design for storing trusted domain passwords in ldap

Michael Adam ma at sernet.de
Wed Jan 17 13:51:06 GMT 2007


Hi,

Volker committed my patch adding trusted domain functions
({get,set,del}-trusteddom-pw and enum-trusteddoms) to pdb_interface.
Now, as a next step, I want to add implementations of these
functions to pdb_ldap, thus allowing for distribution of trusted
domain passwords from the PDC to BDCs.

This raises a design question I would like to have some opinions
about before proceeding too far.

There is already an object class 'sambaTrustPassword', that is
currently unused and is commented as "Trust password for trust
relationships (any kind)". The definition is as follows:

objectclass ( 1.3.6.1.4.1.7165.2.2.14 NAME 'sambaTrustPassword' SUP top STRUCTURAL
        DESC 'Samba Trust Password'
        MUST ( sambaDomainName $ sambaNTPassword $ sambaTrustFlags )
        MAY ( sambaSID $ sambaPwdLastSet ))

I think it is definitely a good idea to have the trusted domain
passwords as objects of their own (as opposed to having them
attached to the sambaDomain as attributes). But the
sambaTrustPassword object does not quite match our needs:

I would have the SID of the trusted domain as a mandatory
attribute.
I don't see a use for sambaTrustFlags here.
Furthermore, it might be useful to have our own domain name as
an attribute in addition to the trusted domain name, thus
facilitating searches.

This would result in the following addition to the samba schema:

attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaTrustedDomainName'
        DESC 'Windows NT domain which the own domain trusts'
        EQUALITY caseIgnoreMatch
        SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )

##
## Trust password for trusted domains
##
objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL
        DESC 'Samba Trusted Domain Password'
        MUST ( sambaDomainName $
               sambaTrustedDomainName $ sambaSID $
               sambaNTPassword )
        MAY ( sambaPwdLastSet ))

Attached is a patch with these changes to the schema file.

Are there any opinions about this?

Thanks, Michael

-- 
Michael Adam,  SerNet Service Network GmbH
phone: +49-551-370000-0,  fax: +49-551-370000-9
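To make the proposed object class concrete, here is an added example (not Samba code and not part of the original post): it takes the MUST/MAY sets from the sambaTrustedDomainPassword definition above, checks a constructed entry against them, renders it as LDIF, and builds the search filter that the extra sambaDomainName/sambaTrustedDomainName pair makes possible. The DN layout, the domain-SID and NT-hash format checks, and all sample values are assumptions made for the example.

```python
"""Added example: validate a trusted-domain password entry against the
object class proposed in the post, emit it as LDIF, and build the lookup
filter.  Not Samba's pdb_ldap code; formats and sample data are assumed."""
import re

OBJECT_CLASS = "sambaTrustedDomainPassword"
# MUST / MAY attribute sets copied from the proposed schema in the post.
MUST = frozenset({"sambaDomainName", "sambaTrustedDomainName",
                  "sambaSID", "sambaNTPassword"})
MAY = frozenset({"sambaPwdLastSet"})

# Assumed value formats (the schema itself does not constrain them):
# a domain SID carries no trailing RID, and sambaNTPassword is the
# 32-hex-digit NT hash, i.e. a password-equivalent secret.
_DOMAIN_SID = re.compile(r"^S-1-5-21(?:-\d+){3}$")
_NT_HASH = re.compile(r"^[0-9A-F]{32}$", re.IGNORECASE)
_UNIX_TIME = re.compile(r"^\d+$")


def validate_entry(attrs):
    """Return a list of problems; an empty list means the entry fits the class.
    LDAP attribute names are case-insensitive, so they are compared folded."""
    canon = {name.lower(): name for name in MUST | MAY}
    seen = {}
    problems = []
    for name, value in attrs.items():
        key = name.lower()
        if key == "objectclass":
            continue
        if key not in canon:
            problems.append(f"attribute not allowed by {OBJECT_CLASS}: {name}")
            continue
        seen[canon[key]] = value
    for name in sorted(MUST - seen.keys()):
        problems.append(f"missing MUST attribute: {name}")
    sid = seen.get("sambaSID")
    if sid is not None and not _DOMAIN_SID.match(sid):
        problems.append(f"sambaSID is not a domain SID: {sid}")
    nthash = seen.get("sambaNTPassword")
    if nthash is not None and not _NT_HASH.match(nthash):
        problems.append("sambaNTPassword is not a 32-hex-digit NT hash")
    last_set = seen.get("sambaPwdLastSet")
    if last_set is not None and not _UNIX_TIME.match(last_set):
        problems.append("sambaPwdLastSet is not an integer timestamp")
    return problems


def escape_filter_value(value):
    """RFC 4515 escaping, so a domain name taken from the wire cannot
    inject filter syntax (a '*' would otherwise turn into a wildcard)."""
    return "".join("\\%02x" % ord(ch) if ch in "\\*()\0" else ch
                   for ch in value)


def search_filter(own_domain, trusted_domain):
    """Filter for one trust relationship.  Because both names live on the
    object, this is a single equality lookup instead of a scan of the
    sambaDomain entry."""
    return (f"(&(objectClass={OBJECT_CLASS})"
            f"(sambaDomainName={escape_filter_value(own_domain)})"
            f"(sambaTrustedDomainName={escape_filter_value(trusted_domain)}))")


def to_ldif(dn, attrs):
    """Render an LDIF add record (sample values are plain ASCII, so no
    base64 encoding is needed here)."""
    lines = [f"dn: {dn}", f"objectClass: {OBJECT_CLASS}"]
    lines += [f"{name}: {value}" for name, value in attrs.items()]
    return "\n".join(lines) + "\n"


# Constructed sample entry; the RDN convention, SID and hash are made up.
SAMPLE_DN = ("sambaTrustedDomainName=TRUSTEDDOM,sambaDomainName=MYDOM,"
             "dc=example,dc=com")
SAMPLE_ENTRY = {
    "sambaDomainName": "MYDOM",
    "sambaTrustedDomainName": "TRUSTEDDOM",
    "sambaSID": "S-1-5-21-1234567890-987654321-1122334455",
    "sambaNTPassword": "0123456789ABCDEF0123456789ABCDEF",
    "sambaPwdLastSet": "1169041866",
}

if __name__ == "__main__":
    print(to_ldif(SAMPLE_DN, SAMPLE_ENTRY))
    print(search_filter("MYDOM", "TRUSTEDDOM"))
    print("problems:", validate_entry(SAMPLE_ENTRY))
```

Whatever the final DN layout, the entry holds an NT hash of the trust account, which is as sensitive as a machine or user password hash; the LDAP ACL on these objects should restrict read access to the DC accounts that replicate them, exactly as for sambaNTPassword on sambaSamAccount entries.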

-------------- next part --------------
Index: examples/LDAP/samba.schema
===================================================================
--- examples/LDAP/samba.schema	(revision 20847)
+++ examples/LDAP/samba.schema	(working copy)
@@ -286,6 +286,11 @@
 	EQUALITY caseIgnoreMatch
 	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
 
+attributetype ( 1.3.6.1.4.1.7165.2.1.68 NAME 'sambaTrustedDomainName'
+	DESC 'Windows NT domain which the own domain trusts'
+	EQUALITY caseIgnoreMatch
+	SYNTAX 1.3.6.1.4.1.1466.115.121.1.15{128} )
+
 attributetype ( 1.3.6.1.4.1.7165.2.1.47 NAME 'sambaMungedDial'
 	DESC 'Base64 encoded user parameter string'
 	EQUALITY caseExactMatch
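Review bot: the new attributetype is placed by position only, between an unrelated attribute and sambaMungedDial (OID ...2.1.47), so the surrounding lines give no hint whether 1.3.6.1.4.1.7165.2.1.68 is free; please confirm that OID is not assigned anywhere else in samba.schema before this goes in, since slapd rejects a schema file with a duplicate OID at startup. Minor wording: DESC 'Windows NT domain which the own domain trusts' reads awkwardly; 'Windows NT domain trusted by this domain' says the same.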
@@ -501,6 +506,16 @@
 	MAY ( sambaSID $ sambaPwdLastSet ))
 
 ##
+## Trust password for trusted domains
+##
+objectclass ( 1.3.6.1.4.1.7165.2.2.15 NAME 'sambaTrustedDomainPassword' SUP top STRUCTURAL
+	DESC 'Samba Trusted Domain Password'
+	MUST ( sambaDomainName $ 
+	       sambaTrustedDomainName $ sambaSID $
+	       sambaNTPassword )
+	MAY ( sambaPwdLastSet ))
+
+##
 ## Whole-of-domain info
 ##
 objectclass ( 1.3.6.1.4.1.7165.2.2.5 NAME 'sambaDomain' SUP top STRUCTURAL
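Review bot: after this hunk the file carries two structural classes for trust passwords, the existing sambaTrustPassword (its `MAY ( sambaSID $ sambaPwdLastSet ))` line is the context just above) and the new sambaTrustedDomainPassword, and nothing in the comments says which one pdb_ldap will use; extend the `## Trust password for trusted domains` comment with a sentence that this class is the one used by the pdb trusted-domain calls, or mark the older class as unused in its own comment, so nobody populates the wrong one. Also `+	MUST ( sambaDomainName $ ` carries trailing whitespace after the `$`.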


More information about the samba-technical mailing list