Linkage dependencies

Mayers, Philip J p.mayers at
Wed Dec 6 12:41:11 GMT 2000

bdb was an example. Insert your favourite multiple-index transactional DB.

IIRC, Win2K LDAP replication is a proprietary multi-master protocol (oh,
there's a f***ing surprise). Their KDC replication runs over that, and if
someone wants to use their current infrastructure (e.g. MIT kpropd) we
should let them. Also, I'm certainly not going to do any work towards
decoding MS's crap protocol anytime soon.

Why should PDC/BDC replication only ever be supported when in mixed-mode? At
least we *know* how that protocol works (even if it is crap). The Win2K one
we don't. Also, NT4 PDC/BDC replication would allow a slow migration from
NT4 to Samba PDCs, at which point you could switch them to native samba mode
and enter the 21st century.

I'm not proposing developing a "third samba" way. I'm proposing letting the
backend handle that in native mode, and the NT4 protocol in NT4/Samba mixed
mode (we do *want* to implement the Win2K protocol in Win2K/Samba mixed
mode, but it's a pain in the backside). So, in native mode you just set up
LDAP replication as appropriate (or SQL, or rsync, or whatever). Samba isn't
a database replication tool, and shouldn't have to be (IMHO).

I wasn't proposing moving user-level restrictions out of passdb (although
how they tie in with PAM-level restrictions is an interesting point) - I was
asking where the appropriate place to *apply* the restrictions was. Do we
fail authentication, or do we succeed and let Samba handle the details? I'm
in favour of the former - a restriction is a restriction, and you should
never let a user know why their login failed. Information leakage is bad.


| Phil Mayers, Network Support     |
| Centre for Computing Services    |
| Imperial College                 |

-----Original Message-----
From: Simo Sorce [mailto:simo.sorce at]
Sent: 06 December 2000 12:19
To: Mayers, Philip J
Cc: 'Gerald Carter'; 'samba-technical at'
Subject: RE: Linkage dependencies

On Wed, 6 Dec 2000, Mayers, Philip J wrote:


> 1) What's the best way to make the LM/NT# available to multiple Samba
> servers. In (what I'm going to call) a samba-native domain, I recommend
> replicated/distributed LDAP, using the host LDAP keytab to get service
> tickets on behalf of Samba, and SASL GSSAPI authentication to the LDAP
> directory, with appropriate ACLs. I think this is how Win2K does it.

As Samba aims to support Win2k domains too, implementing a third
(samba-only) way would be useless, so the Win2k way may be just fine.

> "Downlevel" samba-native or "mixed-mode" samba/NT domains can use
> and/or Berkeley DB storage, which could be replicated using the standard
> PDC/BDC replication mechanisms.

I think Berkeley DB is not so portable and does not add anything to tdb!
Also I think standard PDC/BDC replication should be supported only when
you have mixed samba/NT DCs in the same domain (if ever ;).

> 2) Where's the best place to put account restriction info? In sambas code?
> In the user info storage db (called either by Samba, or by the
> authentication API)? In the authentication code?

User-level restriction info (time, workstation ... maybe adding IP?) is
already in passdb, so why move it?

> There are other questions. I'm hoping to provoke some discussion though.
> Thoughts?
> Regards,
> Phil


Simo Sorce - Integrazione Sistemi Unix/Windows - Politecnico di Milano
E-mail: simo.sorce at 02 2399 2425 - 02 2399 2451
Be happy, use Linux!
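The design question raised in the reply above (apply the account restrictions inside the authentication decision and give the client one uniform failure, rather than succeed and let the caller sort out why) is illustrated below with an added example. This is code written for this page, not Samba's code and not from either poster. Everything in it is an assumption made for the illustration: the account fields, the hours-of-week encoding with Sunday as day 0 (modelled on the NT logon-hours bitmap layout), a SHA-256 stand-in for the password verifier, and the constructed sample accounts and times.

```python
"""
Added example, not part of the thread and not Samba code: applying account
restrictions inside the authentication decision and returning one uniform
failure, so a caller cannot tell "wrong password" from "outside logon hours"
or "wrong workstation". Accounts, passwords, names and times are constructed.
"""
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime


def verifier(password: str) -> bytes:
    """Stand-in password verifier (assumption: real NT hashes are MD4 over the
    UTF-16LE password; the hash choice is irrelevant to the point made here)."""
    return hashlib.sha256(password.encode("utf-16le")).digest()


@dataclass(frozen=True)
class Account:
    name: str
    pw_verifier: bytes
    logon_hours: frozenset   # allowed hours-of-week, 0 = Sunday 00:00 .. 167; empty = any time
    workstations: frozenset  # allowed client names, upper-case; empty = any workstation
    disabled: bool = False


def business_hours() -> frozenset:
    """Mon..Fri 08:00-17:59 as hours-of-week (assumption: Sunday == day 0)."""
    return frozenset(day * 24 + h for day in range(1, 6) for h in range(8, 18))


# Constructed sample account store (not real accounts).
ACCOUNTS = {
    "alice": Account("alice", verifier("correct horse"),
                     business_hours(), frozenset({"WS-ALICE"})),
    "bob": Account("bob", verifier("hunter2"),
                   frozenset(), frozenset(), disabled=True),
}
# Compared against when the user does not exist, so an unknown name still
# costs one password comparison instead of returning early.
_DUMMY = verifier("not a real password")

# Constructed sample times: Tuesday 10:00 and Saturday 10:00.
TUESDAY_10 = datetime(2000, 12, 5, 10, 0)
SATURDAY_10 = datetime(2000, 12, 9, 10, 0)


def hour_of_week(when: datetime) -> int:
    # datetime.weekday(): Monday == 0; shift so that Sunday == 0.
    return ((when.weekday() + 1) % 7) * 24 + when.hour


# --- Leaky design: distinct results, and later checks never run -------------
def authenticate_leaky(user, password, workstation, when):
    acct = ACCOUNTS.get(user)
    if acct is None:
        return "NO_SUCH_USER"
    if acct.disabled:
        return "ACCOUNT_DISABLED"
    if acct.logon_hours and hour_of_week(when) not in acct.logon_hours:
        return "INVALID_LOGON_HOURS"
    if acct.workstations and workstation.upper() not in acct.workstations:
        return "INVALID_WORKSTATION"
    if not hmac.compare_digest(acct.pw_verifier, verifier(password)):
        return "WRONG_PASSWORD"
    return "OK"


# --- Uniform design: every check runs, the client sees one failure ----------
def evaluate(user, password, workstation, when):
    """Run every restriction unconditionally; return {check: passed}."""
    acct = ACCOUNTS.get(user)
    expected = acct.pw_verifier if acct is not None else _DUMMY
    return {
        "user_exists": acct is not None,
        "password": hmac.compare_digest(expected, verifier(password)),
        "enabled": acct is not None and not acct.disabled,
        "logon_hours": acct is not None and (
            not acct.logon_hours or hour_of_week(when) in acct.logon_hours),
        "workstation": acct is not None and (
            not acct.workstations or workstation.upper() in acct.workstations),
    }


def authenticate(user, password, workstation, when):
    """What the client gets back: OK, or one failure code for every reason."""
    passed = all(evaluate(user, password, workstation, when).values())
    return "OK" if passed else "LOGON_FAILURE"


def audit_reasons(user, password, workstation, when):
    """What the server logs for the administrator; never sent to the client."""
    results = evaluate(user, password, workstation, when)
    return [check for check, passed in results.items() if not passed]


if __name__ == "__main__":
    # Alice outside logon hours with a wrong password: the leaky design names
    # the restriction before the password is even checked.
    print(authenticate_leaky("alice", "wrong", "WS-ALICE", SATURDAY_10))
    print(authenticate("alice", "wrong", "WS-ALICE", SATURDAY_10))
    print(audit_reasons("alice", "wrong", "WS-ALICE", SATURDAY_10))
```

The leaky variant tells an unauthenticated caller that an account exists, that it is disabled, or when its logon hours are, all without a valid password; the uniform variant keeps that for the server-side audit log. Note that the real NT status codes do distinguish these cases (NT_STATUS_INVALID_LOGON_HOURS, NT_STATUS_INVALID_WORKSTATION, NT_STATUS_ACCOUNT_DISABLED), which is the information leakage the reply argues against.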
