[Samba] multiple passdb backends for standalone fileserver?
Rowland Penny
rpenny at samba.org
Mon Aug 20 19:29:40 UTC 2018
On Mon, 20 Aug 2018 20:19:11 +0200
Harry Jede <walk2sun at arcor.de> wrote:
> Hi Rowland,
>
> > On Mon, 20 Aug 2018 18:02:32 +0200
> >
> > Harry Jede via samba <samba at lists.samba.org> wrote:
> > > On Monday, 20 August 2018 at 16:43:24 CEST, Matthias Leopold via
> > > samba wrote:
> > > > Hi,
> > > >
> > > > I (naively) would like to have local AND ldap users (and
> > > > groups...)
> > > > on my standalone fileserver (security = user). "passdb backend =
> > > > ldapsam" already works OK and I found some old posts on the
> > > > internet
> > > > about "chaining" passdb backends.
> > >
> > > Round about 12 years ago "chaining passdb backends" was removed! But
> > > there are other possibilities:
> > >
> > > 1. You can map local unix users and groups to their windows
> > > entries.
> >
> > Well, yes you can, but the OP wanted to use users stored in ldap and
> > users stored in /etc/passwd, but you cannot do both at the same
> > time.
> Me can!
>
> > > 2. You can use winbind's idmap feature; obey the "idmap ranges"
> > > and honor that the syntax has changed several times.
> >
> > The OP referred to a 'standalone server' and these do not need to
> > run winbind
> Yes, but I said you can!
>
> > and if it is running, all the idmap backends need SIDs,
> Yes, local unix user SIDs are stored in /var/lib/samba/passdb.tdb
>
> ldap user SIDs are stored in passdb.tdb if the server is a normal
> standalone server and the ldap server has NOT loaded the
> samba3.schema
>
> but get stored in ldap if the server is configured as standalone, PDC
> or BDC and ldap has samba3.schema loaded. You must configure
> smb.conf, pam and nss a little different.
>
> Maybe I should write a howto. But time ...
>
> > there
> > might not be any SIDs in the OP's ldap.
> Yes, there can be SIDs, but this is not a must-have, just the usual case.
If you have a SID, it is either from a Samba machine or a Windows
machine, but an LDAP user doesn't have to have a SID, in fact, unless
you extend LDAP with the Samba schema, you cannot add them.
>
> >
> > > Just read the man pages of the samba version you are using!!!
> > > before searching the web.
> >
> > Very wise words,
> > most web pages get something wrong ;-)
> Oh, I believe they are mostly right at the time of writing, but the writers
> forget to tell the readers the version, release number and often do
> not mention if they are using vanilla samba or a distro modified
> package. In the end these are pages to inspire someone, but no more.
Not from my experience, most pages tend to get a lot of things correct,
but then add things that are either not required or wrong, they also
tend to miss vital things.
Rowland
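For readers following the thread's advice to consult the man page rather than old web posts, here is an added illustration (not part of this mailing-list thread, and not a configuration any participant posted) of the setup the original poster described: a standalone file server with `security = user` and a single `ldapsam` backend. The `passdb backend` parameter accepts one backend only, which is why the "chaining" the OP found in old posts no longer applies; the commented-out line shows the shape of the unsupported multi-backend value so it can be recognised in inherited configs. Hostnames, the LDAP suffix and the admin DN are placeholders.

```ini
[global]
    workgroup = WORKGROUP
    server role = standalone server
    security = user

    # Exactly one backend is accepted. ldapsam requires the Samba schema
    # (sambaSamAccount / sambaGroupMapping) to be loaded in the directory,
    # which is also where the users' SIDs are then stored.
    passdb backend = ldapsam:ldap://ldap.example.com      ; placeholder host

    # The old "chained" form below has not been supported for many years;
    # a config that still carries it should be reduced to one backend.
    ;passdb backend = ldapsam:ldap://ldap.example.com tdbsam

    ldap suffix       = dc=example,dc=com                 ; placeholder suffix
    ldap user suffix  = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn     = cn=admin,dc=example,dc=com        ; placeholder DN
    # Encrypt the bind; the admin DN password is stored with
    # "smbpasswd -w <password>" in secrets.tdb, never in smb.conf.
    ldap ssl = start tls

    # Local /etc/passwd accounts cannot be served by a second passdb
    # backend; as the thread notes, they can only be mapped onto
    # Windows identities (e.g. with "username map") or handled via idmap.
    ;username map = /etc/samba/user.map
```

Run `testparm -s` after editing: it parses the file, reports the effective `passdb backend`, and will flag an unknown or malformed value before smbd is restarted. `pdbedit -L` then lists the accounts the chosen backend actually exposes, which is the quickest way to confirm which users Samba sees.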