[Samba] Avoiding local unix accounts with "force user". Is that possible?

Andrei Nazarenko a.nazarenko at gmail.com
Tue Sep 19 13:01:39 GMT 2006

> Yes, configure your nsswitch and your libnss to query
> your LDAP server and you will get your LDAP accounts as UN*X
> accounts.

Thanks for your reply. Are you essentially suggesting me to replace my
/etc/passwd authentication completely with with LDAP backend?

I know about this possibility, but I have two issues with it:

1) I am not sure if this is going to work for the "root" and a couple
of other (not related to Samba) UN*X accounts that do not exist on the
LDAP server. Or will such accounts be untouched and continue to be
working from /etc/passwd file?

2) Also, the LDAP idea is generally not that great because, as I said
in my previous post, my intention is to replace ANY samba user who is
mapping the share with the same UN*X account (that does not exist in
LDAP database). Like this:

"user1", "user2", etc. are auhenticated by Samba (via ADS/LDAP) and
become the same "samba_user:samba_group" for the actual file
operations through the "force user" and "force group" directives. The
"samba_user" exists only in /etc/passwd and not in LDAP database
and that is the way I want it.

What I want to avoid is having "user1", "user2", etc. in my
/etc/passwd file because they are NOT needed for any authentication or
permissions settings.

In another words, why is there a need to have "user1", "user2" locally
*at all* if I use "force user/force group" directives for permissions
settings and LDAP for password checking?



More information about the samba mailing list