[Samba] multiple passdb backends for standalone fileserver?

Rowland Penny rpenny at samba.org
Mon Aug 20 19:29:40 UTC 2018


On Mon, 20 Aug 2018 20:19:11 +0200
Harry Jede <walk2sun at arcor.de> wrote:

> Hi Rowland,
> 
> > On Mon, 20 Aug 2018 18:02:32 +0200
> > 
> > Harry Jede via samba <samba at lists.samba.org> wrote:
> > > Am Montag, 20. August 2018, 16:43:24 CEST schrieb Matthias Leopold
> > > 
> > > via samba:
> > > > Hi,
> > > > 
> > > > I (naively) would like to have local AND ldap users (and
> > > > groups...) on my standalone fileserver (security = user). "passdb
> > > > backend = ldapsam" already works OK and I found some old posts on
> > > > the internet about "chaining" passdb backends.
> > > 
> > > Round about 12 years ago "chaining passdb backends" was removed!
> > > But there are other possibilities:
> > > 
> > > 1. You can map local unix users and groups to their windows
> > > entries.
> > 
> > Well, yes you can, but the OP wanted to use users stored in ldap and
> > users stored in /etc/passwd, but you cannot do both at the same
> > time.
> Me can!
> 
> > > 2. You can use winbind's idmap feature; obey the "idmap ranges"
> > > and honor that the syntax has changed several times.
> > 
> > The OP referred to a 'standalone server' and these do not need to
> > run winbind
> yes, but I said you can!
> 
> > and if it is running, all the idmap backends need SIDs,
> yes, local unix user SIDs are stored in /var/lib/samba/passdb.tdb
> 
> ldap user SIDs are stored in passdb.tdb if the server is a normal
> standalone server and the ldap server has NOT loaded the
> samba3.schema
> 
> but get stored in ldap if the server is configured as standalone, PDC
> or BDC and ldap has samba3.schema loaded. You must configure
> smb.conf, pam and nss a little different.
> 
> Maybe, i should write a howto. But time ...
> 
> > there might not be any SIDs in the OP's ldap.
> yes, there can be SIDs but this is not a must have, but a usual case.

If you have a SID, it is either from a Samba machine or a Windows
machine, but an LDAP user doesn't have to have a SID; in fact, unless
you extend LDAP with the Samba schema, you cannot add them.

> 
> > 
> > > Just read the man pages of the samba version you are using!!!
> > > before searching the web.
> > 
> > Very wise words, 
> > most web pages get something wrong ;-)
> Oh, I believe they are mostly right at the time of writing, but the
> writers forget to tell the readers the version, release number and
> often do not mention if they are using vanilla samba or a distro
> modified package. In the end these are pages to inspire someone but
> not more.

Not from my experience: most pages tend to get a lot of things correct,
but then add things that are either not required or wrong; they also
tend to miss vital things.

Rowland