Matthias Leopold
2018-Aug-20 14:43 UTC
[Samba] multiple passdb backends for standalone fileserver?
Hi,

i (naively) would like to have local AND ldap users (and groups...) on my standalone fileserver (security = user). "passdb backend = ldapsam" already works OK and i found some old posts on the internet about "chaining" passdb backends. so i tried "chaining" ldapsam and tdbsam, but although testparm doesn't complain and i can add local users with "pdbedit -b tdbsam" this setup doesn't actually work (ldap users are found, local are not)

is this supposed to work? are there other ways to achieve this?

samba version: 4.7.1 (on CentOS)

thx
matthias
Rowland Penny
2018-Aug-20 15:15 UTC
[Samba] multiple passdb backends for standalone fileserver?
On Mon, 20 Aug 2018 16:43:24 +0200 Matthias Leopold via samba <samba at lists.samba.org> wrote:

> Hi,
>
> i (naively) would like to have local AND ldap users (and groups...)
> on my standalone fileserver (security = user). "passdb backend =
> ldapsam" already works OK and i found some old posts on the internet
> about "chaining" passdb backends. so i tried "chaining" ldapsam and
> tdbsam, but although testparm doesn't complain and i can add local
> users with "pdbedit -b tdbsam" this setup doesn't actually work (ldap
> users are found, local are not)
>
> is this supposed to work? are there other ways to achieve this?
>
> samba version: 4.7.1 (on CentOS)
>
> thx
> matthias

By its very definition, a standalone server is just that, so ALL its users are LOCAL. You need users in Samba to match the local Unix users, whether you use tdbsam or ldapsam is up to you, but you cannot use both.

Why do you want to do what you are trying to do?
What do you want to achieve?

Rowland
Harry Jede
2018-Aug-20 16:02 UTC
[Samba] multiple passdb backends for standalone fileserver?
On Monday, 20 August 2018, 16:43:24 CEST, Matthias Leopold via samba wrote:

> Hi,
>
> i (naively) would like to have local AND ldap users (and groups...) on
> my standalone fileserver (security = user). "passdb backend =
> ldapsam" already works OK and i found some old posts on the internet
> about "chaining" passdb backends.

Round about 12 years ago "chaining passdb backends" was removed! But there are other possibilities:

1. You can map local unix users and groups to their windows entries.
2. You can use winbind's idmap feature; obey the "idmap ranges" and honor that the syntax has changed several times.

Just read the man pages of the samba version you are using!!! before searching the web.

> so i tried "chaining" ldapsam and
> tdbsam, but although testparm doesn't complain and i can add local
> users with "pdbedit -b tdbsam" this setup doesn't actually work (ldap
> users are found, local are not)
>
> is this supposed to work? are there other ways to achieve this?
>
> samba version: 4.7.1 (on CentOS)
>
> thx
> matthias

--
Regards
Harry Jede
Rowland Penny
2018-Aug-20 16:34 UTC
[Samba] multiple passdb backends for standalone fileserver?
On Mon, 20 Aug 2018 18:02:32 +0200 Harry Jede via samba <samba at lists.samba.org> wrote:

> On Monday, 20 August 2018, 16:43:24 CEST, Matthias Leopold
> via samba wrote:
> > Hi,
> >
> > i (naively) would like to have local AND ldap users (and groups...)
> > on my standalone fileserver (security = user). "passdb backend =
> > ldapsam" already works OK and i found some old posts on the internet
> > about "chaining" passdb backends.
> Round about 12 years ago "chaining passdb backends" was removed! But
> there are other possibilities:
>
> 1. You can map local unix users and groups to their windows entries.

Well, yes you can, but the OP wanted to use users stored in ldap and users stored in /etc/passwd, but you cannot do both at the same time.

> 2. You can use winbind's idmap feature; obey the "idmap ranges" and
> honor that the syntax has changed several times.

The OP referred to a 'standalone server' and these do not need to run winbind and if it is running, all the idmap backends need SIDs, there might not be any in the OP's ldap.

> Just read the man pages of the samba version you are using!!! before
> searching the web.

Very wise words, most web pages get something wrong ;-)

Rowland
Matthias Leopold
2018-Aug-21 07:51 UTC
[Samba] multiple passdb backends for standalone fileserver?
On 2018-08-20 at 17:15, Rowland Penny via samba wrote:

> On Mon, 20 Aug 2018 16:43:24 +0200
> Matthias Leopold via samba <samba at lists.samba.org> wrote:
>
>> Hi,
>>
>> i (naively) would like to have local AND ldap users (and groups...)
>> on my standalone fileserver (security = user). "passdb backend =
>> ldapsam" already works OK and i found some old posts on the internet
>> about "chaining" passdb backends. so i tried "chaining" ldapsam and
>> tdbsam, but although testparm doesn't complain and i can add local
>> users with "pdbedit -b tdbsam" this setup doesn't actually work (ldap
>> users are found, local are not)
>>
>> is this supposed to work? are there other ways to achieve this?
>>
>> samba version: 4.7.1 (on CentOS)
>>
>> thx
>> matthias
>
> By its very definition, a standalone server is just that, so ALL its
> users are LOCAL. You need users in Samba to match the local Unix users,
> whether you use tdbsam or ldapsam is up to you, but you cannot use
> both.
>
> Why do you want to do what you are trying to do?
> What do you want to achieve?
>
> Rowland

thanks for your explanation, you're right of course and i already suspected there wouldn't be a way, because it actually doesn't make much sense. in my case it was only a question of convenience, because the ldap server used isn't designed for a samba backend and serves mainly other purposes (although ldapsam does work). it's rather costly to get users in there, but i'll go this way

thx
matthias
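Added example, not part of the thread and not Samba code: the original post notes that testparm does not complain about a chained value, so this sketch flags an smb.conf whose [global] "passdb backend" names more than one backend. It assumes entries are separated by whitespace or commas and that a quoted ldapsam URL list counts as one entry; the function names and both sample configs are constructed for illustration.

```python
import re
import shlex

def passdb_backends(conf_text):
    """Return the entries of 'passdb backend' found in the [global] section."""
    section, value = "", None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":        # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, _, val = line.partition("=")      # only the first '=' is significant
        # smb.conf parameter names ignore case and internal whitespace
        if re.sub(r"\s+", "", key).lower() == "passdbbackend":
            value = val.strip()                # a later assignment overrides
    if value is None:
        return []
    lexer = shlex.shlex(value, posix=True)     # keeps quoted URL lists together
    lexer.whitespace += ","                    # assumption: commas also separate
    lexer.whitespace_split = True
    lexer.commenters = ""
    return list(lexer)

def chained_backend_finding(conf_text):
    """Return a finding string when more than one backend is listed, else None."""
    backends = passdb_backends(conf_text)
    if len(backends) > 1:
        return ("passdb backend lists %d entries (%s); chaining is not "
                "supported, use a single backend" % (len(backends), ", ".join(backends)))
    return None

# Constructed sample configs (hostnames are placeholders).
CHAINED = """
[global]
    security = user
    passdb backend = ldapsam:ldap://ldap.example.org tdbsam
"""
SINGLE = """
[global]
    security = user
    Passdb Backend = ldapsam:"ldap://ldap1.example.org ldap://ldap2.example.org"
[share]
    path = /srv/share
"""

if __name__ == "__main__":
    for name, conf in (("CHAINED", CHAINED), ("SINGLE", SINGLE)):
        print(name, "->", chained_backend_finding(conf) or "ok")
```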