Re: [Samba] multiple passdb backends for standalone fileserver?
- Date: Mon, 20 Aug 2018 20:29:40 +0100
- From: Rowland Penny via samba <samba@xxxxxxxxxxxxxxx>
On Mon, 20 Aug 2018 20:19:11 +0200
Harry Jede <walk2sun@xxxxxxxx> wrote:
> Hi Rowland,
> > On Mon, 20 Aug 2018 18:02:32 +0200
> > Harry Jede via samba <samba@xxxxxxxxxxxxxxx> wrote:
> > > On Monday, 20 August 2018, 16:43:24 CEST, Matthias Leopold via samba wrote:
> > > > Hi,
> > > >
> > > > I (naively) would like to have local AND ldap users (and
> > > > groups...) on my standalone fileserver (security = user).
> > > > "passdb backend = ldapsam" already works OK and I found some
> > > > old posts on the internet about "chaining" passdb backends.
> > >
> > > Round about 12 years ago "chaining passdb backends" was removed!
> > > There are other possibilities:
> > >
> > > 1. You can map local unix users and groups to their windows
> > > entries.
> > Well, yes you can, but the OP wanted to use users stored in ldap and
> > users stored in /etc/passwd, but you cannot do both at the same
> > time.
> Me can!
> > > 2. You can use winbind's idmap feature; obey the "idmap ranges"
> > > and honor that the syntax has changed several times.
> > The OP referred to a 'standalone server' and these do not need to
> > run winbind
> yes, but I said you can!
> > and if it is running, all the idmap backends need SID's,
> yes, local unix user sids are stored in /var/lib/samba/passdb.tdb
> ldap user sids are stored in passdb.tdb if the server is a normal
> standalone server and the ldap server has NOT loaded the
> but get stored in ldap if the server is configured as standalone, PDC
> or BDC and ldap has samba3.schema loaded. You must configure
> smb.conf, pam and nss a little different.
> Maybe I should write a howto. But time ...
> > there
> > might not be any SID's in the OP's ldap.
> yes, there can be sids but this is not a must have, but a usual case.
If you have a SID, it is either from a Samba machine or a Windows
machine, but an LDAP user doesn't have to have a SID, in fact, unless
you extend LDAP with the Samba schema, you cannot add them.
> > > Just read the man pages of the samba version you are using!!!
> > > before searching the web.
> > Very wise words,
> > most web pages get something wrong ;-)
> Oh, I believe they are most right at time of writing, but the writers
> forget to tell the readers the version, release number and often do
> not mention if they are using vanilla samba or a distro modified
> package. At the end these are pages to inspire someone but not more.
Not from my experience, most pages tend to get a lot of things correct,
but then add things that are either not required or wrong, they also
tend to miss vital things.