[Samba] Samba PDC + LDAP without local Unix accounts?

Adam Tauno Williams awilliam at whitemice.org
Thu Jan 20 03:05:56 GMT 2005

> We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy
> NT4 PDC. Our goal is to use LDAP to centralize all user information and
> authentication on the network. To that end, we've set up Samba to use LDAP for
> authentication of all the Windows users. This is working, but Samba seems to
> require that all Windows account have a matching Unix account as well.


> This would be fine, except that all of the user profile directories and Samba
> shares are hosted on a separate machine, making the Unix accounts superfluous.
> (As far as I know.) If at all possible, we'd like to avoid having to maintain
> user accounts on both the LDAP server and the Samba PDC. I had entertained the
> idea of using an LDAP PAM module simulate the Unix accounts, but this is
> looking more and more like the wrong way to go about it as PAM seems tied
> strictly to authentication and Samba already handles that part.

Your confusing PAM and NSS.

> So to summarize, I'd like to know if a Samba PDC can be authenticate users via
> an LDAP backand without having to contain local Unix accounts for those users
> as well. 

You need to have a 'Unix' account;  but your using LDAP, so it doesn't
need to be 'local'.

> I confess to not being a Windows or Samba guru, but I have read a lot
> of documentation and none of it has shed any light on this particular problem.
> If there's an easy and obvious way to do this, it has eluded me.

NSS, you probably don't need PAM.

More information about the samba mailing list