diff --git a/docs/Samba3-ByExample/SBE-preface.xml b/docs/Samba3-ByExample/SBE-preface.xml
index 787e6ece208..d9d9cb94926 100644
--- a/docs/Samba3-ByExample/SBE-preface.xml
+++ b/docs/Samba3-ByExample/SBE-preface.xml
@@ -551,7 +551,33 @@
avoid Samba configuration options that will weigh the server down. MS distributed file
services to make your network fly and much more. This chapter contains a good deal of
Did I tell you about this...? type of hints to help keep your name on the top
- performers list. (John, should there be entries for Chapter 14 and Apps A & C ???????)
+ performers list.
+
+
+
+
+
+ Chapter 14 &smbmdash; Samba Support.
+
+ This chapter has been added specifically to help those who are seeking professional
+ paid support for Samba. The critics of Open Source Software often assert that
+ there is no support for free software. Some critics argue that free software
+ undermines the service that proprietary commercial software vendors depend on.
+ This chapter explains what are the support options for Samba and the fact that
+ a growing number of businesses make money by providing commercial paid-for
+ Samba support.
+
+
+
+
+
+ Appendix A &smbmdash; A Collection of Useful Tid-bits.
+
+ Sometimes it seems that there is not a good place for certain odds and ends that
+ impact Samba deployment. Some readers would argue that everyone can be expected
+ to know this information, or at least be able to find it easily. So to avoid
+ offending a reader's sensitivities, the tid-bits have been placed in this Appendix.
+ Do check out the contents, you may find something of value among the loose ends.
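Review bot: the editorial query removed on the `-` line asked about entries for Chapter 14 and Appendices A and C, but the added text supplies only the Chapter 14 and Appendix A summaries; either add an Appendix C entry here or state in the commit that it is intentionally omitted, otherwise the preface still has the gap the query was flagging.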
diff --git a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
index 5d2607f885c..4ff0e842de0 100644
--- a/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
+++ b/docs/Samba3-HOWTO/TOSHARG-Passdb.xml
@@ -902,7 +902,7 @@ is being added to the net toolset (see
- The pdbedit Utility
+ The pdbedit ToolpdbeditUser Management
+ account policyUser AccountsAdding/Deletingpdbedit is a tool that can be used only by root. It is used to
- manage the passdb backend. pdbedit can be used to:
+ manage the passdb backend, as well as domain-wide account policy settings. pdbedit
+ can be used to:
add, remove, or modify user accounts.list user accounts.migrate user accounts.
+ migrate group accounts.
+ manage account policies.
+ manage domain access policy settings.
- Domain global policy controls available include:
+ Sarbanes-Oxley
+ Under the terms of the Sarbanes-Oxley Act of 2002, American businessies and organizations are mandated to
+ implement a series of internal controls and procedures to communicate, store,
+ and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of:
-
- Maximum Password Age
- Minimum Password Age
- Mimimum Password Length
- Password Uniqueness (remembers number of prior passwords)
- Account Lockout
- Bad Logon Attempts
- Lockout Reset Delay
- Lockout Duration
-
+
+ Who has access to information systems that store financial data.
+ How personal and finacial information is treated among employees and business
+ partners.
+ How security vulnerabilities are managed.
+ Security and patch level maintenance for all information systems.
+ How information systems changes are documented and tracked.
+ How information access controls are implemented and managed.
+ Auditability of all information systems in respect of change and security.
+ Disciplinary procedures and controls to ensure privacy.
+
+
+
+ accountability
+ compliance
+ In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of
+ business related information systems so as to ensure the compliance of all information systems that
+ are used to store personal information and particularly for financial records processing. Similar
+ accountabilities are being demanded around the world.
+
+
+
+ laws
+ regulations
+ pdbedit
+ access controls
+ manage accounts
+ The need to be familiar with the Samba tools and facilities that permit information systems operation
+ in compliance with government laws and regulations is clear to all. The pdbedit is
+ currently the only Samba tool that provides the capacity to manage account and systems access controls
+ and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may
+ be implemented to aid in this important area.
+
+
+
+ Domain global policy controls available in Windows NT4 compared with Samba
+ is shown in NT4 Domain v's Samba Policy Controls.
+
+
+
+ NT4 Domain v's Samba Policy Controls
+
+
+
+
+
+
+
+
+ NT4 policy Name
+ Samba Policy Name
+ NT4 Range
+ Samba Range
+ Samba Default
+
+
+
+
+ Maximum Password Age
+ maximum password age
+ 0 - 999 (days)
+ 0 - 4294967295 (sec)
+ 4294967295
+
+
+ Minimum Password Age
+ minimum password age
+ 0 - 999 (days)
+ 0 - 4294967295 (sec)
+ 0
+
+
+ Mimimum Password Length
+ min password length
+ 1 - 14 (Chars)
+ 0 - 4294967295 (Chars)
+ 5
+
+
+ Password Uniqueness
+ password history
+ 0 - 23 (#)
+ 0 - 4294967295 (#)
+ 0
+
+
+ Account Lockout - Reset count after
+ reset count minutes
+ 1 - 99998 (min)
+ 0 - 4294967295 (min)
+ 30
+
+
+ Lockout after bad logon attempts
+ bad lockout attempt
+ 0 - 998 (#)
+ 0 - 4294967295 (#)
+ 0
+
+
+ *** Not Known ***
+ disconnect time
+ TBA
+ 0 - 4294967295
+ 0
+
+
+ Lockout Duration
+ lockout duration
+ 1 - 99998 (min)
+ 0 - 4294967295 (min)
+ 30
+
+
+ Users must log on in order to change password
+ user must logon to change password
+ 0/1
+ 0 - 4294967295
+ 0
+
+
+ *** Registry Setting ***
+ refuse machine password change
+ 0/1
+ 0 - 4294967295
+ 0
+
+
+
+
pdbedit
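Review bot: the new policy table carries the `Mimimum Password Length` misspelling over from the deleted list, and the placeholder cells `*** Not Known ***` and `TBA` in the `disconnect time` row should be resolved (or the row dropped) before this ships, since the table is presented as a reference. Spelling in the new prose: `businessies` -> `businesses`, `finacial` -> `financial`, `v's` -> `vs.` in both the sentence and the table title, and `The pdbedit is currently the only Samba tool` reads better as `pdbedit is currently the only Samba tool`. The `Samba Range` column gives seconds for the two password-age policies but minutes for the lockout settings; that unit difference deserves a sentence in the text, because `pdbedit -C` takes the raw value and an administrator reading the NT4 column will expect days.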
@@ -1053,17 +1181,47 @@ is being added to the net toolset (see XML password backend section of this chapter.
+
+ User Account Management
+
-tdbsam
- The following is an example of the user account information that is stored in
- a tdbsam password backend. This listing was produced by running:
+pdbedit
+smbpasswd
+system accounts
+user account
+domain user manager
+add user script
+interface scripts
+ The pdbedit tool, like the smbpasswd tool, requires
+ that a POSIX user account already exists in the UNIX/Linux system accounts database (backend).
+ Neither tool will call out to the operating system to create a user account because this is
+ considered to be the responsibility of the system administrator. When the Windows NT4 domain
+ user manager is used to add an account, Samba will implement the add user script
+ (as well as the other interface scripts) to ensure that user, group and machine accounts are
+ correctly created and changed. The use of the pdbedit tool does not
+ make use of these interface scripts.
+
+pdbedit
+POSIX account
+ Before attempting to use the pdbedit tool to manage user and machine
+ accounts, make certain that a system (POSIX) account has already been created.
+
+
+
+ Listing User and Machine Accounts
+
+
+tdbsam
+password backend
+ The following is an example of the user account information that is stored in
+ a tdbsam password backend. This listing was produced by running:
&prompt;pdbedit -Lv met
UNIX username: met
-NT username:
-Account Flags: [UX ]
+NT username: met
+Account Flags: [U ]
User SID: S-1-5-21-1449123459-1407424037-3116680435-2004
Primary Group SID: S-1-5-21-1449123459-1407424037-3116680435-1201
Full Name: Melissa E Terpstra
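Review bot: the two new paragraphs before the listing both state that a POSIX account must exist before pdbedit is used; the first already makes the point, so the second could be reduced to the one-line warning it appears intended to be. Minor: `user, group and machine accounts` drops the serial comma used elsewhere in this hunk (`add, remove, or modify`).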
@@ -1082,6 +1240,272 @@ Password last set: Sat, 14 Dec 2002 14:37:03 GMT
Password can change: Sat, 14 Dec 2002 14:37:03 GMT
Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+
+
+
+smbpasswd format
+ Accounts can also be listed in the older smbpasswd format:
+
+&rootprompt;pdbedit -Lw
+root:0:84B0D8E14D158FF8417EAF50CFAC29C3:
+ AF6DD3FD4E2EA8BDE1695A3F05EFBF52:[U ]:LCT-42681AB8:
+jht:1000:6BBC4159020A52741486235A2333E4D2:
+ CC099521AD554A3C3CF2556274DBCFBC:[U ]:LCT-40D75B5B:
+rcg:1002:E95D4331A6F23AF8AAD3B435B51404EE:
+ BB0F2C39B04CA6100F0E535DF8314B43:[U ]:LCT-40D7C5A3:
+afw:1003:1AAFA7F9F6DC1DEAAAD3B435B51404EE:
+ CE92C2F9471594CDC4E7860CA6BC62DB:[T ]:LCT-40DA501F:
+met:1004:A2848CB7E076B435AAD3B435B51404EE:
+ F25F5D3405085C555236B80B7B22C0D2:[U ]:LCT-4244FAB8:
+aurora$:1005:060DE593EA638B8ACC4A19F14D2FF2BB:
+ 060DE593EA638B8ACC4A19F14D2FF2BB:[W ]:LCT-4173E5CC:
+temptation$:1006:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ A96703C014E404E33D4049F706C45EE9:[W ]:LCT-42BF0C57:
+vaioboss$:1001:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:
+ 88A30A095160072784C88F811E89F98A:[W ]:LCT-41C3878D:
+frodo$:1008:15891DC6B843ECA41249940C814E316B:
+ B68EADCCD18E17503D3DAD3E6B0B9A75:[W ]:LCT-42B7979F:
+marvel$:1011:BF709959C3C94E0B3958B7B84A3BB6F3:
+ C610EFE9A385A3E8AA46ADFD576E6881:[W ]:LCT-40F07A4
+
+
+
+
+
+
+ Adding User Accounts
+
+
+pdbedit
+add a user account
+standalone server
+domain
+SambaSAMAccount
+ The pdbedit can be used to add a user account to a standalone server
+ or to a domain. In the example shown here the account for the user vlaan
+ has been created before attempting to add the SambaSAMAccount.
+
+&rootprompt; pdbedit -a vlaan
+new password: secretpw
+retype new password: secretpw
+Unix username: vlaan
+NT username: vlaan
+Account Flags: [U ]
+User SID: S-1-5-21-726309263-4128913605-1168186429-3014
+Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513
+Full Name: Victor Laan
+Home Directory: \\frodo\vlaan
+HomeDir Drive: H:
+Logon Script: scripts\logon.bat
+Profile Path: \\frodo\profiles\vlaan
+Domain: &example.workgroup;
+Account desc: Guest User
+Workstations:
+Munged dial:
+Logon time: 0
+Logoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Kickoff time: Mon, 18 Jan 2038 20:14:07 GMT
+Password last set: Wed, 29 Jun 2005 19:35:12 GMT
+Password can change: Wed, 29 Jun 2005 19:35:12 GMT
+Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+Last bad password : 0
+Bad password count : 0
+Logon hours : FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+
+
+
+
+
+
+ Deleting Accounts
+
+
+account deleted
+SambaSAMAccount
+pdbedit
+passdb backend
+ An account can be deleted from the SambaSAMAccount database
+
+&rootprompt; pdbedit -x vlaan
+
+ The account is removed without further screen output. The account is removed only from the
+ SambaSAMAccount (passdb backend) database, it is not removed from the UNIX account backend.
+
+
+
+delete user script
+pdbedit
+ The use of the NT4 domain user manager to delete an account will trigger the delete user
+ script, but not the pdbedit tool.
+
+
+
+
+
+ Changing User Accounts
+
+
+pdbedit
+ Refer to the pdbedit man page for a full synopsis of all operations
+ that are available with this tool.
+
+
+
+pdbedit
+ An example of a simple change in the user account information is the change of the full name
+ information shown here:
+
+&rootprompt; pdbedit -r --fullname="Victor Aluicious Laan" vlaan
+...
+Primary Group SID: S-1-5-21-726309263-4128913605-1168186429-513
+Full Name: Victor Aluicious Laan
+Home Directory: \\frodo\vlaan
+...
+
+
+
+
+grace time
+password expired
+expired password
+ Let us assume for a moment that a user's password has expired and the user is unable to
+ change the password at this time. It may be necessary to give the user additional grace time
+ so that it is possible to continue to work with the account and the original password. This
+ demonstrates how the password expiration settings may be updated
+
+&rootprompt; pdbedit -Lv vlaan
+...
+Password last set: Sun, 09 Sep 2001 22:21:40 GMT
+Password can change: Thu, 03 Jan 2002 15:08:35 GMT
+Password must change: Thu, 03 Jan 2002 15:08:35 GMT
+Last bad password : Thu, 03 Jan 2002 15:08:35 GMT
+Bad password count : 2
+...
+
+bad logon attempts
+lock the account
+ The user has recorded 2 bad logon attempts and the next will lock the account, but the
+ password is also expired. Here is how this account can be reset:
+
+&rootprompt; pdbedit -z vlaan
+...
+Password last set: Sun, 09 Sep 2001 22:21:40 GMT
+Password can change: Thu, 03 Jan 2002 15:08:35 GMT
+Password must change: Thu, 03 Jan 2002 15:08:35 GMT
+Last bad password : 0
+Bad password count : 0
+...
+
+ The Password must change: parameter can be reset like this:
+
+&rootprompt; pdbedit --pwd-must-change-time=1200000000 vlaan
+...
+Password last set: Sun, 09 Sep 2001 22:21:40 GMT
+Password can change: Thu, 03 Jan 2002 15:08:35 GMT
+Password must change: Thu, 10 Jan 2008 14:20:00 GMT
+...
+
+ Another way to use this tools is to set the date like this:
+
+&rootprompt; pdbedit --pwd-must-change-time="2010-01-01" \
+ --time-format="%Y-%m-%d" vlaan
+...
+Password last set: Sun, 09 Sep 2001 22:21:40 GMT
+Password can change: Thu, 03 Jan 2002 15:08:35 GMT
+Password must change: Fri, 01 Jan 2010 00:00:00 GMT
+...
+
+strptime
+time format
+ Refer to the strptime man page for specific time format information.
+
+
+
+pdbedit
+SambaSAMAccount
+ Please refer to the pdbedit man page for further information relating to SambaSAMAccount
+ management.
+
+
+
+
+
+ Domain Account Policy Managment
+
+
+domain account access policies
+access policies
+ To view the domain account access policies that may be configured execute:
+
+&rootprompt; pdbedit -P ?
+No account policy by that name
+Account policy names are :
+min password length
+password history
+user must logon to change password
+maximum password age
+minimum password age
+lockout duration
+reset count minutes
+bad lockout attempt
+disconnect time
+refuse machine password change
+
+
+
+
+ Commands will be executed to establish controls for our domain as follows:
+
+
+
+ min password length = 8 characters.
+ password history = last 4 passwords.
+ maximum password age = 90 days.
+ minimum password age = 7 days.
+ bad lockout attempt = 8 bad logon attempts.
+ lockout duration = forever, account must be manually reenabled.
+
+
+
+ The following command execution will achieve these settings:
+
+&rootprompt; pdbedit -P "min password length" -C 8
+account policy value for min password length was 5
+account policy value for min password length is now 8
+&rootprompt; pdbedit -P "password history" -C 4
+account policy value for password history was 0
+account policy value for password history is now 4
+&rootprompt; pdbedit -P "maximum password age" -C 90
+account policy value for maximum password age was 4294967295
+account policy value for maximum password age is now 90
+&rootprompt; pdbedit -P "minimum password age" -C 7
+account policy value for minimum password age was 0
+account policy value for minimum password age is now 7
+&rootprompt; pdbedit -P "bad lockout attempt" -C 8
+account policy value for bad lockout attempt was 0
+account policy value for bad lockout attempt is now 8
+&rootprompt; pdbedit -P "lockout duration" -C -1
+account policy value for lockout duration was 30
+account policy value for lockout duration is now 4294967295
+
+
+
+
+To set the maximum (infinite) lockout time use the value of -1.
+
+
+
+Account policies must be set individually on each PDC and BDC. At this time (Samba 3.0.11 to Samba 3.0.14a)
+account policies are not replicated automatically. This may be fixed before Samba 3.0.20 ships or some
+time there after.
+
+
+
+
+
+
+
+ Account Migrationpdbedit
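Review bot: the worked policy example sets `maximum password age` and `minimum password age` with `-C 90` and `-C 7` while the list above says 90 days and 7 days, but the policy table added earlier in this patch gives the Samba range for both in seconds, and the command output itself shows the previous maximum as 4294967295 (sec); either the intended values are 7776000 and 604800, or the prose should say seconds. Second, the `pdbedit -Lw` listing prints LM and NT hashes for most accounts; two entries are already masked with `XXXX...`, so mask the remaining ones the same way (these hashes are password-equivalent credentials even in sample output), and the final `LCT-40F07A4` is one hex digit short of the other entries. Spelling and wording: `Managment` in the section title, `this tools` -> `this tool`, `some time there after` -> `some time thereafter`, and the sentence `An account can be deleted from the SambaSAMAccount database` before the `pdbedit -x` example is missing its closing `as follows:`.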
@@ -1113,6 +1537,7 @@ Password must change: Mon, 18 Jan 2038 20:14:07 GMT
+