We use samba as a domain controller and file server for small separate network 
environments.  We've currently got samba configured to get posixAccount and
sambaAccount information from ldap -- and have nss_ldap configured to feed the
same posixAccount objects into the posix user account apis via nsswitch.conf
(getpwent etc...).

In our environments we seem to regularly run into problems which result from 
having the unix accounts populated with information from ldap.  Here are some 
observations:

1. if ldap server(s) become unavailable all getpwent lookups experience long
   timeouts (default nss_ldap behavior)
        -- there are a number of gotchas resulting from this -- including
           having to be careful that nothing which does a passwd lookup
           starts before the ldap server on the server that's running the
           ldap server ...
2. for security reasons we don't want our samba users to be able to get a login
   shell on our server so we have to implement server access controls to
   prevent this

It seems it would be simpler for us if there was some way to get samba to work
without requiring local unix accounts for each samba user ...

Is there any way to get samba to use ldap for passwd data without
simultaneously modifying the system-wide settings?  I don't care if samba file
operations result in files owned by uid's which don't correspond to
system-wide logins ...  I think it would be sufficient if there was some way to
point the getpwent() call from samba to a different nsswitch.conf file than the
api uses when called from everywhere else?

Thanks for any advice,

Ben Cohen
Programmer/Analyst (STS)
Scripps Institution of Oceanography
nco...@ucsd.edu
