Hello all. I just joined the list, because I am interested in NUA features of Samba3. I got the MySQL passdb backend working, but it still requires a Unix system account. I need to use fully virtualized user accounts.

Re: the release of Samba3 and NUA capabilities I have found this:

<snip>
In the development of Samba-3, a number of requests were received to provide the ability to migrate MS Windows NT4 SAM accounts to Samba-3 without the need to provide matching UNIX/Linux accounts. We called this the Non-UNIX Accounts (NUA) capability. The intent was that an administrator could decide to use the tdbsam backend and by simply specifying passdb backend = tdbsam_nua, this would allow Samba-3 to implement a solution that did not use UNIX accounts per se.

Late in the development cycle, the team doing this work hit upon some obstacles that prevented this solution from being used. Given the delays with the Samba-3 release, a decision was made to not deliver this functionality until a better method of recognizing NT Group SIDs from NT User SIDs could be found. This feature may return during the life cycle for the Samba-3 series.
</snip>

Can anyone tell me what sort of progress has been made in the NUA areas? Specifically I want something like "passdb backend = mysql_nua". Does anyone know if something like this is in the works or is currently in existence?

Thanks,
Joel
> Re: the release of Samba3 and NUA capabilities I have found this:
>
> <snip>
> [...]
> Late in the development cycle, the team doing this work hit upon some
> obstacles that prevented this solution from being used.
> </snip>
>
> Can anyone tell me what sort of progress has been made in the NUA areas?
> Specifically I want something like "passdb backend = mysql_nua".

I would imagine the passwords would be the least of the problems. I don't know of any way you could completely do away with "user accounts", or at least entries in /etc/passwd, given that most UNIX systems look up passwd/NIS for UID/GID on file ownerships and whatnot.

You might have all "locked" passwords in /etc/shadow [or equiv], with authentication for samba being all SQL driven, but at the end of the day the smbd needs some EUID/EGIDs for the file permissions stuff. I imagine there's quite a bit of funk to get through.

=MB=
Joel Holder wrote:
> Can anyone tell me what sort of progress has been
> made in the NUA areas?

This feature/experiment was removed before 3.0.0 was released and is no longer supported.

cheers, jerry
----------------------------------------------------------------------
Hewlett-Packard            ------------------------- http://www.hp.com
SAMBA Team                 ---------------------- http://www.samba.org
GnuPG Key                  ---- http://www.plainjoe.org/gpg_public.asc
"If we're adding to the noise, turn off this song" --Switchfoot (2003)
How sad. It's a great idea. Having virtual user/machine accounts would open up a lot of neat possibilities. Any plans for future attempts? Is it possible? I suppose LDAP will have to do for our purposes.

Thanks for your replies. If anyone else knows of any other ways to accomplish having smb users without the need for /etc/passwd entries, I am interested.

Gratzi,
Joel
--
Network Logistic, Inc. http://www.networklogistic.com
Chameleon Appliance http://www.chameleonappliance.com/home.html
pub 1024D/13B1A500 2003-08-06 Joel Holder (Developer, Chameleon Appliance) <jholder@networklogistic.com>
Key Found at http://www.keyserver.net

-----Original Message-----
From: Gerald (Jerry) Carter [mailto:jerry@samba.org]
Sent: Monday, April 12, 2004 9:52 PM
To: Joel Holder
Cc: samba@lists.samba.org
Subject: Re: [Samba] NUA + MYSQL?

Joel Holder wrote:
> Can anyone tell me what sort of progress has been
> made in the NUA areas?

This feature/experiment was removed before 3.0.0 was released and is no longer supported.

cheers, jerry
That's true. However, using it purely as an authentication db for other services might work, because our users get /sbin/nologin as their shell and are chrooted to distinct home dirs for ftp, etc.

Does anyone know if it is possible to use ldapsam with /etc/passwd entries if you are also using ldap for posixaccount lookups?

-----Original Message-----
From: samba-bounces+jholder=networklogistic.com@lists.samba.org [mailto:samba-bounces+jholder=networklogistic.com@lists.samba.org] On Behalf Of Malcolm Baldridge
Sent: Tuesday, April 13, 2004 5:16 PM
To: samba mailing list
Subject: Re: Re[2]: [Samba] NUA + MYSQL?

> why don't you map your users to the nobody or guest account ??
> (is this possible ??)

Sure, but you can kiss away all pretenses of file security between "users".

> so all users are guests...
> dunno how to do it, but would be a nice work around..

It's easy. But very unwise. I highly doubt the original poster wants all of his users to have the same security contexts with respect to file ownership/access.

=MB

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
I am a tard. The question below was supposed to be:

Does anyone know if it is possible to use ldapsam WITHOUT /etc/passwd entries if you are also using ldap for posixaccount lookups?

-----Original Message-----
From: samba-bounces+jholder=networklogistic.com@lists.samba.org [mailto:samba-bounces+jholder=networklogistic.com@lists.samba.org] On Behalf Of Joel Holder
Sent: Wednesday, April 14, 2004 12:39 AM
To: Malcolm Baldridge; samba mailing list
Subject: RE: Re[2]: [Samba] NUA + MYSQL?

That's true. However, using it purely as an authentication db for other services might work, because our users get /sbin/nologin as their shell and are chrooted to distinct home dirs for ftp, etc.

Does anyone know if it is possible to use ldapsam with /etc/passwd entries if you are also using ldap for posixaccount lookups?
Joel Holder wrote:
> I am a tard. The question below was supposed to be:
>
> Does anyone know if it is possible to use ldapsam WITHOUT /etc/passwd
> entries if you are also using ldap for posixaccount lookups?

Yes, it is the way it is intended to function. LDAP is good at gluing together different kinds (objectclasses) of objects' attributes (same). So an account not in /etc/passwd would have the person, posixAccount, and sambaSamAccount objectclasses and mandatory attributes associated to it.

Regards,
Jérôme
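As an added illustration of the objectclass combination described in the reply above (this is not code from the thread or from the Samba project): a small checker that parses a constructed LDIF entry and verifies that each claimed objectclass carries its mandatory (MUST) attributes, so that one LDAP object can serve both the POSIX lookup side (nss_ldap, answering Malcolm's point that smbd still needs a UID/GID) and Samba's ldapsam backend, with no /etc/passwd line. The MUST lists come from RFC 2256 (person), RFC 2307 (posixAccount) and samba.schema (sambaSamAccount); the DN, SID, uid/gid numbers, home directory and domain in the sample entry are made up. It also flags a loginShell other than /sbin/nologin or /bin/false, since an account that exists only for file services should not also be an interactive login, as Joel notes about his own setup.

```python
# Added example, not from the thread: validate a constructed LDIF entry for
# person + posixAccount + sambaSamAccount, the objectclass mix an ldapsam
# account without an /etc/passwd entry needs. MUST lists follow RFC 2256,
# RFC 2307 and samba.schema; all sample values below are constructed.

from typing import Dict, List

# MUST attributes per objectclass (inherited 'top' omitted). Names are
# lower-cased because LDAP attribute names are case-insensitive.
MUST: Dict[str, List[str]] = {
    "person": ["sn", "cn"],
    "posixaccount": ["cn", "uid", "uidnumber", "gidnumber", "homedirectory"],
    "sambasamaccount": ["uid", "sambasid"],
}

# Constructed sample entry (DN, SID, numbers and domain are placeholders).
SAMPLE_LDIF = """\
dn: uid=jdoe,ou=People,dc=example,dc=com
objectClass: top
objectClass: person
objectClass: posixAccount
objectClass: sambaSamAccount
cn: Jane Doe
sn: Doe
uid: jdoe
uidNumber: 10001
gidNumber: 10001
homeDirectory: /srv/ftp/jdoe
loginShell: /sbin/nologin
sambaSID: S-1-5-21-1111111111-2222222222-3333333333-21002
sambaAcctFlags: [U          ]
"""


def parse_ldif_entry(text: str) -> Dict[str, List[str]]:
    """Parse one plain LDIF entry (no base64 or continuation lines) into
    a lower-cased attribute -> list-of-values mapping; 'dn' is kept too."""
    entry: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        name, _, value = line.partition(":")
        entry.setdefault(name.strip().lower(), []).append(value.strip())
    return entry


def missing_attributes(entry: Dict[str, List[str]]) -> Dict[str, List[str]]:
    """Return {objectclass: [missing MUST attributes]} for the classes the
    entry claims; classes not in MUST (e.g. top) are skipped."""
    missing: Dict[str, List[str]] = {}
    for oc in (c.lower() for c in entry.get("objectclass", [])):
        gaps = [a for a in MUST.get(oc, []) if a not in entry]
        if gaps:
            missing[oc] = gaps
    return missing


def check_virtual_account(entry: Dict[str, List[str]]) -> List[str]:
    """Findings for an account meant to live only in LDAP:
    - every claimed objectclass has its MUST attributes,
    - both posixAccount (nss side) and sambaSamAccount (ldapsam side) exist,
    - the POSIX side grants no interactive login.
    An empty list means the entry passes."""
    findings: List[str] = []
    classes = {c.lower() for c in entry.get("objectclass", [])}
    for oc, gaps in missing_attributes(entry).items():
        findings.append(f"{oc}: missing MUST attribute(s) {', '.join(gaps)}")
    for needed in ("posixaccount", "sambasamaccount"):
        if needed not in classes:
            findings.append(f"objectClass {needed} not present")
    shell = entry.get("loginshell", [""])[0]
    if shell not in ("/sbin/nologin", "/bin/false"):
        findings.append(f"loginShell {shell!r} allows interactive login")
    return findings


if __name__ == "__main__":
    sample = parse_ldif_entry(SAMPLE_LDIF)
    print(check_virtual_account(sample) or "OK")
```

The same checker can be run over an `ldapsearch -LLL` dump of a whole People container, one entry at a time, to find accounts that nss_ldap will resolve but ldapsam will reject (missing sambaSID) or that have quietly acquired a real shell.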