PASSDB: local and domain accounts

Gerald Carter gcarter at
Wed Nov 15 16:10:28 GMT 2000

Simo Sorce wrote:
> > 4)
> >   o NT as a BDC replicates the domain SAM into a
> >     copy in the local sam
> >
> >   + Samba as a BDC should replicate the domain SAM
> >     into a copy in the local passdb storage
> BDC as PDC has only one local db (replicated from 
> PDC) why you put it in "security = domain" section and 
> not in "security = user" section?

A BDC should be configured by 

	security = domain
	domain logons = yes

You are in effect saying, I'm getting the accounts from 
a PDC.  And since I can authenticate domain logons, that
should make be a BDC.  (Or we need to come up with a better 
way of defining behavior)

The fact is that the BDC gets the entire SAM from 
the PDC and store a copy of it locally.

> > No you may be thinking to yourself, "but local
> > Samba accounts already exist in /etc/passwd.  You can
> > use those."  However, consider the unification of
Should be "synchronization"

> > passwords.  What if the Samba lanman/nt password is
> > different than /etc/passwd?  Also consider the case
> > of uid allocation upon demand for creating new local
> > accounts in samba.  These would never exist in
> > /etc/passwd.  Only as a uid in a Samba TDB.
> Hey, wait!
> You mean that local passdb and /etc/passwd will 
> be unallineated?

ok.  Think for a second.  Have I ever advocated the removal
of Samba's dependence on UNIX uids?  Nope.  :) btw...that 
proposal is being discussed on tng-technical right now
if anyone is interested.

> Generating local uid only in local passdb and not 
> in /etc/passwd may cause big troubles. How do you serve 
> files to users not present in /etc/passwd? what about 
> file permissions and ownership?

You do not need an entry in /etc/passwd per say.  Rather 
just a uid.  Think about for a second.  Have you ever
deleted an entry from /etc/passwd and later found files
that only showed up a uid in the output from '/bin/ls -l'?
Same principle.  

Take a look at the winbind implementation first.  Read the 
paper Tim and Andrew wrote on  Winbindd allows
you to define a range of uids and gids from which it can 
allocate as necessary for domain accounts.  This mapping
is stored in a TDB.

Since you as the sysadmin have defined the range to be used,
the only way you can have a conflict with an entry in 
/etc/passwd is if you do it yourself.

> What happen if a user created on /etc/passwd maps 
> to the same uid of an existent local passdb user will 
> the samba user be able to read /etc/passwd user files?

See above comments.

> I think that local passdb users should always be present 
> in local /etc/passwd (also through nis or other nss modules).

If my explanation above doesn't convinve you of my intent,
let me know and I'll try again.

> We should also define a configurable uid range to be 
> reserved on /etc/passwd to generate global users 
> mappings (for domain members) but I think 
> again nss_passdb+pam_winbind should be highly 
> recommended.

Huh?  Winbindd does this now.  I don't see your point.
You lost me.  Sorry. up on the current winbindd implementation
and let's talk again.

Cheers, jerry
   /\  Gerald (Jerry) Carter                     Professional Services
 \/  VA Linux Systems   gcarter at       SAMBA Team          jerry at                     jerry at

       "...a hundred billion castaways looking for a home."
                                - Sting "Message in a Bottle" ( 1979 )

More information about the samba-technical mailing list