smbpasswd: Encrypted Password Database
Traditionally, when configuring
encrypt passwords = yes
smb.conf file, user account information such as username, LM/NT password hashes,
password change times, and account flags have been stored in the
file. There are several disadvantages to this approach for sites with large numbers of users
(counted in the thousands).
The first problem is that all lookups must be performed sequentially. Given that
there are approximately two lookups per domain logon (one during intial logon validation
and one for a session connection setup, such as when mapping a network drive or printer), this
is a performance bottleneck for large sites. What is needed is an indexed approach
such as that used in databases.
The second problem is that administrators who desire to replicate an smbpasswd file
to more than one Samba server are left to use external tools such as
and write custom,
Finally, the amount of information that is stored in an smbpasswd entry leaves
no room for additional attributes such as a home directory, password expiration time,
or even a relative identifier (RID).
As a result of these deficiencies, a more robust means of storing user attributes
used by smbd was developed. The API that defines access to user accounts
is commonly referred to as the samdb interface (previously, this was called the passdb
API and is still so named in the Samba source code trees).
Samba provides an enhanced set of passdb backends that overcome the deficiencies
of the smbpasswd plaintext database. These are tdbsam and ldapsam.
Of these, ldapsam will be of most interest to large corporate or enterprise sites.