Christian Aichinger
2011-Mar-01 19:12 UTC
[Samba] Map multiple NT users to the same Unix user with tdbsam
Hi!

I have an NTFS partition on a USB HDD mounted with uid=1000, gid=1000. Several users should be able to backup to that partition via Samba shares. They should be able to log in each with their own user/pass. I'd rather not have a separate unix account (/etc/passwd) for each of them (plus that runs into trouble with the uid==gid==1000 problem on the NTFS partition; I'd rather not set the whole NTFS disk world-writeable to circumvent that). And I'd really like to avoid ldap, sticking with tdbsam.

What I wish I could do was having multiple user/password combinations on the Windows side and map them all to one user on the unix side.

username map looked like the solution, but isn't; quoting the documentation: "... for user or share mode security, the username map is applied prior to validating the user credentials." Thus AIUI all the users would be required to share a password (that of the user they are mapped to).

The only other thing I can think of is using share level security, and giving every user one share he can use. Seems possible but suboptimal.

Having something like username map, but with it being applied after credential validation would exactly solve my problem (if smbpasswd let me create users absent from /etc/passwd).

Is there any way to achieve something like this? Anyone got another solution for my scenario?

Cheers,
Christian

PS: running Samba 3.5.6 on Debian Squeeze Linux on i386, currently security=user

PPS: please CC me as I'm not on the list
Chris Weiss
2011-Mar-01 19:45 UTC
[Samba] Map multiple NT users to the same Unix user with tdbsam
On Tue, Mar 1, 2011 at 1:12 PM, Christian Aichinger <Greek0 at gmx.net> wrote:
> Hi!
>
> I have an NTFS partition on a USB HDD mounted with uid=1000, gid=1000.
> Several users should be able to backup to that partition via Samba shares.
> They should be able to log in each with their own user/pass. I'd rather not
> have a separate unix account (/etc/passwd) for each of them (plus that runs
> into trouble with the uid==gid==1000 problem on the NTFS partition; I'd
> rather not set the whole NTFS disk world-writeable to circumvent that). And
> I'd really like to avoid ldap, sticking with tdbsam.
>
> What I wish I could do was having multiple user/password combinations on the
> Windows side and map them all to one user on the unix side.
>
> username map looked like the solution, but isn't; quoting the documentation:
> "... for user or share mode security, the username map is applied prior to
> validating the user credentials." Thus AIUI all the users would be required
> to share a password (that of the user they are mapped to).
>
> The only other thing I can think of is using share level security, and
> giving every user one share he can use. Seems possible but suboptimal.
>
> Having something like username map, but with it being applied after
> credential validation would exactly solve my problem (if smbpasswd let me
> create users absent from /etc/passwd).
>
> Is there any way to achieve something like this? Anyone got another solution
> for my scenario?

check out the "force user" and "force group" share options.
Jean-Pierre
2011-Mar-02 09:25 UTC
[Samba] Map multiple NT users to the same Unix user with tdbsam
Christian Aichinger wrote:
> Hi!
>
> I have an NTFS partition on a USB HDD mounted with uid=1000, gid=1000.
> Several users should be able to backup to that partition via Samba shares.
> They should be able to log in each with their own user/pass. I'd rather

With ntfs-3g you can have standard Posix ownership and protections. A simple way to do that is to use the mount option "permissions" instead of forcing uid and gid. You can even define a per-user SID to record the permissions with the same parameters as you would get if the ntfs device were plugged into the user Windows workstation.

See http://www.tuxera.com/community/ntfs-3g-advanced/ownership-and-permissions/

> not have a separate unix account (/etc/passwd) for each of them (plus
> that runs into trouble with the uid==gid==1000 problem on the NTFS
> partition; I'd rather not set the whole NTFS disk world-writeable to
> circumvent that). And I'd really like to avoid ldap, sticking with tdbsam.
>
> What I wish I could do was having multiple user/password combinations on
> the Windows side and map them all to one user on the unix side.

Having individual protections implies having different accounts, of course.

Jean-Pierre
Chris Weiss
2011-Mar-02 15:04 UTC
[Samba] Map multiple NT users to the same Unix user with tdbsam
reply below, and please cc the list with your replies.

On Wed, Mar 2, 2011 at 12:22 AM, Christian Aichinger <Greek0 at gmx.net> wrote:
> On 01.03.2011 20:45, Chris Weiss wrote:
>>
>> check out the "force user" and "force group" share options.
>
> Thank you, that looks like it would work.
>
> So, with tdbsam there's absolutely no way around adding all the Samba users
> to /etc/passwd? It's not a big problem, but I'm rather curious why it was
> designed this way?

there is a smbusers file that can map samba/windows users to unix users like you want, but it's a pain to maintain and adds a level of "magic" that can bite you when you go to debug something in the future. smbusers is also global, so it would apply to shares on POSIX filesystems as well, which you may or may not want now or in the future.

Doing it share level makes the mapping easy to see, doesn't require maintenance when you add or remove users, and gives you future flexibility.

Also, as Jean-Pierre stated on the list, NTFS-3G supports a "permissions" mount option so that POSIX permissions can be used directly.
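
The share-level approach suggested in this thread, as an added smb.conf sketch that is not from any of the posters: each person authenticates with their own tdbsam password, and the share then performs all file operations as a single Unix account. The share name, path, the user names alice, bob and carol, and the account backupowner (assumed to hold uid 1000 / gid 1000) are hypothetical.

```ini
[global]
    security = user
    passdb backend = tdbsam
    # "username map" is left disabled on purpose: as the documentation quoted
    # in the first post says, it is applied before the credentials are
    # validated, so every mapped user would have to log in with the target
    # account's password. It is also global and would affect every share.
    ; username map = /etc/samba/smbusers

[usbbackup]
    # Hypothetical mount point of the NTFS volume (mounted uid=1000,gid=1000).
    path = /mnt/usbbackup
    read only = no
    guest ok = no

    # Only these Samba accounts may connect, each with its own password in
    # tdbsam (hypothetical names). Each one still needs a matching Unix
    # account; it can be an account without a login shell.
    valid users = alice bob carol

    # Applied after the user has authenticated: all file access on this share
    # runs as this one Unix account, which matches the owner the NTFS mount
    # presents (hypothetical account, assumed uid 1000 / gid 1000).
    force user = backupowner
    force group = backupowner
```

Because every write lands on disk as the same Unix account, the volume carries no per-user ownership, and access control between users rests on `valid users` for the share. Per-user protections on the disk itself need separate accounts and the ntfs-3g "permissions" mount option, as Jean-Pierre notes.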