Samba 3.0 Schema changes
Andrew Bartlett
abartlet at samba.org
Thu Jun 19 05:15:31 GMT 2003
On Thu, 2003-06-19 at 14:56, Ronny Bremer wrote:
> Andrew,
>
> I have not yet fully explored the new schema for 3.0, but I will do
> this week.
>
> I've just got one comment on the next section:
>
> > In particular:
> > - We now have a 'sambaDomain' object, with the primary domain SID
> > - We now store the 'sambaSid' for each user, not their RID
> > - The algorithm for calculating such a SID is no longer fixed.
>
> I am a bit concerened about storing just one SID at the user object.
> Consider this setup:
>
> One LDAP tree, a user dn: cn=test,ou=users,o=acme
> I want two Samba domains, MKTG and ENG due to some restrictions in the
> applications being used.
> The same user needs to work in both domains.
Then you want to setup an inter-domain trust between the two.
> I do not believe, this would be possible by using just a single SID.
>
> I would rather recommend, that we make the SID at the user or group
> object a multivalued attribute and for each value list the Domain dn and
> the SID in that domain, for example:
> Samba domain MKTG has dn: cn=MKTG,ou=samba-internal,o=acme
> Samba domain ENG has dn: cn=ENG,ou=samba-internal,o=acme
>
> So user would get:
> sambaSID: cn=MKTG,ou=samba-internal,o=acme:x-567-xxx-xxxxx-1234
> sambaSID: cn=ENG,ou=samba-internal,o=acme:x-123-xxx-xxxxx-5678
Apart from the implications for searches on the domain SID (we do that a
lot) this breaks the modal that Samba follows, particularly in relation
to our IDMAP. (Where one Unix UID *must* match with only one SID).
> Doing this we allow multiple samba domains to be added to a single
> directory without breaking the ability to have just a single domain.
> There is an LDAP syntax for such attributes as well, but I need to check
> for the correct one, because many just define the associated number
> field as an integer and that would not be enough for a SID (but for a
> RID??)
>
> Whatcha think?
This sounds like a mess - merging a broken NT domain system (users
should only ever have had one account) onto a unified LDAP server will
never give 'good' results, but I don't think this solution is a very
good one.
Andrew Bartlett
--
Andrew Bartlett abartlet at pcug.org.au
Manager, Authentication Subsystems, Samba Team abartlet at samba.org
Student Network Administrator, Hawker College abartlet at hawkerc.net
http://samba.org http://build.samba.org http://hawkerc.net
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 189 bytes
Desc: This is a digitally signed message part
Url : http://lists.samba.org/archive/samba-technical/attachments/20030619/bf52da2e/attachment.bin
More information about the samba-technical
mailing list