[Samba] possible to use samba without unix accounts for each user?
David Adam
zanchey at ucc.gu.uwa.edu.au
Wed Jun 2 07:34:17 MDT 2010
On Tue, 1 Jun 2010, Ben Cohen wrote:
> We use samba as a domain controller and file server for small separate
> network environments. We've currently got samba configured to get
> posixAccount and sambaAccount information from ldap -- and have nss_ldap
> configured to feed the same posixaccount objects into the posix user
> account apis via nsswitch.conf (getpwent etc...).
>
> In our environments we seem to regularly run into problems which result
> from having the unix accounts populated with information from ldap.
> Here are some observations:
>
> 1. if ldap server(s) become unavailable all getpwent lookups experience
> long timeouts (default nss_ldap behavior)
> -- there are a number of gotchas resulting from this -- including
> having to be careful that nothing which does a passwd lookup starts
> before the ldap server on the server that's running the ldap server ...
> 2. for security reasons we don't want our samba users to be able to get
> a login shell on our server so we have to implement server access
> controls to prevent this
>
> it seems it would be simpler for us if there was some way to get samba
> to work without requiring local unix accounts for each samba user ...
>
> Is there any way to get samba to use ldap for passwd data without
> simultaneously modifying the system-wide settings? I don't care if
> samba file operations result in files owned by uid's which don't
> correspond to system-wide logins ... I think it would be sufficient if
> there was some way to point the getpwent() call from samba to a
> different nsswitch.conf file than the api uses when called from
> everywhere else?
I think the ldapsam:trusted option should do what you want (if I've read
your email correctly and you already have passdb = ldapsam set).
David Adam
zanchey at ucc.gu.uwa.edu.au
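For readers following the thread: the `ldapsam:trusted` option David refers to is set in `smb.conf` alongside the `passdb backend = ldapsam:<url>` line (the full parameter name is `passdb backend`). The fragment below is an added illustration, not configuration from either poster; the hostname, base DN, admin DN and workgroup are made-up placeholders. With `ldapsam:trusted = yes`, Samba reads `uidNumber`/`gidNumber` straight from the `posixAccount` entries in LDAP instead of going through `getpwnam()`/`getgrnam()` (NSS), which is what lets the LDAP users stay out of the system `nsswitch.conf` passwd source, addressing both the nss_ldap timeout problem and the desire to keep Samba users from having a usable login on the server.

```ini
[global]
   workgroup = EXAMPLE
   security = user
   domain logons = yes

   # SAM data (sambaSamAccount + posixAccount) lives in LDAP.
   # ldap.example.internal and the DNs below are placeholders.
   passdb backend = ldapsam:ldap://ldap.example.internal
   ldap suffix = dc=example,dc=internal
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=samba,ou=DSA,dc=example,dc=internal
   ldap ssl = start tls

   # Trust the directory as the sole source of uid/gid data for ldapsam
   # users and groups, so Samba does not fall back to NSS lookups.
   # Consequence: LDAP users need not appear in nsswitch.conf at all.
   ldapsam:trusted = yes
```

The bind password for `ldap admin dn` is stored in `secrets.tdb` with `smbpasswd -w <password>`, and `testparm` will report any misspelled parameter before `smbd` is restarted. Two practical caveats: files created through Samba will then be owned by numeric uids that `ls -l` cannot resolve to names on the server (which the original poster says is acceptable), and any local tooling that does need to resolve those names still has to reach LDAP by some other path.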