[OT] Re: [Samba] Avoiding local unix accounts with "force user". Is that possible?

Felipe Augusto van de Wiel felipe at paranacidade.org.br
Tue Sep 19 13:13:39 GMT 2006

Hash: SHA1

On 09/19/2006 10:01 AM, Andrei Nazarenko escreveu:
>> Yes, configure your nsswitch and your libnss to query
>> your LDAP server and you will get your LDAP accounts as UN*X
>> accounts.
> Thanks for your reply. Are you essentially suggesting me to replace my
> /etc/passwd authentication completely with with LDAP backend?

	No, I was suggesting you to integrate you authentication
system using passwd/shadow and LDAP.

> I know about this possibility, but I have two issues with it:
> 1) I am not sure if this is going to work for the "root" and a couple
> of other (not related to Samba) UN*X accounts that do not exist on the
> LDAP server. Or will such accounts be untouched and continue to be
> working from /etc/passwd file?

	Exactly, and it should not work for that type of accounts.
There are several ways to integrate LDAP and one of them is keep
the system accounts (including) root out of LDAP and individually
in each server.

> 2) Also, the LDAP idea is generally not that great because, as I said
> in my previous post, my intention is to replace ANY samba user who is
> mapping the share with the same UN*X account (that does not exist in
> LDAP database). Like this:
> "user1", "user2", etc. are auhenticated by Samba (via ADS/LDAP) and
> become the same "samba_user:samba_group" for the actual file
> operations through the "force user" and "force group" directives. The
> "samba_user" exists only in /etc/passwd and not in LDAP database
> and that is the way I want it.

	Why? That sounds really *stange* and starts to be a little
bit off-topic on this mail list. I don't know exactly why are you
using 'force user' and 'force group', but it starts to look like
that you could easily solve this using some type of system account
or a generic "nobody user", of course, it will depend on your setup
and on your needs, but there are several ways to go.

> What I want to avoid is having "user1", "user2", etc. in my
> /etc/passwd file because they are NOT needed for any authentication or
> permissions settings.

	That's what LDAP is for, you can extend you sambaUser object
to have UN*X information and you can do it per user. It could make
your life easier, but just if you want to. :)

> In another words, why is there a need to have "user1", "user2" locally
> *at all* if I use "force user/force group" directives for permissions
> settings and LDAP for password checking?

	There is no need. Special configurations needs special
workarounds, you could have your special account inside the
LDAP, or you can keep creating it by hand, or by NIS or with
some magic script.

> -- 
> Regards,
> A\N

	Kind regards,

- --
Felipe Augusto van de Wiel <felipe at paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org


More information about the samba mailing list