[PATCH] sam backend parameter

Simo Sorce simo.sorce at xsec.it
Wed Oct 2 21:32:01 GMT 2002


Multi-domain DC is never going to happen in Samba; it just doesn't make
sense, as the protocols used (e.g. SMB) will not be able to support such a
thing, so please let's stop talking about multi-DC Samba.

Also, the winbindd argument is bogus. Winbind will not use the sam
interface at all to look up user name->uid mapping; it should just ask the
single domain present on the interfaces of the machine to resolve the
names, exactly the same way it currently does against NT domains, and
then just call the SID mapping code to resolve the uid.

The SID mapping code should be the only shared code between winbind and
the account management system. We need to evolve the current
winbind_idmap code to become the new SID Mapping System.

Last, I find it really dumb to think of builtin as a separate domain. It
isn't at all, and it makes things bad.

Every single backend module should contain the entire domain. Every
domain has "normal" SIDs and some special SIDs; we do not need to treat
the special ones entirely in the interface, we can easily handle them inside
the backend. There's no problem doing so, except if someone wants at all
costs to try to support multiple domains in the sam interface, a thing many of us
have already said is not going to happen anyway.
Builtin accounts are intimately connected to the rest of the domain; having to
heavily switch operations between two backends makes really little
sense, and builtin accounts are also very few, you cannot add builtin
accounts, and last but not least, builtin groups will contain users as
members. What sense does it make to have builtin groups contain SIDs
of foreign domains (as they will most probably be shared between domains)?
What security problems does it pose to have all this promiscuity?
What happens when in one domain we want to change some builtin account
property to something different than what other domains would like?
I really think that even in a hypothetical multi-DC environment a
separate "builtin" backend is a plain wrong solution.

Plus I have some questions about the current sam interface:

- What is all the context thing needed for?
- What is the handle thing needed for?
- What is "access desired" meant to do? Authorization is a different
thing than storage; a backend is storage!
- Why do we insist on having a thing called unix accounts? It just does
not make sense to me. We need "real" users/groups mapping instead
(as opposed to accounts created on the fly by winbind).

Simo.

On Wed, 2002-10-02 at 16:47, Jelmer Vernooij wrote:
> On Wed, Oct 02, 2002 at 09:19:47AM -0500, Gerald Carter wrote about 'Re: [PATCH] sam backend parameter':
> > On Tue, 1 Oct 2002, Eddie Lania wrote:
> 
> > > Like I've said, I'm not a developer, but maybe the "multiple domain
> > > support" parameter could be extended with the backend method? Like this:
> 
> > > "multiple domain support = DOMA:backendA, DOMB:backendB, etc"
> > Can someone please explain the purpose of supporting accounts from 
> > different domains in a single SAM ?  Why would we ever want to do 
> > this?
> Builtin or multi-domain DC afaik - Kai and Andrew know all the how's
> and why's.
> 
> 
> Jelmer
> 
> -- 
> Jelmer Vernooij                                      <jelmer at samba.org>
> Pending (unfinished) patches                         http://samba.org/~jelmer/diffs.php
-- 
Simo Sorce - simo.sorce at xsec.it
Xsec s.r.l.
via Durando 10 Ed. G - 20158 - Milano
tel. +39 02 2399 7130 - fax: +39 02 700 442 399
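The separation the post argues for (a domain backend that resolves names to SIDs and keeps its BUILTIN aliases inside, plus one shared SID-mapping layer in the role of winbind_idmap that hands out uids/gids) sketched as an added example. This is not Samba code and not the poster's; the domain name, domain SID, RIDs, id range and the "no foreign SIDs in a builtin alias" policy are all constructed here for illustration. Only the well-known values S-1-5-32, 544 and 545 come from the Windows SID conventions.

```python
import re

# Constructed for the example: BUILTIN domain and two well-known alias RIDs.
BUILTIN_SID = "S-1-5-32"
RID_ADMINISTRATORS = 544
RID_USERS = 545
_SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def parse_sid(sid):
    """Split a SID string into (prefix, RID); reject malformed input before it reaches any table."""
    if not _SID_RE.match(sid):
        raise ValueError("malformed SID: %r" % (sid,))
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


class DomainBackend:
    """One backend holds one whole domain, BUILTIN aliases included (hypothetical design)."""

    def __init__(self, name, domain_sid):
        self.name = name
        self.domain_sid = domain_sid
        self._by_name = {}
        self._by_sid = {}
        self._alias_members = {}
        # The BUILTIN aliases are fixed entries inside this backend, not a second domain.
        for alias, rid in (("Administrators", RID_ADMINISTRATORS), ("Users", RID_USERS)):
            sid = "%s-%d" % (BUILTIN_SID, rid)
            self._register(alias, sid)
            self._alias_members[sid] = set()

    def _register(self, name, sid):
        self._by_name[name] = sid
        self._by_sid[sid] = name

    def add_user(self, name, rid):
        """Create a normal account whose SID is this domain's SID plus the RID."""
        sid = "%s-%d" % (self.domain_sid, rid)
        self._register(name, sid)
        return sid

    def add_alias_member(self, alias_sid, member_sid):
        """Illustrative policy: a BUILTIN alias only accepts members of its own domain."""
        prefix, _ = parse_sid(member_sid)
        if prefix != self.domain_sid:
            raise ValueError("foreign SID %s not accepted in %s" % (member_sid, alias_sid))
        self._alias_members[alias_sid].add(member_sid)

    def name_to_sid(self, name):
        return self._by_name.get(name)

    def sid_to_name(self, sid):
        return self._by_sid.get(sid)


class IdMap:
    """Shared SID<->id allocator: the one piece winbind and account management share.

    A single id space is used here to keep the example short; a real idmap keeps
    uids and gids apart and persists the table."""

    def __init__(self, low, high):
        self.low, self.high = low, high
        self._sid_to_id = {}
        self._id_to_sid = {}
        self._next = low

    def sid_to_id(self, sid):
        parse_sid(sid)  # validate first; never allocate an id for garbage
        if sid not in self._sid_to_id:
            if self._next > self.high:
                raise RuntimeError("idmap range %d-%d exhausted" % (self.low, self.high))
            self._sid_to_id[sid] = self._next
            self._id_to_sid[self._next] = sid
            self._next += 1
        return self._sid_to_id[sid]  # stable: same SID always yields the same id

    def id_to_sid(self, uid):
        return self._id_to_sid.get(uid)


def resolve_name(backend, idmap, name):
    """winbind-style lookup: the domain resolves name -> SID, then the idmap gives the id."""
    sid = backend.name_to_sid(name)
    if sid is None:
        return None
    return sid, idmap.sid_to_id(sid)


if __name__ == "__main__":
    dom = DomainBackend("EXAMPLE", "S-1-5-21-1111-2222-3333")  # constructed domain
    idmap = IdMap(10000, 10999)
    alice = dom.add_user("alice", 1000)
    dom.add_alias_member("%s-%d" % (BUILTIN_SID, RID_USERS), alice)
    print(resolve_name(dom, idmap, "alice"), resolve_name(dom, idmap, "Users"))
```

The backend never touches uids at all, and the idmap never understands names; only a SID crosses the boundary between them, which is the division of labour the post describes.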
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20021002/f626a3a3/attachment.bin