On 09-07-2015 14:05 Rowland Penny wrote:
>
> You can have users in /etc/passwd or AD, you cannot have the same user
> in both, or anywhere else. A local user cannot connect to anything but
> local directories and then only if they have the required permissions
> set.
>
> Rowland

Uhm, I think there is a misunderstanding here, possibly due to my bad English.

1) I 100% agree that local users are, well, local users. So the domain does not know anything about those users (how could it?)

2) I 100% agree that domain users are _remote_ users, that don't need to exist on the local machine.

3) What I am wondering is if, domain taken aside, I can create a local user _only inside the tdbsam database_, without touching the /etc/passwd file at all. Basically, I would like to have "samba-private" users, without messing with the real Linux users. I understand that this poses permission problems - after all, samba runs with the user's credentials. However, I wonder if something like winbind can solve these issues.

To put it as a graph, it would be nice if, issuing a "getent user" command, the system:
- using the nsswitch, asks winbind (or something similar) to find the user;
- winbind (or the likes) searches the tdbsam database and returns UID/GID values (similar to how domain users work)
- files/ACLs can then be matched against the winbind (or the likes) assigned UID/GID, even without a real backing Unix user.

Sorry if it seems a strange question, I'm only trying to understand here.
Regards.

--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
On 09/07/15 20:48, Gionatan Danti wrote:
> On 09-07-2015 14:05 Rowland Penny wrote:
>>
>> You can have users in /etc/passwd or AD, you cannot have the same user
>> in both, or anywhere else. A local user cannot connect to anything but
>> local directories and then only if they have the required permissions
>> set.
>>
>> Rowland
>
> Uhm, I think there is a misunderstanding here, possibly due to my bad
> English.
>
> 1) I 100% agree that local users are, well, local users. So the domain
> does not know anything about those users (how could it?)
>
> 2) I 100% agree that domain users are _remote_ users, that don't need
> to exist on the local machine.
>
> 3) What I am wondering is if, domain taken aside, I can create a local
> user _only inside the tdbsam database_, without touching the
> /etc/passwd file at all. Basically, I would like to have
> "samba-private" users, without messing with the real Linux users. I
> understand that this poses permission problems - after all, samba
> runs with the user's credentials. However, I wonder if something like
> winbind can solve these issues.
>
> To put it as a graph, it would be nice if, issuing a "getent user"
> command, the system:
> - using the nsswitch, asks winbind (or something similar) to find the
> user;
> - winbind (or the likes) searches the tdbsam database and returns
> UID/GID values (similar to how domain users work)
> - files/ACLs can then be matched against the winbind (or the likes)
> assigned UID/GID, even without a real backing Unix user.
>
> Sorry if it seems a strange question, I'm only trying to understand here.
> Regards.
>

No misunderstanding on my part, but a very big one on *your* part.

I will say it again but in slightly different words: there are no 'remote' users, there are local Unix users and there are domain users, local users can only connect to directories and files on the local computer. Domain users can connect to directories and files on any domain computer that is set up with the correct permissions.

So:

There are local users
There are active directory domain users
These cannot be the same users
There is nowhere else to store user info except in either /etc/passwd (which makes them local users) or in AD (which makes them active directory domain users).

Rowland
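Added example (not part of the thread, and not Samba's own tooling): since a tdbsam entry must always be backed by a Unix account, one practical consequence for an administrator is auditing that the two stay in sync. The script below takes a saved `pdbedit -L` listing (assumed format `user:uid:Full Name`) and a saved `getent passwd` listing, and prints the Samba accounts whose Unix user is missing, which is the situation that typically shows up as login or permission failures. The sample listings are constructed for the example; on a real host you would feed the live command output instead.

```shell
#!/bin/sh
# Added example: find tdbsam accounts with no backing Unix user.
#
# orphaned_samba_accounts PDB_LISTING PASSWD_LISTING
#   PDB_LISTING    : saved output of `pdbedit -L`   (user:uid:Full Name)
#   PASSWD_LISTING : saved output of `getent passwd` (name:x:uid:gid:gecos:home:shell)
# Prints one account name per line for every tdbsam entry whose name does
# not appear in the passwd listing.
orphaned_samba_accounts() {
    pdb="$1"
    pw="$2"
    cut -d: -f1 "$pdb" | sort -u | while IFS= read -r name; do
        # -x: whole-line match, so "bob" does not match "bobby"
        if ! cut -d: -f1 "$pw" | grep -qx -- "$name"; then
            printf '%s\n' "$name"
        fi
    done
}

# Constructed sample data standing in for the live command output.
# The uid column of the orphaned entry is illustrative only.
SAMPLE_PDB=$(mktemp)
SAMPLE_PW=$(mktemp)
cat > "$SAMPLE_PDB" <<'EOF'
alice:1001:Alice Example
bob:1002:Bob Example
ghost:1003:Entry whose Unix account was deleted
EOF
cat > "$SAMPLE_PW" <<'EOF'
root:x:0:0:root:/root:/bin/bash
alice:x:1001:1001:Alice Example:/home/alice:/bin/bash
bob:x:1002:1002:Bob Example:/home/bob:/bin/bash
EOF

# On a Samba host (bash):  orphaned_samba_accounts <(pdbedit -L) <(getent passwd)
# With plain sh, save both listings to files first, then pass the file names.
orphaned_samba_accounts "$SAMPLE_PDB" "$SAMPLE_PW"
```

Running it against the constructed data prints only `ghost`; `alice` and `bob` have matching entries in both listings and are silent. A non-empty result is worth investigating, because a Samba account without a Unix identity cannot be mapped to file ownership or ACLs.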
On 09-07-2015 22:01 Rowland Penny wrote:
> I will say it again but in slightly different words: there are no
> 'remote' users, there are local Unix users and there are domain users,
> local users can only connect to directories and files on the local
> computer. Domain users can connect to directories and files on any
> domain computer that is set up with the correct permissions.

Let's forget about the domain part. I included it trying to better explain my thought, but let's forget about it for the moment.

> So:
> There are local users

OK

> There are active directory domain users

OK

> These cannot be the same users

OK

> There is nowhere else to store user info except in either /etc/passwd
> (which makes them local users) or in AD (which makes them active
> directory domain users).

This is the one that leaves me a bit perplexed. The tdbsam-backed account can store _any_ required information (eg: username, password, full name, etc). After all, using pdbedit we can see (and edit) all of them. So I imagined that perhaps it was possible to store users directly inside the tdb database, and nothing more.

Well, it seems I was wrong ;)

Thank you all.

--
Danti Gionatan
Technical Support
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8