[Samba] LDAP, checkpwnam and PDC

Edmundo Valle Neto edmundo.valle at terra.com.br
Mon Dec 4 18:03:12 GMT 2006

If you dont want some users to be able to login using their posix 
accounts give to them a null shell, put /bin/false in the shell 
attribute. I dont know what distribution do you use or what is the 
default of idealx scripts, but in Debian, smbldap-tools (the packaged 
idealx scripts) does that by default. That way any access that requires 
a shell will not work for these users.


Edmundo Valle Neto

Ben Wheare escreveu:
> Hiya,
> I'm trying to set up a Samba PDC with an LDAP backend.
> I experienced problems joining machines to domains, the machine 
> account was created, but Windows said user name cannot be found.
> I resolved this by adding ldap to /etc/nsswitch.conf, but this has the 
> side effect of allowing ldap users to login to the server via SSH.
> Whilst I can understand the need for LDAP users to be accessible to 
> the system, i.e. checkpwnam etc for permisisons, I don't want users to 
> be able to login to anywhere except the client Windows 2000/XP boxes.
> People (only 3) who can login via SSH already have "real" user 
> accounts in /etc/passwd etc.
> Is there a way to stop this being allowed?
> Thanks.
> Ben

More information about the samba mailing list