[Samba] Samba local user without /etc/passwd

Rowland Penny rowlandpenny241155 at gmail.com
Thu Jul 9 20:01:10 UTC 2015


On 09/07/15 20:48, Gionatan Danti wrote:
> Il 09-07-2015 14:05 Rowland Penny ha scritto:
>>
>> You can have users in /etc/passwd or AD, you cannot have the same user
>> in both, or anywhere else. A local user cannot connect to anything but
>> local directories and then only if they have the required permissions
>> set.
>>
>> Rowland
>
> Uhm, I think there is a misunderstanding here, possibly due to my bad 
> English.
>
> 1) I 100% agree that local users are, well, local users. So the domain 
> does not know anything about those users (how could it?)
>
> 2) I 100% agree that domain users are _remote_ users, that don't need 
> to exist on the local machine.
>
> 3) What I am wondering is if, domain taken aside, I can create a local 
> user _only inside the tdbsam database_, without touching the 
> /etc/passwd file at all. Basically, I would like to have 
> "samba-private" users, without messing with the real Linux users. I 
> understand that this poses permission problems - after all, samba 
> runs with the user's credentials. However, I wonder if something like 
> winbind can solve these issues.
>
> To tell it with a graph, it would be nice if, issuing a "getent user" 
> command, the system:
> - using the nsswitch, asks winbind (or something similar) to find the 
> user;
> - winbind (or the likes) searches the tdbsam database and returns 
> UID/GID values (similar to how domain users work)
> - files/ACLs can then be matched against the winbind (or the likes) 
> assigned UID/GID, even without a real backing Unix user.
>
> Sorry if it seems a strange question, I'm only trying to understand here.
> Regards.
>
No misunderstanding on my part, but a very big one on *your* part.

I will say it again but in slightly different words: there are no 
'remote' users; there are local Unix users and there are domain users. 
Local users can only connect to directories and files on the local 
computer. Domain users can connect to directories and files on any 
domain computer that is set up with the correct permissions.

So:
There are local users
There are active directory domain users
These cannot be the same users
There is nowhere else to store user info except in either /etc/passwd 
(which makes them local users) or in AD (which makes them active 
directory domain users).

Rowland
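The practical consequence of Rowland's point is that every account in Samba's tdbsam must map to a Unix account that the host itself can resolve; an entry without one cannot own files or be matched against ACLs. The following POSIX shell script is an added example, not code from the thread or from the Samba project: it audits a `pdbedit -L` style listing (assumed format `username:uid:full name`) against a `getent passwd` style listing and reports Samba accounts with no backing Unix account. The sample listings, the user names in them, and the function names `unbacked_samba_users` and `count_unbacked` are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread or the Samba project):
# check that every account in Samba's tdbsam has a backing Unix account.
# On a real host the inputs come from `pdbedit -L` and `getent passwd`;
# the constructed samples below let the script run offline.

# Constructed sample of `pdbedit -L` output (format: username:uid:full name).
SAMPLE_PDB='alice:1001:Alice Example
bob:1002:Bob Example
ghost:0:No Unix Account'

# Constructed sample of `getent passwd` output.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Example:/home/alice:/bin/sh
bob:x:1002:1002:Bob Example:/home/bob:/bin/sh'

# Print the usernames from a pdbedit-style listing ($1) that have no
# matching "username:" line in a passwd-style listing ($2), one per line.
unbacked_samba_users() {
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r user; do
        [ -n "$user" ] || continue
        if ! printf '%s\n' "$2" | grep -q -- "^$user:"; then
            printf '%s\n' "$user"
        fi
    done
}

# Number of Samba accounts without a Unix account (0 means the audit passed).
count_unbacked() {
    unbacked_samba_users "$1" "$2" | wc -l | tr -d ' '
}

# Stand-alone run: use live data when the Samba and NSS tools are present,
# otherwise fall back to the constructed samples.
if command -v pdbedit >/dev/null 2>&1 && command -v getent >/dev/null 2>&1; then
    unbacked_samba_users "$(pdbedit -L 2>/dev/null)" "$(getent passwd)"
else
    unbacked_samba_users "$SAMPLE_PDB" "$SAMPLE_PASSWD"
fi
```

On the constructed samples the script reports only `ghost`, the tdbsam entry with no passwd counterpart; on a real host, any name it prints is an account that Samba knows about but that the Unix side (and therefore file ownership and ACL checks) cannot resolve.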
