[Samba] possible to use samba without unix accounts for each user?

[Ben Cohen]

We use samba as a domain controller and file server for small separate network environments.  We've currently got samba configured to get posixAccount and sambaAccount information from ldap -- and have nss_ldap configured to feed the same posixaccount objects into the posix user account apis via nsswitch.conf (getpwent etc...).

In our environments we seem to regularly run into problems which result from having the unix accounts populated with information from ldap.  Here are some observations:

1. if ldap server(s) become unavailable all getpwent lookups experience long timeouts (default nss_ldap behavior)
	-- there are a number of gotchas resulting from this -- including having to be careful that nothing which does a passwd lookup starts before the ldap server on the server that's running the ldap server ...
2. for security reasons we don't want our samba users to be able to get a login shell on our server so we have to implement server access controls to prevent this

it seems it would be simpler for us if there was some way to get samba to work without requiring local unix accounts for each samba user ...

Is there anyway to get samba to to use ldap for passwd data without simultaneously modifying the system-wide settings?  I don't care if samba file operations result in files owned by uid's which don't correspond to  system-wide logins ...  I think it would be sufficient if there was some way to point the getpwent() call from samba to a different nsswitch.conf file than the api uses when called from everywhere else?

Thanks for any advice,

Ben Cohen
Programmer/Analyst (STS)
Scripps Institution of Oceanography
ncohen at ucsd.edu