samba - Sep 2006 - Avoiding local unix accounts with "force user". Is that possible?

Hello all,

I am using Samba as a file server with LDAP authentication.
Here is my samba.conf file:


[global]
        server string = Samba
        map to guest = Bad User
        guest account = nobody
        workgroup = OAAD
        realm = OA.PNRAD.NET
        security = ADS

[fileshare]
        path = /srv/shared
        valid users = user1, user2, user3
        write list = user1, user2, user3
        force user = samba
        force group = samba
        create mask = 0660
        directory mask = 0770
        browseable = No

Essentially, all the users like "user1", "user2",
"user3" authenticate
via LDAP server, so no local user accounts database (like smbpasswd)
is needed. I also want all the authenticated users to become just
*one* actual unix user "samba" after successful authentication, so
that all files have the same ownership, hence the "force user / force
group" directives.

The above configuration works well for me, however, I still must have
Unix accounts user1, user2, etc., present in /etc/passwd, /etc/group
and /etc/shadow files for this configuration to work.

So my question is, basically, about getting rid of those local Unix
accounts. Is that possible somehow? I simply would like to have just
one local Unix user account "samba" belonging to the Unix group
"samba" and no other user accounts.

It is a tedious task to create (and especially manage!) Unix user
accounts if they are replaced at the end of the login procedure with a
common account anyway.

-- 
Regards,

Andrei Nazarenko

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 09/11/2006 02:50 PM, Andrei Nazarenko escreveu:
> Hello all,
> 
> I am using Samba as a file server with LDAP authentication.
> Here is my samba.conf file:
[...]
> Essentially, all the users like "user1", "user2",
"user3" authenticate
> via LDAP server, so no local user accounts database (like smbpasswd)
> is needed. I also want all the authenticated users to become just
> *one* actual unix user "samba" after successful authentication,
so
> that all files have the same ownership, hence the "force user / force
> group" directives.
> 
> The above configuration works well for me, however, I still must have
> Unix accounts user1, user2, etc., present in /etc/passwd, /etc/group
> and /etc/shadow files for this configuration to work.
> 
> So my question is, basically, about getting rid of those local Unix
> accounts. Is that possible somehow? I simply would like to have just
> one local Unix user account "samba" belonging to the Unix group
> "samba" and no other user accounts.
	Yes, configure your nsswitch and your libnss to query
your LDAP server and you will get your LDAP accounts as UN*X
accounts.

> It is a tedious task to create (and especially manage!) Unix 
> user accounts if they are replaced at the end of the login
> procedure with a common account anyway.
	Kind regards,

- --
Felipe Augusto van de Wiel <felipe@paranacidade.org.br>
Coordenadoria de Tecnologia da Informa??o (CTI) - SEDU/PARANACIDADE
http://www.paranacidade.org.br/           Phone: (+55 41 3350 3300)
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.5 (GNU/Linux)
Comment: Using GnuPG with Debian - http://enigmail.mozdev.org

iD8DBQFFDqMgCj65ZxU4gPQRAuX3AJ9ev9CQm9b7fbLjmrOLlPqINfDJswCfZubH
Kk72pgvChw3WzY6LDyPG7tQ=Ea6c
-----END PGP SIGNATURE-----

> Yes, configure your nsswitch and your libnss to query
> your LDAP server and you will get your LDAP accounts as UN*X
> accounts.
Thanks for your reply. Are you essentially suggesting me to replace my
/etc/passwd authentication completely with with LDAP backend?

I know about this possibility, but I have two issues with it:

1) I am not sure if this is going to work for the "root" and a couple
of other (not related to Samba) UN*X accounts that do not exist on the
LDAP server. Or will such accounts be untouched and continue to be
working from /etc/passwd file?

2) Also, the LDAP idea is generally not that great because, as I said
in my previous post, my intention is to replace ANY samba user who is
mapping the share with the same UN*X account (that does not exist in
LDAP database). Like this:

"user1", "user2", etc. are auhenticated by Samba (via
ADS/LDAP) and
become the same "samba_user:samba_group" for the actual file
operations through the "force user" and "force group"
directives. The
"samba_user" exists only in /etc/passwd and not in LDAP database
and that is the way I want it.

What I want to avoid is having "user1", "user2", etc. in my
/etc/passwd file because they are NOT needed for any authentication or
permissions settings.

In another words, why is there a need to have "user1",
"user2" locally
*at all* if I use "force user/force group" directives for permissions
settings and LDAP for password checking?

--
Regards,

A\N