[Samba] LDAP, checkpwnam and PDC

Matt Skerritt matt.skerritt at agrav.net
Tue Dec 5 00:03:48 GMT 2006

On 05/12/2006, at 4:28 AM, Ben Wheare wrote:

> Hiya,
> I'm trying to set up a Samba PDC with an LDAP backend.
> I experienced problems joining machines to domains, the machine  
> account was created, but Windows said user name cannot be found.
> I resolved this by adding ldap to /etc/nsswitch.conf, but this has  
> the side effect of allowing ldap users to login to the server via SSH.
> Whilst I can understand the need for LDAP users to be accessible to  
> the system, i.e. checkpwnam etc for permisisons, I don't want users  
> to be able to login to anywhere except the client Windows 2000/XP  
> boxes.
> People (only 3) who can login via SSH already have "real" user  
> accounts in /etc/passwd etc.

Do these people have multiple user accounts? (one for samba and one  
for their "real" one?) ... I would consider it a bad idea to do so  

> Is there a way to stop this being allowed?

The way I achieve this (since in my setup I'm the only person who is  
allowed to log into the linux boxes) is to make sure all other users  
have no password entry in the ldap database (note: they have the  
samba passowrd entries, just not the posix one), and to make sure  
their home folder is /dev/null and their login shell is /bin/false.

I think if there's also probably a shadow option that disables the  
posix account (haven't checked yet) - since my method may be able to  
be  bypassed by a user executing a given command at the ssh command  
line - actually I'll look into that as soon as I get into work today.  
I'm not sure if doing that would actually prevent samba from using  
the account for SMB purposes.

Matt Skerritt
matt.skerritt at agrav.net

More information about the samba mailing list