Samba 3.0 Schema changes
Ronny Bremer
rbremer at future-gate.com
Thu Jun 19 04:56:57 GMT 2003
Andrew,
I have not yet fully explored the new schema for 3.0, but I will do
this week.
I've just got one comment on the next section:
> In particular:
> - We now have a 'sambaDomain' object, with the primary domain SID
> - We now store the 'sambaSid' for each user, not their RID
> - The algorithm for calculating such a SID is no longer fixed.
I am a bit concerned about storing just one SID at the user object.
Consider this setup:
One LDAP tree, a user dn: cn=test,ou=users,o=acme
I want two Samba domains, MKTG and ENG due to some restrictions in the
applications being used.
The same user needs to work in both domains.
I do not believe this would be possible by using just a single SID.
I would rather recommend that we make the SID at the user or group
object a multivalued attribute and for each value list the Domain dn and
the SID in that domain, for example:
Samba domain MKTG has dn: cn=MKTG,ou=samba-internal,o=acme
Samba domain ENG has dn: cn=ENG,ou=samba-internal,o=acme
So the user would get:
sambaSID: cn=MKTG,ou=samba-internal,o=acme:x-567-xxx-xxxxx-1234
sambaSID: cn=ENG,ou=samba-internal,o=acme:x-123-xxx-xxxxx-5678
Doing this we allow multiple samba domains to be added to a single
directory without breaking the ability to have just a single domain.
There is an LDAP syntax for such attributes as well, but I need to check
for the correct one, because many just define the associated number
field as an integer and that would not be enough for a SID (but for a
RID??)
Whatcha think?
Ronny
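As an added illustration of the multi-valued "domain dn:SID" attribute proposed above (example code written for this archive page; it is not part of Ronny's mail, nor part of Samba or its schema), here is how a consumer of such values would split them, pick the SID a user holds in one domain, and check each value against the SID stored on the corresponding sambaDomain object. The domain SIDs, the user entry and the function names are assumptions constructed for the example; the only thing taken from the mail is the value layout.

```python
import re
from typing import Dict, List, Optional, Tuple

# Windows SID syntax: S-1-<authority>-<subauth>[-<subauth>...]. A user or group
# SID inside a domain is that domain's SID followed by one more sub-authority,
# the RID, which is what the mail contrasts with storing the RID alone.
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")

# Constructed sample data (not from the mail): the SID each sambaDomain object
# would carry, and the proposed multi-valued attribute on one user entry.
DOMAIN_SIDS: Dict[str, str] = {
    "cn=MKTG,ou=samba-internal,o=acme": "S-1-5-21-111-222-333",
    "cn=ENG,ou=samba-internal,o=acme": "S-1-5-21-444-555-666",
}
USER_SAMBA_SID: List[str] = [
    "cn=MKTG,ou=samba-internal,o=acme:S-1-5-21-111-222-333-1234",
    "cn=ENG, ou=samba-internal, o=acme:S-1-5-21-444-555-666-5678",
]


def normalize_dn(dn: str) -> str:
    """LDAP DNs compare case-insensitively; also drop spaces around RDN separators."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_scoped_sid(value: str) -> Tuple[str, str]:
    """Split one 'domainDN:SID' value into (normalized DN, SID).

    Split on the LAST colon: a DN may legally contain ':' but a SID never does."""
    dn, sep, sid = value.rpartition(":")
    if not sep or not dn or not SID_RE.match(sid):
        raise ValueError(f"malformed scoped SID value: {value!r}")
    return normalize_dn(dn), sid


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID prefix, RID) for a user or group SID."""
    prefix, rid = sid.rsplit("-", 1)
    return prefix, int(rid)


def sid_for_domain(values: List[str], domain_dn: str) -> Optional[str]:
    """The SID a user has in one particular domain, or None if the user
    has no SID in that domain."""
    wanted = normalize_dn(domain_dn)
    for value in values:
        dn, sid = parse_scoped_sid(value)
        if dn == wanted:
            return sid
    return None


def check_scoped_sids(values: List[str], domain_sids: Dict[str, str]) -> List[str]:
    """Consistency checks a directory admin would want on such an attribute:
    - the domain DN must name a known sambaDomain object
    - the user's SID must be a RID under that domain's SID
    - a user gets at most one SID per domain
    Returns a list of human-readable problems (empty means consistent)."""
    domains = {normalize_dn(dn): sid for dn, sid in domain_sids.items()}
    problems: List[str] = []
    seen = set()
    for value in values:
        try:
            dn, sid = parse_scoped_sid(value)
        except ValueError as exc:
            problems.append(str(exc))
            continue
        if dn in seen:
            problems.append(f"duplicate SID for domain {dn}")
        seen.add(dn)
        domain_sid = domains.get(dn)
        if domain_sid is None:
            problems.append(f"unknown domain {dn}")
            continue
        prefix, _rid = split_sid(sid)
        if prefix != domain_sid:
            problems.append(f"{sid} is not under domain SID {domain_sid} ({dn})")
    return problems


if __name__ == "__main__":
    print(sid_for_domain(USER_SAMBA_SID, "CN=mktg,ou=samba-internal,o=acme"))
    print(check_scoped_sids(USER_SAMBA_SID, DOMAIN_SIDS))
```

Splitting on the last colon rather than the first is the detail that matters: an RDN value in the domain DN may itself contain a colon, whereas the SID component is a fixed "S-1-..." shape, so the SID side is the unambiguous anchor. The prefix check in check_scoped_sids is what makes the sambaDomain SID and the per-user SID agree, which is the point the mail raises about a user belonging to two domains in one tree.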