[Samba] Avoiding local unix accounts with "force user". Is that
a.nazarenko at gmail.com
Tue Sep 19 13:01:39 GMT 2006
> Yes, configure your nsswitch and your libnss to query
> your LDAP server and you will get your LDAP accounts as UN*X
Thanks for your reply. Are you essentially suggesting me to replace my
/etc/passwd authentication completely with with LDAP backend?
I know about this possibility, but I have two issues with it:
1) I am not sure if this is going to work for the "root" and a couple
of other (not related to Samba) UN*X accounts that do not exist on the
LDAP server. Or will such accounts be untouched and continue to be
working from /etc/passwd file?
2) Also, the LDAP idea is generally not that great because, as I said
in my previous post, my intention is to replace ANY samba user who is
mapping the share with the same UN*X account (that does not exist in
LDAP database). Like this:
"user1", "user2", etc. are auhenticated by Samba (via ADS/LDAP) and
become the same "samba_user:samba_group" for the actual file
operations through the "force user" and "force group" directives. The
"samba_user" exists only in /etc/passwd and not in LDAP database
and that is the way I want it.
What I want to avoid is having "user1", "user2", etc. in my
/etc/passwd file because they are NOT needed for any authentication or
In another words, why is there a need to have "user1", "user2" locally
*at all* if I use "force user/force group" directives for permissions
settings and LDAP for password checking?
More information about the samba