Rowland Penny
2019-Jan-21 15:04 UTC
[Samba] force re-authentication when accessing different shares
On Mon, 21 Jan 2019 10:43:35 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:

> On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
> > hello & thx for your fast response!
> >
> > i need a way to create samba shares without creating system user
> > accounts:
> >
> > - add users via smbpasswd with unique password
> > - no need for a corresponding useraccount in /etc/passwd
> > - access to the corresponding shares should be independent from any
> > domain (i.e. the share should be accessible
> > via windows client)
>
> Isn't this a reimplementation on winbind nss interface? Why not just
> use winbind with one of its mapping strategies. I am pretty sure it
> should work for standalone servers.
>

idmap_nss maps Unix users to Domain users, it needs users in /etc/passwd, the OP doesn't want this.

Rowland

Robert Marcano
2019-Jan-21 16:54 UTC
[Samba] force re-authentication when accessing different shares
On 1/21/19 11:04 AM, Rowland Penny via samba wrote:

> On Mon, 21 Jan 2019 10:43:35 -0400
> Robert Marcano via samba <samba at lists.samba.org> wrote:
>
>> On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
>>> hello & thx for your fast response!
>>>
>>> i need a way to create samba shares without creating system user
>>> accounts:
>>>
>>> - add users via smbpasswd with unique password
>>> - no need for a corresponding useraccount in /etc/passwd
>>> - access to the corresponding shares should be independent from any
>>> domain (i.e. the share should be accessible
>>> via windows client)
>>
>> Isn't this a reimplementation on winbind nss interface? Why not just
>> use winbind with one of its mapping strategies. I am pretty sure it
>> should work for standalone servers.
>>
>
> idmap_nss maps Unix users to Domain users, it needs users
> in /etc/passwd, the OP doesn't want this.

But shouldn't something like

    idmap config * : backend = tdb
    idmap config * : range = 1000000-2000000

and the proper winbind entries on /etc/nsswitch.conf be enough?

I am assuming Samba working on standalone mode will try to locate the user on the passwd database via nss and then the idmap config is used, looking for the user and creating a new mapping if not found.

>
> Rowland
>
>

Rowland Penny
2019-Jan-21 17:08 UTC
[Samba] force re-authentication when accessing different shares
On Mon, 21 Jan 2019 12:54:00 -0400 Robert Marcano via samba <samba at lists.samba.org> wrote:

> On 1/21/19 11:04 AM, Rowland Penny via samba wrote:
> > On Mon, 21 Jan 2019 10:43:35 -0400
> > Robert Marcano via samba <samba at lists.samba.org> wrote:
> >
> >> On 1/21/19 10:24 AM, Harald Glanzer via samba wrote:
> >>> hello & thx for your fast response!
> >>>
> >>> i need a way to create samba shares without creating system user
> >>> accounts:
> >>>
> >>> - add users via smbpasswd with unique password
> >>> - no need for a corresponding useraccount in /etc/passwd
> >>> - access to the corresponding shares should be independent from
> >>> any domain (i.e. the share should be accessible
> >>> via windows client)
> >>
> >> Isn't this a reimplementation on winbind nss interface? Why not
> >> just use winbind with one of its mapping strategies. I am pretty
> >> sure it should work for standalone servers.
> >>
> >
> > idmap_nss maps Unix users to Domain users, it needs users
> > in /etc/passwd, the OP doesn't want this.
>
> But shouldn't something like
>
> idmap config * : backend = tdb
> idmap config * : range = 1000000-2000000
>
> and the proper winbind entries on /etc/nsswitch.conf be enough?

No, it probably wouldn't, he would still need users in /etc/passwd.

>
> I am assuming Samba working on standalone mode will try to locate the
> user on the passwd database via nss and then the idmap config is
> used, looking for the user and creating a new mapping if not found.

The OP does not want users in /etc/passwd.

I think the only way to do this using the default Samba packages will be to run Samba as a standalone server with users in ldap, but this still requires the users to be stored in ldap. The OP seems to want the users creating as they connect.

Rowland