On 09/07/15 10:34, Rowland Penny wrote:
>
> A bit lost here, if you are using samba as an AD client, you cannot have
> a local user with the same name as an AD user. Users are either 'local'
> or 'domain', I do not really understand your concept of a 'virtual' user.
>
> Rowland
>

In short: while my samba server is connected to the AD domain, I would
also like to have some local (non domain) user for other tasks.

It is my understanding that for a local samba user I _need_ to create
the relative unix user (using useradd) and then use the samba-provided
tool smbpasswd. I simply wonder if it is possible to create local users
using _only_ smbpasswd (or equivalent), without messing with the real
local unix user table stored in "/etc/passwd" (hence the word "virtual").

Regards.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8

On 09.07.2015 at 12:15, Gionatan Danti wrote:
> On 09/07/15 10:34, Rowland Penny wrote:
>>
>> A bit lost here, if you are using samba as an AD client, you cannot have
>> a local user with the same name as an AD user. Users are either 'local'
>> or 'domain', I do not really understand your concept of a 'virtual' user.
>>
> In short: while my samba server is connected to the AD domain, I would
> also like to have some local (non domain) user for other tasks.
>
> It is my understanding that for a local samba user I _need_ to create
> the relative unix user (using useradd) and then use the samba-provided
> tool smbpasswd. I simply wonder if it is possible to create local users
> using _only_ smbpasswd (or equivalent), without messing with the real
> local unix user table stored in "/etc/passwd" (hence the word "virtual")

the smbd process is running as your user for security and permissions
as which user should it run without a unix user
root?

On 09/07/15 11:15, Gionatan Danti wrote:
> On 09/07/15 10:34, Rowland Penny wrote:
>>
>> A bit lost here, if you are using samba as an AD client, you cannot have
>> a local user with the same name as an AD user. Users are either 'local'
>> or 'domain', I do not really understand your concept of a 'virtual'
>> user.
>>
>> Rowland
>>
>
> In short: while my samba server is connected to the AD domain, I would
> also like to have some local (non domain) user for other tasks.
>
> It is my understanding that for a local samba user I _need_ to create
> the relative unix user (using useradd) and then use the samba-provided
> tool smbpasswd. I simply wonder if it is possible to create local
> users using _only_ smbpasswd (or equivalent), without messing with the
> real local unix user table stored in "/etc/passwd" (hence the word
> "virtual").
>
> Regards.
>

No, with an AD domain, a local user is just that, a local user, you *do
not* add them to AD, so if you require local users, just add them with
'useradd', do nothing else. There are *no* local samba users with AD.

Rowland

On 09/07/15 12:25, Reindl Harald wrote:
>> In short: while my samba server is connected to the AD domain, I would
>> also like to have some local (non domain) user for other tasks.
>>
>> It is my understanding that for a local samba user I _need_ to create
>> the relative unix user (using useradd) and then use the samba-provided
>> tool smbpasswd. I simply wonder if it is possible to create local users
>> using _only_ smbpasswd (or equivalent), without messing with the real
>> local unix user table stored in "/etc/passwd" (hence the word "virtual")
>
> the smbd process is running as your user for security and permissions
> as which user should it run without a unix user
> root?
>

Hi, I perfectly understand your reasons.

My question stems from the fact that, while connected to an AD domain,
samba (or better, winbind) is impersonating remote users without
problems. This is done using the "winbind" keyword in /etc/nsswitch.conf.

So, I wonder if winbind is capable of doing something similar with
tdbsam users, impersonating them _without_ a local entry in /etc/passwd.
Basically, what I want is to tell samba/winbind "do the same thing you
are doing for AD, but using tdbsam as backend".

While I suspected that it is not possible, I would like a direct
confirmation from the list...

Thanks.

--
Danti Gionatan
Supporto Tecnico
Assyoma S.r.l. - www.assyoma.it
email: g.danti at assyoma.it - info at assyoma.it
GPG public key ID: FF5F32A8
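
The point the thread turns on (a Samba passdb account needs a Unix account the system can resolve, whether from /etc/passwd or from winbind through NSS) can be checked with a small audit. This is an added example, not code from the thread or from the Samba project; it assumes the `pdbedit -L` short listing format `username:uid:full name`, the function names are hypothetical, and the sample data is constructed.

```sh
#!/bin/sh
# Added example: report Samba passdb accounts that have no Unix account.
# Input on stdin: `pdbedit -L` short format, "username:uid:full name".
# Lookup: passwd-format file given as $1, otherwise NSS via getent
# (which also consults winbind when /etc/nsswitch.conf lists it).

unix_account_exists() {   # $1 = user name, $2 = optional passwd-format file
    if [ -n "$2" ]; then
        awk -F: -v u="$1" '$1 == u { found = 1 } END { exit !found }' "$2"
    else
        getent passwd "$1" >/dev/null 2>&1
    fi
}

audit_passdb_users() {    # prints "name<TAB>status"; returns 1 if any is missing
    missing=0
    while IFS=: read -r name _uid _rest; do
        [ -n "$name" ] || continue
        case $name in *\$) continue ;; esac    # skip machine accounts
        if unix_account_exists "$name" "$1"; then
            printf '%s\tok\n' "$name"
        else
            printf '%s\tno-unix-account\n' "$name"
            missing=1
        fi
    done
    return "$missing"
}

# Constructed sample data (not taken from the thread).
SAMPLE_PASSDB='alice:1001:Alice Example
scanner:1002:Scanner service
FILESRV$:1105:'
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
alice:x:1001:1001:Alice Example:/home/alice:/bin/sh'

run_sample() {            # runs the audit over the constructed data
    tmp=$(mktemp) || return 2
    printf '%s\n' "$SAMPLE_PASSWD" > "$tmp"
    rc=0
    printf '%s\n' "$SAMPLE_PASSDB" | audit_passdb_users "$tmp" || rc=$?
    rm -f "$tmp"
    return "$rc"
}
```

On a live server, `pdbedit -L | audit_passdb_users` with no argument sends each lookup through `getent passwd`, so accounts resolved by winbind count as present.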