[Samba] passdb requires /etc/passwd entry?

Jonathan Johnson jon at sutinen.com
Tue Aug 10 14:59:14 GMT 2004


Apologies if this has already been answered, but I'd like to share my
understanding, in too many words.

The reason that the user must exist in a user database (such as
/etc/passwd) accessible to the underlying system (such as Linux) is
that in order to read and set permissions on the files, Linux -- and
any other file sharing protocols, such as SMB, AppleTalk, XFS, NFS,
NDS, etc. -- must know the user's login ID. Because the permissions are
set in the filesystem, not an abstract access control list by the
second-level software (such as Samba), the user must be identifiable to
any software which may request access. Therefore, it is up to the
kernel to control this access, and it needs to have a way to verify
that the user is indeed a valid user.

With Samba, traditionally there have been two user databases: the Samba
password database (smbpasswd) which Samba uses for authentication, and
the unix password database (/etc/passwd and its brothers, /etc/shadow
and /etc/group). The reason that Samba can't use /etc/passwd is because
/etc/passwd has no facility for storing SIDs and GIDs. This however
does not prevent the unix kernel from using an authentication facility
that does store this information.

It is very possible now to configure both Samba and unix to
authenticate against the same LDAP directory server, along with your
mail server, your secure web server, your virtual private network, your
building security system, your telephone, and your photocopier,
achieving the holy grail of "single sign-on." I will leave the
implementation of this as an exercise for the reader.

--Jon Johnson
Sutinen Consulting, Inc.
jon at sutinen.com
(360) 270-9317 cell
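
An added example, not from either poster, of the lookup Jon describes above: a small POSIX shell pre-flight that checks whether each username from a user list resolves to a Unix account the way the getpwnam(3) call behind the pdb_init_sam_new() check in Cal's question would. getent(1) walks the same NSS sources, so an account served by LDAP or winbind counts, not only one in /etc/passwd. The sample passwd data, the names alice, bob, carol and dave, and the function names unix_account_exists and missing_users are constructed for this example.

```shell
#!/bin/sh
# Pre-flight check before adding users to Samba's passdb: does each name
# resolve to a Unix account? Samba resolves the name with getpwnam(3), which,
# like getent(1), consults every NSS source (files, ldap, winbind, ...). The
# account therefore need not live in /etc/passwd literally; it must be visible
# through NSS on the Samba host.

# Constructed sample passwd-format data so the script runs offline; the real
# check uses getent when no file argument is given.
SAMPLE_PASSWD=$(mktemp)
trap 'rm -f "$SAMPLE_PASSWD"' EXIT
cat > "$SAMPLE_PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/sh
alice:x:10001:10001:Alice Example:/home/alice:/bin/sh
bob:x:10002:10002:Bob Example:/home/bob:/bin/sh
EOF

# unix_account_exists NAME [FILE]
# Exit 0 if NAME resolves. Without FILE, ask NSS via getent(1); with FILE,
# read a passwd-format file (used here for the offline sample).
unix_account_exists() {
    name=$1
    src=$2
    if [ -z "$src" ]; then
        getent passwd "$name" >/dev/null 2>&1
    else
        awk -F: -v u="$name" '$1 == u { found = 1 } END { exit !found }' "$src"
    fi
}

# missing_users FILE NAME...
# Print the names that do not resolve, space separated, on one line.
# Exit 0 if none are missing, 1 otherwise.
missing_users() {
    src=$1
    shift
    missing=""
    for u in "$@"; do
        unix_account_exists "$u" "$src" || missing="$missing${missing:+ }$u"
    done
    printf '%s\n' "$missing"
    [ -z "$missing" ]
}

# Demo over the constructed sample: alice and bob resolve, carol and dave do not.
unresolved=$(missing_users "$SAMPLE_PASSWD" alice bob carol dave) || true
if [ -n "$unresolved" ]; then
    echo "no Unix account (smbpasswd -a / pam_smbpass would refuse): $unresolved"
else
    echo "all names resolve through NSS"
fi
```

Run missing_users against the real user export before a migration and it reports which names the passdb backend will reject without touching the passdb at all; drop the file argument to query NSS on the Samba host itself, which is the check that matters when the accounts come from LDAP or winbind rather than /etc/passwd.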


On Tue, 27 Jul 2004, Cal Heldenbrand wrote:

> Greetings everyone,
> 
> I have a question about the smbpasswd encrypted
> database and /etc/passwd --  why does the passdb
> backend require an entry in /etc/passwd?  Is it
> possible to create samba encrypted users without a
> /etc/passwd entry?
> 
> I have a samba PDC setup that is mainly just a login
> server, then a separate server for $HOME's.  I have
> all of my PAM configs setup to remotely authenticate
> to another server with 8000+ users, then pam_smbpass
> migrates passwords to the PDC.  The HOME server
> automatically creates $HOME directories, and uses
> winbind for UID mappings against my PDC.
> 
> The problem is the password migration in smbpass won't
> work without an /etc/passwd entry, and I don't want to
> potentially have to add 8000 users from a constantly
> changing database.
> 
> Is there any workaround for this?
> 
> I've noticed in the source that the check for this is
> done in passdb/passdb.c approx line 947
> 
> if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass,
> user_name, 0)))
> 
> But this is in the function local_password_change() --
> If this is modifying the smbpasswd database, why would
> it need to check /etc/passwd?  Is this just a sanity
> check, or do I have my samba configs incorrect?
> 
> Call me naive, but could I just comment out this
> section of code and see what happens?
> 
> Thanks for any help in advance,
> 
> --Cal Heldenbrand
> 