[Samba] Disable Pam checking for Samba4 Standalone role server with samdb_dbds as passdb backend !

Rowland Penny rowlandpenny at googlemail.com
Mon Jun 16 09:47:01 MDT 2014

On 16/06/14 16:12, CpServiceSPb . wrote:
> > At the moment your samba4 AD DC is only doing authentication i.e. your windows machines are asking your samba4 AD 'Do you
> > know this user?' Your samba4 AD DC will answer 'yes' or 'no'.
> Let's assume.
> > Your user then attempts to connect to a share stored on the samba4 AD DC which knows the user BUT the underlying OS has to know
> > the user as well,
> So, very intelligent man, why so, that's why does underlying OS have to know that the user is well also?

Because your users are storing information on the underlying OS, if the 
underlying OS doesn't know the user, it will not store the information 
or allow connection to it.

> If Samba4 provide access to shares and serve access to it.
> > Specifically: Make domain users/groups available locally through winbind.
> For 2 lines just above: I DON'T NEED access locally - I don't want to use Samba4 users for access OS and OS non shared folders.
> I need only access to shares from the net, not to local equivalent of its shares

If your users cannot connect to the 'local equivalent of its shares', 
then they cannot connect to them over the net.

> If it is your se..al fantasies, that's ok, but don't need to show your bad manners saying that "rather stupid question".
> Even if you have not understood partially or fully the question.

I fully understand the question, you seem to be unable to understand the 
answers, or are unwilling to do so.

> Otherwise, firstly, provide some proofs/link/rfcs or some look like this or try to understand more deeply the question.

> I can in my own make assumption that in the case of Samba4 and Linux OS for Samba4 handled shares Samba4 only check user existence,
> but password checking for such user makes Linux OS but I don't know exactly is there so or not.
> But why is it not necessary in case of Samba4 AD DC mode. I made such question also (in one of previous message).
> I added user only to Samba4 (AD DC), and not also to OS.

You do not need to create the users as Unix users as well, you just need 
to make the underlying OS be able to get the users from AD, on the 
samba4 AD you need to set up the winbind links and edit 
/etc/nsswitch.conf, again I suggest you READ THE WIKI.

> And access is for net share from a net, not to the physical folder locally. And to shares are handled by Samba4.

If you are accessing the shares over the net, you are accessing them 
locally on the OS.

> Maybe there is some info I simply don't know about. But I don't have any internal plans/info from Samba4 devteam regarding
> this 'question'. That is such is had to be: Samba4+OS pam for Samba4 shares access from net, not using Samba4 users for access
> to OS and not shared folders.
> Maybe or if you have such info, it is not a reason to say that "rather stupid question" without doing logical, reasonable
> and sensible explanation and without providing current and real (valid) info.
> As shortly: I need access to Samba4 shares from a net using Samba4 users, not access to OS using Samba4 users.
> In case of having access to OS locally using Samba4 users (users who are in Samba4) winbindd connections to OS pam is necessary. I agree with it.
> Moreover, when I used Samba3 I was compelled to use winbindd with nss.
> If such combinations for my situation is necessary, please provide a link to some proof.

Look, I think that I may have said this before, go and read the samba 
wiki, all the info that you require is there, whether you will like what 
you read is another thing entirely.
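
An added example, not part of the original message or of the Samba wiki: a shell check for the /etc/nsswitch.conf edit mentioned in the reply above, confirming that the passwd and group databases list winbind as a source so the OS can resolve AD users. The function names and the sample file contents are constructed for illustration.

```shell
#!/bin/sh
# Added example: verify that NSS consults winbind for users and groups.

# nss_has_winbind FILE DATABASE
# Returns 0 if DATABASE (e.g. passwd, group) lists "winbind" as a source
# in FILE, 1 otherwise. Comments and unrelated lines are ignored.
nss_has_winbind() {
    awk -v db="$2" '
        {
            sub(/#.*/, "")                      # drop trailing comments
            n = index($0, ":")
            if (n == 0) next                    # not a "database: sources" line
            name = substr($0, 1, n - 1)
            gsub(/[ \t]/, "", name)
            if (name != db) next
            m = split(substr($0, n + 1), src, /[ \t]+/)
            for (i = 1; i <= m; i++)
                if (src[i] == "winbind") found = 1
        }
        END { exit !found }
    ' "$1"
}

# check_nss FILE
# Prints one status line per database; the return code is the number of
# databases (out of passwd and group) that do not list winbind.
check_nss() {
    missing=0
    for db in passwd group; do
        if nss_has_winbind "$1" "$db"; then
            echo "ok:      $db lists winbind"
        else
            echo "missing: $db does not list winbind"
            missing=$((missing + 1))
        fi
    done
    return "$missing"
}

# Constructed sample files (not taken from the thread).
sample_dir=$(mktemp -d)
printf 'passwd: compat\ngroup: compat\nhosts: files dns\n' > "$sample_dir/before"
printf 'passwd: compat winbind\ngroup:  compat winbind # AD\n' > "$sample_dir/after"

check_nss "$sample_dir/before" || echo "-> before: winbind not configured"
check_nss "$sample_dir/after" && echo "-> after: winbind configured"
rm -rf "$sample_dir"
```

On the server itself, `check_nss /etc/nsswitch.conf` followed by a `getent passwd` lookup of a domain user shows whether the OS can actually resolve that user.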

