Samba 3.0 Schema changes

Andrew Bartlett abartlet at samba.org
Thu Jun 19 05:15:31 GMT 2003


On Thu, 2003-06-19 at 14:56, Ronny Bremer wrote:
> Andrew,
> 
> I have not yet fully explored the new schema for 3.0, but I will do
> this week.
> 
> I've just got one comment on the next section:
> 
> > In particular:
> > - We now have a 'sambaDomain' object, with the primary domain SID
> > - We now store the 'sambaSid' for each user, not their RID
> > - The algorithm for calculating such a SID is no longer fixed. 
> 
> I am a bit concerned about storing just one SID at the user object.
> Consider this setup:
> 
> One LDAP tree, a user dn: cn=test,ou=users,o=acme
> I want two Samba domains, MKTG and ENG due to some restrictions in the
> applications being used.
> The same user needs to work in both domains.

Then you want to setup an inter-domain trust between the two.  

> I do not believe, this would be possible by using just a single SID.
> 
> I would rather recommend, that we make the SID at the user or group
> object a multivalued attribute and for each value list the Domain dn and
> the SID in that domain, for example:
> Samba domain MKTG has dn: cn=MKTG,ou=samba-internal,o=acme
> Samba domain ENG has dn: cn=ENG,ou=samba-internal,o=acme
> 
> So user would get:
> sambaSID: cn=MKTG,ou=samba-internal,o=acme:x-567-xxx-xxxxx-1234
> sambaSID: cn=ENG,ou=samba-internal,o=acme:x-123-xxx-xxxxx-5678

Apart from the implications for searches on the domain SID (we do that a
lot) this breaks the model that Samba follows, particularly in relation
to our IDMAP.  (Where one Unix UID *must* match with only one SID).

> Doing this we allow multiple samba domains to be added to a single
> directory without breaking the ability to have just a single domain.
> There is an LDAP syntax for such attributes as well, but I need to check
> for the correct one, because many just define the associated number
> field as an integer and that would not be enough for a SID (but for a
> RID??)
> 
> Whatcha think?

This sounds like a mess - merging a broken NT domain system (users
should only ever have had one account) onto a unified LDAP server will
never give 'good' results, but I don't think this solution is a very
good one.

Andrew Bartlett

-- 
Andrew Bartlett                                 abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team  abartlet at samba.org
Student Network Administrator, Hawker College   abartlet at hawkerc.net
http://samba.org     http://build.samba.org     http://hawkerc.net
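The following is an added worked example illustrating the points argued in the
exchange above; it is not code from the post or from Samba. It models a
sambaDomain carrying the domain SID, a user carrying a full sambaSID (domain
SID plus RID) instead of a bare RID, a prefix search on the domain SID, and an
IDMAP table that enforces one Unix UID to exactly one SID. The two domain SIDs,
the uid 1000, and the uid*2+1000 RID formula are assumptions chosen for the
illustration (the post says the SID algorithm is no longer fixed), and the
conflict returned when the same uid is offered a second SID is what the
multi-valued sambaSID proposal would run into.

```python
import re

# Constructed domain SIDs for the two domains named in the thread; not real.
DOMAINS = {
    "MKTG": "S-1-5-21-111-222-333",
    "ENG":  "S-1-5-21-444-555-666",
}

# A domain-qualified SID: the S-1-5-21 prefix, three sub-authorities, one RID.
_SID_RE = re.compile(r"^S-1-5-21(?:-\d+){4}$")


def split_sid(sid):
    """Split a domain-qualified SID into (domain SID, RID)."""
    if not _SID_RE.match(sid):
        raise ValueError("not a domain-qualified SID: %r" % sid)
    domain, rid = sid.rsplit("-", 1)
    return domain, int(rid)


def algorithmic_rid(uid, rid_base=1000):
    """Assumed illustration of a uid -> RID formula (uid * 2 + base).
    The post says the algorithm is no longer fixed, so this is one
    possible policy, not a rule of the schema."""
    return uid * 2 + rid_base


def user_sid(domain_sid, uid):
    """Build the full sambaSID the 3.0 schema stores per user."""
    return "%s-%d" % (domain_sid, algorithmic_rid(uid))


class IdMap:
    """One Unix UID <-> exactly one SID, enforced in both directions."""

    def __init__(self):
        self._uid_to_sid = {}
        self._sid_to_uid = {}

    def conflict(self, uid, sid):
        """Return why (uid, sid) cannot be added, or None if it can."""
        split_sid(sid)  # reject malformed SIDs before touching the tables
        if self._uid_to_sid.get(uid, sid) != sid:
            return "uid %d already mapped to %s" % (uid, self._uid_to_sid[uid])
        if self._sid_to_uid.get(sid, uid) != uid:
            return "sid %s already mapped to uid %d" % (sid, self._sid_to_uid[sid])
        return None

    def add(self, uid, sid):
        reason = self.conflict(uid, sid)
        if reason:
            raise ValueError(reason)
        self._uid_to_sid[uid] = sid
        self._sid_to_uid[sid] = uid

    def uids_in_domain(self, domain_sid):
        """The 'search on the domain SID' the post mentions: a prefix match
        on the stored sambaSID values."""
        return sorted(uid for uid, sid in self._uid_to_sid.items()
                      if split_sid(sid)[0] == domain_sid)


def demo():
    """Walk the scenario from the thread: one LDAP user, two Samba domains."""
    idmap = IdMap()
    test_uid = 1000  # constructed uid for cn=test,ou=users,o=acme
    mktg_sid = user_sid(DOMAINS["MKTG"], test_uid)
    idmap.add(test_uid, mktg_sid)
    eng_sid = user_sid(DOMAINS["ENG"], test_uid)
    return {
        "mktg_sid": mktg_sid,
        "eng_sid": eng_sid,
        # A second SID for the same uid is exactly what IDMAP forbids.
        "second_sid_rejected": idmap.conflict(test_uid, eng_sid),
        "mktg_users": idmap.uids_in_domain(DOMAINS["MKTG"]),
        "eng_users": idmap.uids_in_domain(DOMAINS["ENG"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "=", value)
```

Run it as a script to see the two candidate SIDs for the user and the conflict
string returned when the ENG SID is offered for a uid that already maps to the
MKTG SID; the prefix search shows why a per-user full SID (rather than a bare
RID) makes "all users of domain X" a cheap string-prefix query.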