From: David Adam on 2 Jun 2010 09:40

On Tue, 1 Jun 2010, Ben Cohen wrote:

> We use samba as a domain controller and file server for small separate
> network environments. We've currently got samba configured to get
> posixAccount and sambaAccount information from ldap -- and have nss_ldap
> configured to feed the same posixAccount objects into the posix user
> account APIs via nsswitch.conf (getpwent etc...).
>
> In our environments we seem to regularly run into problems which result
> from having the unix accounts populated with information from ldap.
> Here are some observations:
>
> 1. if ldap server(s) become unavailable all getpwent lookups experience
> long timeouts (default nss_ldap behavior)
> -- there are a number of gotchas resulting from this -- including
> having to be careful that nothing which does a passwd lookup starts
> before the ldap server on the server that's running the ldap server ...
> 2. for security reasons we don't want our samba users to be able to get
> a login shell on our server so we have to implement server access
> controls to prevent this
>
> it seems it would be simpler for us if there was some way to get samba
> to work without requiring local unix accounts for each samba user ...
>
> Is there any way to get samba to use ldap for passwd data without
> simultaneously modifying the system-wide settings? I don't care if
> samba file operations result in files owned by uids which don't
> correspond to system-wide logins ... I think it would be sufficient if
> there was some way to point the getpwent() call from samba to a
> different nsswitch.conf file than the API uses when called from
> everywhere else?

I think the ldapsam:trusted option should do what you want (if I've read
your email correctly and you already have passdb = ldapsam set).

David Adam
zanchey(a)ucc.gu.uwa.edu.au

-- 
To unsubscribe from this list go to the following URL and read the
instructions: https://lists.samba.org/mailman/options/samba
From: Gaiseric Vandal on 2 Jun 2010 13:40
On 06/02/2010 09:34 AM, David Adam wrote:

> On Tue, 1 Jun 2010, Ben Cohen wrote:
>
>> We use samba as a domain controller and file server for small separate
>> network environments. We've currently got samba configured to get
>> posixAccount and sambaAccount information from ldap -- and have nss_ldap
>> configured to feed the same posixAccount objects into the posix user
>> account APIs via nsswitch.conf (getpwent etc...).
>>
>> In our environments we seem to regularly run into problems which result
>> from having the unix accounts populated with information from ldap.
>> Here are some observations:
>>
>> 1. if ldap server(s) become unavailable all getpwent lookups experience
>> long timeouts (default nss_ldap behavior)
>> -- there are a number of gotchas resulting from this -- including
>> having to be careful that nothing which does a passwd lookup starts
>> before the ldap server on the server that's running the ldap server ...
>> 2. for security reasons we don't want our samba users to be able to get
>> a login shell on our server so we have to implement server access
>> controls to prevent this
>>
>> it seems it would be simpler for us if there was some way to get samba
>> to work without requiring local unix accounts for each samba user ...
>>
>> Is there any way to get samba to use ldap for passwd data without
>> simultaneously modifying the system-wide settings? I don't care if
>> samba file operations result in files owned by uids which don't
>> correspond to system-wide logins ... I think it would be sufficient if
>> there was some way to point the getpwent() call from samba to a
>> different nsswitch.conf file than the API uses when called from
>> everywhere else?
>>
> I think the ldapsam:trusted option should do what you want (if I've read
> your email correctly and you already have passdb = ldapsam set).
>
> David Adam
> zanchey(a)ucc.gu.uwa.edu.au
>

You should be able to set the shell to "/bin/false" to prevent unix shell logins.
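The two pieces of advice in this thread (David's `ldapsam:trusted` with a `passdb backend = ldapsam` backend, and Gaiseric's non-login shell on the LDAP accounts) are both things an administrator would want to verify on the PDC rather than assume. The script below is an added example, not code from the thread's participants or from the Samba project: it audits a constructed smb.conf fragment for the ldapsam settings and a constructed ldapsearch-style LDIF dump for accounts that still carry a real login shell. The hostnames, DNs and account entries are made up; on a real host you would feed it `testparm -s` output and an `ldapsearch` dump of the posixAccount entries instead of the embedded samples.

```shell
#!/bin/sh
# Added example (not from the thread): audit a Samba PDC for the two settings
# discussed above. All inputs below are constructed samples.

# Constructed smb.conf fragment showing the settings David refers to
# (an ldapsam passdb backend plus ldapsam:trusted). Hostname/DNs are invented.
SAMPLE_SMB_CONF='[global]
   workgroup = EXAMPLE
   domain logons = yes
   passdb backend = ldapsam:ldap://ldap.example.invalid
   ldap suffix = dc=example,dc=invalid
   ldap user suffix = ou=People
   ldap admin dn = cn=admin,dc=example,dc=invalid
   ldapsam:trusted = yes
'

# Constructed LDIF dump of posixAccount entries, in the layout ldapsearch prints.
# Only "bob" still has a login shell; the others follow Gaiseric's advice.
SAMPLE_LDIF='dn: uid=alice,ou=People,dc=example,dc=invalid
uid: alice
loginShell: /bin/false

dn: uid=bob,ou=People,dc=example,dc=invalid
uid: bob
loginShell: /bin/bash

dn: uid=carol,ou=People,dc=example,dc=invalid
uid: carol
loginShell: /usr/sbin/nologin
'

# Read smb.conf text on stdin; return 0 only if the passdb backend is ldapsam
# AND ldapsam:trusted is enabled, otherwise 1. Samba keys are case-insensitive
# and may carry leading indentation, so both are normalised before matching.
smbconf_trusted_ok() {
    conf=$(sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//')
    printf '%s\n' "$conf" | grep -qi '^passdb backend[[:space:]]*=[[:space:]]*ldapsam' || return 1
    printf '%s\n' "$conf" | grep -qi '^ldapsam:trusted[[:space:]]*=[[:space:]]*yes' || return 1
    return 0
}

# Read LDIF on stdin; print the uid of every entry whose loginShell is not one
# of the accepted non-login shells. Returns 0 when no such account exists,
# 1 when at least one was printed.
accounts_with_login_shell() {
    found=$(awk '
        /^uid: /        { uid = $2 }
        /^loginShell: / { shell = $2 }
        /^$/            { flush() }
        END             { flush() }
        # One LDIF entry ends at a blank line (or at EOF): judge it, then reset.
        function flush() {
            if (uid != "" && shell != "/bin/false" &&
                shell != "/usr/sbin/nologin" && shell != "/sbin/nologin")
                print uid
            uid = ""; shell = ""
        }
    ')
    [ -z "$found" ] && return 0
    printf '%s\n' "$found"
    return 1
}

# Stand-alone run over the constructed samples.
if printf '%s\n' "$SAMPLE_SMB_CONF" | smbconf_trusted_ok; then
    echo "smb.conf: ldapsam backend with ldapsam:trusted = yes"
else
    echo "smb.conf: ldapsam:trusted is not enabled; Samba will go through NSS for user lookups"
fi
if printf '%s\n' "$SAMPLE_LDIF" | accounts_with_login_shell; then
    echo "LDAP: every account has a non-login shell"
else
    echo "LDAP: the accounts listed above still have a login shell"
fi
```

Run it as-is to see the result on the samples; to audit a live PDC, replace the two sample variables with `testparm -s 2>/dev/null` and `ldapsearch -x -LLL '(objectClass=posixAccount)' uid loginShell` output. Note that `loginShell = /bin/false` only blocks interactive shells; it does not by itself stop other PAM-backed services from accepting the account, which is why Ben's "server access controls" remain relevant alongside it.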