[Samba] samba password server without Unix users?

Dominique Petitpierre Dominique.Petitpierre at adm.unige.ch
Fri Jan 28 16:20:33 GMT 2005


Hello,

I am setting up a samba server that will be used only for
password checking. It is configured with the ldapsam backend.

- is there a way to configure samba to not check the existence of
users on the underlying Unix OS?

I mean, the search performed in the LDAP server provides all the
useful passwd information that is available with getpwnam(), namely:
uid uidNumber gidNumber homeDirectory.  The existence of a
corresponding Unix user is only important on the client samba servers
that will provide data (shares, home, etc).

Here is the LDAP search performed by samba when checking a password:

  SRCH base="dc=unige,dc=ch" \
       scope=2 \
       filter="(&(uid=test)(objectClass=sambaSamAccount))" \
       attrs="uid uidNumber gidNumber homeDirectory sambaPwdLastSet \
              sambaPwdCanChange sambaPwdMustChange sambaLogonTime \
              sambaLogoffTime sambaKickoffTime cn displayName \
              sambaHomeDrive sambaHomePath sambaLogonScript \
              sambaProfilePath description sambaUserWorkstations \
              sambaSID sambaPrimaryGroupSID sambaLMPassword \
              sambaNTPassword sambaDomainName objectClass \
              sambaAcctFlags sambamungeddial sambabadpasswordcount \
              sambabadpasswordtime sambapasswordhistory \
              modifyTimestamp sambalogonhours modifyTimestamp"

To make the password checking work, I had to configure nss_ldap, which
causes the following LDAP search:

  SRCH base="dc=unige,dc=ch" \
       scope=2 \
       filter="(&(objectClass=posixAccount)(uid=test))" \
       attrs="uid userPassword uidNumber gidNumber cn homeDirectory \
              loginShell gecos description objectClass"

If nss_ldap is not configured, samba complains with the debug
message:
   User test in passdb, but getpwnam() fails!


It would be nice to avoid that useless secondary LDAP search
(and the trouble of configuring nss_ldap).

Best regards,

-- 
Mr Dominique Petitpierre       Email: User at Domain
Division Informatique                 User=Dominique.Petitpierre
University of Geneva                  Domain=adm.unige.ch
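
To see from the directory server's side how often a password check is followed by the second, NSS-driven search described in the post, the two filters can be correlated in the LDAP access log. This is an added example, not part of the original post and not Samba code; it assumes OpenLDAP-style `SRCH` log lines, and the sample log (timestamps, connection numbers, and the users other than `test`) is constructed.

```python
import re
from collections import Counter

# Constructed sample in OpenLDAP access-log style; only the two filter
# shapes and the base DN are taken from the post.
SAMPLE_LOG = """\
Jan 28 16:20:01 ldap slapd[812]: conn=41 op=1 SRCH base="dc=unige,dc=ch" scope=2 deref=0 filter="(&(uid=test)(objectClass=sambaSamAccount))"
Jan 28 16:20:01 ldap slapd[812]: conn=57 op=3 SRCH base="dc=unige,dc=ch" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=test))"
Jan 28 16:20:09 ldap slapd[812]: conn=41 op=2 SRCH base="dc=unige,dc=ch" scope=2 deref=0 filter="(&(uid=alice)(objectClass=sambaSamAccount))"
Jan 28 16:20:09 ldap slapd[812]: conn=57 op=4 SRCH base="dc=unige,dc=ch" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=alice))"
Jan 28 16:21:30 ldap slapd[812]: conn=41 op=3 SRCH base="dc=unige,dc=ch" scope=2 deref=0 filter="(&(uid=ghost)(objectClass=sambaSamAccount))"
Jan 28 16:22:00 ldap slapd[812]: conn=60 op=1 SRCH base="dc=unige,dc=ch" scope=2 deref=0 filter="(&(objectClass=posixAccount)(uid=bob))"
"""

FILTER_RE = re.compile(r'SRCH .*?filter="(?P<filter>[^"]*)"')
UID_RE = re.compile(r'\(uid=(?P<uid>[^)]*)\)')

def classify(line):
    """Return ('passdb'|'nss', uid) for the two search shapes, else None."""
    m = FILTER_RE.search(line)
    uid = UID_RE.search(m.group("filter")) if m else None
    if not uid:
        return None
    flt = m.group("filter").lower()
    if "(objectclass=sambasamaccount)" in flt:
        return ("passdb", uid.group("uid"))   # ldapsam lookup
    if "(objectclass=posixaccount)" in flt:
        return ("nss", uid.group("uid"))      # getpwnam() via nss_ldap
    return None

def correlate(log_text):
    """Pair each passdb search with the next NSS search for the same uid."""
    pending = Counter()
    result = {"paired": [], "nss_only": []}
    for line in log_text.splitlines():
        hit = classify(line)
        if hit is None:
            continue
        kind, uid = hit
        if kind == "passdb":
            pending[uid] += 1
        elif pending[uid] > 0:            # secondary search after a passdb hit
            pending[uid] -= 1
            result["paired"].append(uid)
        else:                             # NSS lookup unrelated to a password check
            result["nss_only"].append(uid)
    # passdb searches with no NSS search behind them in this log
    result["passdb_only"] = sorted(u for u, n in pending.items() if n > 0)
    return result

if __name__ == "__main__":
    print(correlate(SAMPLE_LOG))
```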

