筆記：smbpasswd 與 pdbedit

http://us1.samba.org/samba/docs/man/Samba-HOWTO-Collection/passdb.html

Account Management Tools

Samba provides two tools for management of user and machine accounts: smbpasswd and pdbedit.

The pdbedit can be used to manage account policies in addition to Samba user account information. The policy management capability is used to administer domain default settings for password aging and management controls to handle failed login attempts.

Some people are confused when reference is made to smbpasswd because the name refers to a storage mechanism for SambaSAMAccount information, but it is also the name of a utility tool. That tool is destined to eventually be replaced by new functionality that is being added to the net toolset.

The smbpasswd Tool

The smbpasswd utility is similar to the passwd and yppasswd programs. It maintains the two 32 byte password fields in the passdb backend. This utility operates independently of the actual account and password storage methods used (as specified by the passdb backend in the smb.conf file).

smbpasswd works in a client-server mode where it contacts the local smbd to change the user's password on its behalf. This has enormous benefits.

smbpasswd has the capability to change passwords on Windows NT servers (this only works when the request is sent to the NT PDC if changing an NT domain user's password).

smbpasswd can be used to:

* add user or machine accounts.
* delete user or machine accounts.
* enable user or machine accounts.
* disable user or machine accounts.
* set to NULL user passwords.
* manage interdomain trust accounts.

To run smbpasswd as a normal user, just type:

$ smbpasswd
Old SMB password: secret

For secret, type the old value here or press return if there is no old password.

New SMB Password: new secret
Repeat New SMB Password: new secret

If the old value does not match the current value stored for that user, or the two new values do not match each other, then the password will not be changed.

When invoked by an ordinary user, the command will allow only the user to change his or her own SMB password.

When run by root, smbpasswd may take an optional argument specifying the username whose SMB password you wish to change. When run as root, smbpasswd does not prompt for or check the old password value, thus allowing root to set passwords for users who have forgotten their passwords.

smbpasswd is designed to work in the way familiar to UNIX users who use the passwd or yppasswd commands. While designed for administrative use, this tool provides essential user-level password change capabilities.

For more details on using smbpasswd, refer to the man page (the definitive reference).

The pdbedit Tool

pdbedit is a tool that can be used only by root. It is used to manage the passdb backend, as well as domain-wide account policy settings. pdbedit can be used to:

* add, remove, or modify user accounts.
* list user accounts.
* migrate user accounts.
* migrate group accounts.
* manage account policies.
* manage domain access policy settings.

Under the terms of the Sarbanes-Oxley Act of 2002, American businesses and organizations are mandated to implement a series of internal controls and procedures to communicate, store, and protect financial data. The Sarbanes-Oxley Act has far reaching implications in respect of:

1. Who has access to information systems that store financial data.
2. How personal and financial information is treated among employees and business partners.
3. How security vulnerabilities are managed.
4. Security and patch level maintenance for all information systems.
5. How information systems changes are documented and tracked.
6. How information access controls are implemented and managed.
7. Auditability of all information systems in respect of change and security.
8. Disciplinary procedures and controls to ensure privacy.

In short, the Sarbanes-Oxley Act of 2002 is an instrument that enforces accountability in respect of business related information systems so as to ensure the compliance of all information systems that are used to store personal information and particularly for financial records processing. Similar accountabilities are being demanded around the world.

The need to be familiar with the Samba tools and facilities that permit information systems operation in compliance with government laws and regulations is clear to all. The pdbedit is currently the only Samba tool that provides the capacity to manage account and systems access controls and policies. During the remaining life-cycle of the Samba-3 series it is possible the new tools may be implemented to aid in this important area.