Is there any way to enable both local (/etc/passwd or smbpasswd) users and users authenticated remotely by winbindd?

I have a problem with samba-3.0.2a not recognizing local users at all, if winbindd is enabled (and vice versa, of course). However, I'd like to have local users take precedence over networked users, i.e. samba would let in a user, if he/she is a local one and only ask the password server, if none is found by that name. This way, it would be easiest to implement a small amount of users able to log in with a shell account the rest being samba-only users.

So far, I have found no workaround to this problem, especially, if there is the same username in the active directory domain and local /etc/passwd. In this case, samba gets a real attack of schizophrenia and doesn't know whom to obey - with a result that nobody with such a duplicate username can get a samba mount.

--
ArNO
2

Manfred Odenstein
2004-Mar-08 09:26 UTC
[Samba] How to enable both remote and local users?

take a look in /etc/nsswitch.conf

make an entry like : "passwd: files winbind" should solve your problem

regards odi

On Mon, 08.03.2004 at 10:08, Arno Hahma wrote:
> Is there any way to enable both local (/etc/passwd or smbpasswd) users
> and users authenticated remotely by winbindd?
>
> I have a problem with samba-3.0.2a not recognizing local users at all,
> if winbindd is enabled (and vice versa, of course). However, I'd like
> to have local users take precedence over networked users, i.e. samba
> would let in a user, if he/she is a local one and only ask the
> password server, if none is found by that name. This way, it would be
> easiest to implement a small amount of users able to log in with a
> shell account the rest being samba-only users.
>
> So far, I have found no workaround to this problem, especially, if
> there is the same username in the active directory domain and local
> /etc/passwd. In this case, samba gets a real attack of schizophrenia
> and doesn't know whom to obey - with a result that nobody with such a
> duplicate username can get a samba mount.
>
> --
> ArNO
> 2

On 8. Mar, 2004, at 11:26, Manfred Odenstein wrote:
> take a look in /etc/nsswitch.conf
>
> make an entry like : "passwd: files winbind" should solve your problem

I forgot to mention, that I already have it that way. No, it does not work. My PAM configuration looks like this:

/etc/pam.d/samba:

    #%PAM-1.0
    # pam_smbpass.so authenticates against the smbpasswd file
    auth       required     pam_smbpass.so nodelay
    account    required     /lib/security/pam_stack.so service=system-auth-winbind
    session    required     /lib/security/pam_stack.so service=system-auth-winbind
    password   required     pam_smbpass.so nodelay smbconf=/etc/samba/smb.conf

So, this one tries to search smbpasswd first.

/etc/pam.d/system-auth-winbind:

    #%PAM-1.0
    auth        required      /lib/security/pam_env.so
    auth        sufficient    /lib/security/pam_unix.so likeauth nullok use_first_pass
    auth        sufficient    /lib/security/pam_winbind.so
    auth        required      /lib/security/pam_deny.so
    account     sufficient    /lib/security/pam_unix.so
    account     required      /lib/security/pam_winbind.so
    password    required      /lib/security/pam_cracklib.so retry=3
    password    sufficient    /lib/security/pam_unix.so nullok use_authtok md5 shadow
    password    required      /lib/security/pam_deny.so
    session     required      /lib/security/pam_mkhomedir.so skel=/etc/skel/ umask=0022
    session     required      /lib/security/pam_limits.so
    session     required      /lib/security/pam_unix.so

This one tries to search /etc/passwd, failing that, goes on to winbind. So, _both_ smbpasswd and /etc/passwd should be checked before winbind, but to no avail.

> regards odi

--
ArNO
2
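
Added example, not part of the thread: a simplified Python model of how the classic PAM control flags walk the auth section of system-auth-winbind posted above, showing which modules are consulted for a local account, a domain-only account and an unknown one. The module outcomes are constructed inputs, only `required`, `requisite` and `sufficient` are modelled, and the model covers the PAM stack alone, not Samba's own authentication path.

```python
# Added example: simplified model of PAM's classic control flags.
# AUTH_STACK is the auth section of system-auth-winbind as posted in the thread.
AUTH_STACK = """\
#%PAM-1.0
auth required   /lib/security/pam_env.so
auth sufficient /lib/security/pam_unix.so likeauth nullok use_first_pass
auth sufficient /lib/security/pam_winbind.so
auth required   /lib/security/pam_deny.so
"""

def parse_stack(text, mgmt="auth"):
    """Return [(control, module_file)] for one management group."""
    entries = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()   # drop comments, split columns
        if len(fields) >= 3 and fields[0] == mgmt:
            entries.append((fields[1], fields[2].rsplit("/", 1)[-1]))
    return entries

def evaluate(entries, outcomes):
    """Walk the stack in order; return (granted, modules_consulted)."""
    failed = False          # set once any 'required' module has failed
    consulted = []
    for control, module in entries:
        ok = outcomes[module]
        consulted.append(module)
        if control == "required":
            failed = failed or not ok            # remember failure, keep going
        elif control == "requisite":
            if not ok:
                return False, consulted          # fail immediately
        elif control == "sufficient":
            if ok and not failed:
                return True, consulted           # success ends the stack here
        else:
            raise ValueError("control not modelled: " + control)
    return not failed, consulted

def scenario(unix_ok, winbind_ok):
    """Constructed outcomes: pam_env succeeds, pam_deny always fails."""
    outcomes = {"pam_env.so": True, "pam_unix.so": unix_ok,
                "pam_winbind.so": winbind_ok, "pam_deny.so": False}
    return evaluate(parse_stack(AUTH_STACK), outcomes)

if __name__ == "__main__":
    for label, args in [("local user", (True, False)),
                        ("domain-only user", (False, True)),
                        ("duplicate name", (True, True)),
                        ("unknown user", (False, False))]:
        print(label, scenario(*args))
```

In this model a name that succeeds in pam_unix.so never reaches pam_winbind.so, which is the local-first ordering the stack was written to give.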