[Samba] distributing samba users to the local systems

Xen list at xenhideout.nl
Wed Jul 13 22:13:07 UTC 2016


Jeremy Allison schreef op 12-07-2016 23:26:
> On Tue, Jul 12, 2016 at 02:10:41AM +0200, Xen wrote:
>> I want to ask what is the most common approach, and most functional
>> smallest-subset-technology approach to achieving the following.
>> 
>> 
>> - a samba server is using different users for its clients and these
>> users are general unix users, owning files and whatnot on the fs.
>> 
>> - a linux system as client now wants to "import" the users from the
>> server without making them /fixed/ unix/passwd users on the local
>> system
>> 
>> - the users need to be imported from a kind of directory service
>> (ldap or whatever) or perhaps "active directory" or whatever it
>> might be, and those extra virtual users are only valid for as long
>> as the samba shares themselves are valid and accessible.
>> 
>> Mind you, I know nothing about "active directory" or "domain
>> controllers" or what it might be. I also have very little
>> understanding of what "nsswitch" is and the documentation for it and
>> the entire system itself seems to be rather arcane.
>> 
>> It would require on the client:
>> - an additional source of local users that cannot actually be logged
>> in to, but only serve as user interface elements.
>> Perhaps these local users would need to be mapped onto random
>> numbers or something, but normally with unix extensions you see the
>> raw numbers of the users on the central system (server).
>> 
>> So either those numbers would need to be replaced by names@domain
>> while crossing the link and then mapped back to new numbers on the
>> local system, that has imported the names@domain, or you'd need to
>> find a fixed "range" of numbers for users that can stay fixed from
>> system to system.
>> 
>> I haven't even been able to get idmapping to work for NFS, it just
>> won't work. I was using a "static" file for that but the thing would
>> never read the static maps.
>> 
>> It would require on the server:
>> 
>> - a set of local users transformed into a directory service that
>> clients can import or know about.
>> 
>> 
>> Is this possible and what technologies would I need for it?
> 
> This sounds like NIS/YP to me :-). But I'm old... :-).

The Synology has 3-second total-configuration for it ;-).

You click "Install Directory Server" and you select a few options and it 
installs OpenLDAP.

The thing comes prepopulated or generated with Samba entities, 
apparently. Then you go to Directory Service in the configuration 
screen, and enter your connection details; actually it offers to do this 
automatically. Then you select "Enable LDAP for CIFS" and it will modify 
smb.conf with a new authentication line.

At that point LDAP users are shown as user@FQDN in the shell.

They don't mingle with regular users but you can set permissions for 
them the way you can for regular users and groups.

And when you change the FQDN it deletes all users and groups :p.

And it uses a different style user home directory for it. So it is not 
as pretty. And if you don't care... well...

Apparently you can select which user you want (with Samba logon) by 
setting the domain to that FQDN you've chosen.

So I have no clue how to actually export local users, but it is not that 
necessary (and gives its own problems, I guess).

The only downside is that I have to manually duplicate users and groups, 
but I guess that's pretty manageable given the size of my system ;-).

And when I can get pam_exec and pam_group installed, maybe more is 
possible.
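An added illustration, written for this archive page and not code from the thread or from Samba, of the "fixed range of numbers" question raised in the quoted mail: two clients that allocate uids on demand (as an allocating idmap backend does) end up with different numbers for the same directory user, while a deterministic mapping from a stable per-user identifier (a RID, the approach idmap_rid takes) into one agreed range gives every client the same uid. The directory entries and the range are constructed; the out-of-range check shows the case a client must refuse rather than collide with local accounts.

```python
from typing import Dict, List, Optional

# Constructed directory: user name -> RID (the per-user part of a domain SID).
DIRECTORY: Dict[str, int] = {"alice": 1001, "bob": 1002, "carol": 1003}

# Constructed uid range that every client is configured with.
LOW, HIGH = 10000, 19999


def map_by_allocation(seen_order: List[str]) -> Dict[str, int]:
    """Allocating scheme: a client hands out the next free uid the first
    time it sees a name, so the result depends on the order names show up."""
    table: Dict[str, int] = {}
    for name in seen_order:
        if name not in table:
            uid = LOW + len(table)
            if uid > HIGH:
                raise RuntimeError("uid range exhausted")
            table[name] = uid
    return table


def rid_to_uid(rid: int) -> Optional[int]:
    """Deterministic scheme: uid = LOW + rid; None when the result falls
    outside the configured range, so the client refuses the mapping."""
    uid = LOW + rid
    return uid if LOW <= uid <= HIGH else None


def map_by_rid(seen_order: List[str]) -> Dict[str, int]:
    """Same users, computed from their stable RID: order does not matter."""
    table: Dict[str, int] = {}
    for name in seen_order:
        uid = rid_to_uid(DIRECTORY[name])
        if uid is not None:
            table[name] = uid
    return table


if __name__ == "__main__":
    client_a = ["alice", "bob", "carol"]   # order users first connect on client A
    client_b = ["carol", "alice", "bob"]   # a different order on client B
    print("allocation:", map_by_allocation(client_a), map_by_allocation(client_b))
    print("rid       :", map_by_rid(client_a), map_by_rid(client_b))
```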