[Samba] Newbie Authentication Questions

Andrew Bartlett abartlet at samba.org
Thu Oct 9 03:29:29 GMT 2003

On Wed, Oct 08, 2003 at 11:11:45PM -0400, Bill Robinson wrote:
> Quoting John H Terpstra <jht at samba.org>:
> > 
> > Bill,
> > 
> > Have you looked at the Samba-HOWTO-Collection.pdf that ships with
> > Samba-3.0.0?
> > 
> > The chapter "Account Information Databases" answers your questions. Please
> > let me know specifically what has not been well enough explained. What
> > needs to be better documented?
> Well - the beginning of that section says:
> "Samba-3 does not support Non-UNIX Account (NUA) operation for user accounts. 
> Samba-3 does support NUA operation for machine accounts."  
> So I guess that's possibly half of my problem solved.  

This is incorrect.  We don't support NUA for anything.  It was an experiment,
which was removed before release.

> I gather that even w/ tdbsam, mysqlsam or xmlsam the /etc/passwd entries are 
> still required for user accounts, but it seems that xmlsam is not a functional 
> backend.  
> So it seems that the only way to do away w/ having Samba accts (users, 
> machines) in /etc/passwd is to use ldap authentication for both Samba as well 
> as the OS itself.  Maybe I'm missing something?  

Correct.  Even then, you need POSIX entries somewhere - but LDAP allows that 
somewhere to be other than the /etc/passwd file.

> Basically what I'm looking for is a way to have a unix box provide the NT 
> Domain service to a group (uh domain) of NT/2k servers, but have all the 
> authentication/accts/etc be completely self-contained in that service, and have 
> no correlation to the OS authentication/accts/etc - which I guess is the NUA 
> capability. 

The problem is, what UID should act on the filesystem - when reading/writing 
profiles, the netlogon share etc.

> So maybe my question should be when will NUA be ready?

It will not be.  Even when it existed, it 'used' the uids that algorithmically
mapped to those RIDs were mapping to.  Only when we lose posix (like Samba4
might allow) may we get to lose the need for 'unix' backing for all accounts.

Even machines may 'own' files, so we can't really have 'non unix' accounts.

That doesn't mean that the accounts must be in /etc/passwd - they can be in
LDAP, or winbind can create them inside a TDB.  But they must exist.

What NUA was really about was IDMAP - and the separation and careful merging
of unix and NT identities.  This is an ongoing project. 

Andrew Bartlett
