10.5.1 Users Cannot Logon

"I've installed Samba, but now I can't log on with my UNIX account!"

Make sure your user has been added to the current Samba passdb backend. See Section 10.3 for details.

10.5.2 Users Being Added to the Wrong Backend Database

A few complaints have been received from users that just moved to Samba-3. The following smb.conf file entries were causing problems: new accounts were being added to the old smbpasswd file, not to the tdbsam passdb.tdb file:

    ...
    passdb backend = smbpasswd, tdbsam
    ...

Samba adds new accounts to the first entry listed in the passdb backend parameter. If you want to update to tdbsam, change the entry to:

    passdb backend = tdbsam, smbpasswd

10.5.3 Configuration of auth methods

When explicitly setting an auth methods parameter, guest must be specified as the first entry on the line, for example:

    auth methods = guest sam

This is the exact opposite of the requirement for the passdb backend option, where guest must be the LAST entry on the line.

Table 10.1. Attributes in the sambaSamAccount objectclass (LDAP), Part A

sambaLMPassword | The LANMAN password 16-byte hash stored as a character representation of a hexadecimal string.
sambaNTPassword | The NT password 16-byte hash stored as a character representation of a hexadecimal string.
sambaPwdLastSet | The integer time in seconds since 1970 when the sambaLMPassword and sambaNTPassword attributes were last set.
sambaAcctFlags | String of 11 characters surrounded by square brackets [] representing account flags such as U (user), W (workstation), X (no password expiration), I (Domain trust account), H (Home dir required), S (Server trust account), and D (disabled).
sambaLogonTime | Integer value, currently unused.
sambaLogoffTime | Integer value, currently unused.
sambaKickoffTime | Specifies the time (UNIX time format) when the user will be locked down and cannot log in any longer. If this attribute is omitted, the account will never expire. Using this attribute together with 'shadowExpire' of the 'shadowAccount' objectClass enables accounts to expire completely on an exact date.
sambaPwdCanChange | Specifies the time (UNIX time format) from which the user is allowed to change his password. If this attribute is not set, the user will be free to change his password whenever he wants.
sambaPwdMustChange | Specifies the time (UNIX time format) from which the user is forced to change his password. If this value is set to '0', the user will have to change his password at first login. If this attribute is not set, the password will never expire.
sambaHomeDrive | Specifies the drive letter to which to map the UNC path specified by sambaHomePath. The drive letter must be specified in the form "X:" where X is the letter of the drive to map. Refer to the "logon drive" parameter in the smb.conf(5) man page for more information.
sambaLogonScript | Specifies the path of the user's logon script (.CMD, .EXE, or .BAT file). The string can be null. The path is relative to the netlogon share. Refer to the logon script parameter in the smb.conf man page for more information.
sambaProfilePath | Specifies a path to the user's profile. This value can be a null string, a local absolute path, or a UNC path. Refer to the logon path parameter in the smb.conf man page for more information.
sambaHomePath | Specifies the path of the home directory for the user. The string can be null. If sambaHomeDrive is set and specifies a drive letter, sambaHomePath should be a UNC path. The path must be a network UNC path of the form \\server\share\directory. Refer to the logon home parameter in the smb.conf man page for more information.

Table 10.2. Attributes in the sambaSamAccount objectclass (LDAP), Part B

sambaUserWorkstations | A comma-separated list of machines on which the user is allowed to log in. You may observe problems when you try to connect to a Samba Domain Member. Because Domain Members are not in this list, the Domain Controllers will reject them. Where this attribute is omitted, the default implies no restrictions.
sambaSID | The security identifier (SID) of the user. The Windows equivalent of UNIX UIDs.
sambaPrimaryGroupSID | The security identifier (SID) of the primary group of the user.
sambaDomainName | Domain the user is part of.

Table 10.3. Possible ldap passwd sync values

Value | Description
yes | When the user changes his password, update ntPassword, lmPassword and the password fields.
no | Only update ntPassword and lmPassword.
only | Only update the LDAP password and let the LDAP server worry about the other fields. This option is only available on some LDAP servers: only when the LDAP server supports LDAP_EXOP_X_MODIFY_PASSWD.

Table 10.4. Basic smb.conf options for MySQL passdb backend

Field | Contents
mysql host | Host name, defaults to 'localhost'
mysql password |
mysql user | Defaults to 'samba'
mysql database | Defaults to 'samba'
mysql port | Defaults to 3306
table | Name of the table containing the users

Table 10.5. MySQL field names for MySQL passdb backend

Field | Type | Contents
logon time column | int(9) | UNIX time stamp of last logon of user
logoff time column | int(9) | UNIX time stamp of last logoff of user
kickoff time column | int(9) | UNIX time stamp of moment user should be kicked off workstation (not enforced)
pass last set time column | int(9) | UNIX time stamp of moment password was last set
pass can change time column | int(9) | UNIX time stamp of moment from which password can be changed
pass must change time column | int(9) | UNIX time stamp of moment on which password must be changed
username column | varchar(255) | UNIX username
domain column | varchar(255) | NT domain user belongs to
nt username column | varchar(255) | NT username
fullname column | varchar(255) | Full name of user
home dir column | varchar(255) | UNIX homedir path
dir drive column | varchar(2) | Directory drive path (e.g., "H:")
logon script column | varchar(255) | Batch file to run on client side when logging on
profile path column | varchar(255) | Path of profile
acct desc column | varchar(255) | Some ASCII NT user data
workstations column | varchar(255) | Workstations user can logon to (or NULL for all)
unknown string column | varchar(255) | Unknown string
munged dial column | varchar(255) | Unknown
user sid column | varchar(255) | NT user SID
group sid column | varchar(255) | NT group SID
lanman pass column | varchar(255) | Encrypted lanman password
nt pass column | varchar(255) | Encrypted nt passwd
plain pass column | varchar(255) | Plaintext password
acct ctrl column | int(9) | NT user data
unknown 3 column | int(9) | Unknown
logon divs column | int(9) | Unknown
hours len column | int(9) | Unknown
bad password count column | int(5) | Number of failed password tries before disabling an account
logon count column | int(5) | Number of logon attempts
unknown 6 column | int(9) | Unknown
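
The ordering rules from Sections 10.5.2 and 10.5.3 can be checked mechanically before a configuration is deployed. The following is an added example, not part of the original HOWTO or of Samba: the function names, the sample configurations and the simplified parser (no backslash line continuation, no quoted backend arguments) are assumptions made for illustration.

```python
# Constructed sample: the problem entry from Section 10.5.2 plus a
# misordered "auth methods" line (Section 10.5.3).
SAMPLE = """\
[global]
    workgroup = EXAMPLE
    passdb backend = smbpasswd, tdbsam
    auth methods = sam guest
"""

# Constructed sample with both orderings corrected.
FIXED = """\
[global]
    passdb backend = tdbsam, smbpasswd, guest
    auth methods = guest sam
"""

def global_params(text):
    """Collect [global] parameters; a later setting overrides an earlier one."""
    params, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "global" and "=" in line:
            key, value = line.split("=", 1)
            params[" ".join(key.lower().split())] = value.strip()
    return params

def entries(value):
    """Split a list on commas or spaces and drop any ':location' suffix."""
    return [e.split(":", 1)[0].lower() for e in value.replace(",", " ").split()]

def lint(text, wanted="tdbsam"):
    """Return findings for the ordering problems described in 10.5.2 and 10.5.3."""
    params, findings = global_params(text), []
    backends = entries(params.get("passdb backend", ""))
    # New accounts are added to the FIRST passdb backend entry.
    if wanted in backends and backends[0] != wanted:
        findings.append("new accounts go to %s, not %s" % (backends[0], wanted))
    # In passdb backend, guest must be the LAST entry.
    if "guest" in backends and backends[-1] != "guest":
        findings.append("passdb backend: guest must be the last entry")
    # In an explicit auth methods line, guest must be the FIRST entry.
    methods = entries(params.get("auth methods", ""))
    if methods and methods[0] != "guest":
        findings.append("auth methods: guest must be the first entry")
    return findings
```
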
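
The sambaAcctFlags string and the time attributes in Tables 10.1 and 10.2 determine whether an account is disabled, expired, or unrestricted, so they are worth reviewing across a directory. The following is an added example, not part of the original HOWTO or of Samba: the function names, the finding texts and the sample entries (plain dictionaries standing in for LDAP search results) are assumptions made for illustration.

```python
# Flag letters listed for sambaAcctFlags in Table 10.1.
FLAGS = {"U": "user", "W": "workstation", "X": "no password expiration",
         "I": "domain trust account", "H": "home dir required",
         "S": "server trust account", "D": "disabled"}

def parse_acct_flags(value):
    """Return the set of flag letters inside a '[...]' sambaAcctFlags string."""
    if len(value) < 2 or value[0] != "[" or value[-1] != "]":
        raise ValueError("sambaAcctFlags must be enclosed in []: %r" % value)
    return set(value[1:-1].replace(" ", ""))

def audit(entry, now):
    """entry maps attribute names to strings; omitted attributes are absent keys.
    now is the reference time in seconds since 1970."""
    out = []
    flags = parse_acct_flags(entry.get("sambaAcctFlags", "[]"))
    if "D" in flags:
        out.append("account disabled")
    if "X" in flags:
        out.append("flag X: no password expiration")
    for letter in sorted(flags - set(FLAGS)):
        out.append("flag %s is not described in Table 10.1" % letter)
    kickoff = entry.get("sambaKickoffTime")
    if kickoff is None:
        out.append("no sambaKickoffTime: account never expires")
    elif int(kickoff) <= now:
        out.append("sambaKickoffTime passed: logon no longer allowed")
    must = entry.get("sambaPwdMustChange")
    if must is None:
        out.append("no sambaPwdMustChange: password never expires")
    elif int(must) == 0:
        out.append("password change required at first login")
    elif int(must) <= now:
        out.append("password change is being forced")
    if "sambaUserWorkstations" not in entry:
        out.append("no sambaUserWorkstations: logon allowed from any machine")
    return out

# Constructed sample data; the flag field is padded to 11 characters.
NOW = 1100000000
ALICE = {"sambaAcctFlags": "[" + "UX".ljust(11) + "]",
         "sambaPwdMustChange": "0", "sambaUserWorkstations": "ws1,ws2"}
BOB = {"sambaAcctFlags": "[" + "U".ljust(11) + "]",
       "sambaKickoffTime": "1000000000", "sambaPwdMustChange": "1200000000"}

if __name__ == "__main__":
    for name, entry in (("alice", ALICE), ("bob", BOB)):
        for finding in audit(entry, NOW):
            print(name + ": " + finding)
```
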