[Samba] possible to use samba without unix accounts for each user?

[David Adam]

On Tue, 1 Jun 2010, Ben Cohen wrote:
> We use samba as a domain controller and file server for small separate 
> network environments.  We've currently got samba configured to get 
> posixAccount and sambaAccount information from ldap -- and have nss_ldap 
> configured to feed the same posixaccount objects into the posix user 
> account apis via nsswitch.conf (getpwent etc...).
> 
> In our environments we seem to regularly run into problems which result 
> from having the unix accounts populated with information from ldap.  
> Here are some observations:
> 
> 1. if ldap server(s) become unavailable all getpwent lookups experience 
> long timeouts (default nss_ldap behavior)
> 	-- there are a number of gotchas resulting from this -- including 
> having to be careful that nothing which does a passwd lookup starts 
> before the ldap server on the server that's running the ldap server ... 
> 2. for security reasons we don't want our samba users to be able to get 
> a login shell on our server so we have to implement server access 
> controls to prevent this
> 
> it seems it would be simpler for us if there was some way to get samba 
> to work without requiring local unix accounts for each samba user ...
> 
> Is there anyway to get samba to to use ldap for passwd data without 
> simultaneously modifying the system-wide settings?  I don't care if 
> samba file operations result in files owned by uid's which don't 
> correspond to system-wide logins ...  I think it would be sufficient if 
> there was some way to point the getpwent() call from samba to a 
> different nsswitch.conf file than the api uses when called from 
> everywhere else?

I think the ldapsam:trusted option should do what you want (if I've read 
your email correctly and you already have passdb = ldapsam set).

David Adam
zanchey at ucc.gu.uwa.edu.au