Samba 3.0 Schema changes

Ronny Bremer rbremer at future-gate.com
Thu Jun 19 04:56:57 GMT 2003


Andrew,

I have not yet fully explored the new schema for 3.0, but I will do
this week.

I've just got one comment on the next section:

> In particular:
> - We now have a 'sambaDomain' object, with the primary domain SID
> - We now store the 'sambaSid' for each user, not their RID
> - The algorithm for calculating such a SID is no longer fixed. 

I am a bit concerned about storing just one SID at the user object.
Consider this setup:

One LDAP tree, a user dn: cn=test,ou=users,o=acme
I want two Samba domains, MKTG and ENG due to some restrictions in the
applications being used.
The same user needs to work in both domains.

I do not believe this would be possible by using just a single SID.

I would rather recommend that we make the SID at the user or group
object a multivalued attribute and for each value list the Domain dn and
the SID in that domain, for example:
Samba domain MKTG has dn: cn=MKTG,ou=samba-internal,o=acme
Samba domain ENG has dn: cn=ENG,ou=samba-internal,o=acme

So user would get:
sambaSID: cn=MKTG,ou=samba-internal,o=acme:x-567-xxx-xxxxx-1234
sambaSID: cn=ENG,ou=samba-internal,o=acme:x-123-xxx-xxxxx-5678

Doing this we allow multiple samba domains to be added to a single
directory without breaking the ability to have just a single domain.
There is an LDAP syntax for such attributes as well, but I need to check
for the correct one, because many just define the associated number
field as an integer and that would not be enough for a SID (but for a
RID??)

Whatcha think?

Ronny
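As an added example (not part of Ronny's post and not Samba code), the following shows how a lookup against the proposed multi-valued "domain dn:SID" attribute could work: one value per domain on the user entry, the domain SID read from the matching sambaDomain object, and a check that the user's SID really carries that domain's SID as its prefix. The domain SIDs, the user's SIDs and the function names are constructed for the example; the DNs are the ones from the post.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample data: SIDs of the two sambaDomain objects from the post,
# keyed by DN, and the multi-valued sambaSID attribute of the user
# cn=test,ou=users,o=acme in the proposed "domainDN:SID" form.
DOMAIN_SIDS: Dict[str, str] = {
    "cn=MKTG,ou=samba-internal,o=acme": "S-1-5-21-1001-1002-1003",
    "cn=ENG,ou=samba-internal,o=acme": "S-1-5-21-2001-2002-2003",
}

USER_SAMBASID: List[str] = [
    "cn=MKTG,ou=samba-internal,o=acme:S-1-5-21-1001-1002-1003-1234",
    "cn=ENG,ou=samba-internal,o=acme:S-1-5-21-2001-2002-2003-5678",
]

# Textual SID form: S-1-<authority>-<sub-authority>[-<sub-authority>...]
SID_RE = re.compile(r"^S-1-\d+(?:-\d+)+$")


def normalize_dn(dn: str) -> str:
    """Canonicalise a DN for comparison: trim whitespace around the RDN
    separators and lower-case, since DNs match case-insensitively."""
    return ",".join(part.strip() for part in dn.split(",")).lower()


def parse_sambasid(value: str) -> Tuple[str, str]:
    """Split one 'domainDN:SID' value into (normalised DN, SID).

    The split is on the LAST colon: a SID never contains one, while an
    attribute value inside the DN might, so splitting on the first colon
    would misparse such entries."""
    dn, sep, sid = value.rpartition(":")
    if not sep or not dn.strip() or not SID_RE.match(sid):
        raise ValueError(f"malformed sambaSID value: {value!r}")
    return normalize_dn(dn), sid


def split_sid(sid: str) -> Tuple[str, int]:
    """Return (domain SID, RID); the RID is the last sub-authority."""
    prefix, _, rid = sid.rpartition("-")
    return prefix, int(rid)


def sid_in_domain(values: List[str], domain_dn: str,
                  domain_sids: Dict[str, str] = DOMAIN_SIDS) -> Optional[str]:
    """Return the user's SID in the domain named by domain_dn, or None if the
    user has no SID there.

    A value whose SID does not start with that domain's own SID is rejected:
    accepting it would let a stray directory edit place a user in one domain
    under a SID that belongs to another."""
    want = normalize_dn(domain_dn)
    domains = {normalize_dn(k): v for k, v in domain_sids.items()}
    if want not in domains:
        raise KeyError(f"unknown samba domain: {domain_dn}")
    for value in values:
        dn, sid = parse_sambasid(value)
        if dn != want:
            continue
        prefix, _rid = split_sid(sid)
        if prefix != domains[want]:
            raise ValueError(f"{sid} is not a SID of domain {domain_dn}")
        return sid
    return None


if __name__ == "__main__":
    for dn in DOMAIN_SIDS:
        print(dn, "->", sid_in_domain(USER_SAMBASID, dn))
```

The prefix check is the point of keeping the domain SID on the sambaDomain object: the user entry then only needs to say which domain each value belongs to, and the consistency between the two can be verified on every lookup.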


