According to the smb.conf man page, ldapsam:trusted is supposed to turn off the use of getpwnam and use LDAP for all account information: "ldapsam:trusted = yes can be activated and Samba can completely bypass the NSS system to query user information." If a user is in LDAP (all prerequisites mentioned in smb.conf are met) but removed from the local user database, you get the following error log.

[2007/01/16 14:05:51, 0] passdb/pdb_get_set.c:pdb_get_group_sid(164)
  pdb_get_group_sid: Failed to find Unix account for someuser
[2007/01/16 14:05:51, 1] auth/auth_util.c:make_server_info_sam(572)
  User someuser in passdb, but getpwnam() fails!
[2007/01/16 14:05:51, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
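An added example, not part of the bug report or of Samba itself: a small parser for the Samba 3 debug-log format shown above that flags the "in passdb, but getpwnam() fails" condition, so an operator can spot passdb/NSS mismatches in log.smbd before users report logon failures. It assumes the usual two-line layout (header line, then indented message); the sample log is constructed from the entries quoted in the report.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Header line of a Samba 3 debug-log entry: "[YYYY/MM/DD HH:MM:SS, level] file:function(line)"
HEADER_RE = re.compile(
    r"^\[(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}), (?P<level>\d+)\] "
    r"(?P<file>\S+?):(?P<func>\w+)\((?P<line>\d+)\)$"
)
# Message emitted by make_server_info_sam() when a passdb user is invisible to getpwnam()
MISMATCH_RE = re.compile(r"^User (?P<user>\S+) in passdb, but getpwnam\(\) fails!$")

# Constructed sample input, reproducing the three entries quoted in the bug report
SAMPLE_LOG = """\
[2007/01/16 14:05:51, 0] passdb/pdb_get_set.c:pdb_get_group_sid(164)
  pdb_get_group_sid: Failed to find Unix account for someuser
[2007/01/16 14:05:51, 1] auth/auth_util.c:make_server_info_sam(572)
  User someuser in passdb, but getpwnam() fails!
[2007/01/16 14:05:51, 0] auth/auth_sam.c:check_sam_security(352)
  check_sam_security: make_server_info_sam() failed with 'NT_STATUS_NO_SUCH_USER'
"""

@dataclass
class Entry:
    ts: str
    level: int
    file: str
    func: str
    line: int
    msg: str

def parse_samba_log(text: str) -> List[Entry]:
    """Pair each header line with the indented message line(s) that follow it."""
    entries: List[Entry] = []
    for raw in text.splitlines():
        m = HEADER_RE.match(raw)
        if m:
            entries.append(Entry(m["ts"], int(m["level"]), m["file"],
                                 m["func"], int(m["line"]), ""))
        elif entries and raw.strip():
            # Continuation line: append to the message of the most recent entry
            entries[-1].msg = (entries[-1].msg + " " + raw.strip()).strip()
    return entries

def find_nss_mismatches(entries: List[Entry]) -> List[Tuple[str, str]]:
    """Return (timestamp, user) for every passdb-but-no-getpwnam failure."""
    hits = []
    for e in entries:
        m = MISMATCH_RE.match(e.msg)
        if m:
            hits.append((e.ts, m["user"]))
    return hits

if __name__ == "__main__":
    for ts, user in find_nss_mismatches(parse_samba_log(SAMPLE_LOG)):
        print(f"{ts}: {user} exists in passdb but has no NSS account")
```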
The docs are wrong. This option simply queries the DIT directly for some group information which would be very slow to obtain through NSS. I've updated the docs.
As far as I can see, the docs are the only documentation of the option's functional spec. So you've just used the M$ bug fix method: fix the bug by changing the spec. Night is now officially day. This is a pity, as the original documented behavior would mean that Samba would behave well on a server that did not have any 'local' users. This is really handy for a virtual server without local logons. This is something I REALLY NEED! I've been looking at the code and I don't think that it'd be hard to change it so it did behave as originally documented. I'm marking this as reopened because, although the documentation is now consistent with the behavior, the behavior is still not what's needed: an ability to run Samba so that all user information comes from LDAP without using the name services.
Unless you are willing to submit a patch, don't reopen a bug because you disagree with me. I was here when the original code was written and I am well aware of the original intent. I'm closing this bug report. Please submit your patch to samba-technical@samba.org for review once you are done. Thanks.