Andrei Nazarenko
2006-Sep-11 17:58 UTC
[Samba] Avoiding local unix accounts with "force user". Is that possible?
Hello all,

I am using Samba as a file server with LDAP authentication.
Here is my samba.conf file:

[global]
    server string = Samba
    map to guest = Bad User
    guest account = nobody
    workgroup = OAAD
    realm = OA.PNRAD.NET
    security = ADS

[fileshare]
    path = /srv/shared
    valid users = user1, user2, user3
    write list = user1, user2, user3
    force user = samba
    force group = samba
    create mask = 0660
    directory mask = 0770
    browseable = No

Essentially, all the users like "user1", "user2", "user3" authenticate
via LDAP server, so no local user accounts database (like smbpasswd)
is needed. I also want all the authenticated users to become just
*one* actual unix user "samba" after successful authentication, so
that all files have the same ownership, hence the "force user / force
group" directives.

The above configuration works well for me, however, I still must have
Unix accounts user1, user2, etc., present in /etc/passwd, /etc/group
and /etc/shadow files for this configuration to work.

So my question is, basically, about getting rid of those local Unix
accounts. Is that possible somehow? I simply would like to have just
one local Unix user account "samba" belonging to the Unix group
"samba" and no other user accounts.

It is a tedious task to create (and especially manage!) Unix user
accounts if they are replaced at the end of the login procedure with
a common account anyway.

--
Regards,
Andrei Nazarenko
Felipe Augusto van de Wiel
2006-Sep-18 13:46 UTC
[Samba] Avoiding local unix accounts with "force user". Is that possible?
On 09/11/2006 02:50 PM, Andrei Nazarenko wrote:
> Hello all,
>
> I am using Samba as a file server with LDAP authentication.
> Here is my samba.conf file:
[...]
> Essentially, all the users like "user1", "user2", "user3" authenticate
> via LDAP server, so no local user accounts database (like smbpasswd)
> is needed. I also want all the authenticated users to become just
> *one* actual unix user "samba" after successful authentication, so
> that all files have the same ownership, hence the "force user / force
> group" directives.
>
> The above configuration works well for me, however, I still must have
> Unix accounts user1, user2, etc., present in /etc/passwd, /etc/group
> and /etc/shadow files for this configuration to work.
>
> So my question is, basically, about getting rid of those local Unix
> accounts. Is that possible somehow? I simply would like to have just
> one local Unix user account "samba" belonging to the Unix group
> "samba" and no other user accounts.

Yes, configure your nsswitch and your libnss to query your LDAP
server and you will get your LDAP accounts as UN*X accounts.

> It is a tedious task to create (and especially manage!) Unix
> user accounts if they are replaced at the end of the login
> procedure with a common account anyway.

Kind regards,
--
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informação (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/ Phone: (+55 41 3350 3300)
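The reason the local accounts cannot simply be dropped is that smbd has to resolve the authenticated username to a Unix account (a getpwnam() lookup) before "force user" is applied, and that lookup goes through NSS, not through /etc/passwd specifically. The reply above points at exactly that: once nsswitch.conf consults LDAP (or winbind, which is the usual companion of security = ADS), the names resolve without being in the local files. The following added example, which is not code from the thread or from the Samba project, is a pre-flight check a practitioner can run on a share: it pulls "valid users", "write list" and "force user" out of an smb.conf-style file and asks "getent passwd" whether each name resolves. The smb.conf fragment it uses is constructed to mirror the [fileshare] share in the first post; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not code from the thread.  smbd resolves the authenticated
# username with getpwnam() before "force user" takes effect, and getpwnam()
# consults every source listed in nsswitch.conf, so the accounts must be
# visible to NSS (nss_ldap, winbind, ...) but need not be in /etc/passwd.
# "getent passwd NAME" performs that same lookup, which makes it the right
# pre-flight check for a share such as [fileshare].

# Print the value of parameter $3 from section [$2] of smb.conf-style file $1.
smb_param() {
    awk -v sec="[$2]" -v key="$3" '
        /^[ \t]*\[/ { s = $0; gsub(/^[ \t]+|[ \t]+$/, "", s); insec = (s == sec); next }
        insec && index($0, "=") {
            k = substr($0, 1, index($0, "=") - 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            if (k == key) {
                v = substr($0, index($0, "=") + 1)
                gsub(/^[ \t]+|[ \t]+$/, "", v)
                print v
                exit
            }
        }' "$1"
}

# True if the name resolves through NSS (every source in nsswitch.conf).
unix_account_exists() {
    if command -v getent >/dev/null 2>&1; then
        getent passwd "$1" >/dev/null 2>&1
    else
        # Systems without getent: only the local file can be checked here.
        grep -q "^$1:" /etc/passwd
    fi
}

# Every account the share depends on, one per line, de-duplicated.
share_accounts() {
    {
        smb_param "$1" "$2" 'valid users'
        smb_param "$1" "$2" 'write list'
        smb_param "$1" "$2" 'force user'
    } | tr ',' '\n' | tr -d ' \t' | grep -v '^$' | sort -u
}

# Report accounts that do not resolve; return 0 only if all of them do.
check_share_accounts() {
    rc=0
    for n in $(share_accounts "$1" "$2"); do
        unix_account_exists "$n" || { echo "unresolved via NSS: $n"; rc=1; }
    done
    return $rc
}

# Constructed smb.conf fragment mirroring the share in the first post.
make_sample_conf() {
    f=$(mktemp)
    cat >"$f" <<'EOF'
[global]
    workgroup = OAAD
    realm = OA.PNRAD.NET
    security = ADS

[fileshare]
    path = /srv/shared
    valid users = user1, user2, user3
    write list = user1, user2, user3
    force user = samba
    force group = samba
EOF
    echo "$f"
}

sample_conf=$(make_sample_conf)
if check_share_accounts "$sample_conf" fileshare; then
    echo "all accounts referenced by [fileshare] resolve via NSS"
else
    echo "fix nsswitch.conf (nss_ldap or winbind) or the share before relying on force user"
fi
rm -f "$sample_conf"
```

Run it on a real box with the path of the actual smb.conf in place of the constructed one: every name it prints as unresolved is one that smbd will reject at connect time, no matter what "force user" says, until NSS can see it. Note that "force user = samba" is checked too, because the target account of the mapping must also resolve.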
Andrei Nazarenko
2006-Sep-19 13:02 UTC
[Samba] Avoiding local unix accounts with "force user". Is that possible?
> Yes, configure your nsswitch and your libnss to query
> your LDAP server and you will get your LDAP accounts as UN*X
> accounts.

Thanks for your reply. Are you essentially suggesting that I replace my
/etc/passwd authentication completely with an LDAP backend? I know about
this possibility, but I have two issues with it:

1) I am not sure if this is going to work for "root" and a couple of
other (not related to Samba) UN*X accounts that do not exist on the LDAP
server. Or will such accounts be untouched and continue to work from the
/etc/passwd file?

2) Also, the LDAP idea is generally not that great because, as I said in
my previous post, my intention is to replace ANY Samba user who is
mapping the share with the same UN*X account (that does not exist in the
LDAP database). Like this: "user1", "user2", etc. are authenticated by
Samba (via ADS/LDAP) and become the same "samba_user:samba_group" for the
actual file operations through the "force user" and "force group"
directives. The "samba_user" exists only in /etc/passwd and not in the
LDAP database, and that is the way I want it.

What I want to avoid is having "user1", "user2", etc. in my /etc/passwd
file because they are NOT needed for any authentication or permissions
settings. In other words, why is there a need to have "user1", "user2"
locally *at all* if I use the "force user/force group" directives for
permissions settings and LDAP for password checking?

--
Regards,
A\N