[Samba] Samba local user without /etc/passwd

Rowland Penny rowlandpenny241155 at gmail.com
Thu Jul 9 12:05:05 UTC 2015

On 09/07/15 12:19, Gionatan Danti wrote:
> On 09/07/15 12:25, Reindl Harald wrote:
>>> In short: while my samba server is connected to the AD domain, I would
>>> also like to have some local (non domain) user for other tasks.
>>> It is my understanding that for a local samba user I _need_ to create
>>> the relative unix user (using useradd) and then use the samba-provided
>>> tool smbpasswd. I simply wonder if it is possible to create local users
>>> using _only_ smbpasswd (or equivalent), without messing with the real
>>> local unix user table stored in "/etc/passwd" (hence the word
>>> "virtual")
>> the smbd process is running as your user for security and permissions
>> as which user should it run without a unix user
>> root?
> Hi,
> I perfectly understand your reasons.
> My question stems from the fact that, while connected to an AD domain, 
> samba (or better, winbind) is impersonating remote users without 
> problems. This is done using the "winbind" keyword in /etc/nsswitch.conf

What you have to understand is that, when a machine is part of a domain, 
you can have local users that authenticate via /etc/passwd, but these 
local users are unknown to the domain. You also have domain users that 
can be made known to the local system.

> So, I wonder if winbind is capable of doing something similar with 
> tdbsam users, impersonating them _without_ a local entry in 
> /etc/passwd. Basically, what I want is to tell samba/winbind "do the 
> same thing you are doing for AD, but using tdbsam as backend".

You can have users in /etc/passwd or AD, you cannot have the same user 
in both, or anywhere else. A local user cannot connect to anything but 
local directories and then only if they have the required permissions set.

> While I suspected that it is not possible, I liked a direct 
> confirmation from the list...
> Thanks.
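
An added example, not part of the original thread: since smbd needs a Unix account for every user it serves, this audit lists passdb (tdbsam) entries that NSS cannot resolve through any source in /etc/nsswitch.conf. It assumes the `username:uid:full name` layout of `pdbedit -L`; the sample data and function names are constructed for illustration.

```python
import pwd
import sys

# Constructed sample in the `pdbedit -L` layout (username:uid:full name).
# Only the first field is used by the check below.
SAMPLE_PDBEDIT = """\
backup:34:backup
scanner:4294967295:Office scanner
svc_reports:4294967295:
"""


def passdb_usernames(pdbedit_output):
    """Return the usernames (first colon-separated field) from the listing."""
    names = []
    for line in pdbedit_output.splitlines():
        line = line.strip()
        if not line or ":" not in line:
            continue  # skip blank or malformed lines
        names.append(line.split(":", 1)[0])
    return names


def unresolved_accounts(pdbedit_output, lookup=pwd.getpwnam):
    """List passdb users that have no Unix account.

    `lookup` defaults to pwd.getpwnam, which consults every passwd source
    in /etc/nsswitch.conf (files, winbind, ...) and raises KeyError when
    none of them knows the name.
    """
    missing = []
    for name in passdb_usernames(pdbedit_output):
        try:
            lookup(name)
        except KeyError:
            missing.append(name)
    return missing


if __name__ == "__main__":
    # Hypothetical usage: pdbedit -L | python3 check_passdb.py
    text = SAMPLE_PDBEDIT if sys.stdin.isatty() else sys.stdin.read()
    for name in unresolved_accounts(text):
        print(f"no Unix account for passdb user: {name}")
```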
