[Samba] distributing samba users to the local systems

Rowland penny rpenny at samba.org
Thu Jul 14 07:39:21 UTC 2016 

On 13/07/16 23:13, Xen wrote:
> Jeremy Allison schreef op 12-07-2016 23:26:
>> On Tue, Jul 12, 2016 at 02:10:41AM +0200, Xen wrote:
>>> I want to ask what is the most common approach, and most functional
>>> smallest-subset-technology approach to achieving the following.
>>>
>>>
>>> - a samba server is using different users for its clients and these
>>> users are general unix users, owning files and whatnot on the fs.
>>>
>>> - a linux system as client now wants to "import" the users from the
>>> server without making them /fixed/ unix/passwd users on the local
>>> system
>>>
>>> - the users need to be imported from a kind of directory service
>>> (ldap or whatever) or perhaps "active directory" or whatever it
>>> might be, and those extra virtual users are only valid for as long
>>> as the samba shares themselves are valid and accessible.
>>>
>>> Mind you, I know nothing about "active directory" or "domain
>>> controllers" or what it might be. I also have very little
>>> understanding of what "nsswitch" is and the documentation for it and
>>> the entire system itself seems to be rather arcane.
>>>
>>> It would require on the client:
>>> - an additional source of local users that cannot actually be logged
>>> in to, but only serve as user interface elements.
>>> Perhaps these local users would need to be mapped onto random
>>> numbers or something, but normally with unix extensions you see the
>>> raw numbers of the users on the central system (server).
>>>
>>> So either those numbers would need to be replaced by names at domain
>>> while crossing the link and then mapped back to new numbers on the
>>> local system, that has imported the names at domain, or you'd need to
>>> find a fixed "range" of numbers for users that can stay fixed from
>>> system to system.
>>>
>>> I haven't even been able to get idmapping to work for NFS, it just
>>> won't work. I was using a "static" file for that but the thing would
>>> never read the static maps.
>>>
>>> It would require on the server:
>>>
>>> - a set of local users transformed into a directory service that
>>> clients can import or know about.
>>>
>>>
>>> Is this possible and what technologies would I need for it?
>>
>> This sounds like NIS/YP to me :-). But I'm old... :-).
>
> The Synology has 3-second total-configuration for it ;-).
>
> You click "Install Directory Server" and you select a few options and 
> it installs OpenLDAP.
>
> The thing comes prepopulated or generated with Samba entities, 
> apparently. Then you go to Directory Service in the configuration 
> screen, and enter your connection details; actually it offers to do 
> this automatically. Then you select "Enable LDAP for CIFS" and it will 
> modify smb.conf with a new authentication line.
>
> At that point LDAP users are shown as user at FQDN in the shell.
>
> They don't mingle with regular users but you can set permissions for 
> them the way you can for regular users and groups.
>
> And when you change the FQDN it deletes all users and groups :p.
>
> And it uses a different style user home directory for it. So it is not 
> as pretty. And if you don't care... well...
>
> Apparently you can select which user you want (with Samba logon) by 
> setting the domain to that FQDN you've chosen.
>
> So I have no clue how to actually export local users, but it is not 
> that necessary (and gives its own problems, I guess).
>
> The only downside is that I have to manually duplicate users and 
> groups, but I guess that's pretty manageable given the size of my 
> system ;-).

What you seem to be describing is a 'workgroup', the great-grandfather 
of AD :-)
If you only have a few computers that are close together, then yes, it 
probably will do what you require. If you have a lot of computers (and 
by this I mean more than about 12), it becomes a nightmare, every new 
user has to be added to every computer, then added to the required 
groups. This soon became apparent to MS, who then came up with the NT4 
style PDC, this then lead to AD. You do not need to have windows 
computers to use AD, you can use it with Unix computers and it will give 
you just one place of administration, you just need to set Samba up 
correctly, for this, see the Samba wiki.

Rowland
>
> And when I can get pam_exec and pam_group installed, maybe more is 
> possible.
>
>
>
>
>
>
>
>
>

More information about the samba mailing list