[Samba] possible to use samba without unix accounts for each user?

Gaiseric Vandal gaiseric.vandal at gmail.com
Wed Jun 2 11:35:23 MDT 2010


On 06/02/2010 09:34 AM, David Adam wrote:
> On Tue, 1 Jun 2010, Ben Cohen wrote:
>    
>> We use samba as a domain controller and file server for small separate
>> network environments.  We've currently got samba configured to get
>> posixAccount and sambaAccount information from ldap -- and have nss_ldap
>> configured to feed the same posixaccount objects into the posix user
>> account apis via nsswitch.conf (getpwent etc...).
>>
>> In our environments we seem to regularly run into problems which result
>> from having the unix accounts populated with information from ldap.
>> Here are some observations:
>>
>> 1. if ldap server(s) become unavailable all getpwent lookups experience
>> long timeouts (default nss_ldap behavior)
>> 	-- there are a number of gotchas resulting from this -- including
>> having to be careful that nothing which does a passwd lookup starts
>> before the ldap server on the server that's running the ldap server ...
>> 2. for security reasons we don't want our samba users to be able to get
>> a login shell on our server so we have to implement server access
>> controls to prevent this
>>
>> it seems it would be simpler for us if there was some way to get samba
>> to work without requiring local unix accounts for each samba user ...
>>
>> Is there any way to get samba to use ldap for passwd data without
>> simultaneously modifying the system-wide settings?  I don't care if
>> samba file operations result in files owned by uid's which don't
>> correspond to system-wide logins ...  I think it would be sufficient if
>> there was some way to point the getpwent() call from samba to a
>> different nsswitch.conf file than the api uses when called from
>> everywhere else?
>>      
> I think the ldapsam:trusted option should do what you want (if I've read
> your email correctly and you already have passdb = ldapsam set).
>
> David Adam
> zanchey at ucc.gu.uwa.edu.au
>    

You should be able to set the shell to "/bin/false" to prevent unix 
shell logins.
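
An added check, not part of the original posts: a shell function that reads passwd(5)-format lines and reports accounts at or above a given UID whose shell still allows an interactive login, so the "/bin/false" setting can be verified across the LDAP-provided users. The function names, the 10000 UID floor and the sample entries are assumptions made for this example.

```shell
#!/bin/sh
# Added example: list accounts that can still obtain an interactive shell.
# Input: passwd(5)-format lines on stdin, for instance:
#   getent passwd | find_login_shells 10000
# The first argument (assumption) is the lowest UID handed out to
# LDAP-provided Samba users; it defaults to 1000.

find_login_shells() {
    min_uid="${1:-1000}"
    awk -F: -v min="$min_uid" '
        # Skip comments, blank lines and malformed entries.
        /^#/ || NF < 7 { next }
        # Skip non-numeric UIDs and system accounts below the floor.
        $3 !~ /^[0-9]+$/ || $3 + 0 < min { next }
        # Shells that refuse interactive logins.
        $7 == "/bin/false" || $7 == "/usr/bin/false" ||
        $7 == "/sbin/nologin" || $7 == "/usr/sbin/nologin" { next }
        # An empty shell field defaults to /bin/sh, so report it too.
        { printf "%s:%s:%s\n", $1, $3, ($7 == "" ? "/bin/sh (default)" : $7) }
    '
}

# Constructed sample data, not taken from the thread.
sample_passwd() {
    cat <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:10001:10001:Alice:/home/alice:/bin/false
bob:x:10002:10001:Bob:/home/bob:/bin/bash
carol:x:10003:10001:Carol:/home/carol:
dave:x:10004:10001:Dave:/home/dave:/sbin/nologin
EOF
}
```

Each output line is name:uid:shell; empty output means every account at or above the floor has a non-login shell.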

