On 06/02/2010 09:34 AM, David Adam wrote:
On Tue, 1 Jun 2010, Ben Cohen wrote:
We use samba as a domain controller and file server for small separate
network environments.  We've currently got samba configured to get
posixAccount and sambaAccount information from ldap -- and have nss_ldap
configured to feed the same posixAccount objects into the posix user
account apis via nsswitch.conf (getpwent etc...).

In our environments we seem to regularly run into problems which result
from having the unix accounts populated with information from ldap.
Here are some observations:

1. if ldap server(s) become unavailable all getpwent lookups experience
long timeouts (default nss_ldap behavior)
        -- there are a number of gotchas resulting from this -- including
having to be careful that nothing which does a passwd lookup starts
before the ldap server on the server that's running the ldap server ...
2. for security reasons we don't want our samba users to be able to get
a login shell on our server so we have to implement server access
controls to prevent this

it seems it would be simpler for us if there was some way to get samba
to work without requiring local unix accounts for each samba user ...

Is there any way to get samba to use ldap for passwd data without
simultaneously modifying the system-wide settings?  I don't care if
samba file operations result in files owned by uids which don't
correspond to system-wide logins ...  I think it would be sufficient if
there was some way to point the getpwent() call from samba to a
different nsswitch.conf file than the api uses when called from
everywhere else?
I think the ldapsam:trusted option should do what you want (if I've read
your email correctly and you already have passdb = ldapsam set).

David Adam

You should be able to set the shell to "/bin/false" to prevent unix shell logins.
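The three settings the thread points at, side by side, as an added example that is not part of the original messages: ldapsam:trusted in smb.conf (David Adam's suggestion, so Samba reads posixAccount data straight from LDAP instead of going through getpwnam() for every user), a soft bind policy in nss_ldap's ldap.conf (for the long getpwent() timeouts Ben Cohen describes when the LDAP server is down), and loginShell = /bin/false on the Samba-only accounts (the last reply). The server name, base DN, account names and scratch directory are constructed for the example; the audit function is a small defender's check over an LDIF export that lists any sambaSamAccount whose shell would still permit an interactive login.

```shell
#!/bin/sh
# Added example, not from the samba list thread. All hostnames, DNs, uids
# and paths below are constructed; adjust them to the real directory.

SCRATCH="${SCRATCH:-$(mktemp -d)}"

write_example_configs() {
    # smb.conf: ldapsam backend plus ldapsam:trusted, so Samba trusts the
    # posixAccount attributes it already reads from LDAP rather than
    # calling getpwnam() (and therefore nss_ldap) for each account.
    cat > "$SCRATCH/smb.conf" <<'EOF'
[global]
    workgroup = EXAMPLE
    security = user
    domain logons = yes
    passdb backend = ldapsam:ldap://ldap.example.internal
    ldap suffix = dc=example,dc=internal
    ldap user suffix = ou=People
    ldap group suffix = ou=Groups
    ldap admin dn = cn=admin,dc=example,dc=internal
    ldapsam:trusted = yes
EOF
    # nss_ldap ldap.conf: bind_policy soft makes a lookup fail fast when the
    # server is unreachable instead of retrying until the hard timeout,
    # which is what stalls every getpwent() caller at boot.
    cat > "$SCRATCH/ldap.conf" <<'EOF'
uri ldap://ldap.example.internal
base dc=example,dc=internal
bind_policy soft
bind_timelimit 5
timelimit 5
nss_reconnect_tries 1
EOF
    # Constructed LDIF export: alice is a Samba-only account with no shell,
    # bob still has a real shell and should be flagged by the audit.
    cat > "$SCRATCH/accounts.ldif" <<'EOF'
dn: uid=alice,ou=People,dc=example,dc=internal
objectClass: posixAccount
objectClass: sambaSamAccount
uid: alice
uidNumber: 10001
gidNumber: 513
homeDirectory: /home/alice
loginShell: /bin/false

dn: uid=bob,ou=People,dc=example,dc=internal
objectClass: posixAccount
objectClass: sambaSamAccount
uid: bob
uidNumber: 10002
gidNumber: 513
homeDirectory: /home/bob
loginShell: /bin/bash
EOF
}

# Print every sambaSamAccount in an LDIF file whose loginShell is not one
# of the no-login shells. Exit status 0 when none are found, 1 otherwise.
audit_login_shells() {
    ldif="$1"
    awk '
        function flush() {
            if (dn != "" && samba && shell != "/bin/false" \
                && shell != "/sbin/nologin" && shell != "/usr/sbin/nologin") {
                print dn " -> " shell
                bad = 1
            }
            dn = ""; samba = 0; shell = ""
        }
        BEGIN { bad = 0 }
        /^dn: / { flush(); dn = substr($0, 5) }
        /^objectClass: sambaSamAccount/ { samba = 1 }
        /^loginShell: / { shell = $2 }
        END { flush(); exit bad }
    ' "$ldif"
}

write_example_configs
# Stand-alone run: lists bob, since /bin/bash still allows a shell login.
audit_login_shells "$SCRATCH/accounts.ldif" || echo "accounts with login shells found"
```

Run the audit against a real `ldapsearch -LLL` export of the user subtree to catch accounts that were created without the shell being set; with ldapsam:trusted enabled Samba no longer depends on those accounts resolving through nsswitch, so the shell attribute is purely about what the host's login path accepts.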