[Samba] Re: Sharing Accounts between Servers and SIDs

Peter Daum gator_ml at yahoo.de
Mon Jul 23 09:57:52 GMT 2007


To answer my own question: No, it doesn't work like this!
Samba complained about any SID I tried as being invalid.
(Unfortunately, I couldn't find any hint about what constitutes
a "valid" SID). Furthermore, it seems like when using the samba3
ldap_sam backend, samba wants to write all kinds of stuff into
the ldap directory (which does not work because the directory is
replicated and samba only has access to a read-only copy). For many
reasons, I also don't want samba to be able to write the LDAP
directory).

Is it possible at all to use the Samba3 ldapsam backend with this
setup? (With Samba2 it worked without any problem, starting with
Samba3 the focus of Samba shifted obviously mostly towards being as
windows-like as possible; right now I am using Samba 3.0.23b).

I am trying to keep out everything that only makes sense within a pure
windows domain controller based network - all I want is a bunch of
samba servers using a shared account database. The clients don't do
domain logons but just connect to single servers, which should consider
all users with a valid unix account as local users and authenticate based
on the lm/nt password hashes stored in the ldap directory.

Any help is appreciated,

Regards,
                 Peter Daum


Peter Daum wrote:
> I maintain a heterogeneous network with a shared LDAP account database.
> The user accounts have globally unique user names, UIDs and RIDs.
> Some, but not all accounts are valid on all machines, but there is no
> need for samba to care about this, because there simply won't be a
> unix account for invalid users. There are no MS servers involved, and
> because every samba server has the same user account base and does its
> own authentication, there is no need for winbind.
> 
> The samba servers currently still use the old samba2-compatible
> ldapsam_compat passdb backend which I eventually want to migrate to the
> current sambaSamAccount. While most attributes just changed their names,
> which shouldn't make much difference, I am a little uncertain,
> how to handle the new sambaSID attribute without breaking my setup:
> 
> Would it work to just put a dummy domain with SID "S-1-0-0" in the
> directory and use this as a prefix for all the user SIDs?
> Currently, every server has its own SID (which is created by Samba,
> so far there was no reason to worry about this), but with the new
> LDAP schema, I am afraid that Samba might not accept such an account
> as a valid local account ...
> 
> Any recommendations?
> 
> Regards,
>                    Peter Daum
> 