Greetings everyone,

I have a question about the smbpasswd encrypted database and /etc/passwd -- why does the passdb backend require an entry in /etc/passwd? Is it possible to create samba encrypted users without a /etc/passwd entry?

I have a samba PDC setup that is mainly just a login server, then a separate server for $HOME's. I have all of my PAM configs set up to remotely authenticate to another server with 8000+ users, then pam_smbpass migrates passwords to the PDC. The HOME server automatically creates $HOME directories, and uses winbind for UID mappings against my PDC.

The problem is the password migration in smbpass won't work without an /etc/passwd entry, and I don't want to potentially have to add 8000 users from a constantly changing database.

Is there any workaround for this?

I've noticed in the source that the check for this is done in passdb/passdb.c approx line 947:

    if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass, user_name, 0)))

But this is in the function local_password_change() -- if this is modifying the smbpasswd database, why would it need to check /etc/passwd? Is this just a sanity check, or do I have my samba configs incorrect?

Call me naive, but could I just comment out this section of code and see what happens?

Thanks for any help in advance,

--Cal Heldenbrand
On Tue, 2004-07-27 at 15:21, Cal Heldenbrand wrote:

> Greetings everyone,
>
> I have a question about the smbpasswd encrypted
> database and /etc/passwd -- why does the passdb
> backend require an entry in /etc/passwd? Is it
> possible to create samba encrypted users without a
> /etc/passwd entry?

--- winbind can handle this chore for you...but normally, if you are using security = user, no ---

> I have a samba PDC setup that is mainly just a login
> server, then a separate server for $HOME's. I have
> all of my PAM configs setup to remotely authenticate
> to another server with 8000+ users, then pam_smbpass
> migrates passwords to the PDC. The HOME server
> automatically creates $HOME directories, and uses
> winbind for UID mappings against my PDC.
>
> The problem is the password migration in smbpass won't
> work without an /etc/passwd entry, and I don't want to
> potentially have to add 8000 users from a constantly
> changing database.
>
> Is there any workaround for this?

--- try googling pam_mkhomedir - it can create the home directory on the fly. ---

> I've noticed in the source that the check for this is
> done in passdb/passdb.c approx line 947
>
> if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass,
> user_name, 0)))
>
> But this is in the function local_password_change() --
> If this is modifying the smbpasswd database, why would
> it need to check /etc/passwd? Is this just a sanity
> check, or do I have my samba configs incorrect?
>
> Call me naive, but could I just comment out this
> section of code and see what happens?

--- I can't comment on the intentions of the samba authors as to the reasons that they have required the samba user to be a local unix user. I would venture to guess that a search of the samba archives would give you a lot of history on that.

Craig
On Tue, Jul 27, 2004 at 03:21:03PM -0700, Cal Heldenbrand wrote:

> Greetings everyone,
>
> I have a question about the smbpasswd encrypted
> database and /etc/passwd -- why does the passdb
> backend require an entry in /etc/passwd? Is it
> possible to create samba encrypted users without a
> /etc/passwd entry?

Because Samba uses POSIX accounts to control ownership and permissions on files.

Jeremy.
Apologies if this has already been answered, but I'd like to share my understanding, in too many words.

The reason that the user must exist in a user database (such as /etc/passwd) accessible to the underlying system (such as Linux) is that in order to read and set permissions on the files, Linux -- and any other file sharing protocols, such as SMB, AppleTalk, XFS, NFS, NDS, etc. -- must know the user's login ID. Because the permissions are set in the filesystem, not in an abstract access control list by the second-level software (such as Samba), the user must be identifiable to any software which may request access. Therefore, it is up to the kernel to control this access, and it needs to have a way to verify that the user is indeed a valid user.

With Samba, traditionally there have been two user databases: the Samba password database (smbpasswd) which Samba uses for authentication, and the unix password database (/etc/passwd and its brothers, /etc/shadow and /etc/group). The reason that Samba can't use /etc/passwd is because /etc/passwd has no facility for storing SIDs and GIDs. This however does not prevent the unix kernel from using an authentication facility that does store this information.

It is very possible now to configure both Samba and unix to authenticate against the same LDAP directory server, along with your mail server, your secure web server, your virtual private network, your building security system, your telephone, and your photocopier, achieving the holy grail of "single sign-on." I will leave the implementation of this as an exercise for the reader.

--Jon Johnson
Sutinen Consulting, Inc.
jon@sutinen.com
(360) 270-9317 cell

On Tue, 27 Jul 2004, Cal Heldenbrand wrote:

> Greetings everyone,
>
> I have a question about the smbpasswd encrypted
> database and /etc/passwd -- why does the passdb
> backend require an entry in /etc/passwd? Is it
> possible to create samba encrypted users without a
> /etc/passwd entry?
>
> I have a samba PDC setup that is mainly just a login
> server, then a separate server for $HOME's. I have
> all of my PAM configs setup to remotely authenticate
> to another server with 8000+ users, then pam_smbpass
> migrates passwords to the PDC. The HOME server
> automatically creates $HOME directories, and uses
> winbind for UID mappings against my PDC.
>
> The problem is the password migration in smbpass won't
> work without an /etc/passwd entry, and I don't want to
> potentially have to add 8000 users from a constantly
> changing database.
>
> Is there any workaround for this?
>
> I've noticed in the source that the check for this is
> done in passdb/passdb.c approx line 947
>
> if (!NT_STATUS_IS_OK(pdb_init_sam_new(&sam_pass,
> user_name, 0)))
>
> But this is in the function local_password_change() --
> If this is modifying the smbpasswd database, why would
> it need to check /etc/passwd? Is this just a sanity
> check, or do I have my samba configs incorrect?
>
> Call me naive, but could I just comment out this
> section of code and see what happens?
>
> Thanks for any help in advance,
>
> --Cal Heldenbrand
>
> --
> To unsubscribe from this list go to the following URL and read the
> instructions: http://lists.samba.org/mailman/listinfo/samba
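The point Jeremy and Jon make above, that ownership on disk is a numeric uid/gid and the name has to resolve through the system's user database, can be seen directly from Python's pwd/grp/stat modules. The following is an added example for this thread, not Samba code and not from any of the posters: the getpwnam() lookup stands in for the precondition behind the pdb_init_sam_new() check Cal quoted, and it succeeds for any source listed in nsswitch.conf (files, LDAP, winbind), so a literal /etc/passwd line is not the only way to satisfy it. The second username is a constructed name that no account database is expected to know.

```python
"""Why Samba wants a resolvable POSIX account.

Ownership in the filesystem is a numeric uid/gid; every translation
between a login name and that number goes through the system user
database (NSS), whether backed by /etc/passwd, LDAP or winbind.
Added example for this thread; it is not Samba code and does not call
Samba. The getpwnam() lookup approximates the precondition behind the
pdb_init_sam_new() check quoted in the thread.
"""
import grp
import os
import pwd
import stat
import tempfile
from typing import Optional


def resolve_posix_account(username: str) -> Optional[pwd.struct_passwd]:
    """Look the name up through NSS (getpwnam). Returns None when no
    configured source (files, ldap, winbind, ...) knows the user."""
    try:
        return pwd.getpwnam(username)
    except KeyError:
        return None


def can_add_samba_user(username: str) -> bool:
    """Mirror of the sanity check in the thread: only a name that resolves
    to a uid can be given a Samba account, because the files that user
    will create or access are owned by a uid, never by a name."""
    return resolve_posix_account(username) is not None


def describe_owner(path: str) -> dict:
    """Show that the filesystem stores only numbers. The owner and group
    names are recovered by a reverse NSS lookup, which is reported as
    None when no configured source can name that uid/gid (the situation
    a domain user is in on a box without winbind in nsswitch.conf)."""
    st = os.stat(path)
    try:
        owner = pwd.getpwuid(st.st_uid).pw_name
    except KeyError:
        owner = None
    try:
        group = grp.getgrgid(st.st_gid).gr_name
    except KeyError:
        group = None
    return {
        "uid": st.st_uid,
        "gid": st.st_gid,
        "owner": owner,
        "group": group,
        "mode": stat.filemode(st.st_mode),
    }


def demo() -> dict:
    """Create a temporary file as the current process and inspect it."""
    with tempfile.NamedTemporaryFile(delete=False) as f:
        path = f.name
    try:
        return describe_owner(path)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    # "root" resolves on any POSIX system; the second name is a
    # constructed example of a user that no NSS source knows about.
    for name in ("root", "no-such-samba-user-example"):
        status = "ok" if can_add_samba_user(name) else "no POSIX account"
        print(f"{name}: {status}")
    print(demo())
```

Running it on a host where winbind is configured in nsswitch.conf makes `can_add_samba_user("DOMAIN\\user")` return True for domain users that have no /etc/passwd line at all, which is the migration path Craig hints at; on a host without it, the same call returns False for exactly the reason Cal's quoted check refuses to proceed.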