Ben Cohen
2010-Jun-01 20:22 UTC
[Samba] possible to use samba without unix accounts for each user?
We use samba as a domain controller and file server for small separate network environments. We've currently got samba configured to get posixAccount and sambaAccount information from ldap -- and have nss_ldap configured to feed the same posixAccount objects into the posix user account APIs via nsswitch.conf (getpwent etc...).

In our environments we seem to regularly run into problems which result from having the unix accounts populated with information from ldap. Here are some observations:

1. if ldap server(s) become unavailable all getpwent lookups experience long timeouts (default nss_ldap behavior) -- there are a number of gotchas resulting from this -- including having to be careful that nothing which does a passwd lookup starts before the ldap server on the server that's running the ldap server ...

2. for security reasons we don't want our samba users to be able to get a login shell on our server so we have to implement server access controls to prevent this

it seems it would be simpler for us if there was some way to get samba to work without requiring local unix accounts for each samba user ...

Is there any way to get samba to use ldap for passwd data without simultaneously modifying the system-wide settings? I don't care if samba file operations result in files owned by uids which don't correspond to system-wide logins ... I think it would be sufficient if there was some way to point the getpwent() call from samba to a different nsswitch.conf file than the API uses when called from everywhere else?

Thanks for any advice,

Ben Cohen
Programmer/Analyst (STS)
Scripps Institution of Oceanography
ncohen at ucsd.edu
David Adam
2010-Jun-02 13:34 UTC
[Samba] possible to use samba without unix accounts for each user?
On Tue, 1 Jun 2010, Ben Cohen wrote:

> We use samba as a domain controller and file server for small separate
> network environments. We've currently got samba configured to get
> posixAccount and sambaAccount information from ldap -- and have nss_ldap
> configured to feed the same posixAccount objects into the posix user
> account APIs via nsswitch.conf (getpwent etc...).
>
> In our environments we seem to regularly run into problems which result
> from having the unix accounts populated with information from ldap.
> Here are some observations:
>
> 1. if ldap server(s) become unavailable all getpwent lookups experience
> long timeouts (default nss_ldap behavior)
> -- there are a number of gotchas resulting from this -- including
> having to be careful that nothing which does a passwd lookup starts
> before the ldap server on the server that's running the ldap server ...
> 2. for security reasons we don't want our samba users to be able to get
> a login shell on our server so we have to implement server access
> controls to prevent this
>
> it seems it would be simpler for us if there was some way to get samba
> to work without requiring local unix accounts for each samba user ...
>
> Is there any way to get samba to use ldap for passwd data without
> simultaneously modifying the system-wide settings? I don't care if
> samba file operations result in files owned by uids which don't
> correspond to system-wide logins ... I think it would be sufficient if
> there was some way to point the getpwent() call from samba to a
> different nsswitch.conf file than the API uses when called from
> everywhere else?

I think the ldapsam:trusted option should do what you want (if I've read your email correctly and you already have passdb = ldapsam set).

David Adam
zanchey at ucc.gu.uwa.edu.au
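As an added illustration of the setting David points to (this is not from either poster), here is a minimal smb.conf [global] fragment that puts the account database in LDAP and turns on ldapsam:trusted. The server name, suffix and admin DN are placeholders; the user and group suffixes are relative to ldap suffix, as Samba expects.

```ini
[global]
   workgroup = EXAMPLE
   security = user

   ; Placeholder LDAP server and base DN; substitute the real ones.
   passdb backend = ldapsam:ldap://ldap.example.invalid
   ldap suffix = dc=example,dc=invalid
   ldap user suffix = ou=People
   ldap group suffix = ou=Groups
   ldap admin dn = cn=admin,dc=example,dc=invalid
   ; Protect the bind credentials and account data on the wire.
   ldap ssl = start tls

   ; Read uidNumber/gidNumber/homeDirectory straight from the LDAP
   ; posixAccount entries instead of going through NSS getpwnam()
   ; lookups, so nss_ldap need not be enabled system-wide for smbd.
   ldapsam:trusted = yes
```

The bind password for ldap admin dn is stored separately with smbpasswd -w, not in smb.conf. With ldapsam:trusted = yes, Samba assumes every sambaSamAccount entry also carries consistent posixAccount attributes and will not fall back to NSS to fill them in, so check that every user has a uidNumber and gidNumber before enabling it; as Ben notes, files written through Samba will then be owned by uids the rest of the system may not be able to resolve. testparm -s shows the parsed configuration and pdbedit -L lists the accounts Samba can see, which is a quick way to confirm the LDAP backend is being read. For the login-shell concern, keeping nss_ldap out of nsswitch.conf (or setting loginShell to /usr/sbin/nologin on the LDAP entries if it is needed elsewhere) means a Samba account never becomes an interactive unix login on the file server.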