Re: [Samba] passdb requires /etc/passwd entry?
Apologies if this has already been answered, but I'd like to share my understanding, in too many words.

The reason that the user must exist in a user database (such as /etc/passwd) accessible to the underlying system (such as Linux) is that in order to read and set permissions on the files, Linux -- and any other file sharing protocols, such as SMB, AppleTalk, XFS, NFS, NDS, etc. -- must know the user's login ID. Because the permissions are set in the filesystem, not an abstract access control list by the second-level software (such as Samba), the user must be identifiable to any software which may request access. Therefore, it is up to the kernel to control this access, and it needs to have a way to verify that the user is indeed a valid user.

With Samba, traditionally there have been two user databases: the Samba password database (smbpasswd) which Samba uses for authentication, and the unix password database (/etc/passwd and its brothers, /etc/shadow and /etc/group). The reason that Samba can't use /etc/passwd is because /etc/passwd has no facility for storing SIDs and GIDs. This however does not prevent the unix kernel from using an authentication facility that does store this information.

It is very possible now to configure both Samba and unix to authenticate against the same LDAP directory server, along with your mail server, your secure web server, your virtual private network, your building security system, your telephone, and your photocopier, achieving the holy grail of single sign-on. I will leave the implementation of this as an exercise for the reader.

--Jon Johnson
Sutinen Consulting, Inc.
[EMAIL PROTECTED]
(360) 270-9317 cell

On Tue, 27 Jul 2004, Cal Heldenbrand wrote:

> Greetings everyone,
>
> I have a question about the smbpasswd encrypted database and /etc/passwd -- why does the passdb backend require an entry in /etc/passwd? Is it possible to create samba encrypted users without a /etc/passwd entry?
>
> I have a samba PDC setup that is mainly just a login server, then a separate server for $HOME's. I have all of my PAM configs setup to remotely authenticate to another server with 8000+ users, then pam_smbpass migrates passwords to the PDC. The HOME server automatically creates $HOME directories, and uses winbind for UID mappings against my PDC.
>
> The problem is the password migration in smbpass won't work without an /etc/passwd entry, and I don't want to potentially have to add 8000 users from a constantly changing database. Is there any workaround for this?
>
> I've noticed in the source that the check for this is done in passdb/passdb.c approx line 947
>
>     if (!NT_STATUS_IS_OK(pdb_init_sam_new(sam_pass, user_name, 0)))
>
> But this is in the function local_password_change() -- If this is modifying the smbpasswd database, why would it need to check /etc/passwd? Is this just a sanity check, or do I have my samba configs incorrect? Call me naive, but could I just comment out this section of code and see what happens?
>
> Thanks for any help in advance,
>
> --Cal Heldenbrand

--
To unsubscribe from this list go to the following URL and read the instructions: http://lists.samba.org/mailman/listinfo/samba
Re: [Samba] passdb requires /etc/passwd entry?
> I can't comment on the intentions of the samba authors as to the reasons that they have required the samba user to be a local unix user. I would venture to guess that a search of the samba archives would give you a lot of history on that.

OK, but I want at least these unix accounts to be locked. So samba password is different than stored in /etc/shadow. However these users cannot use swat at this moment because it checks the normal unix password instead of samba content of /var/lib/samba/secrets.tdb. How can I reach swat to ignore /etc/shadow? (It is no LDAP here.)

Gabor
Re: [Samba] passdb requires /etc/passwd entry?
On Tue, Jul 27, 2004 at 03:21:03PM -0700, Cal Heldenbrand wrote:

> Greetings everyone,
>
> I have a question about the smbpasswd encrypted database and /etc/passwd -- why does the passdb backend require an entry in /etc/passwd? Is it possible to create samba encrypted users without a /etc/passwd entry?

Because Samba uses POSIX accounts to control ownership and permissions on files.

Jeremy.
[Samba] passdb requires /etc/passwd entry?
Greetings everyone,

I have a question about the smbpasswd encrypted database and /etc/passwd -- why does the passdb backend require an entry in /etc/passwd? Is it possible to create samba encrypted users without a /etc/passwd entry?

I have a samba PDC setup that is mainly just a login server, then a separate server for $HOME's. I have all of my PAM configs setup to remotely authenticate to another server with 8000+ users, then pam_smbpass migrates passwords to the PDC. The HOME server automatically creates $HOME directories, and uses winbind for UID mappings against my PDC.

The problem is the password migration in smbpass won't work without an /etc/passwd entry, and I don't want to potentially have to add 8000 users from a constantly changing database. Is there any workaround for this?

I've noticed in the source that the check for this is done in passdb/passdb.c approx line 947

    if (!NT_STATUS_IS_OK(pdb_init_sam_new(sam_pass, user_name, 0)))

But this is in the function local_password_change() -- If this is modifying the smbpasswd database, why would it need to check /etc/passwd? Is this just a sanity check, or do I have my samba configs incorrect? Call me naive, but could I just comment out this section of code and see what happens?

Thanks for any help in advance,

--Cal Heldenbrand
Re: [Samba] passdb requires /etc/passwd entry?
On Tue, 2004-07-27 at 15:21, Cal Heldenbrand wrote:

> Greetings everyone,
>
> I have a question about the smbpasswd encrypted database and /etc/passwd -- why does the passdb backend require an entry in /etc/passwd? Is it possible to create samba encrypted users without a /etc/passwd entry?

---
winbind can handle this chore for you...but normally, if you are using security = user, no
---

> I have a samba PDC setup that is mainly just a login server, then a separate server for $HOME's. I have all of my PAM configs setup to remotely authenticate to another server with 8000+ users, then pam_smbpass migrates passwords to the PDC. The HOME server automatically creates $HOME directories, and uses winbind for UID mappings against my PDC.
>
> The problem is the password migration in smbpass won't work without an /etc/passwd entry, and I don't want to potentially have to add 8000 users from a constantly changing database. Is there any workaround for this?

---
try googling pam_mkhomedir - it can create the home directory on the fly.
---

> I've noticed in the source that the check for this is done in passdb/passdb.c approx line 947
>
>     if (!NT_STATUS_IS_OK(pdb_init_sam_new(sam_pass, user_name, 0)))
>
> But this is in the function local_password_change() -- If this is modifying the smbpasswd database, why would it need to check /etc/passwd? Is this just a sanity check, or do I have my samba configs incorrect? Call me naive, but could I just comment out this section of code and see what happens?

---
I can't comment on the intentions of the samba authors as to the reasons that they have required the samba user to be a local unix user. I would venture to guess that a search of the samba archives would give you a lot of history on that.

Craig
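
Added example (not part of the thread and not Samba code): a small audit that reads smbpasswd-format lines and checks that each account name resolves to a POSIX account through NSS, which is the dependency the replies above describe. The sample lines, the placeholder hash columns, the fake directory and the uid comparison are assumptions of this example; the uid check is a consistency check chosen here, not a statement of what Samba itself compares.

```python
import pwd
from typing import Callable, Iterable, List, Optional, Tuple

# Constructed sample in smbpasswd text format (name:uid:LM:NT:[flags]:LCT:).
# The hash columns are placeholders, not real hashes.
X = "X" * 32
SAMPLE = [
    "# constructed sample, not from the thread",
    f"alice:1001:{X}:{X}:[U          ]:LCT-00000000:",
    f"bob:1002:{X}:{X}:[U          ]:LCT-00000000:",
    f"carol:1003:{X}:{X}:[U          ]:LCT-00000000:",
    "garbage line without fields",
]

def nss_uid(name: str) -> Optional[int]:
    """Resolve a login name through NSS: /etc/passwd, LDAP, winbind, ..."""
    try:
        return pwd.getpwnam(name).pw_uid
    except KeyError:
        return None

def audit_smbpasswd(lines: Iterable[str],
                    lookup: Callable[[str], Optional[int]] = nss_uid
                    ) -> List[Tuple[str, str]]:
    """Return (user, status) for every entry in smbpasswd-format lines."""
    results = []
    for raw in lines:
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # skip blanks and comments
        fields = line.split(":")
        if len(fields) < 4 or not fields[1].isdigit():
            results.append((fields[0], "malformed"))
            continue
        name, recorded_uid = fields[0], int(fields[1])
        uid = lookup(name)
        if uid is None:
            status = "no-posix-account"  # smbd has no uid to act as
        elif uid != recorded_uid:
            status = f"uid-mismatch (system has {uid})"
        else:
            status = "ok"
        results.append((name, status))
    return results

if __name__ == "__main__":
    # Hypothetical directory standing in for NSS so the demo runs anywhere.
    fake_nss = {"alice": 1001, "bob": 2002}
    for user, status in audit_smbpasswd(SAMPLE, fake_nss.get):
        print(f"{user:10} {status}")
```

Called without a lookup argument, audit_smbpasswd() uses the host's real NSS configuration, so accounts served by LDAP or winbind count as present even though they are not in /etc/passwd.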