[PATCH] sam backend parameter

Andrew Bartlett abartlet at samba.org
Thu Oct 3 06:07:00 GMT 2002

jra at dp.samba.org wrote:
> On Thu, Oct 03, 2002 at 03:36:48PM +1000, Andrew Bartlett wrote:
> > Simo Sorce wrote:
> > >
> > > Multi domain DC is never going to happen in samba, it just doesn't make
> > > sense, as the protocols used (e.g. SMB) will not be able to support such
> > > a thing, so please let's stop talking about multi-DC samba.
> >
> > I'm not so sure on this one.
> >
> > Some parts of the protocol might need to be told 'if not specified, use
> > this', but I'm not sure the statement holds across everything.
> >
> > For example, I don't see any reason why we can't 'pretend' that any
> > secondary domain is a 'trusted domain'.  This would allow (for example)
> > a resource DC, which has each machine in it, but no users, and an
> > organizational DC to coexist nicely.  (This is quite a common setup,
> > btw).
> But not on the same machine.

Sorry, I meant to indicate that resource domains are common, and that I
like the idea that a resource DC could actually handle the
authentication itself.

> > For the rare cases where clients contact the trusted domain directly, we
> > could have either a separate Samba on another IP, or they could contact
> > the remote DC directly.
> That's the point. All this multi-domain stuff is "rare".
> I don't want the complexity in mainline Samba. I don't
> think Simo, Gerry, Volker or JF do either.
> Let's just remove the multi-domain stuff for now and try
> and get 3.0 in a shippable state.

The 'new SAM' stuff is not being proposed for 3.0!  Certainly not yet,
we have a *lot* of work to do, before it gets there!

Also, *please* don't confuse that with the multi-backend stuff.  That
has a very different purpose, and was not included in the new SAM design
for exactly the reasons people don't want it in passdb.

The use of multiple backends in passdb has acknowledged issues, and I'm
not particularly fussed if you feel it should not ship with this
functionality enabled.  However, please do note that this *is* being
used at present, and cannot be 'just removed'.  (We map our non-passdb
users into the system via this method).  Volker has some solutions to
this issue however, which look very neat.  I'll need to check if they
actually catch all the cases.

(In particular, we have the nasty requirement that we map NIS users and
the like to and from names).

Andrew Bartlett

Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
