43.3. Managing Samba Users
As mentioned in the introduction, the SMB protocol uses a password encryption format that is incompatible with the standard UNIX format. This was not originally a problem, as old versions of Windows (95 and earlier) sent unencrypted passwords to SMB servers. This allowed Samba to encrypt and verify them against the UNIX password list, just like the FTP or telnet servers do. Unfortunately, recent Windows releases will only send passwords in the new NTLM encrypted format unless a particular obscure registry key is changed. Samba must now maintain a separate list of passwords to validate modern clients.
Unless your server is only going to be accessed by old Windows hosts or Linux systems, you will need to enable this separate encrypted password list. To do this, complete the following steps:
1. | |
2. | On the form that appears, change the Use encrypted passwords? field to Yes. |
3. | Click Save at the bottom of the form to return to the main page and activate the new setting. If it did not appear before, the Encrypted Passwords section containing three links should be visible now. |
Now that Samba's separate password list is enabled, you will need to add some of your existing UNIX users to it. This can be done easily using Webmin by following these steps:
1. | |
2. | The Don't convert or remove these users field lists users that will be excluded from conversion, and, by default, contains all system accounts. You may want to add others; however, there is no harm in converting accounts that will never be used. |
3. | If you have used this form before, the Update existing Samba users from their UNIX details option can be checked to have existing Samba users updated to match the corresponding UNIX users. |
4. | Similarly, the Delete Samba users who do not exist under UNIX can be checked to see if it is set to delete Samba users who no longer have a corresponding UNIX user. |
5. | The For newly created users, set the password to field determines the password that will be assigned, as there is no way to convert the users' existing passwords. The best choice is Account locked, which prevents the converted users from being used until a password is later set. You can also choose No password to leave new accounts password-less (a bad idea in terms of security), or Use this password to specify a password for all converted users. |
6. |
After conversion, you will probably need to set passwords for the new Samba users. This must be done one-by-one, by following these instructions for each user:
1. | On the module's main page, click on the Edit Samba users and passwords link to bring up a list of existing users. |
2. | Click on the name of the user whose password you want to set. |
3. | In the Password field, select the New password option and fill in the text box next to it. You can also choose No access to block all Samba logins by this user, No password to allow logins without a password, or Current password to leave the password unchanged. |
4. | None of the other fields on the form should be changed—just hit the Save button to return to the user list. |
5. | You should now be able to log in to your Samba server as this user with the chosen password and access files in some share. Assuming that the special homes share exists, every user will have access to share with the same name as his username. |
Because converting and setting the password for each new user is a tiresome waste of effort, you can configure the module to automatically create a Samba user for each UNIX user created in Webmin. It is also possible to have a Samba user renamed, deleted, or his password changed when the corresponding UNIX user is changed in the Users and Groups module. To set up this synchronization, follow these steps:
1. | Click on the Configure automatic UNIX and Samba user synchronization link in the Encrypted Passwords section of the Samba module's main page. |
2. | Check the Add a Samba user when a UNIX user is added on the synchronization form to have a Samba user created with the right UID and password for each new UNIX user. |
3. | Check the Change the Samba user when a UNIX user is changed box to make sure the corresponding Samba user is renamed or his password changed when a UNIX user is modified. |
4. | Check the Delete the Samba user when a UNIX user is deleted to have Webmin remove the matching Samba user when a UNIX user is removed. |
5. | Click the Apply button to save your settings. Any actions performed in the Users and Groups module (when the in other modules options are used) will effect the Samba user list as well. |
Unfortunately, this synchronization only applies to the Users and Groups, Change Passwords, and Cluster Users and Groups modules in Webmin. If you add a user at the command (like with adduser) or change a password with the passwd command, no Samba user will be added or updated.