MySQL Password Database backend
Jelmer Vernooij, Samba Team <jelmer@samba.org>

Creating the Database
You can set up your own table and specify the field names to pdb_mysql (see
MySQL field names for MySQL passdb backend for
the column names) or use the default table. The file
examples/pdb/mysql/mysql.dump contains the correct queries to
create the required tables. Use the command:
# mysql -uusername -hhostname -ppassword \
databasename < /path/to/samba/examples/pdb/mysql/mysql.dump

Configuring

This plug-in lacks some good documentation, but here is some brief information. Add the following to the
passdb backend variable in your smb.conf:
passdb backend = [other-plugins] mysql:identifier [other-plugins]
The identifier can be any string you like, as long as it does not collide with
the identifiers of other plugins or other instances of pdb_mysql. If you
specify multiple pdb_mysql.so entries in passdb backend, you also need to
use different identifiers.
Additional options can be given through the smb.conf file in the [global] section.
Refer to Basic smb.conf Options for MySQL passdb Backend.
Basic smb.conf Options for MySQL passdb Backend

Field            Contents
mysql host       Host name, defaults to `localhost'
mysql password
mysql user       Defaults to `samba'
mysql database   Defaults to `samba'
mysql port       Defaults to 3306
table            Name of the table containing the users

Since the password for the MySQL user is stored in the smb.conf file, you should make the smb.conf file
readable only to the user who runs Samba. This is considered a security bug and will soon be fixed.
Names of the columns are given in MySQL field names for MySQL
passdb backend. The default column names can be found in the example table dump.
MySQL field names for MySQL passdb backend

Field                         Type          Contents
logon time column             int(9)        UNIX timestamp of last logon of user
logoff time column            int(9)        UNIX timestamp of last logoff of user
kickoff time column           int(9)        UNIX timestamp of moment user should be kicked off workstation (not enforced)
pass last set time column     int(9)        UNIX timestamp of moment password was last set
pass can change time column   int(9)        UNIX timestamp of moment from which password can be changed
pass must change time column  int(9)        UNIX timestamp of moment on which password must be changed
username column               varchar(255)  UNIX username
domain column                 varchar(255)  NT domain user belongs to
nt username column            varchar(255)  NT username
fullname column               varchar(255)  Full name of user
home dir column               varchar(255)  UNIX homedir path (equivalent of the logon home parameter)
dir drive column              varchar(2)    Directory drive path (e.g., H:)
logon script column           varchar(255)  Batch file to run on client side when logging on
profile path column           varchar(255)  Path of profile
acct desc column              varchar(255)  Some ASCII NT user data
workstations column           varchar(255)  Workstations user can logon to (or NULL for all)
unknown string column         varchar(255)  Unknown string
munged dial column            varchar(255)  Unknown
user sid column               varchar(255)  NT user SID
group sid column              varchar(255)  NT group SID
lanman pass column            varchar(255)  Encrypted lanman password
nt pass column                varchar(255)  Encrypted nt passwd
plain pass column             varchar(255)  Plaintext password
acct ctrl column              int(9)        NT user data
unknown 3 column              int(9)        Unknown
logon divs column             int(9)        Unknown
hours len column              int(9)        Unknown
bad password count column     int(5)        Number of failed password tries before disabling an account
logon count column            int(5)        Number of logon attempts
unknown 6 column              int(9)        Unknown

You can put a colon (:) after the name of each column, followed by the name of
the column to update when updating the table. You can also specify nothing after the colon, in which case the field data will not be updated. Setting a column name to NULL means the field should not be used.
An example configuration is shown in Example Configuration for the MySQL passdb Backend.
Example Configuration for the MySQL passdb Backend
[global]
passdb backend = mysql:foo
foo:mysql user = samba
foo:mysql password = abmas
foo:mysql database = samba
# domain name is static and can't be changed
foo:domain column = 'MYWORKGROUP':
# The fullname column comes from several other columns
foo:fullname column = CONCAT(firstname,' ',surname):
# Samba should never write to the password columns
foo:lanman pass column = lm_pass:
foo:nt pass column = nt_pass:
# The unknown 3 column is not stored
foo:unknown 3 column = NULL
Using Plaintext Passwords or Encrypted Password
The use of plaintext passwords is strongly discouraged; however, you can use them if you really want to.
If you would like to use plaintext passwords, set
`identifier:lanman pass column' and `identifier:nt pass column' to
`NULL' (without the quotes) and `identifier:plain pass column' to the
name of the column containing the plaintext passwords.
If you use encrypted passwords, set `identifier:plain pass column' to
`NULL' (without the quotes). This is the default.
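
The column syntax, the smb.conf permission advice and the plaintext setting described above can be checked together. The following is an added example, not part of the Samba distribution: the function names, the sample text and the column name `cleartext' are constructed for illustration, and splitting a column value at its last colon is an assumption about how the value is read.

```python
import re
import stat

# Matches "identifier:option = value" lines such as "foo:mysql password = abmas".
OPTION_RE = re.compile(r"^\s*([^:#;=\s][^:=]*):([^=]+?)\s*=\s*(.*?)\s*$")

# Constructed sample input, modelled on the example configuration above.
# The column name "cleartext" is hypothetical.
SAMPLE = """\
[global]
passdb backend = mysql:foo
foo:mysql user = samba
foo:mysql password = abmas
foo:fullname column = CONCAT(firstname,' ',surname):
foo:nt pass column = nt_pass:
foo:plain pass column = cleartext
foo:unknown 3 column = NULL
"""

def parse_column(value):
    """Split a column setting into (read_expression, update_column)."""
    if value == "NULL":
        return (None, None)              # field is not used at all
    if ":" not in value:
        return (value, value)            # same column is read and updated
    # Assumption: the last colon separates the read expression from the update column.
    read_expr, _, update = value.rpartition(":")
    return (read_expr, update or None)   # nothing after the colon: never updated

def audit(conf_text, file_mode):
    """Return findings for pdb_mysql settings, given smb.conf text and its mode bits."""
    findings = []
    for line in conf_text.splitlines():
        m = OPTION_RE.match(line)
        if not m:
            continue
        ident, option, value = m.group(1), m.group(2).strip(), m.group(3)
        if option == "mysql password" and file_mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append(f"{ident}: mysql password readable by group or others")
        if option == "plain pass column" and parse_column(value)[0] is not None:
            findings.append(f"{ident}: plaintext passwords enabled ({value})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE, 0o644):
        print(finding)
```

On a live system, pass the contents of smb.conf and the st_mode value returned by os.stat() for that file.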
Getting Non-Column Data from the Table
Not all of the data has to be stored in the database; some fields can be made "constant."
For example, you can set `identifier:fullname column' to
something like CONCAT(Firstname,' ',Surname)
Or, set `identifier:workstations column' to:
NULL.
See the MySQL documentation for more language constructs.