman password
    nt pass column                varchar(255)  Encrypted nt passwd
    plain pass column             varchar(255)  Plaintext password
    acct ctrl column              int(9)        NT user data
    unknown 3 column              int(9)        Unknown
    logon divs column             int(9)        Unknown
    hours len column              int(9)        Unknown
    bad password count column     int(5)        Number of failed password tries before disabling an account
    logon count column            int(5)        Number of logon attempts
    unknown 6 column              int(9)        Unknown

After the name of each column you can put a colon (:) followed by the name of the column to update when the table is updated. You can also specify nothing after the colon, in which case the field data will not be updated. Setting a column name to NULL means the field should not be used.

An example configuration is shown in "Example Configuration for the MySQL passdb Backend".

Example Configuration for the MySQL passdb Backend

    [global]
    passdb backend = mysql:foo
    foo:mysql user = samba
    foo:mysql password = abmas
    foo:mysql database = samba
    # domain name is static and can't be changed
    foo:domain column = 'MYWORKGROUP':
    # The fullname column comes from several other columns
    foo:fullname column = CONCAT(firstname,' ',surname):
    # Samba should never write to the password columns
    foo:lanman pass column = lm_pass:
    foo:nt pass column = nt_pass:
    # The unknown 3 column is not stored
    foo:unknown 3 column = NULL

Using Plaintext Passwords or Encrypted Password

The use of plaintext passwords is strongly discouraged; however, you can use them if you really want to.

If you would like to use plaintext passwords, set `identifier:lanman pass column' and `identifier:nt pass column' to `NULL' (without the quotes) and `identifier:plain pass column' to the name of the column containing the plaintext passwords.

If you use encrypted passwords, set `identifier:plain pass column' to `NULL' (without the quotes). This is the default.
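
The two cautions above (an smb.conf that holds the MySQL password must be readable only by the user who runs Samba, and `identifier:plain pass column' should stay NULL) can be checked mechanically. The following is an added example, not part of the Samba documentation or source. Its parser handles only simple `name = value' lines in [global] and is not Samba's own; the sample file and the column name cleartext_pw are constructed.

```python
import os
import re
import stat
import tempfile

SAMPLE = """\
[global]
passdb backend = mysql:foo
foo:mysql password = abmas
foo:plain pass column = cleartext_pw
"""  # constructed sample; identifier and password as in the page's example

def parse_global(text):
    """Return the [global] options as {normalised name: value}."""
    opts, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line and line[0] not in "#;":
            key, value = line.split("=", 1)
            opts[" ".join(key.lower().split())] = value.strip()
    return opts

def audit(path):
    """List findings for each pdb_mysql instance in the smb.conf at path."""
    with open(path) as fh:
        opts = parse_global(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = []
    for ident in re.findall(r"\bmysql:(\S+)", opts.get("passdb backend", "").lower()):
        # Password in the file: nobody but the owner may have any access.
        if f"{ident}:mysql password" in opts and mode & 0o077:
            findings.append(f"{ident}: MySQL password in file with mode {mode:04o}")
        # Anything other than NULL (the default) enables plaintext passwords.
        plain = opts.get(f"{ident}:plain pass column", "NULL")
        if plain.split(":")[0].strip().upper() != "NULL":
            findings.append(f"{ident}: plaintext passwords in column {plain}")
    return findings

def audit_sample(mode, text=SAMPLE):
    """Write text to a temporary smb.conf with the given mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "smb.conf")
        with open(path, "w") as fh:
            fh.write(text)
        os.chmod(path, mode)
        return audit(path)
```

To check a live system, call audit() with the path of the real smb.conf; the file's owner is not checked and should be verified separately.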

Getting Non-Column Data from the Table

Not all data has to be stored in the database; some fields can be made "constant." For example, you can set `identifier:fullname column' to something like:

    CONCAT(Firstname,' ',Surname)

Or, set `identifier:workstations column' to:

    NULL

See the MySQL documentation for more language constructs.