On Tue, 1 Jun 2010, Ben Cohen wrote:

> We use samba as a domain controller and file server for small separate
> network environments. We've currently got samba configured to get
> posixAccount and sambaAccount information from ldap -- and have nss_ldap
> configured to feed the same posixaccount objects into the posix user
> account apis via nsswitch.conf (getpwent etc...).
>
> In our environments we seem to regularly run into problems which result
> from having the unix accounts populated with information from ldap.
> Here are some observations:
>
> 1. if ldap server(s) become unavailable all getpwent lookups experience
> long timeouts (default nss_ldap behavior)
> -- there are a number of gotchas resulting from this -- including
> having to be careful that nothing which does a passwd lookup starts
> before the ldap server on the server that's running the ldap server ...
> 2. for security reasons we don't want our samba users to be able to get
> a login shell on our server so we have to implement server access
> controls to prevent this
>
> it seems it would be simpler for us if there was some way to get samba
> to work without requiring local unix accounts for each samba user ...
>
> Is there any way to get samba to use ldap for passwd data without
> simultaneously modifying the system-wide settings? I don't care if
> samba file operations result in files owned by uid's which don't
> correspond to system-wide logins ... I think it would be sufficient if
> there was some way to point the getpwent() call from samba to a
> different nsswitch.conf file than the api uses when called from
> everywhere else?

I think the ldapsam:trusted option should do what you want (if I've read your email correctly and you already have passdb = ldapsam set).

David Adam
[email protected]
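
The option named in the reply, shown in context as an added example (not part of the original thread): per smb.conf(5) the backend parameter is spelled `passdb backend`, and `ldapsam:trusted = yes` lets Samba bypass NSS to query user group memberships, on the assumption that the complete user and group database is in LDAP. The host name and suffix below are placeholders.

```ini
[global]
    # Account database in LDAP, as the original poster already has.
    # ldap.example.com and dc=example,dc=com are placeholders.
    passdb backend = ldapsam:ldap://ldap.example.com
    ldap suffix = dc=example,dc=com

    # Default behaviour: Samba goes through the system NSS
    # (nsswitch.conf / nss_ldap) for user and group information.
    # ldapsam:trusted = no

    # Trusted mode: Samba assumes every user and group it needs is in
    # LDAP with standard posixAccount/posixGroup attributes, stored in
    # the same LDAP objects as the Samba auxiliary object classes, and
    # queries LDAP directly instead of asking NSS for group memberships.
    ldapsam:trusted = yes
```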
