Charles Ulrich
2005-Jan-20 02:44 UTC
[Samba] Samba PDC + LDAP without local Unix accounts?
Greetings,

We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy NT4 PDC. Our goal is to use LDAP to centralize all user information and authentication on the network. To that end, we've set up Samba to use LDAP for authentication of all the Windows users. This is working, but Samba seems to require that all Windows accounts have a matching Unix account as well.

This would be fine, except that all of the user profile directories and Samba shares are hosted on a separate machine, making the Unix accounts superfluous. (As far as I know.) If at all possible, we'd like to avoid having to maintain user accounts on both the LDAP server and the Samba PDC. I had entertained the idea of using an LDAP PAM module to simulate the Unix accounts, but this is looking more and more like the wrong way to go about it as PAM seems tied strictly to authentication and Samba already handles that part.

So to summarize, I'd like to know if a Samba PDC can authenticate users via an LDAP backend without having to contain local Unix accounts for those users as well. I confess to not being a Windows or Samba guru, but I have read a lot of documentation and none of it has shed any light on this particular problem. If there's an easy and obvious way to do this, it has eluded me.

Thanks in advance for taking the time to respond.

--
Charles Ulrich
Ideal Solution, LLC - http://www.idealso.com
Adam Tauno Williams
2005-Jan-20 03:04 UTC
[Samba] Samba PDC + LDAP without local Unix accounts?
> We are trying to use Samba 3.0.10 running on FreeBSD 5.3 to replace a legacy
> NT4 PDC. Our goal is to use LDAP to centralize all user information and
> authentication on the network. To that end, we've set up Samba to use LDAP for
> authentication of all the Windows users. This is working, but Samba seems to
> require that all Windows accounts have a matching Unix account as well.

YES

> This would be fine, except that all of the user profile directories and Samba
> shares are hosted on a separate machine, making the Unix accounts superfluous.
> (As far as I know.) If at all possible, we'd like to avoid having to maintain
> user accounts on both the LDAP server and the Samba PDC. I had entertained the
> idea of using an LDAP PAM module to simulate the Unix accounts, but this is
> looking more and more like the wrong way to go about it as PAM seems tied
> strictly to authentication and Samba already handles that part.

You're confusing PAM and NSS.

> So to summarize, I'd like to know if a Samba PDC can authenticate users via
> an LDAP backend without having to contain local Unix accounts for those users
> as well.

You need to have a 'Unix' account; but you're using LDAP, so it doesn't need to be 'local'.

> I confess to not being a Windows or Samba guru, but I have read a lot
> of documentation and none of it has shed any light on this particular problem.
> If there's an easy and obvious way to do this, it has eluded me.

NSS, you probably don't need PAM.
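Added example, not part of the original thread: a shell check for the distinction drawn in the reply above, that the Unix account has to exist but can be served through NSS (for instance from LDAP) instead of the local passwd file. The variable names, function names, file name and the sample account are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the thread. Reports where an account's Unix identity
# comes from: the local passwd file, another NSS source such as LDAP, or nowhere.
# Variable names and defaults below are assumptions for illustration.
NSSWITCH="${NSSWITCH:-/etc/nsswitch.conf}"
PASSWD_FILE="${PASSWD_FILE:-/etc/passwd}"
NSS_LOOKUP="${NSS_LOOKUP:-id}"   # id(1) resolves names through NSS

# Print the sources on the "passwd:" line, e.g. "files ldap".
nss_passwd_sources() {
    sed -n 's/#.*//; s/^[[:space:]]*passwd:[[:space:]]*//p' "$NSSWITCH"
}

# Succeed only if "ldap" is one of the passwd sources.
nss_uses_ldap() {
    nss_passwd_sources |
        awk '{ for (i = 1; i <= NF; i++) if ($i == "ldap") ok = 1 } END { exit !ok }'
}

# Print "local", "nss" or "missing" for one account name.
account_origin() {
    user="$1"
    if awk -F: -v u="$user" '$1 == u { hit = 1 } END { exit !hit }' "$PASSWD_FILE"; then
        echo local        # defined on this host; the duplication the poster wants to avoid
    elif $NSS_LOOKUP "$user" >/dev/null 2>&1; then
        echo nss          # resolvable, but not from the local file
    else
        echo missing      # no Unix account is visible to this host
    fi
}

# Usage: sh nss_origin.sh culrich   (constructed account name)
if [ "$#" -gt 0 ]; then
    nss_uses_ldap || echo "note: ldap is not a passwd source in $NSSWITCH" >&2
    for u in "$@"; do
        printf '%s: %s\n' "$u" "$(account_origin "$u")"
    done
fi
```

An account that reports `nss` has a Unix identity without a local entry, which is the arrangement the reply describes; `missing` means the host cannot resolve the name at all.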