[Samba] Newbie Authentication Questions

John H Terpstra jht at samba.org
Thu Oct 9 03:30:33 GMT 2003


On Wed, 8 Oct 2003, Bill Robinson wrote:

> Quoting John H Terpstra <jht at samba.org>:
>
> >
> > Bill,
> >
> > Have you looked at the Samba-HOWTO-Collection.pdf that ships with
> > Samba-3.0.0?
> >
> > The chapter "Account Information Databases" answers your questions. Please
> > let me know specifically what has not been well enough explained. What
> > needs to be better documented?
>
>
> Well - the beginning of that section says:
>
> "Samba-3 does not support Non-UNIX Account (NUA) operation for user accounts.
> Samba-3 does support NUA operation for machine accounts."
> So I guess that's possibly half of my problem solved.
>
> I gather that even w/ tdbsam, mysqlsam or xmlsam the /etc/passwd entries are
> still required for user accounts, but it seems that xmlsam is not a functional
> backend.
>
> So it seems that the only way to do away w/ having Samba accts (users,
> machines) in /etc/passwd is to use ldap authentication for both Samba as well
> as the OS itself.  Maybe I'm missing something?
>
> Basically what I'm looking for is a way to have a unix box provide the NT
> Domain service to a group (uh domain) of NT/2k servers, but have all the
> authentication/accts/etc be completely self-contained in that service, and have
> no correlation to the OS authentication/accts/etc - which I guess is the NUA
> capability.
>
> So maybe my question should be when will NUA be ready?

The bottom line is that NUA did not happen for user accounts and it is
hardly useable for machine accounts. My advice is do not use the NUA
facility because when we re-introduce it what is there will most likely
not be compatible with the new mechanisms. At least if you have machine
accounts in your password back end (eg: /etc/passwd) there will be a
mechanism to migrate them to a new system.

- John T.
-- 
John H Terpstra
Email: jht at samba.org


