[Samba] LDAP, checkpwnam and PDC
Matt Skerritt
matt.skerritt at agrav.net
Tue Dec 5 00:03:48 GMT 2006
On 05/12/2006, at 4:28 AM, Ben Wheare wrote:
> Hiya,
>
> I'm trying to set up a Samba PDC with an LDAP backend.
> I experienced problems joining machines to domains, the machine
> account was created, but Windows said user name cannot be found.
> I resolved this by adding ldap to /etc/nsswitch.conf, but this has
> the side effect of allowing ldap users to login to the server via SSH.
> Whilst I can understand the need for LDAP users to be accessible to
> the system, i.e. checkpwnam etc for permissions, I don't want users
> to be able to login to anywhere except the client Windows 2000/XP
> boxes.
>
> People (only 3) who can login via SSH already have "real" user
> accounts in /etc/passwd etc.
Do these people have multiple user accounts? (one for samba and one
for their "real" one?) ... I would consider it a bad idea to do so
(IMHO).
> Is there a way to stop this being allowed?
The way I achieve this (since in my setup I'm the only person who is
allowed to log into the linux boxes) is to make sure all other users
have no password entry in the ldap database (note: they have the
samba password entries, just not the posix one), and to make sure
their home folder is /dev/null and their login shell is /bin/false.
I think there's also probably a shadow option that disables the
posix account (haven't checked yet) - since my method may be able to
be bypassed by a user executing a given command at the ssh command
line - actually I'll look into that as soon as I get into work today.
I'm not sure if doing that would actually prevent samba from using
the account for SMB purposes.
--
Matt Skerritt
matt.skerritt at agrav.net
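The reply above relies on Samba-only accounts carrying a non-login shell such as /bin/false. The script below is an added example, not code from either poster: it audits the account list the system actually sees (on a live host `getent passwd`, which merges /etc/passwd with the ldap source added to nsswitch.conf) and reports every non-system account outside an allow list whose shell could still start an interactive session. The allow list, the set of non-login shells and the passwd-format sample lines are constructed for the demonstration; the "no POSIX password" half of the method is not visible in the passwd map and would need the shadow map checked separately.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread. It audits the
# accounts the system can see (on a live box: `getent passwd`, which merges
# /etc/passwd with the ldap NSS source) and reports any account that could
# still get an interactive session, i.e. whose shell is not a non-login
# shell. This is the check side of the approach in the reply above
# (Samba-only accounts get /bin/false as their shell).

# Shells that refuse an interactive session (list is an assumption; extend
# it to match the distribution's nologin path).
NOLOGIN_SHELLS="/bin/false /sbin/nologin /usr/sbin/nologin"

# Accounts legitimately allowed to log in over SSH (constructed value).
ALLOWED_USERS="mskerritt"

# Constructed passwd-format lines standing in for `getent passwd` output.
# 'misconfig' is the case to catch: an LDAP user left with a real shell.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
mskerritt:x:1000:1000:Matt:/home/mskerritt:/bin/bash
winonly1:*:1001:1001:Windows only:/dev/null:/bin/false
misconfig:*:1002:1002:Forgot shell:/home/misconfig:/bin/bash'

# Returns 0 when the shell given as $1 cannot start a login session.
is_nologin_shell() {
    for s in $NOLOGIN_SHELLS; do
        [ "$1" = "$s" ] && return 0
    done
    return 1
}

# audit_login_shells "user1 user2" < passwd-lines
# Prints "user:shell" for every non-system account (uid >= 1000) that is not
# in the allow list and has a login-capable shell. Returns 1 if any was
# found, 0 if the listing is clean.
audit_login_shells() {
    allowed="$1"
    found=0
    while IFS=: read -r user _pw uid _gid _gecos _home shell; do
        [ -z "$user" ] && continue
        # system accounts below uid 1000 are out of scope for this check
        [ "$uid" -lt 1000 ] && continue
        case " $allowed " in
            *" $user "*) continue ;;
        esac
        if ! is_nologin_shell "$shell"; then
            printf '%s:%s\n' "$user" "$shell"
            found=1
        fi
    done
    [ "$found" -eq 0 ]
}

# Audit the constructed sample with the constructed allow list.
audit_sample() {
    printf '%s\n' "$SAMPLE_PASSWD" | audit_login_shells "$ALLOWED_USERS"
}

# On a real host replace the sample with the NSS-merged view:
#   getent passwd | audit_login_shells "$ALLOWED_USERS"
if audit_sample; then
    echo "clean: no unexpected login-capable accounts"
else
    echo "review the accounts listed above"
fi
```

Run against the sample, only `misconfig:/bin/bash` is reported: root is a system account, `mskerritt` is on the allow list, and `winonly1` already has /bin/false. Running it periodically from cron against `getent passwd` catches LDAP accounts that were created or edited without the non-login shell.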