I have samba installed on a web server (behind a firewall). It's working fine with all the WINS networking here (eg, password authentication from the NT servers, etc).

I (we) want this web server - a linux redhat 5.x box currently running samba-1.9.18p8 - to have as few actual unix login accounts as possible.

What I want/need to do is to allow LOTS of people in the faculty here "network neighbourhood" read/write access on this machine for the purpose of managing:

(1) their own home web page
(2) unit/subject areas (which more than one person may need to have write access to)
(3) specific subject/unit areas in /home/ftp

I would much rather do this without touching /etc/passwd at all.

So, my question is...

Is it possible to specify user/group IDs and home directories for samba to use for specific (NT-server authenticated) users from the smbpasswd file alone?

Or am I restricted to using /etc/passwd for this sort of management, with disabled unix login password fields and /bin/false as a login shell for these users?

Cheers.
Tony

Tony Nugent <linux@usq.edu.au> <Tony.Nugent@usq.edu.au>
UNIX Systems Officer, Faculty of Science
University of Southern Queensland, Toowoomba Queensland Australia
Juan Carlos Castro y Castro
1998-Sep-23 14:03 UTC
managing users from smbpasswd rather than /etc/passwd
From my experience, Samba needs a login to exist in /etc/passwd in order to be possible to have it in smbpasswd. The Unix password in /etc/passwd (or shadow) is irrelevant, though. You might even make all Samba users un-loginnable, shell-wise (by assigning them bogus passwords).

It should be a simple matter to write administrative shell scripts that create a user both in /etc/passwd and /usr/blahblah/samba/blahblah/smbpasswd, then run the smbpasswd program to assign the proper Samba password.

Hasn't anybody already written a friendly interface for that? I mean, besides the dumb mksmbpasswd.sh, which only knows how to generate a template file from /etc/passwd.

Xeers,

- Juan

Tony Nugent wrote:

> I have samba installed on a web server (behind a firewall). It's working
> fine with all the WINS networking here (eg, password authentication from
> the NT servers, etc).
>
> I (we) want this web server - a linux redhat 5.x box currently running
> samba-1.9.18p8 - to have as few actual unix login accounts as possible.
>
> What I want/need to do is to allow LOTS of people in the faculty here
> "network neighbourhood" read/write access on this machine for the purpose
> of managing:
>
> (1) their own home web page
> (2) unit/subject areas (which more than one person may need to have write
> access to)
> (3) specific subject/unit areas in /home/ftp
>
> I would much rather do this without touching /etc/passwd at all.
>
> So, my question is...
>
> Is it possible to specify user/group IDs and home directories for samba to
> use for specific (NT-server authenticated) users from the smbpasswd file
> alone?
>
> Or am I restricted to using /etc/passwd for this sort of management, with
> disabled unix login password fields and /bin/false as a login shell for
> these users?

--
Juan Carlos Castro y Castro
jcastro@pcshop.com.br
Juan Carlos replied:

> From my experience, Samba needs a login to exist in /etc/passwd in order
> to be possible to have it in smbpasswd.

That's the crux of what I was asking. And the answer that I didn't want to hear :-(

Pity it can't be a (configurable) "either-and-or" situation.

> The Unix password in /etc/passwd (or shadow) is irrelevant, though. You
> might even make all Samba users un-loginnable, shell-wise (by assigning
> them bogus passwords).

Yes, this part is ok, but with around 200-300 new user accounts about to be created - all of who will only have (and need) samba access, managing them from /etc/passwd is a real PITA.

I would much rather manage these people from /etc/smbpasswd (wherever it may live) and leave /etc/passwd alone for managing REAL unix accounts.

I'm not sure if any of the developers are listening (I'm only new to the list), but can this be a suggestion to put into the TODO list?

> Tony Nugent wrote:
> > What I want/need to do is to allow LOTS of people in the faculty here
> > "network neighbourhood" read/write access on this machine for the purpose
> > of managing:
> >
> > (1) their own home web page
> > (2) unit/subject areas (which more than one person may need to have write
> > access to)
> > (3) specific subject/unit areas in /home/ftp
> >
> > I would much rather do this without touching /etc/passwd at all.
> >
> > So, my question is...
> >
> > Is it possible to specify user/group IDs and home directories for samba to
> > use for specific (NT-server authenticated) users from the smbpasswd file
> > alone?
> >
> > Or am I restricted to using /etc/passwd for this sort of management, with
> > disabled unix login password fields and /bin/false as a login shell for
> > these users?

Cheers.
Tony

Tony Nugent <linux@usq.edu.au> <Tony.Nugent@usq.edu.au>
UNIX Systems Officer, Faculty of Science
University of Southern Queensland, Toowoomba Queensland Australia
Tony,

FYI: I have a few hundred smb users by the end of every school year. Since 90% of them are only there for one service (printing), I have created a shell (or was it perl) script to add them to /etc/passwd with the same UID/home/group... it makes controlling the account very easy, and gives smb just what it needs for that user. This setup is great for bulk read-only access and printing with a password.

For those users that need read/write or special privileges, I have real accounts (unique UID/group/home), so I can use unix permissions on the files I'm sharing to them. This is all under solaris using useradd scripted.

Eric Warnke
System Admin - ResNet
University at Albany, NY
eric@snowmoon.com / ericw@albany.edu

>Juan Carlos replied:
>
>> From my experience, Samba needs a login to exist in /etc/passwd in order
>> to be possible to have it in smbpasswd.
>
>That's the crux of what I was asking. And the answer that I didn't want to
>hear :-(
>
>Pity it can't be a (configurable) "either-and-or" situation.
>
Andrej Borsenkow
1998-Sep-24 07:30 UTC
managing users from smbpasswd rather than /etc/passwd
Authentication with server does not require you to have Unix account. If it exists, smbd will run as such user. If not, smbd will run as guest user (defaults to nobody). The same applies to NT domain support in current samba-2 alpha.

Home shares is no problem using standard substitutions. What is *really* tricky, is access control. It is no more possible to manage access rights to single file. The only thing you can do, is to restrict access to share using config file includes/substitutions. This is very tedious - so far there is no access to NT groups (not in samba-2 as well), so you will have to list every user - hardly acceptable.

There are plans to support "userless" samba server with true NT domain security model, I cannot even imagine when it can be released.

Probably your best bet is to use some tool to sync NT users with Unix. There were plenty discussed here; even Microsoft provides some.

/Andrej

> -----Original Message-----
> From: samba@samba.anu.edu.au [mailto:samba@samba.anu.edu.au]On Behalf Of
> Tony Nugent
> Sent: Wednesday, September 23, 1998 6:02 AM
> To: Multiple recipients of list
> Subject: managing users from smbpasswd rather than /etc/passwd
>
>
> I have samba installed on a web server (behind a firewall). It's working
> fine with all the WINS networking here (eg, password authentication from
> the NT servers, etc).
>
> I (we) want this web server - a linux redhat 5.x box currently running
> samba-1.9.18p8 - to have as few actual unix login accounts as possible.
>
> What I want/need to do is to allow LOTS of people in the faculty here
> "network neighbourhood" read/write access on this machine for the purpose
> of managing:
>
> (1) their own home web page
> (2) unit/subject areas (which more than one person may need to have write
> access to)
> (3) specific subject/unit areas in /home/ftp
>
> I would much rather do this without touching /etc/passwd at all.
>
> So, my question is...
>
> Is it possible to specify user/group IDs and home directories for samba to
> use for specific (NT-server authenticated) users from the smbpasswd file
> alone?
>
> Or am I restricted to using /etc/passwd for this sort of management, with
> disabled unix login password fields and /bin/false as a login shell for
> these users?
>
> Cheers.
> Tony
Christian Barth
1998-Sep-24 08:17 UTC
managing users from smbpasswd rather than /etc/passwd
> > From my experience, Samba needs a login to exist in /etc/passwd in order
> > to be possible to have it in smbpasswd.
>
> That's the crux of what I was asking. And the answer that I didn't want to
> hear :-(
>
> Pity it can't be a (configurable) "either-and-or" situation.
>
> > The Unix password in /etc/passwd (or shadow) is irrelevant, though. You
> > might even make all Samba users un-loginnable, shell-wise (by assigning
> > them bogus passwords).
>
> Yes, this part is ok, but with around 200-300 new user accounts about to be
> created - all of who will only have (and need) samba access, managing them
> from /etc/passwd is a real PITA.
>
> I would much rather manage these people from /etc/smbpasswd (wherever it
> may live) and leave /etc/passwd alone for managing REAL unix accounts.
>
> I'm not sure if any of the developers are listening (I'm only new to the
> list), but can this be a suggestion to put into the TODO list?

This problem has been discussed before (maybe about 6 weeks ago, maybe in samba-ntdom). The main points are (as far as I remember, I'm not a developer):

- Unix needs a User-ID to maintain the owners of the files stored in the shares. If you want to have separate owners you need separate User-ID's.
- The unix user-id's are maintained in /etc/passwd
- There has to be a mapping of NT-Rid's to Unix-Uid's. This is quite complex (and as far as I know, good guys are working on it.)
- If you have ../smbpasswd and /etc/passwd on the same system it should not be that much work to write a script/program to maintain them in your individual way.

Christian
On Thu, 24 Sep 1998 samba@samba.anu.edu.au wrote:

Hello,

I have basically the same problem, and would like to know if there is a solution...

> From my experience, Samba needs a login to exist in /etc/passwd in order to be
> possible to have it in smbpasswd. The Unix password in /etc/passwd (or shadow)
> is irrelevant, though. You might even make all Samba users un-loginnable,
> shell-wise (by assigning them bogus passwords).

My Problem is: I'm not allowed to add ANY account to /etc/passwd... (basically nobody around is... we have to request them...)

another Problem is: The guy who administrates the 'Publishing-shares' won't be allowed to fiddle around in any root-owned files, so he/she would have to call somebody to add an account (of a type which is not of any known procedure (it is hard to get a login with a home different from /home/$USER, you can imagine what they would say if I want to have a disabled user, with no password at all AND no home..))

> It should be a simple matter to write administrative shell scripts that create
> a user both in /etc/passwd and /usr/blahblah/samba/blahblah/smbpasswd, then
> run the smbpasswd program to assign the proper Samba password.

The solution I would like to have is: I'm already doing a forceuser to a dummy user in each shareconfig. Authentication for the share would be normal NT-Domain logons and passwords (so I would ask a PDC or BDC if the requesting user is giving the correct password)...

so a solution would be that samba is honouring the user in the ForceUser tag as the 'working' User, combined with configured restrictions for accessing the share in mind. (without trying to find a local User with the same name as the Domain\User)

or it should be possible to have a 'fake' passwd for samba, so it doesn't look into /etc/passwd but into /etc/smbpasswd, shouldn't it?

Regards,
Frank Berger

--
Frank Berger (ASE-WWW)
Hewlett Packard GmbH, Boeblingen, Germany
E-Mail: berger@isoit235.bbn.hp.com
Phone: (49)7031 626 1203, [telnet] 702 1203
Location: Bldg. A1 Lev.4 C2
seen on a white board during a Java conference: if (you.canRead(this)) you.canGet(new job(!problem));
[...]

> > So, my question is...
> >
> > Is it possible to specify user/group IDs and home directories for samba to
> > use for specific (NT-server authenticated) users from the smbpasswd file
> > alone?
> >
> > Or am I restricted to using /etc/passwd for this sort of management, with
> > disabled unix login password fields and /bin/false as a login shell for
> > these users?

[...]

Thanks Eric, Andrej and Christian for your replies.

I'm starting to get a pretty good idea of the implications and potential problems of what I was hoping to be able to do.

It seems that there is no real practical alternative - without changing some of the basics of how unix works - to using the /etc/passwd file for managing user/group access, even for non-login "samba" accounts.

I need to write a series of perl scripts to generate staff lists for web pages anyway (eg, generating html-ised phone lists etc), so it is looking very likely now that I'll also be extending these scripts to managing (and doing sanity checks) of /etc/passwd, /etc/smbpasswd and user home directories and home pages.

Hmmm....

Now, there are a couple of other (minor) problems that I'm having with things like defining the location of shares, but I'll leave this for another message...

Thanks again.

Cheers
Tony
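
The sanity check between /etc/passwd and smbpasswd that the message above plans, sketched as an added example (not code from any poster or from the Samba project). It assumes each smbpasswd line starts with `name:uid:`, that Samba-only accounts share a hypothetical GID 500, and it runs on constructed sample data.

```python
"""Cross-check /etc/passwd against smbpasswd for Samba-only accounts."""

NOLOGIN_SHELLS = {"/bin/false", "/sbin/nologin"}
SAMBA_ONLY_GID = "500"  # hypothetical GID shared by all Samba-only accounts
H = "X" * 32            # constructed placeholder for a password-hash field

# Constructed sample data, not taken from any real system.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:*:1001:500:Alice:/home/httpd/alice:/bin/false
bob:*:1002:500:Bob:/home/httpd/bob:/bin/bash
carol::1003:500:Carol:/home/httpd/carol:/bin/false
dave:*:1004:500:Dave:/home/httpd/dave:/bin/false
"""
SAMPLE_SMBPASSWD = "".join(
    f"{name}:{uid}:{H}:{H}:{name}:/home/httpd/{name}:/bin/false\n"
    for name, uid in [("alice", 1001), ("bob", 1002), ("carol", 1030), ("erin", 1005)]
)


def parse_colon_file(text):
    """Return {name: fields} for a colon-separated account file."""
    entries = {}
    for line in text.splitlines():
        fields = line.strip().split(":")
        if fields[0] and not fields[0].startswith("#"):
            entries[fields[0]] = fields
    return entries


def audit(passwd_text, smbpasswd_text, samba_gid=SAMBA_ONLY_GID):
    """Return a sorted list of (account, problem) tuples."""
    unix = parse_colon_file(passwd_text)
    smb = parse_colon_file(smbpasswd_text)
    findings = []
    for name, fields in smb.items():
        if name not in unix:
            findings.append((name, "in smbpasswd but not in /etc/passwd"))
        elif fields[1:2] != unix[name][2:3]:  # slices tolerate short lines
            findings.append((name, "UID differs between the two files"))
    for name, fields in unix.items():
        if len(fields) < 7 or fields[3] != samba_gid:
            continue  # malformed line, or a real Unix account: not audited
        if fields[6] not in NOLOGIN_SHELLS:
            findings.append((name, "Samba-only account has login shell " + fields[6]))
        if fields[1] == "":
            findings.append((name, "empty Unix password field"))
        if name not in smb:
            findings.append((name, "Samba-only account missing from smbpasswd"))
    return sorted(findings)


if __name__ == "__main__":
    for account, problem in audit(SAMPLE_PASSWD, SAMPLE_SMBPASSWD):
        print(f"{account}: {problem}")
```

A password field of `x` means the hash lives in the shadow file, which this check does not read.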
David Collier-Brown
1998-Sep-25 12:00 UTC
managing users from smbpasswd rather than /etc/passwd
You said:

| with around 200-300 new user accounts about to be
| created - all of who will only have (and need) samba access, managing them
| from /etc/passwd is a real PITA.
|
| I would much rather manage these people from /etc/smbpasswd (wherever it
| may live) and leave /etc/passwd alone for managing REAL unix accounts.
|
| I'm not sure if any of the developers are listening (I'm only new to the
| list), but can this be a suggestion to put into the TODO list?

Something of the sort has been discussed in the -tech list, and there is a full-fledged api in the works. Whether or not the behavior will change in the short run is not obvious.

Right now, Samba is a ``good unix citizen'', and quietly uses all the standard unix mechanisms for getting services. A few things have to be done specially (MS-format encryption, notably), but in general, Samba just adds to Unix: it hardly ever takes away.

I'll argue **strongly** that this is a good thing: it's quite complex enough. I'd hate to have to remember what special deals it makes in order to analyze its behavior (i.e., debug its configuration).

--dave
--
David Collier-Brown,  | Cherish your enemies. They're harder to
185 Ellerslie Ave.,   | come by than friends and more motivated.
Willowdale, Ontario   | davecb@canada.sun.com, hobbes.ss.org
N2M 1Y3. 416-223-8968 | http://java.science.yorku.ca/~davecb
Christian Barth
1998-Sep-25 14:37 UTC
managing users from smbpasswd rather than /etc/passwd
> Right now, Samba is a ``good unix citizen'', and quietly uses
> all the standard unix mechanisms for getting services. A few
> things have to be done specially (MS-format encryption, notably),
> but in general, Samba just adds to Unix: it hardly ever takes away.
>
> I'll argue **strongly** that this is a good thing: it's quite
> complex enough. I'd hate to have to remember what special deals
> it makes in order to analyze its behavior (i.e., debug its
> configuration).

That's my opinion!!

Christian