On 09/07/15 12:25, Reindl Harald wrote:
>> In short: while my samba server is connected to the AD domain, I would
>> also like to have some local (non domain) user for other tasks.
>>
>> It is my understanding that for a local samba user I _need_ to create
>> the relative unix user (using useradd) and then use the samba-provided
>> tool smbpasswd. I simply wonder if it is possible to create local users
>> using _only_ smbpasswd (or equivalent), without messing with the real
>> local unix user table stored in "/etc/passwd" (hence the word "virtual")
>
> the smbd process is running as your user for security and permissions
> as which user should it run without a unix user
> root?
>

Hi,
I perfectly understand your reasons.

My question stems from the fact that, while connected to an AD domain, samba (or better, winbind) is impersonating remote users without problems. This is done using the "winbind" keyword in /etc/nsswitch.conf

So, I wonder if winbind is capable of doing something similar with tdbsam users, impersonating them _without_ a local entry in /etc/passwd. Basically, what I want is to tell samba/winbind "do the same thing you are doing for AD, but using tdbsam as backend".

While I suspected that it is not possible, I would like a direct confirmation from the list...

Thanks.

--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
On 09/07/15 12:19, Gionatan Danti wrote:
>
> On 09/07/15 12:25, Reindl Harald wrote:
>>> In short: while my samba server is connected to the AD domain, I would
>>> also like to have some local (non domain) user for other tasks.
>>>
>>> It is my understanding that for a local samba user I _need_ to create
>>> the relative unix user (using useradd) and then use the samba-provided
>>> tool smbpasswd. I simply wonder if it is possible to create local users
>>> using _only_ smbpasswd (or equivalent), without messing with the real
>>> local unix user table stored in "/etc/passwd" (hence the word
>>> "virtual")
>>
>> the smbd process is running as your user for security and permissions
>> as which user should it run without a unix user
>> root?
>>
>
> Hi,
> I perfectly understand your reasons.
>
> My question stems from the fact that, while connected to an AD domain,
> samba (or better, winbind) is impersonating remote users without
> problems. This is done using the "winbind" keyword in /etc/nsswitch.conf

What you have to understand is that, when a machine is part of a domain, you can have local users that authenticate via /etc/passwd, but these local users are unknown to the domain. You also have domain users that can be made known to the local system.

>
> So, I wonder if winbind is capable of doing something similar with
> tdbsam users, impersonating them _without_ a local entry in
> /etc/passwd. Basically, what I want is to tell samba/winbind "do the
> same thing you are doing for AD, but using tdbsam as backend".

You can have users in /etc/passwd or AD, you cannot have the same user in both, or anywhere else. A local user cannot connect to anything but local directories and then only if they have the required permissions set.

Rowland

>
>
> While I suspected that it is not possible, I would like a direct
> confirmation from the list...
>
> Thanks.
>
Well put, Rowland!

Regards
Davor

--
Sent from my mobile!

----- Original message -----
From: "Rowland Penny" <rowlandpenny241155 at gmail.com>
Sent: 2015-07-09 14:07
To: "samba at lists.samba.org" <samba at lists.samba.org>
Subject: Re: [Samba] Samba local user without /etc/passwd

[Rowland's message of 09/07/15 14:05 quoted in full; see above.]
On 09-07-2015 14:05 Rowland Penny wrote:
>
> You can have users in /etc/passwd or AD, you cannot have the same user
> in both, or anywhere else. A local user cannot connect to anything but
> local directories and then only if they have the required permissions
> set.
>
> Rowland

Uhm, I think there is a misunderstanding here, possibly due to my bad English.

1) I 100% agree that local users are, well, local users. So the domain does not know anything about those users (how could it?)

2) I 100% agree that domain users are _remote_ users, that don't need to exist on the local machine.

3) What I am wondering is if, domain aside, I can create a local user _only inside the tdbsam database_, without touching the /etc/passwd file at all. Basically, I would like to have "samba-private" users, without messing with the real Linux users.

I understand that this poses a permission problem - after all, samba runs with the user's credentials. However, I wonder if something like winbind can solve these issues.

To show it as a flow, it would be nice if, issuing a "getent user" command, the system:
- using the nsswitch, asks winbind (or something similar) to find the user;
- winbind (or the likes) searches the tdbsam database and returns UID/GID values (similar to how domain users work)
- files/ACL can then be matched against the winbind (or the likes) assigned UID/GID, even without a real backing Unix user.

Sorry if it seems a strange question, I'm only trying to understand here.

Regards.

--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
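The thread's point is that a tdbsam account is only usable when a Unix account with the same name resolves through nsswitch. As an added example (not code from the thread or from the Samba project), the script below audits that relationship: it lists tdbsam users with no passwd-database entry and reports whether nsswitch routes passwd lookups through winbind. It assumes `pdbedit -L` prints `user:uid:fullname` lines and `getent passwd` prints passwd(5) lines; both inputs are constructed inline so it runs offline.

```shell
#!/bin/sh
# Added example, not from the thread. Cross-check Samba's tdbsam user list
# against the system passwd database (files + whatever nsswitch adds).

# Constructed sample of `pdbedit -L` output (assumed "user:uid:fullname").
SAMPLE_PDB='alice:1001:Alice Local
backupsvc:1002:Backup account
bob:1003:Bob Local'

# Constructed sample of `getent passwd`: alice and bob exist, backupsvc does not.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Local:/home/alice:/bin/sh
bob:x:1003:1003:Bob Local:/home/bob:/bin/sh'

# Constructed sample of /etc/nsswitch.conf with winbind on the passwd line.
SAMPLE_NSSWITCH='passwd:     files winbind
group:      files winbind
shadow:     files'

# Print every tdbsam user that has no passwd entry, one per line.
# $1 = pdbedit -L text, $2 = getent passwd text.
orphaned_tdbsam_users() {
    printf '%s\n' "$1" | cut -d: -f1 | while IFS= read -r user; do
        [ -n "$user" ] || continue
        # smbd cannot switch to a user that nsswitch cannot resolve.
        if ! printf '%s\n' "$2" | grep -q "^${user}:"; then
            printf '%s\n' "$user"
        fi
    done
}

# Print "yes" if the passwd line of nsswitch.conf lists winbind, else "no".
# $1 = nsswitch.conf text.
nsswitch_uses_winbind() {
    if printf '%s\n' "$1" | grep -Eq '^[[:space:]]*passwd:.*[[:space:]]winbind([[:space:]]|$)'; then
        echo yes
    else
        echo no
    fi
}

# In production replace the samples with "$(pdbedit -L)", "$(getent passwd)"
# and "$(cat /etc/nsswitch.conf)"; note that enumerating domain users via
# getent requires "winbind enum users = yes" in smb.conf.
orphaned_tdbsam_users "$SAMPLE_PDB" "$SAMPLE_PASSWD"
nsswitch_uses_winbind "$SAMPLE_NSSWITCH"
```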